Source blog: Schneier on Security
Hacking Gesture-Based Security
Interesting research: Abdul Serwadda, Vir V. Phoha, Zibo Wang, Rajesh Kumar, and Diksha Shukla, "Robotic Robbery on the Touch Screen," ACM Transactions on Information and System Security, May 2016. Abstract: Despite the tremendous amount of research fronting the use of touch gestures as a mechanism of continuous authentication on smart phones, very little research has been conducted to evaluate how...
FTC Investigating Android Patching Practices
It's a known truth that most Android vulnerabilities don't get patched. It's not Google's fault. They release the patches, but the phone carriers don't push them down to their smartphone users. Now the Federal Communications Commission and the Federal Trade Commission are investigating, sending letters to major carriers and device makers. I think this is a good thing. This is...
New Credit Card Scam
A criminal ring was arrested in Malaysia for credit card fraud: They would visit the online shopping websites and purchase all their items using phony credit card details while the debugging app was activated. The app would fetch the transaction data from the bank to the online shopping website, and trick the website into believing that the transaction was approved,...
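The scam works because the shop trusts an "approved" status that passes through the shopper's own device, where a debugging proxy can rewrite it. The following is an added example, not code from the original post or from any of the companies involved: a merchant-side confirmation check in its vulnerable form next to a hardened one. The gateway callback fields, the shared secret, the order values and the signing scheme are all constructed for illustration; a real gateway would specify its own signature format.

```python
import hashlib
import hmac


def canonical(params: dict) -> bytes:
    """Deterministic encoding of every callback field except the signature itself."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig").encode()


def gateway_sign(params: dict, secret: bytes) -> dict:
    """What the bank/gateway does server-side before notifying the merchant (constructed scheme)."""
    signed = dict(params)
    signed["sig"] = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return signed


def naive_confirm(callback: dict) -> bool:
    """Vulnerable: believes whatever status the shopper's browser/app relays from the bank."""
    return callback.get("status") == "approved"


def hardened_confirm(callback: dict, secret: bytes, order: dict, seen_txids: set) -> bool:
    """Accept only a gateway-authenticated, unreplayed approval that matches this order."""
    expected = hmac.new(secret, canonical(callback), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(callback.get("sig", ""), expected):
        return False  # forged callback or edited fields (e.g. declined -> approved)
    if callback.get("status") != "approved":
        return False
    if callback.get("order_id") != order["id"] or callback.get("amount") != order["amount"]:
        return False  # approval belongs to a different order or a smaller amount
    if callback.get("txid") in seen_txids:
        return False  # replay of an approval that was already consumed
    seen_txids.add(callback["txid"])
    return True


def demo() -> dict:
    """Constructed scenario: a declined transaction rewritten in transit, then a real one replayed."""
    secret = b"constructed gateway/merchant shared secret"
    order = {"id": "ORD-1001", "amount": "199.00"}
    seen = set()
    declined = gateway_sign(
        {"order_id": "ORD-1001", "amount": "199.00", "status": "declined", "txid": "TX-1"}, secret)
    forged = dict(declined)
    forged["status"] = "approved"  # the debugging app's edit on the way to the shop
    approved = gateway_sign(
        {"order_id": "ORD-1001", "amount": "199.00", "status": "approved", "txid": "TX-2"}, secret)
    return {
        "naive_accepts_forgery": naive_confirm(forged),
        "hardened_rejects_forgery": not hardened_confirm(forged, secret, order, seen),
        "hardened_accepts_real": hardened_confirm(approved, secret, order, seen),
        "hardened_rejects_replay": not hardened_confirm(approved, secret, order, seen),
    }
```

The point of the hardened version is that nothing the client relays is trusted on its own: the signature binds status, order and amount together, and the transaction id is consumed once, so the shop either verifies the callback against gateway-held key material or confirms the transaction with the gateway server-to-server.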
Children of Spies
Fascinating story of Tim and Alex Foley, the children of Russian spies Donald Heathfield and Tracey Foley....
Economist Detained for Doing Math on an Airplane
An economics professor was detained when he was spotted doing math on an airplane: On Thursday evening, a 40-year-old man -- with dark, curly hair, olive skin and an exotic foreign accent -- boarded a plane. It was a regional jet making a short, uneventful hop from Philadelphia to nearby Syracuse. Or so dozens of unsuspecting passengers thought. The curly-haired...
NIST Starts Planning for Post-Quantum Cryptography
Last year, the NSA announced its plans for transitioning to cryptography that is resistant to a quantum computer. Now, it's NIST's turn. Its just-released report talks about the importance of algorithm agility and quantum resistance. Sometime soon, it's going to have a competition for quantum-resistant public-key algorithms: Creating those newer, safer algorithms is the longer-term goal, Moody says. A key...
Friday Squid Blogging: Firefly Squid in the News
It's a good time to see firefly squid in Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Dilbert on Electronic Voting Machines
Accurate (the cartoon, not the machines)....
White House Report on Big Data Discrimination
The White House has released a report on big-data discrimination. From the blog post: Using case studies on credit lending, employment, higher education, and criminal justice, the report we are releasing today illustrates how big data techniques can be used to detect bias and prevent discrimination. It also demonstrates the risks involved, particularly how technologies can deliberately or inadvertently perpetuate,...
Own a Pair of Clipper Chips
The AT&T TSD was an early 1990s telephone encryption device. It was digital. Voice quality was okay. And it was the device that contained the infamous Clipper Chip, the U.S. government's first attempt to put a back door into everyone's communications. Marcus Ranum is selling a pair on eBay. He has the description wrong, though. The TSD-3600-E is the model...
$7 Million Social Media Privacy Mistake
Forbes estimates that football player Laremy Tunsil lost $7 million in salary because of an ill-advised personal video made public....
Credential Stealing as an Attack Vector
Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant. This is all important, but what's missing is a recognition that...
Fake Security Conferences
Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story....
Vulnerabilities in Samsung's SmartThings
Interesting research: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications": Abstract: Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such...
Friday Squid Blogging: Global Squid Shortage
There's a squid shortage along the Pacific coast of the Americas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
I'm Writing a Book on Security
I'm writing a book on security in the highly connected Internet-of-Things World. Tentative title: Click Here to Kill Everything: Peril and Promise in a Hyper-connected World. There are two underlying metaphors in the book. The first is what I have called the World-Sized Web, which is that combination of mobile, cloud, persistence, personalization, agents, cyber-physical systems, and the Internet of...
Documenting the Chilling Effects of NSA Surveillance
In Data and Goliath, I talk about the self-censorship that comes along with broad surveillance. This interesting research documents this phenomenon in Wikipedia: "Chilling Effects: Online Surveillance and Wikipedia Use," by Jon Penney, Berkeley Technology Law Journal, 2016. Abstract: This article discusses the results of the first empirical study providing evidence of regulatory "chilling effects" of Wikipedia users associated with...
Amazon Unlimited Fraud
Amazon Unlimited is an all-you-can-read service. You pay one price and can read anything that's in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they...
Two Good Readings on the Encryption "Going Dark" Debate
Testimonies of Matt Blaze and Danny Weitzner, both on April 19th before the House Energy and Commerce Committee. And the hearing....
People Trust Robots, Even When They Don't Inspire Trust
Interesting research: In the study, sponsored in part by the Air Force Office of Scientific Research (AFOSR), the researchers recruited a group of 42 volunteers, most of them college students, and asked them to follow a brightly colored robot that had the words "Emergency Guide Robot" on its side. The robot led the study subjects to a conference room, where...
Graffiti by Drone
Drones can graffiti walls that no person can reach. (Note that wired.com blocks ad blockers. My trick is to copy the page and then paste it into my text editor.)...
BlackBerry's Global Encryption Key
Last week there was a big news story about BlackBerry encryption. The news was that all BlackBerry devices share a global encryption key, and that the Canadian RCMP has a copy of it. Stupid design, certainly, but it's not news. As The Register points out, this has been repeatedly reported on since 2010. And note that this only holds...
Friday Squid Blogging: My Little Cephalopod
I assume this is more amusing to people who know about My Little Pony. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Encryption Backdoor Cartoons
Dilbert has a series: 1, 2, 3, 4, and 5. SMBC. And three more that make it clear this is a security vs. surveillance debate. Also this....
Cheating in Bicycle Races with Tiny Hidden Motors
If doping weren't enough, cyclists are cheating in races by hiding tiny motors in their bicycles. There are many detection techniques: For its report, Stade 2 positioned a thermal imaging camera along the route of the Strade Bianche, an Italian professional men's race in March held mostly on unpaved roads and featuring many steep climbs. The rear hub of one...
How Hacking Team Got Hacked
The hacker who hacked Hacking Team posted a lengthy description of how he broke into the company and stole everything. Two articles. ETA: This post originally had a pastebin.com link to the original post, but it seems to have been taken down....
Helen Nissenbaum on Regulating Data Collection and Use
NYU's Helen Nissenbaum gave an excellent lecture at Brown University last month, where she rebutted those who think that we should not regulate data collection, only data use: something she calls "big data exceptionalism." Basically, this is the idea that collecting the "haystack" isn't the problem; it's what is done with it that is. (I discuss this same topic in...
GCHQ Gets Involved in Mundane Surveillance Matters
GCHQ detected a potential pre-publication leak of a Harry Potter book, and alerted the publisher. Is this what British national intelligence is supposed to be doing?...
Details about Juniper's Firewall Backdoor
Last year, we learned about a backdoor in Juniper firewalls, one that seems to have been added into the code base. There's now some good research: "A Systematic Analysis of the Juniper Dual EC Incident," by Stephen Checkoway, Shaanan Cohney, Christina Garman, Matthew Green, Nadia Heninger, Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, and Ralf-Philipp Weinmann: Abstract: In December 2015, Juniper...
Kuwaiti Government will DNA Test Everyone
There's a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program "does not include genealogical implications or affects personal freedoms and privacy." I assume that "visitors" includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from...
Security Risks of Shortened URLs
Shortened URLs, produced by services like bit.ly and goo.gl, can be brute-forced. And searching random shortened URLs yields all sorts of secret documents. Plus, many of them can be edited, and can be infected with malware. Academic paper. Blog post with lots of detail....
Friday Squid Blogging: Replicating Reflecting Squid Tissue
New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
IRS Security
Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What's our money being spent on? Do we have a government worth paying for? I'm not here to answer any of those questions -- I'm here to give you something else to think about. In addition to sending the IRS your...
Cheating in Marathon Running
Story of Julie Miller, who cheated in multiple triathlon races: The difference between cheating in 1980 and cheating today is that it's much harder to get away with now. What trips up contemporary cheaters, Empfield said, is their false assumption that the only thing they have to worry about is their timing chip, the device they wear that records their...
Smartphone Forensics to Detect Distraction
The company Cellebrite is developing a portable forensics device that would determine if a smartphone user was using the phone at a particular time. The idea is to test phones of drivers after accidents: Under the first-of-its-kind legislation proposed in New York, drivers involved in accidents would have to submit their phone to roadside testing from a textalyzer to determine...
Hacking Lottery Machines
Interesting article about how a former security director of the US Multi-State Lottery Association hacked the random-number generator in lottery software so he could predict the winning numbers. For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators...
2016 Protocols Workshop
Ross Anderson has liveblogged the 24th International Workshop on Security Protocols in Brno, Czech Republic....
Scams from the 1800s
They feel quaint today: But in the spring of 1859, folks were concerned about another kind of hustle: A man who went by the name of A.V. Lamartine drifted from town to town in the Midwest pretending to attempt suicide. He would walk into a hotel, according to newspaper accounts from Salem, Ore., to Richmond, Va., and other...
Friday Squid Blogging: Cooking with Squid Ink
Risotto nero and more. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Security Lessons from the Game of Werewolf
I can't believe I haven't posted this before....
Breaking Semantic Image CAPTCHAs
Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs": Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an arms race, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the...
Bypassing Phone Security through Social Engineering
This works: Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work. The undercover officers asked to...
IBM Officially Owns Resilient Systems
It's officially final; IBM has "completed the acquisition" of Resilient Systems, Inc. We are now "Resilient: an IBM Company." As I expected when I announced this acquisition, I am staying on as the CTO of Resilient and something like Senior Advisor to IBM Security -- we're still working on the exact title. Everything I've seen so far indicates that this...
CONIKS
CONIKS is a new, easy-to-use transparent key-management system: CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to...
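To make the "transparent" part concrete, here is an added toy model of a key directory in the CONIKS style; it is illustrative code written for this page, not CONIKS's own implementation or protocol, and it simplifies heavily. The provider commits to every (username, key) pair in a Merkle tree and publishes a signed tree root (STR) per epoch; a client that looks up a key also receives an inclusion proof and checks it against the STR, and each user monitors their own entry every epoch. Assumptions: names, keys and the provider key are constructed, and the STR "signature" is an HMAC under a provider key as a stand-in for a real public-key signature (in the real design, clients hold only a verification key).

```python
import hashlib
import hmac


def _h(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over the parts so that different splits cannot collide."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big"))
        d.update(p)
    return d.digest()


def leaf_hash(name: str, pubkey: bytes) -> bytes:
    return _h(b"leaf", name.encode(), pubkey)


def build_levels(leaves):
    """Merkle tree built bottom-up; an odd-sized level is padded by repeating its last node."""
    if not leaves:
        raise ValueError("directory is empty")
    levels, cur = [], list(leaves)
    while True:
        if len(cur) > 1 and len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append(cur)
        if len(cur) == 1:
            return levels
        cur = [_h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur), 2)]


def inclusion_proof(levels, index):
    """Sibling hashes from the leaf up, each tagged with whether the sibling sits on the left."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        proof.append((level[sib], sib < index))
        index //= 2
    return proof


def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    h = leaf
    for sib, sib_is_left in proof:
        h = _h(b"node", sib, h) if sib_is_left else _h(b"node", h, sib)
    return hmac.compare_digest(h, root)


class KeyDirectory:
    """The provider: publishes one signed tree root (epoch, root, tag) per epoch."""

    def __init__(self, signing_key: bytes):
        self._sk, self._entries, self._names, self._levels, self.epoch = signing_key, {}, [], None, 0

    def register(self, name: str, pubkey: bytes):
        self._entries[name] = pubkey

    def publish(self):
        self._names = sorted(self._entries)
        self._levels = build_levels([leaf_hash(n, self._entries[n]) for n in self._names])
        self.epoch += 1
        root = self._levels[-1][0]
        tag = hmac.new(self._sk, self.epoch.to_bytes(8, "big") + root, "sha256").digest()
        return (self.epoch, root, tag)

    def lookup(self, name: str):
        return self._entries[name], inclusion_proof(self._levels, self._names.index(name))


def str_is_valid(verify_key: bytes, signed_root) -> bool:
    epoch, root, tag = signed_root
    expect = hmac.new(verify_key, epoch.to_bytes(8, "big") + root, "sha256").digest()
    return hmac.compare_digest(expect, tag)


def client_accepts(signed_root, verify_key: bytes, name: str, pubkey: bytes, proof) -> bool:
    """What a user's client checks before trusting a key it was handed for `name`."""
    return str_is_valid(verify_key, signed_root) and \
        verify_inclusion(leaf_hash(name, pubkey), proof, signed_root[1])


def demo():
    """Constructed scenario: honest lookup, a targeted key substitution, and self-monitoring."""
    provider_key = b"constructed provider signing key"
    d = KeyDirectory(provider_key)
    alice_key = b"alice-pk-1"
    for n, k in (("alice", alice_key), ("bob", b"bob-pk-1"), ("carol", b"carol-pk-1")):
        d.register(n, k)
    str1 = d.publish()
    # 1. Bob fetches Alice's key plus proof and checks both against the published STR.
    key, proof = d.lookup("alice")
    honest = client_accepts(str1, provider_key, "alice", key, proof)
    # 2. Provider hands Bob a different key for Alice: no proof exists for it under str1.
    substituted = client_accepts(str1, provider_key, "alice", b"mallory-pk", proof)
    # 3. Provider swaps Alice's key in a new epoch. Alice's client re-checks its own entry
    #    against the new STR and finds the key it registered is no longer in the tree.
    d.register("alice", b"mallory-pk")
    str2 = d.publish()
    _, proof2 = d.lookup("alice")
    alice_still_sees_own_key = client_accepts(str2, provider_key, "alice", alice_key, proof2)
    return honest, substituted, alice_still_sees_own_key
```

The substitution in step 2 fails because the provider cannot forge a proof for a leaf that is not in the committed tree; the one in step 3 succeeds only by publishing a new root, which is exactly what Alice's own monitoring catches. Detecting a provider that shows different roots to different users (equivocation) additionally requires clients to compare the STRs they see, which this toy leaves out.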
WhatsApp is Now End-to-End Encrypted
WhatsApp is now end-to-end encrypted....
Data and Goliath Sale
I have a bunch of extra copies of my book Data and Goliath, and I am selling them at a discount. Details here....
Smart Essay on the Limitations of Anti-Terrorism Security
This is good: Threats constantly change, yet our political discourse suggests that our vulnerabilities are simply for lack of resources, commitment or competence. Sometimes, that is true. But mostly we are vulnerable because we choose to be; because we've accepted, at least implicitly, that some risk is tolerable. A state that could stop every suicide bomber wouldn't be a free...
Friday Squid Blogging: Composite Materials Based on Squid Beaks
Squid-based research is yielding composites that are both strong and flexible. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Reddit's Warrant Canary Just Died
Reddit has received a National Security Letter. I have long discounted warrant canaries. A gag order is serious, and this sort of high-school trick won't fool judges for a minute. But so far they seem to be working. Now we have another question: now what? We have one piece of information, but not a very useful one. We know that...
Hacking Elections in Latin America
Long and interesting article about a fixer who hacked multiple elections in Latin America. This isn't election hacking as in manipulate the voting machines or the vote counting, but hacking and social-media dirty tricks leading up to the election....
ISIS Encryption Opsec
Tidbits from the New York Times: The final phase of Mr. Hame's training took place at an Internet cafe in Raqqa, where an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user's online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at...
Lawful Hacking and Continuing Vulnerabilities
The FBI's legal battle with Apple is over, but the way it ended may not be good news for anyone. Federal agents had been seeking to compel Apple to break the security of an iPhone 5c that had been used by one of the San Bernardino, Calif., terrorists. Apple had been fighting a court order to cooperate with the FBI,...
Mass Surveillance Silences Minority Opinions
Research paper: Elizabeth Stoycheff, "Under Surveillance: Examining Facebook's Spiral of Silence Effects in the Wake of NSA Internet Monitoring": Abstract: Since Edward Snowden exposed the National Security Agency's use of controversial online surveillance programs in 2013, there has been widespread speculation about the potentially deleterious effects of online government monitoring. This study explores how perceptions and justification of surveillance practices...
A 1976 Congressional Report on Surveillance
Here's a 1,300-page Congressional report on "surveillance technology" from 1976....
Power on the Internet
Interesting paper: Yochai Benkler, "Degrees of Freedom, Dimensions of Power," Daedalus, winter 2016: Abstract: The original Internet design combined technical, organizational, and cultural characteristics that decentralized power along diverse dimensions. Decentralized institutional, technical, and market power maximized freedom to operate and innovate at the expense of control. Market developments have introduced new points of control. Mobile and cloud computing, the...
Memphis Airport Inadvertently Gets Security Right
A local newspaper recently tested airport security at Memphis Airport: Our crew sat for 30 minutes in the passenger drop-off area Tuesday without a word from anyone, and that raised a number of eyebrows. Certainly raised mine. Here's my question: why is that a bad thing? If you're worried about a car bomb, why do you think length of time...
Interesting Lottery Terminal Hack
It was a manipulation of the terminals. The 5 Card Cash game was suspended in November after Connecticut Lottery and state Department of Consumer Protection officials noticed there were more winning tickets than the game's parameters should have allowed. The game remains suspended. An investigation determined that some lottery retailers were manipulating lottery machines to print more instant winner tickets...
FBI vs. Apple: Who Is Helping the FBI?
On Monday, the FBI asked the court for a two-week delay in a scheduled hearing on the San Bernardino iPhone case, because some "third party" approached it with a way into the phone. It wanted time to test this access method. Who approached the FBI? We have no idea. I have avoided speculation because the story makes no sense. Why...
Cryptography Is Harder Than It Looks
Writing a magazine column is always an exercise in time travel. I'm writing these words in early December. You're reading them in February. This means anything that's news as I write this will be old hat in two months, and anything that's news to you hasn't happened yet as I'm writing. This past November, a group of researchers found some...
FBI's Cyber Most Wanted List
The FBI just added two members of the Syrian Electronic Army to its cyber most-wanted list. I had no idea that the FBI had a cyber most-wanted list....
1981 US Document on Encryption Policy
This was newly released under FOIA at my request: Victor C. Williams, Jr., Donn B. Parker, and Charles C. Wood, "Impacts of Federal Policy Options for Nonmilitary Cryptography," NTIA-CR-81-10, National Telecommunications and Information Administration, U.S. Department of Commerce, June 1981. It argues that cryptography is an important enabling technology. At this point, it's only of historical value....
Observations on the Surveillance that Resulted in the Capture of Salah Abdeslam
Interesting analysis from The Grugq: Bottom Line Up Front Intelligence agencies must cooperate more rapidly and proactively to counter ISIS' rapid and haphazard operational tempo. Clandestine operatives must rely on support networks that include overt members of the public. These networks are easily mapped out based on metadata available to nation state level security forces. Fugitives should learn to cook...
iMessage Encryption Flaw Found and Fixed
Matthew Green and team found and reported a significant iMessage encryption flaw last year. Green suspected there might be a flaw in iMessage last year after he read an Apple security guide describing the encryption process and it struck him as weak. He said he alerted the firm's engineers to his concern. When a few months passed and the flaw...
Brennan Center Report on NSA Overseas Spying and Executive Order 12333
The Brennan Center has released a report on EO 12333, the executive order that regulates the NSA's overseas surveillance. Much of what the NSA does here is secret and, even though the EO is designed for foreign surveillance, Americans are regularly swept up in the NSA's collection operations: Despite a series of significant disclosures, the scope of these operations, as...
Friday Squid Blogging: Braised Squid With Harissa and Olives
Recommended recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
I'm a Wall Street Journal Acrostic Answer
A quote from Data and Goliath is the answer to a Wall Street Journal acrostic. It's not the same as being a New York Times crossword puzzle answer, but it's close....
Companies Handing Source Code Over to Governments
ZDNet has an article on US government pressure on software companies to hand over copies of their source code. There are no details because no one is talking on the record, but I also believe that this is happening. When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before. These...
New NIST Encryption Guidelines
NIST has published a draft of their new standard for encryption use: "NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, NSA's symmetric algorithm from the same period, will no longer be certified. I see nothing sinister about...
Another FBI Filing on the San Bernardino iPhone Case
The FBI's reply to Apple is more of a character assassination attempt than a legal argument. It's as if it only cares about public opinion at this point. Although notice the threat in footnote 9 on page 22: For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and...
Financial Cryptography 2016
Ross Anderson liveblogged this year's Financial Cryptography conference....
Possible Government Demand for WhatsApp Backdoor
The New York Times is reporting that WhatsApp, and its parent company Facebook, may be headed to court over encrypted chat data that the FBI can't decrypt. This case is fundamentally different from the Apple iPhone case. In that case, the FBI is demanding that Apple create a hacking tool to exploit an already existing vulnerability in the iPhone 5c,...
Punishment and Trust
Interesting research: "Third-party punishment as a costly signal of trustworthiness," by Jillian J. Jordan, Moshe Hoffman, Paul Bloom, and David G. Rand, Nature: Abstract: Third-party punishment (TPP), in which unaffected observers punish selfishness, promotes cooperation by deterring defection. But why should individuals choose to bear the costs of punishing? We present a game theoretic model of TPP as a costly signal...
Analysis of Yemeni Cell Phone Metadata
This research shows the power of cell phone metadata. From an article by the author: Yemen has experienced an array of violent incidents and political turmoil in recent years, ranging from al Qaeda militant attacks to drone strikes, Arab Spring protests, and now Saudi Arabian air strikes. Call patterns can capture political or violent activities as they unravel in real...
Friday Squid Blogging: Squid Scientists on Tumblr
Really great Tumblr feed. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Leaked ISIS Documents
Looks like tens of thousands of ISIS documents have been leaked. Where did they come from? We don't know: Documents listing the names of Islamic State fighters have been touted around the Middle East for months, dangled in front of media outlets for large sums of money. [...] Ramsay said he met the source of the documents in Turkey, an...
Espionage Tactics Against Tibetans
A Citizen Lab research study of Chinese attack and espionage tactics against Tibetan networks and users. This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on "inside" knowledge of community activities. This...
Hidden Credit Card Skimmers
New credit card skimmers are hidden inside the card readers, making them impossible to spot. EDITED TO ADD (3/11): Brian Krebs on this from over a year ago....
Plagiarism in Crossword Puzzles
Yet another fraud discovered through data analysis. EDITED TO ADD (3/11): More....
Hacking Ukraine's Power Grid
This is an excellent article on the December hack of Ukraine's power grid....
Eavesdropping by the Foscam Security Camera
Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera: Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek...
Research on Balancing Privacy with Surveillance
Interesting research: Michael Kearns, Aaron Roth, Zhiwei Steven Wu, and Grigory Yaroslavtsev, "Private algorithms for the protected in social network search," PNAS, Jan 2016: Abstract: Motivated by tensions between data privacy for individual citizens and societal priorities such as counterterrorism and the containment of infectious disease, we introduce a computational model that distinguishes between parties for whom privacy is explicitly...
The Ads vs. Ad Blockers Arms Race
For the past month or so, Forbes has been blocking browsers with ad blockers. Today, I tried to access a Wired article and the site blocked me for the same reason. I see this as another battle in this continuing arms race, and hope/expect that the ad blockers will update themselves to fool the ad blocker detectors. But in a...
Practical TEMPEST Attack
Four researchers have demonstrated a TEMPEST attack against a laptop, recovering its keys by listening to its electrical emanations. The cost for the attack hardware was about $3,000. News article: To test the hack, the researchers first sent the target a specific ciphertext -- in other words, an encrypted message. "During the decryption of the chosen ciphertext, we measure the...
Decrypting an iPhone for the FBI
Earlier this week, a federal magistrate ordered Apple to assist the FBI in hacking into the iPhone used by one of the San Bernardino shooters. Apple will fight this order in court. The policy implications are complicated. The FBI wants to set a precedent that tech companies will assist law enforcement in breaking their users' security, and the technology community...
Friday Squid Blogging: Up Close and Personal with a Giant Squid
Fascinating story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Security Implications of Cash
I saw two related stories today. The first is about high-denomination currency. The EU is considering dropping its 500-euro note, on the grounds that only criminals need to move around that much cash. In response, Switzerland said that it is not dropping its 1,000-Swiss franc note. Of course, the US leads the way in small money here; its biggest banknote...
Underage Hacker Is behind Attacks against US Government
It's a teenager: British police have arrested a teenager who allegedly was behind a series of audacious -- and, for senior U.S. national security officials, embarrassing -- hacks targeting personal accounts of top brass at the CIA, FBI, Homeland Security Department, the White House and other federal agencies, according to U.S. officials briefed on the investigation. [...] The prominent victims...
Judge Demands that Apple Backdoor an iPhone
A judge has ordered that Apple bypass iPhone security in order for the FBI to attempt a brute-force password attack on an iPhone 5c used by one of the San Bernardino killers. Apple is refusing. The order is pretty specific technically. This implies to me that what the FBI is asking for is technically possible, and even that Apple assisted...
Enabling Trust by Consensus
Trust is a complex social phenomenon, captured very poorly by the binary nature of Internet trust systems. This paper proposes a social consensus system of trust: "Do You Believe in Tinker Bell? The Social Externalities of Trust," by Khaled Baqer and Ross Anderson. From the abstract: Inspired by Tinker Bell, we propose a new approach: a trust service whose power...
Using Eagles to Intercept Drones
Both Dutch and UK police are training eagles to attack drones....
Fear and Anxiety
More psychological research on our reaction to terrorism and mass violence: The researchers collected posts on Twitter made in response to the 2012 shooting attack at Sandy Hook Elementary School in Newtown, Connecticut. They looked at tweets about the school shooting over a five-and-a-half-month period to see whether people used different language in connection with the event depending on how...
Survey of the Dark Web
Interesting paper on the dark web: Daniel Moore & Thomas Rid, "Cryptopolitik and the Darknet," Survival, 2016. (Technical annex here -- requires the Tor browser.) They conclude that it's mostly used for illegal activity. No surprise, really, but it's good to have actual research to back it up. Press coverage....
Friday Squid Blogging : Pajama Squid
The Monterey Bay Aquarium has a pajama squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Fitbit Data Reveals Pregnancy
A man learned his wife was pregnant from her Fitbit data. The details of the story are weird. The man posted the data to Reddit and asked for analysis help. But the point is that the data can reveal pregnancy, and this might not be something a person wants to tell a company that can sell that information for profit....
Determining Physical Location on the Internet
Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates...
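As an added illustration of the delay-based idea (example code written for this page, not the CPV authors' implementation, and a deliberate simplification of their method): three verifiers with known positions each measure a delay to the client, delays are converted to distance upper bounds with an assumed propagation speed, and the verifier compares the area of the triangle the verifiers form with the areas of the three triangles the client's delay-derived distances would form with each pair of them. If the client really is where it claims, inside the verifier triangle, the three sub-areas sum to the verifier triangle's area (plus slack for queuing delay); if its delays actually come from somewhere far away, the sum is much larger, and faking GPS coordinates does nothing about that. The coordinates, the speed constant, the tolerance and the "measured" delays are all constructed assumptions.

```python
import math

KM_PER_MS = 200.0  # assumed propagation speed, roughly two-thirds of c in fibre


def dist(p, q) -> float:
    return math.hypot(p[0] - q[0], p[1] - q[1])


def heron(a: float, b: float, c: float):
    """Triangle area from side lengths, or None when no triangle has these sides."""
    if a + b < c or b + c < a or c + a < b:
        return None
    s = (a + b + c) / 2.0
    return math.sqrt(max(s * (s - a) * (s - b) * (s - c), 0.0))


def verify_location(verifiers, claimed, delays_ms, tolerance=0.3):
    """Return (accepted, area_ratio) for a claimed position given one delay per verifier."""
    A, B, C = verifiers
    AB, BC, CA = dist(A, B), dist(B, C), dist(C, A)
    big = heron(AB, BC, CA)
    # The claim itself must fall inside the verifier triangle (sub-areas sum to the whole);
    # verifiers cannot vouch for a point outside the region they surround.
    cA, cB, cC = dist(claimed, A), dist(claimed, B), dist(claimed, C)
    geo = heron(cA, cB, AB) + heron(cB, cC, BC) + heron(cC, cA, CA)
    if geo > big * (1 + 1e-6):
        return False, float("inf")
    # Delay-derived distances: an upper bound on how far the client can be from each verifier.
    dA, dB, dC = (d * KM_PER_MS for d in delays_ms)
    parts = [heron(dA, dB, AB), heron(dB, dC, BC), heron(dC, dA, CA)]
    if any(p is None for p in parts):
        return False, float("inf")  # delays geometrically impossible for any single location
    ratio = sum(parts) / big
    return ratio <= 1.0 + tolerance, ratio


def measured_delays(true_pos, verifiers, inflation=1.05):
    """Constructed stand-in for an RTT/2 measurement: propagation time plus 5% queuing delay."""
    return [dist(true_pos, v) / KM_PER_MS * inflation for v in verifiers]


# Constructed planar coordinates in km for three verifiers around a city-sized region.
VERIFIERS = ((0.0, 0.0), (600.0, 0.0), (300.0, 500.0))


def demo():
    """Honest client, a distant client claiming the same spot, and a claim outside the triangle."""
    claim = (300.0, 200.0)
    honest = verify_location(VERIFIERS, claim, measured_delays(claim, VERIFIERS))
    liar = verify_location(VERIFIERS, claim, measured_delays((900.0, 900.0), VERIFIERS))
    outside = verify_location(VERIFIERS, (1000.0, 1000.0), measured_delays((1000.0, 1000.0), VERIFIERS))
    return honest, liar, outside
```

The tolerance absorbs the fact that real delays exceed pure propagation time; in practice it has to be calibrated per deployment, since a client on a congested link looks "farther away" and a lying client only needs its inflated delays to stay inside the slack. That calibration, and the choice of verifiers that actually enclose the claimed area, is where the real work in the paper lies.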
Worldwide Encryption Products Survey
Today I released my worldwide survey of encryption products. The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the US, calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to...
Make Privacy a 2016 Election Issue
EPIC has just launched "Data Protection 2016" to try to make privacy an issue in this year's elections. You can buy swag....
AT&T Does Not Care about Your Privacy
AT&T's CEO believes that the company should not offer robust security to its customers: But tech company leaders aren't all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn't have any say in the debate. "I don't think it is Silicon Valley's decision to make...
10,000-Year-Old Warfare
Evidence of primitive warfare from Kenya's Rift Valley....
The 2016 National Threat Assessment
It's National Threat Assessment Day. Published annually by the Director of National Intelligence, the "Worldwide Threat Assessment of the US Intelligence Community" is the US intelligence community's one time to publicly talk about the threats in general. The document is the results of weeks of work and input from lots of people. For Clapper, it's his chance to shape the...
Large-Scale FBI Hacking
As part of a child pornography investigation, the FBI hacked into over 1,300 computers. But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been "shuttered" by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a...
Data and Goliath Published in Paperback
Today, Data and Goliath is being published in paperback. Everyone tells me that the paperback version sells better than the hardcover, even though it's a year later. I can't really imagine that there are tens of thousands of people who wouldn't spend $28 on a hardcover but are happy to spend $18 on the paperback, but we'll see. (Amazon has...
Exploiting Google Maps for Fraud
The New York Times has a long article on fraudulent locksmiths. The scam is a basic one: quote a low price on the phone, but charge much more once you show up and do the work. But the method by which the scammers get victims is new. They exploit Google's crowdsourced system for identifying businesses on their maps. The scammers...
Friday Squid Blogging: Squid Knitting Pattern
Surprisingly realistic for a knitted stuffed animal....
NSA Reorganizing
The NSA is undergoing a major reorganization, combining its attack and defense sides into a single organization: In place of the Signals Intelligence and Information Assurance directorates (the organizations that historically have spied on foreign targets and defended classified networks against spying, respectively), the NSA is creating a Directorate of Operations that combines the operational elements of each....
Tracking Anonymous Web Users
This research shows how to track e-commerce users better across multiple sessions, even when they do not provide unique identifiers such as user IDs or cookies. Abstract: Targeting individual consumers has become a hallmark of direct and digital marketing, particularly as it has become easier to identify customers as they interact repeatedly with a company. However, across a wide variety...
The Internet of Things Will Be the World's Biggest Robot
The Internet of Things is the name given to the computerization of everything in our lives. Already you can buy Internet-enabled thermostats, light bulbs, refrigerators, and cars. Soon everything will be on the Internet: the things we own, the things we interact with in public, autonomous things that interact with each other. These "things" will have two separate parts. One...
Security vs. Surveillance
Both the "going dark" metaphor of FBI Director James Comey and the contrasting "golden age of surveillance" metaphor of privacy law professor Peter Swire focus on the value of data to law enforcement. As framed in the media, encryption debates are about whether law enforcement should have surreptitious access to data, or whether companies should be allowed to provide strong...
Paper on the Going Dark Debate
I am pleased to have been a part of this report, part of the Berkman Center's Berklett Cybersecurity project: Don't Panic: Making Progress on the "Going Dark" Debate From the report: In this report, we question whether the "going dark" metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively...
More Details on the NSA Switching to Quantum-Resistant Cryptography
The NSA is publicly moving away from cryptographic algorithms vulnerable to cryptanalysis using a quantum computer. It just published a FAQ about the process: Q: Is there a quantum resistant public-key algorithm that commercial vendors should adopt? A: While a number of interesting quantum resistant public key algorithms have been proposed external to NSA, nothing has been standardized by NIST,...
NSA and GCHQ Hacked Israeli Drone Feeds
The NSA and GCHQ have successfully hacked Israel's drones, according to the Snowden documents. The story is being reported by the Intercept and Der Spiegel. The Times of Israel has more....
NSA's TAO Head on Internet Offense and Defense
Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group -- basically the country's chief hacker -- spoke in public earlier this week. He talked both about how the NSA hacks into networks, and what network defenders can do to protect themselves. Here's a video of the talk, and here are two good summaries. Intrusion phases: reconnaissance, initial...
Friday Squid Blogging: Polynesian Squid Hook
From 1909, for squid fishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Integrity and Availability Threats
Cyberthreats are changing. We're worried about hackers crashing airplanes by hacking into computer networks. We're worried about hackers remotely disabling cars. We're worried about manipulated counts from electronic voting booths, remote murder through hacked medical devices and someone hacking an Internet thermostat to turn off the heat and freeze the pipes. The traditional academic way of thinking about information security...
Psychological Model of Selfishness
This is interesting: Game theory decision-making is based entirely on reason, but humans don't always behave rationally. David Rand, assistant professor of psychology, economics, cognitive science, and management at Yale University, and psychology doctoral student Adam Bear incorporated theories on intuition into their model, allowing agents to make a decision either based on instinct or rational deliberation. In the model,...
Horrible Story of Digital Harassment
This is just awful. Their troll -- or trolls, as the case may be -- have harassed Paul and Amy in nearly every way imaginable. Bomb threats have been made under their names. Police cars and fire trucks have arrived at their house in the middle of the night to respond to fake hostage calls. Their email and social media...
Shodan Lets You Browse Insecure Webcams
There's a lot out there: The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.... Slashdot thread....
Friday Squid Blogging: North Coast Squid
North Coast Squid is a local writing journal from Manzanita, Oregon. It's going to publish its fifth edition this year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
UK Government Promoting Backdoor-Enabled Voice Encryption Protocol
The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it's an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there's no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping. Steven Murdoch has explained the details. The upshot:...
Security Trade-offs in the Longbow vs. Crossbow Decision
Interesting research: Douglas W. Allen and Peter T. Leeson, "Institutionally Constrained Technology Adoption: Resolving the Longbow Puzzle," Journal of Law and Economics, v. 58, Aug 2015. Abstract: For over a century the longbow reigned as undisputed king of medieval European missile weapons. Yet only England used the longbow as a mainstay in its military arsenal; France and Scotland clung to...
El Chapo's Opsec
I've already written about Sean Penn's opsec while communicating with El Chapo. Here's the technique of mirroring, explained: El Chapo then switched to a complex system of using BBM (BlackBerry's Instant Messaging) and proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days...
France Rejects Back Doors in Encryption Products
For the right reasons too: Axelle Lemaire, the Euro nation's digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected. "Recent events show how the fact of introducing faults deliberately at the request - sometimes even without knowing - the intelligence agencies...
Reverse-Engineering a Zero-Day Exploit from the Hacking Team Data Dump
Last July, a still-anonymous hacker broke into the network belonging to the cyberweapons arms manufacturer Hacking Team, and dumped an enormous amount of its proprietary documents online. Kaspersky Labs was able to reverse-engineer one of its zero-day exploits from that data....
Counterfeit Theater Tickets in New York
Counterfeiters are making tickets for the Broadway show "Hamilton." Counterfeiting is much easier when the person you're passing the fakes off to doesn't know what the real thing is supposed to look like....
Match Fixing in Tennis
The BBC and Buzzfeed are jointly reporting on match fixing in tennis. Their story is based partially on leaked documents and partly on data analysis. BuzzFeed News began its investigation after devising an algorithm to analyse gambling on professional tennis matches over the past seven years. It identified 15 players who regularly lost matches in which heavily lopsided betting appeared...
Should We Allow Bulk Searching of Cloud Archives?
Jonathan Zittrain proposes a very interesting hypothetical: Suppose a laptop were found at the apartment of one of the perpetrators of last year's Paris attacks. It's searched by the authorities pursuant to a warrant, and they find a file on the laptop that's a set of instructions for carrying out the attacks. The discovery would surely help in the prosecution...
Spamming Someone from PayPal
Troy Hunt has identified a new spam vector. PayPal allows someone to send someone else a $0 invoice. The spam is in the notes field. But it's a legitimate e-mail from PayPal, so it evades many of the traditional spam filters. Presumably it doesn't cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole...
Fighting DRM in the W3C
Cory Doctorow has a good post on the EFF website about how they're trying to fight digital rights management software in the World Wide Web Consortium. So we came back with a new proposal: the W3C could have its cake and eat it too. It could adopt a rule that requires members who help make DRM standards to promise not...
Sean Penn's Opsec
This article talks about the opsec used by Sean Penn surrounding his meeting with El Chapo. Security experts say there aren't enough public details to fully analyze Penn's operational security (opsec). But they described the paragraph above as "incomprehensible" and "gibberish." Let's try to break it down: Penn describes using "TracPhones," by which he likely means TracFones, which are cheap...
The Internet of Things that Talks About You Behind Your Back
SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that...
Michael Hayden and the Dutch Government Are against Crypto Backdoors
Last week, former NSA Director Michael Hayden made a very strong argument against deliberately weakening security products by adding backdoors: Americans' safety is best served by the highest level of technology possible, and that the country's intelligence agencies have figured out ways to get around encryption. "Before any civil libertarians want to come up to me afterwards and get my...
Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015
Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple's Mac OS X, with 384 vulnerabilities. The runner-up? Apple's iOS, with 375 vulnerabilities. Rounding out the top five are Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison,...
IT Security and the Normalization of Deviance
Professional pilot Ron Rapp has written a fascinating article on a 2014 Gulfstream plane that crashed on takeoff. The accident was 100% human error and entirely preventable -- the pilots ignored procedures and checklists and warning signs again and again. Rapp uses it as an example of what systems theorists call the "normalization of deviance," a term coined by sociologist Diane...
Friday Squid Blogging: Squid Ink Pasta
Squid ink pasta is not hard to make, and is a really good side for a wide variety of fish recipes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Podcast Interview with Me
The Technoskeptic has posted a good interview with me on its website. Normally it charges for its content, but this interview is available for free....
"How Stories Deceive"
Fascinating New Yorker article about Samantha Azzopardi, serial con artist and deceiver. The article is really about how our brains allow stories to deceive us: Stories bring us together. We can talk about them and bond over them. They are shared knowledge, shared legend, and shared history; often, they shape our shared future. Stories are so natural that we don't...
Replacing Judgment with Algorithms
China is considering a new "social credit" system, designed to rate everyone's trustworthiness. Many fear that it will become a tool of social control -- but in reality it has a lot in common with the algorithms and systems that score and classify us all every day. Human judgment is being replaced by automatic algorithms, and that brings with it...
Straight Talk about Terrorism
Nice essay that lists ten "truths" about terrorism: We can't keep the bad guys out. Besides, the threat is already inside. More surveillance won't get rid of terrorism, either. Defeating the Islamic State won't make terrorism go away. Terrorism still remains a relatively minor threat, statistically speaking. But don't relax too much, because things will probably get worse before they...
How the US Is Playing Both Ends on Data Privacy
There's an excellent article in Foreign Affairs on how the European insistence on data privacy -- most recently illustrated by their invalidation of the "safe harbor" agreement -- is really about the US talking out of both sides of its mouth on the issue: championing privacy in public, but spying on everyone in private. As long as the US keeps...
1981 CIA Report on Deception
Recently declassified: Deception Maxims: Fact and Folklore, Office of Research and Development, Central Intelligence Agency, June 1981. Research on deception and con games has advanced in the past 25 years, but this is still interesting to read....
NSA Spies on Israeli Prime Minister
The Wall Street Journal has a story that the NSA spied on Israeli Prime Minister Benjamin Netanyahu and other Israeli government officials, and incidentally collected conversations between US citizens -- including lawmakers -- and those officials. US lawmakers who are usually completely fine with NSA surveillance are aghast at this behavior, as both Glenn Greenwald and Trevor Timm explain. Greenwald:...
Windows 10 Whole-Disk Encryption without Key Escrow
On the Intercept, Micah Lee has a good article that talks about how Microsoft is collecting the hard-drive encryption keys of Windows 10 users, and how to disable that "feature."...
De-Anonymizing Users from their Coding Styles
Interesting blog post: We are able to de-anonymize executable binaries of 20 programmers with 96% correct classification accuracy. In the de-anonymization process, the machine learning classifier trains on 8 executable binaries for each programmer to generate numeric representations of their coding styles. Such a high accuracy with this small amount of training data has not been reached in previous attempts....
Friday Squid Blogging: Video of Live Giant Squid
Giant squid filmed swimming through a harbor in Japan: Reports in Japanese say that the creature was filmed on December 24, seen by an underwater camera swimming near boat moorings. It was reportedly about 13 feet long and 3 feet around. Some on Twitter have suggested that the species may be Architeuthis, a deep-ocean dwelling creature that can grow up...
Cory Doctorow on Software Security and the Internet of Things
Cory Doctorow has a good essay on software integrity and control problems and the Internet of Things. He's writing about self-driving cars, but the issue is much more general. Basically, we're going to want systems that prevent their owners from making certain changes to them. We know how to do this: digital rights management. We also know that this solution...
Another Scandal Resulting from E-mails Gone Public
A lot of Pennsylvania government officials are being hurt as a result of e-mails being made public. This is all the result of a political pressure to release the emails, and not an organizational doxing attack, but the effects are the same. Our psychology of e-mail doesn't match the reality. We treat them as ephemeral, even though they're not. And...
PayPal Authentication Still Substandard
Brian Krebs has the story. Bottom line: PayPal has no excuse for this kind of stuff. I hope the public shaming incents them to offer better authentication for their customers....
DMCA and the Internet of Things
In theory, the Internet of Things -- the connected network of tiny computers inside home appliances, household objects, even clothing -- promises to make your life easier and your work more efficient. These computers will communicate with each other and the Internet in homes and public spaces, collecting data about their environment and making changes based on the information they...
NSA/GCHQ Exploits Against Juniper Networking Equipment
As part of this article, The Intercept just published a 2011 GCHQ document outlining its exploit capabilities against Juniper networking equipment, including routers and NetScreen firewalls. GCHQ currently has capabilities against: Juniper NetScreen Firewalls models Ns5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. Some reverse engineering may be required depending on firmware revisions. Juniper...
Friday Squid Blogging: Squid Christmas
Squid sighting in this Christmas cartoon. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And Happy Christmas for those who celebrate it....
Burglary Footage Turned into Commercial
Earlier this month, a Las Vegas taco shop was robbed in the middle of the night. The restaurant took the surveillance-video footage and turned it into a combination commercial for their tacos and request for help identifying the burglars....
Police Dog Sniffs for Hard Drives
This weird story describes a "porn dog" that is trained to find hidden hard drives. It's used in child porn investigations. I suppose it's reasonable that computer disks have a particular chemical smell, but I wonder what it is....
Using Law Against Technology
On Thursday, a Brazilian judge ordered the text messaging service WhatsApp shut down for 48 hours. It was a monumental action. WhatsApp is the most popular app in Brazil, used by about 100 million people. The Brazilian telecoms hate the service because it entices people away from more expensive text messaging services, and they have been lobbying for months to...
More Writings on the Second Crypto Wars
Two things to read: "Wanting It Bad Enough Won't Make It Work: Why Adding Backdoors and Weakening Encryption Threatens the Internet," by Meredith Whittaker and Ben Laurie. "The Second Crypto War is Not about Crypto," by Jaap-Henk Hoepman....
"The Medieval Origins of Mass Surveillance"
This interesting article by medieval historian Amanda Power traces our culture's relationship with the concept of mass surveillance from the medieval characterization of the Christian god and how piety was policed by the church: What is all this but a fundamental trust in the experience of being watched? One must wonder about the subtle, unspoken fear of the consequences of...
Back Door in Juniper Firewalls
Juniper has warned about a malicious back door in their firewalls that lets a passive attacker decrypt VPN traffic. It's been there for years. Hopefully details are forthcoming, but the folks at Hacker News have pointed to this page about Juniper's use of the Dual_EC_DRBG random number generator. For those who don't immediately recognize that name, it's the pseudo-random-number generator that was back-doored...
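To make the Dual_EC concern concrete, here is an added example in Python; it is not Juniper's code and not from the post. It implements the Dual_EC_DRBG core on NIST P-256 with a Q chosen by the attacker as Q = d*P. Whoever knows d (equivalently e = d^-1 mod n, so that P = e*Q) can take one truncated output block, lift it back to the point s*Q, multiply by e to obtain s*P, and thereby learn the generator's next internal state; every later output is then predictable. The scalar d, the seed, the affine curve arithmetic and the attacker's brute force are all constructed for the example. The standard Q constant is deliberately not used, because the whole question is whether anyone holds a d for it. The example also drops 8 bits of each output instead of the standard 16, so the pure-Python search finishes in about a second rather than 2^16 candidate points.

```python
# Dual_EC_DRBG on NIST P-256 with an attacker-chosen Q (constructed example).
# Shows the Shumow/Ferguson observation: knowing d with Q = d*P turns one
# output block into the generator's next state.

# NIST P-256 domain parameters (public, FIPS 186-4).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P256_P == 0:
            return None
        lam = (3 * x1 * x1 + P256_A) * pow(2 * y1, -1, P256_P) % P256_P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P256_P) % P256_P
    x3 = (lam * lam - x1 - x2) % P256_P
    return (x3, (lam * (x1 - x3) - y1) % P256_P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Recover a curve point with the given x; p = 3 mod 4 so sqrt is one pow."""
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    y = pow(rhs, (P256_P + 1) // 4, P256_P)
    return (x, y) if y * y % P256_P == rhs else None


def dual_ec_outputs(state, P, Q, drop_bits, count):
    """SP 800-90A Dual_EC core: s <- x(s*P); r <- x(s*Q); emit the low bits of r."""
    mask = (1 << (256 - drop_bits)) - 1
    out = []
    for _ in range(count):
        state = ec_mul(state, P)[0]
        out.append(ec_mul(state, Q)[0] & mask)
    return out


def backdoored_params(d):
    """Whoever picked Q = d*P keeps e = d^-1 mod n, so that P = e*Q."""
    return G, ec_mul(d, G), pow(d, -1, P256_N)


def recover_state(out1, out2, Q, e, drop_bits):
    """Given two consecutive output blocks and e, return the internal state
    that produced out2, or None if no candidate fits."""
    mask = (1 << (256 - drop_bits)) - 1
    for hi in range(1 << drop_bits):          # brute-force the discarded top bits
        x = out1 | (hi << (256 - drop_bits))
        if x >= P256_P:
            continue
        R = lift_x(x)                          # candidate s*Q; the sign of y is irrelevant
        if R is None:
            continue
        sP = ec_mul(e, R)                      # e*(s*Q) = s*P, whose x is the next state
        if sP is None:
            continue
        s_next = sP[0]
        if (ec_mul(s_next, Q)[0] & mask) == out2:
            return s_next
    return None


def demo(drop_bits=8):
    """True when the attacker predicts all of the victim's later output.
    The standard generator drops 16 bits (2^16 candidates); 8 keeps this
    pure-Python run to roughly a second."""
    P, Q, e = backdoored_params(0x1A2B3C4D5E6F70818293A4B5C6D7E8F9)   # constructed d
    seed = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF  # constructed seed
    victim = dual_ec_outputs(seed, P, Q, drop_bits, 6)
    s = recover_state(victim[0], victim[1], Q, e, drop_bits)
    if s is None:
        return False
    return dual_ec_outputs(s, P, Q, drop_bits, 4) == victim[2:]


if __name__ == "__main__":
    print("state recovered and future output predicted:", demo())
```

The point to take away is that the output blocks look perfectly random to anyone without e, and no amount of black-box statistical testing distinguishes a backdoored Q from an honest one; the only protection is a Q whose discrete log with respect to P is provably unknown to everyone, which is exactly what the standard never provided.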
Friday Squid Blogging: Penguins Fight over Squid
Watch this video of gentoo penguins fighting over a large squid. This underwater brawl was captured on a video camera taped to the back of the second penguin, revealing this unexpected foraging behaviour for the first time. "This is completely new behaviour, not just for gentoo penguins but for penguins in general," says Jonathan Handley, a doctoral student at Nelson...
GCHQ Holiday Puzzle
If you like puzzles, GCHQ has one for you. Just don't let it distract you from fighting the UK legislation giving the GCHQ new surveillance powers....
25th Anniversary of the Landmark Unix Security Book
Gene Spafford writes about the history of Practical Unix Security....
Catalog of Police Surveillance Equipment
The Intercept has "a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies." Lots of detailed information about Stingrays and similar equipment....
User Errors Often Compromise Encryption
This should come as no surprise: users often compromise their own security by making mistakes setting up and using their encryption apps. Paper: "On the Security and Usability of Crypto Phones," by Maliheh Shirvanian and Nitesh Saxena, Proceedings of ACSAC 2015....
DOS Attack Against Los Angeles Schools
Yesterday, the city of Los Angeles closed all of its schools -- over 1,000 schools -- because of a bomb threat. It was a hoax. LA officials defended the move, with that city's police chief dismissing the criticism as "irresponsible." "It is very easy in hindsight to criticize a decision based on results the decider could never have known," Chief...
Attack Against DNS Root Servers
Has anyone been following the attack against the DNS root servers two weeks ago? Details. I can't precisely explain why, but this feels like someone testing an attack capability. For defense: it's long past time to implement source address validation (BCP 38 ingress filtering) at network edges, so that spoofed queries never reach the DNS system....
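To show what source address validation actually decides, here is an added example (not code from the post or from any root-server operator): the strict-mode uRPF / BCP 38 check of a customer-edge router, in Python, run over a constructed routing table and constructed packets. The root-server address 198.41.0.4 is a.root-servers.net; the interface names, customer prefixes and spoofed sources (taken from the RFC 5737 documentation ranges) are assumed for the example.

```python
import ipaddress

# Constructed routing table for an access/edge router: (prefix, egress interface).
# The topology is assumed for the example; it is not from the post.
ROUTES = [
    ("0.0.0.0/0", "upstream0"),        # default route towards the Internet
    ("203.0.113.0/24", "cust-a"),
    ("198.51.100.0/25", "cust-b"),
    ("198.51.100.128/25", "cust-c"),
]

# Constructed sample packets. 198.41.0.4 is a.root-servers.net; the spoofed
# sources come from the RFC 5737 documentation ranges.
PACKETS = [
    {"iface": "cust-a", "src": "203.0.113.10", "dst": "198.41.0.4", "dport": 53},    # real customer query
    {"iface": "cust-a", "src": "192.0.2.77", "dst": "198.41.0.4", "dport": 53},      # spoofed: source not behind cust-a
    {"iface": "cust-b", "src": "198.51.100.200", "dst": "198.41.0.4", "dport": 53},  # spoofed: a neighbour's address
    {"iface": "upstream0", "src": "192.0.2.1", "dst": "203.0.113.10", "dport": 53},  # reply arriving from upstream
]


def build_rib(routes):
    """Parse the table and order it longest prefix first, so the first hit wins."""
    rib = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    return sorted(rib, key=lambda entry: entry[0].prefixlen, reverse=True)


def egress_for(rib, addr):
    """Longest-prefix match: the interface this router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    for net, iface in rib:
        if ip in net:
            return iface
    return None


def urpf_strict_ok(rib, ingress, src):
    """BCP 38 / strict-mode uRPF: accept a packet only if the route back to its
    source address points at the interface the packet arrived on."""
    return egress_for(rib, src) == ingress


def filter_packets(rib, packets):
    """Apply the check to every packet; returns (kept, dropped)."""
    kept, dropped = [], []
    for pkt in packets:
        (kept if urpf_strict_ok(rib, pkt["iface"], pkt["src"]) else dropped).append(pkt)
    return kept, dropped


if __name__ == "__main__":
    rib = build_rib(ROUTES)
    kept, dropped = filter_packets(rib, PACKETS)
    for pkt in kept:
        print("forward", pkt["iface"], pkt["src"], "->", pkt["dst"])
    for pkt in dropped:
        print("drop   ", pkt["iface"], pkt["src"], "->", pkt["dst"],
              "(route to source is via", egress_for(rib, pkt["src"]), ")")
```

Strict mode belongs on customer and access interfaces, where return routing is symmetric and the router knows exactly which prefixes live behind each port; on peering and transit links with asymmetric routing it would drop legitimate traffic, which is why operators use loose mode (any route to the source exists) there. The spoofed queries in the sample are dropped at the first hop, before they can ever load a root server.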
Good Swatting Story
The New York Times Magazine has a good story about swatting, centering around a Canadian teenager who did it over a hundred times....
Friday Squid Blogging: Rare Octopus Squid Video from Hawaii
Neat: While the Dana octopus squid may lack a squid's trademark trailing tentacles, it makes up for them in spectacular lighting equipment, with two of its muscular arms ending in lidded light organs called "photophores." About the size of lemons, these photophores are the largest known light-producing organs in the animal kingdom, said Mike Vecchione, a zoologist at the NOAA...
Resilient Systems News: End-of-Year Trends Webinar
I'll be participating in an end-of-year trends and predictions webinar on Thursday, December 17, at 1:00 PM EST. Join me here. In other news, Resilient has joined the IBM Security App Exchange community. And we're still hiring for a bunch of positions....
Hit-and-Run Driver Arrested Because Car Reported Accident
A Florida woman drove away after an accident, but her car automatically reported it anyway. She was arrested....
How People Learn about Computer Security
Interesting research: "Identifying patterns in informal sources of security information," by Emilee Rader and Rick Wash, Journal of Cybersecurity, 1 Dec 2015. Abstract: Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as "Should I...
Terrifying Technologies
I've written about the difference between risk perception and risk reality. I thought about that when reading this list of Americans' top technology fears: cyberterrorism; corporate tracking of personal information; government tracking of personal information; robots replacing the workforce; trusting artificial intelligence to do work; robots; artificial intelligence; technology I don't understand. More at the link....
How Israel Regulates Encryption
Interesting essay about how Israel regulates encryption: ...the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel's system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber...
Forced Authorization Attacks Against Chip-and-Pin Credit Card Terminals
Clever: The way forced authorisation fraud works is that the retailer sets up the terminal for a transaction by inserting the customer's card and entering the amount, then hands the terminal over to the customer so they can type in the PIN. But the criminal has used a stolen or counterfeit card, and due to the high value of the...
Friday Squid Blogging: North Korean Squid Fisherman Found Dead in Boats
I don't know if you've been following the story of the boats full of corpses that have been found in Japanese waters: Over the past two months, at least 12 wooden boats have been found adrift or on the coast, carrying chilling cargo -- the decaying bodies of 22 people, police and Japan's coast guard said. All the bodies were...
BlackBerry Leaves Pakistan Rather Than Provide a Government Backdoor
BlackBerry has chosen to shut down operations in Pakistan rather than provide the government with backdoor access to encrypted communications. Pakistan is a relatively small market, but still....
The Moral Dimension of Cryptography
Phil Rogaway has written an excellent paper titled "The Moral Character of Cryptography Work." In it, he exhorts cryptographers to consider the morality of their research, and to build systems that enhance privacy rather than diminish it. It is very much worth reading....
Worldwide Cryptographic Products Survey: Edits and Additions Wanted
Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages. That is, I'm not interested in products that are specifically designed for a narrow application, like financial transactions, or products that...
Security vs. Business Flexibility
This article demonstrates that security is less important than functionality. When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility. But show them the money and things change, when the same people were asked if they would take...
Tracking Someone Using LifeLock
Someone opened a LifeLock account in his ex-wife's name, and used the service to track her bank accounts, credit cards, and other financial activities. The article is mostly about how appalling LifeLock was about this, but I'm more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect...
A History of Privacy
This New Yorker article traces the history of privacy from the mid 1800s to today: As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes...
Cryptanalysis of Algebraic Eraser
Algebraic Eraser is a public-key key-agreement protocol that's patented and being pushed by a company for the Internet of Things, primarily because it is efficient on small low-power devices. There's a new cryptanalytic attack. This is yet another demonstration of why you should not choose proprietary encryption over public algorithms and protocols. The good stuff is not patented. News article....
Friday Squid Blogging: Squid Necklace
She's calling it an octopus, but it's a squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Data and Goliath in German
The German edition of Data and Goliath has been published....
Defending against Actual IT Threats
Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations don't match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it....
NSA Lectures on Communications Security from 1973
Newly declassified: "A History of U.S. Communications Security (Volumes I and II)," the David G. Boak Lectures, National Security Agency (NSA), 1973. (The document was initially declassified in 2008. We just got a whole bunch of additional material declassified. Both versions are in the document, so you can compare and see what was kept secret seven years ago.)...
NSA Collected Americans' E-mails Even After it Stopped Collecting Americans' E-mails
In 2001, the Bush administration authorized -- almost certainly illegally -- the NSA to conduct bulk electronic surveillance on Americans: phone calls, e-mails, financial information, and so on. We learned a lot about the bulk phone metadata collection program from the documents provided by Edward Snowden, and it was the focus of debate surrounding the USA FREEDOM Act. E-mail metadata...
Policy Repercussions of the Paris Terrorist Attacks
In 2013, in the early days of the Snowden leaks, Harvard Law School professor and former Assistant Attorney General Jack Goldsmith reflected on the increase in NSA surveillance post 9/11. He wrote: Two important lessons of the last dozen years are (1) the government will increase its powers to meet the national security threat fully (because the People demand it),...
Voter Surveillance
There hasn't been that much written about surveillance and big data being used to manipulate voters. In Data and Goliath, I wrote: Unique harms can arise from the use of surveillance data in politics. Election politics is very much a type of marketing, and politicians are starting to use personalized marketing's capability to discriminate as a way to track voting...
Friday Squid Blogging: Squid Spawning in South Australian Waters
Divers are counting them: Squid gather and mate with as many partners as possible, then die, in an annual ritual off Rapid Head on the Fleurieu Peninsula, south of Adelaide. Department of Environment divers will check the waters and gather data on how many eggs are left by the spawning squid. No word on how many are expected. Ten? Ten...
Reputation in the Information Age
Reputation is a social mechanism by which we come to trust one another, in all aspects of our society. I see it as a security mechanism. The promise and threat of a change in reputation entices us all to be trustworthy, which in turn enables others to trust us. In a very real sense, reputation enables friendships, commerce, and everything...
RFID-Shielded, Ultra-Strong Duffel Bags
They're for carrying cash through dangerous territory: SDR Traveller caters to people who, for one reason or another, need to haul huge amounts of cash money through dangerous territory. The bags are made from a super strong, super light synthetic material designed for yacht sails, are RFID-shielded, and are rated by how much cash in US$100 bills each can carry....
Paris Terrorists Use Double ROT-13 Encryption
That is, no encryption at all. The Intercept has the story: "Yet news emerging from Paris -- as well as evidence from a Belgian ISIS raid in January -- suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted. European media outlets are reporting that the location of...
Ads Surreptitiously Using Sound to Communicate Across Devices
This is creepy and disturbing: Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser....
On CISA
I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They're now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.) Now that it's...
Refuse to Be Terrorized
Paul Krugman has written a really good update of my 2006 essay. Krugman: So what can we say about how to respond to terrorism? Before the atrocities in Paris, the West's general response involved a mix of policing, precaution, and military action. All involved difficult tradeoffs: surveillance versus privacy, protection versus freedom of movement, denying terrorists safe havens versus the...
Paris Attacks Blamed on Strong Cryptography and Edward Snowden
Well, that didn't take long: As Paris reels from terrorist attacks that have claimed at least 128 lives, fierce blame for the carnage is being directed toward American whistleblower Edward Snowden and the spread of strong encryption catalyzed by his actions. Now the Paris attacks are being used as an excuse to demand back doors. CIA Director John Brennan chimed in,...
Did Carnegie Mellon Attack Tor for the FBI?
There's pretty strong evidence that the team of researchers from Carnegie Mellon University who canceled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI. Details are in this Vice story and this Wired story (and these two follow-on Vice stories: https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users). And here's the reaction from the Tor Project. Nicholas Weaver guessed this back in January. The behavior...
Friday Squid Blogging: Squid Fishing Championship
It's an annual event in Hvar, Croatia....
Amazon Chooses Data and Goliath as a Best Book of 2015
Amazon chose Data and Goliath as one of its Best Books of 2015, in both the nonfiction and business categories....
Personal Data Sharing by Mobile Apps
Interesting research: "Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps," by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney. We tested 110 popular, free Android and iOS apps to look for apps that shared personal, behavioral, and location data with third parties. 73% of Android...
Testing the Usability of PGP Encryption Tools
"Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client," by Scott Ruoti, Jeff Andersen, Daniel Zappala, and Kent Seamons. Abstract: This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt...
Betting Ticket Forged Based on Selfie
This is an interesting story. Someone posts a photograph of herself holding a winning horse-race betting ticket, and someone else uses the data from the photograph to forge the ticket and claim the winnings. I have been thinking a lot about how technology is messing with our intuitions about risk and security. This is a good example of that....
Bypassing the iPhone Activation Lock
Clever man-in-the-middle attack....
Ransomware Is Getting Sophisticated
Some of the tricks that ransomware is using to get victims to pay up....
IT Security Is Still a Great Career Path
Jobs are plentiful and salaries are booming. I know from personal experience that demand far exceeds supply....
Linus Torvalds on Linux Security
Interesting interview. Slashdot thread....
Good Article on the Blockchain
The Economist published a really good article on the blockchain....
Friday Squid Blogging: The Symbiotic Relationship Between Squid and Bacteria
Margaret McFall-Ngai studies the symbiotic relationship between squid and the bacteria that live inside them. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Passwords by Mail
Julia Angwin's daughter is selling diceware passwords by mail....
The Effects of Surveillance on the Victims
Last month, the Cato Institute held its Second Annual Cato Surveillance Conference. It was an excellent event, with many interesting talks and panels. But there was one standout: a panel by victims of surveillance. Titled "The Feeling of Being Watched," it consisted of Assia Boundaoui, Faisal Gill, and Jumana Musa. It was very powerful and moving to hear them talk...
Analyzing Reshipping Mule Scams
Interesting paper: "Drops for Stuff: An Analysis of Reshipping Mule Scams." From a blog post: A cybercriminal (called operator) recruits unsuspecting citizens with the promise of a rewarding work-from-home job. This job involves receiving packages at home and having to re-ship them to a different address, provided by the operator. By accepting the job, people unknowingly become part of a...
$1M Bounty for iPhone Hack
I don't know whether to believe this story. Supposedly the startup Zerodium paid someone $1M for an iOS 9.1 and 9.2b hack. Bekrar and Zerodium, as well as its predecessor VUPEN, have a different business model. They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such...
Australia Is Testing Virtual Passports
Australia is going to be the first country to have virtual passports. Presumably, the passport data will be in the cloud somewhere, and you'll access it with an app or a URL or maybe just the passport number. On the one hand, all a passport needs to be is a pointer into a government database with all the relevant information...
The Rise of Political Doxing
Last week, CIA director John O. Brennan became the latest victim of what's become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive. It's called doxing -- sometimes doxxing -- from the word "documents." It emerged in...
Friday Squid Blogging: Baby Giant Squid Found
First ever examples of a baby giant squid have been found. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Onion on the State of IT Security
"China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems." It's only funny because it's true....
Weaknesses in the PLAID Protocol
In 2009, the Australian government released the Protocol for Lightweight Authentication of Identity (PLAID) protocol. It was recently analyzed (original paper is from 2014, but was just updated), and it's a security disaster. Matt Green wrote a good blog post back in 2014 that explains the problems. Slashdot thread. Reddit thread....
Flash Drive Lock
This device is clever: it's a three-digit combination lock that prevents a USB drive from being read. It's not going to keep out anyone serious, but is a great solution for the sort of casual security that most people need....
Tracking Connected Vehicles
Researchers have shown that it is both easy and cheap to surveil connected vehicles. The second link talks about various anonymization techniques, none of which I am optimistic about....
Why Is the NSA Moving Away from Elliptic Curve Cryptography?
In August, I wrote about the NSA's plans to move to quantum-resistant algorithms for its own cryptographic needs. Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the government's real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster -- to the stated reason...
The Doxing Trend
If the director of the CIA can't keep his e-mail secure, what hope do the rest of us have -- for our e-mail or any of our digital information? None, and that's why the companies that we entrust with our digital lives need to be required to secure it for us, and held accountable when they fail. It's not just...
The Need for Transparency in Surveillance
In Data and Goliath, I talk about the need for transparency, oversight, and accountability as the mechanism to allow surveillance when it is necessary, while preserving our security against excessive surveillance and surveillance abuse. James Losey has a new paper that discusses the need for transparency in surveillance. His conclusion: Available transparency reports from ICT companies demonstrate the rise in...
Ravens Can Identify Cheaters
Ravens have been shown to identify and remember cheaters among their unkindness....
Microsoft's Brad Smith on the Collapse of Safe Harbor
Microsoft's President Brad Smith has a blog post discussing what to do now that the US-EU safe-harbor agreement has collapsed. He outlines four steps: First, we need to ensure across the Atlantic that people's legal rights move with their data. This is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand...
Forensic Analysis of Smart Card Fraud
This paper describes what is almost certainly the most sophisticated chip-and-pin credit card fraud to date. News article. BoingBoing post....
Hacking Fitbit
This is impressive: "An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille says. "[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile ... the fitness tracker responds...
Police Want Genetic Data from Corporate Repositories
Both the FBI and local law enforcement are trying to get the genetic data stored at companies like 23andMe. No surprise, really. As NYU law professor Erin Murphy told the New Orleans Advocate regarding the Usry case, gathering DNA information is "a series of totally reasonable steps by law enforcement." If you're a cop trying to solve a crime, and...
Security Risks of Unpatched Android Software
A lot has been written about the security vulnerability resulting from outdated and unpatched Android software. The basic problem is that while Google regularly updates the Android software, phone manufacturers don't regularly push updates out to Android users. New research tries to quantify the risk: We are presenting a paper at SPSM next week that shows that, on average over...
How to Commandeer a Store PA System
If you call the proper phone extension, you have complete control over the public address system at a Target store....
Friday Squid Blogging: Squid Photos
"Terrifying" squid photos. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Mapping FinFisher Users
Citizen Lab continues to do excellent work exposing the world's cyber-weapons arms manufacturers. Its latest report attempts to track users of Gamma International's FinFisher: This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher's "anonymizing proxies"...
Breaking Diffie-Hellman with Massive Precomputation (Again)
The Internet is abuzz with this blog post and paper, speculating that the NSA is breaking the Diffie-Hellman key-exchange protocol in the wild through massive precomputation. I wrote about this at length in May when this paper was first made public. (The reason it's news again is that the paper was just presented at the ACM Computer and Communications Security...
Obama Administration Not Pursuing a Backdoor to Commercial Encryption
The Obama Administration is not pursuing a law that would force computer and communications manufacturers to add backdoors to their products for law enforcement. Sensibly, they concluded that criminals, terrorists, and foreign spies would use that backdoor as well. Score one for the pro-security side in the Second Crypto War. It's certainly not over. The FBI hasn't given up on...
Soviet Spying on US Selectric Typewriters
In the 1980s, the Soviet Union bugged the IBM Selectric typewriters in the U.S. Embassy in Moscow. This NSA document discusses how the US discovered the bugs and what we did about it. Codename is GUNMAN. Is this the world's first keylogger? Maybe....
Friday Squid Blogging: Japanese Squid Recipe
Delicious recipe of squid with cabbage, bean sprouts, and noodles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. EDITED TO ADD (10/9): Posted a day early by mistake....
I'm a Guest on "Adam Ruins Everything"
The show is about security theater. I am a disembodied head on a scooter. Here's a teaser. Here's the full episode (for pay, but cheap). The scooter idea was a hack when I couldn't find the time to fly to LA for live filming. The whole thing was a lot of fun....
SHA-1 Freestart Collision
There's a new cryptanalysis result against the hash function SHA-1: Abstract: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary...
Information in Your Boarding Pass's Bar Code
There's a lot of information, including the ability to get even more information....
European Court of Justice Rules Against Safe Harbor
The European Court of Justice ruled that sending personal data to the US violates their right to privacy: The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans' online information. The court said leaks from Edward J. Snowden, the former contractor for...
Autonomous Vehicles as Bombs
Good discussion of the issues. Now we need to think about solutions....
Automatic Face Recognition and Surveillance
ID checks were a common response to the terrorist attacks of 9/11, but they'll soon be obsolete. You won't have to show your ID, because you'll be identified automatically. A security camera will capture your face, and it'll be matched with your name and a whole lot of other information besides. Welcome to the world of automatic facial recognition. Those...
Friday Squid Blogging: Bobtail Squid Keeps Bacteria to Protect Its Eggs
The Hawaiian Bobtail Squid deposits bacteria on its eggs to keep them safe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Resilient Systems News
Former Raytheon chief scientist Bill Swanson has joined our board of directors. For those who don't know, Resilient Systems is my company. I'm the CTO, and we sell an incident-response management platform that...well...helps IR teams to manage incidents. It's a single hub that allows a team to collect data about an incident, assign and manage tasks, automate actions, integrate intelligence...
Stealing Fingerprints
The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we've now learned that the hackers stole fingerprint files for 5.6 million of them. This is fundamentally different from the data thefts we regularly read about in the news, and should give us pause before...
Existential Risk and Technological Advancement
AI theorist Eliezer Yudkowsky: "Every eighteen months, the minimum IQ necessary to destroy the world drops by one point." Oh, how I wish I said that....
Identifying CIA Officers in the Field
During the Cold War, the KGB was very adept at identifying undercover CIA officers in foreign countries through what was basically big data analysis. (Yes, this is a needlessly dense and very hard-to-read article. I think it's worth slogging through, though.)...
Spoofing Fitness Trackers
The website Unfitbits.com has a series of instructional videos on how to spoof fitness trackers, using such things as a metronome, pendulum, or power drill. With insurance companies like John Hancock offering discounts to people who allow them to verify their exercise program by opening up their fitness-tracker data, these are useful hacks. News article....
Volkswagen and Cheating Software
For the past six years, Volkswagen has been cheating on the emissions testing for its diesel cars. The cars' computers were able to detect when they were being tested, and temporarily alter how their engines worked so they looked much cleaner than they actually were. When they weren't being tested, they belched out 40 times the pollutants. Their CEO has...
How GCHQ Tracks Internet Users
The Intercept has a new story from the Snowden documents about The UK's GCHQ's surveillance of the Internet: The mass surveillance operation code-named KARMA POLICE was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom's electronic eavesdropping...
Good Article on the Sony Attack
Fortune has a three-part article on the Sony attack by North Korea. There's not a lot of tech here; it's mostly about Sony's internal politics regarding the movie and IT security before the attack, and some about their reaction afterwards. Despite what I wrote at the time, I now believe that North Korea was responsible for the attack. This is...
Friday Squid Blogging: Disney's Minigame Squid Wars
It looks like a Nintendo game. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Anti-Alien Security
You can wrap your house in tinfoil, but when you start shining bright lights to defend yourself against alien attack, you've gone too far. In general, society puts limits on what types of security you are allowed to use, especially when that use can affect others. You can't place landmines on your lawn or shoot down drones hovering over your...
People Who Need to Pee Are Better at Lying
No, really. Abstract: The Inhibitory-Spillover-Effect (ISE) on a deception task was investigated. The ISE occurs when performance in one self-control task facilitates performance in another (simultaneously conducted) self-control task. Deceiving requires increased access to inhibitory control. We hypothesized that inducing liars to control urination urgency (physical inhibition) would facilitate control during deceptive interviews (cognitive inhibition). Participants drank small (low-control) or...
Living in a Code Yellow World
In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mind-set." Here is his summary: In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept. In Yellow you bring yourself to the understanding...
Hacking the Game Show "Press Your Luck"
Fascinating story about a man who figured out how to hack the game show "Press Your Luck" in 1984....
Buying an Online Reputation
The story of a reporter who set up a fake business and then bought Facebook fans, Twitter followers, and online reviews. It was surprisingly easy and cheap....
Bringing Frozen Liquids through Airport Security
Gizmodo reports that UK airport security confiscates frozen liquids: "He told me that it wasn't allowed so I asked under what grounds, given it is not a liquid. When he said I couldn't take it I asked if he knew that for sure or just assumed. He grabbed his supervisor and the supervisor told me that 'the government does not...
SYNful Knock Attack Against Cisco Routers
FireEye is reporting the discovery of persistent malware that compromises Cisco routers: While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India. [...] The implant uses techniques that make it...
History of Hacktivism
Nice article by Dorothy Denning. Hacktivism emerged in the late 1980s at a time when hacking for fun and profit were becoming noticeable threats. Initially it took the form of computer viruses and worms that spread messages of protest. A good example of early hacktivism is "Worms Against Nuclear Killers (WANK)," a computer worm that anti-nuclear activists in Australia unleashed...
Friday Squid Blogging: Giant Squid Sculpture at Burning Man
It looks impressive, maybe 20-30 feet long: "I think this might be the coolest thing I have ever built," said Barry Crawford about his giant, metal squid that was installed at Burning Man. The sculpture is entirely made of found objects including half of a dropped airplane tank and a metal vegetable strainer. The eyeball opens and closes and the...
Smart Watch that Monitors Typing
Here's a watch that monitors the movements of your hand and can guess what you're typing. Using the watch's built-in motion sensors, more specifically data from the accelerometer and gyroscope, researchers were able to create a 3D map of the user's hand movements while typing on a keyboard. The researchers then created two algorithms, one for detecting what keys were...
Two Security Companies Battling It Out over Disclosures
Okay, this is weird. FireEye has gone to court to prevent ERNW from disclosing vulnerabilities in FireEye products. FireEye should know better. Here's FireEye's statement, BTW....
Self-Destructing Computer Chip
The chip is built on glass: Shattering the glass is straightforward. When the proper circuit is toggled, a small resistor within the substrate heats up until the glass shatters. According to Corning, it will continue shattering even after the initial break, rendering the entire chip unusable. The demo chip resistor was triggered by a photo diode that switched the circuit...
Anonymous Browsing at the Library
A rural New Hampshire library decided to install Tor on their computers and allow anonymous Internet browsing. The Department of Homeland Security pressured them to stop: A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department. DHS spokesman Shawn Neudauer said the agent was...
Child Arrested Because Adults Are Stupid
A Texas 9th-grader makes an electronic clock and brings it to school. Teachers immediately become stupid and call the police: The bell rang at least twice, he said, while the officers searched his belongings and questioned his intentions. The principal threatened to expel him if he didn't make a written statement, he said. "They were like, 'So you tried to...
Obama and the Security of the Waldorf Astoria Hotel
President Obama won't stay at the Waldorf Astoria Hotel in New York because of security concerns. The hotel "was bought last year by Chinese investors with deep ties to Beijing's ruling elite..." Why can't they just erect the security tent for him?...
Hacking Team, Computer Vulnerabilities, and the NSA
When the National Security Administration (NSA) -- or any government agency -- discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others' computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can...
Programming Errors Weaken bcrypt Hashes of Ashley Madison Passwords
Ashley Madison encrypted users' passwords using the bcrypt function. It's a secure password-encryption function, but two implementation programming mistakes allow millions of passwords to be easily decrypted. Ars Technica explains the problems....
Friday Squid Blogging: The Chemistry of Squid Camouflage
Interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Wanted: Cryptography Products for Worldwide Survey
In 1999, Lance Hoffman, David Balenson, and others published a survey of non-US cryptographic products. The point of the survey was to illustrate that there was a robust international market in these products, and that US-only export restrictions on strong encryption did nothing to prevent its adoption and everything to disadvantage US corporations. This was an important contribution during the...
Drone Self-Defense and the Law
Last month, a Kentucky man shot down a drone that was hovering near his backyard. WDRB News reported that the camera drone's owners soon showed up at the home of the shooter, William H. Merideth: "Four guys came over to confront me about it, and I happened to be armed, so that changed their minds," Merideth said. "They asked me,...
Cheating News from the Chess World
Chess player caught cheating at a tournament: "I kept on looking at him. He was always sitting down, he never got up. It was very strange; we are talking about hours and hours of playing. But most suspicious of all, he always had his arms folded with his thumb under his armpit. He never took it out." Mr Coqueraut said...
FBI and Apple's Encryption
The New York Times is reporting that Apple encryption is hampering an FBI investigation: In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones. Apple's response: Its iMessage system was encrypted and the company could not comply. Government officials had...
Animals vs. Drones
It's not just humans who dislike the small flying objects. YouTube has videos of drones being stared at quizzically by a moose, harassed by a raven, attacked by a hawk, butted by a ram, knocked out of the sky by a chimpanzee (who planned the whole thing) and a goose, and punched out of the sky by a kangaroo. And...
The Security Risks of Third-Party Data
Most of us get to be thoroughly relieved that our e-mails weren't in the Ashley Madison database. But don't get too comfortable. Whatever secrets you have, even the ones you don't think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there's largely nothing you can do about it....
Remotely Hacking a Car While It's Driving
This is a big deal. Hackers can remotely hack the Uconnect system in cars just by knowing the car's IP address. They can disable the brakes, turn on the AC, blast music, and disable the transmission: The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway....
Malcolm Gladwell on Competing Security Models
In this essay/review of a book on UK intelligence officer and Soviet spy Kim Philby, Malcolm Gladwell makes this interesting observation: Here we have two very different security models. The Philby-era model erred on the side of trust. I was asked about him, and I said I knew his people. The "cost" of the high-trust model was Burgess, Maclean, and...
Organizational Doxing of Ashley Madison
The -- depending on who is doing the reporting -- cheating, affair, adultery, or infidelity site Ashley Madison has been hacked. The hackers are threatening to expose all of the company's documents, including internal e-mails and details of its 37 million customers. Brian Krebs writes about the hackers' demands. According to the hackers, although the "full delete" feature that Ashley...
Google's Unguessable URLs
Google secures photos using public but unguessable URLs: So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you'd have to work through 10^70 different combinations to get the...
Friday Squid Blogging: Squid Giving Birth
I may have posted this short video before, but if I did, I can't find it. It's four years old, but still pretty to watch. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Using Secure Chat
Micah Lee has a good tutorial on installing and using secure chat. To recap: We have installed Orbot and connected to the Tor network on Android, and we have installed ChatSecure and created an anonymous secret identity Jabber account. We have added a contact to this account, started an encrypted session, and verified that their OTR fingerprint is correct. And...
ProxyHam Canceled
The ProxyHam project (and associated Def Con talk) has been canceled under mysterious circumstances. No one seems to know anything, and conspiracy theories abound....
Crypto-Gram Is Moving
If you subscribe to my monthly e-mail newsletter, Crypto-Gram, you need to read this. Sometime between now and the August issue, the Crypto-Gram mailing list will be moving to a new host. When the move happens, you'll get an e-mail asking you to confirm your subscription. In the e-mail will be a link that you will have to click in...
Human and Technology Failures in Nuclear Facilities
This is interesting: We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted "work for peace not war" on the...
NSA Antennas
Interesting article on the NSA's use of multi-beam antennas for surveillance. Certainly smart technology; it can eavesdrop on multiple targets per antenna. I'm surprised by how behind the NSA was on this technology. It's from at least 1973, and there was some commercialization as far back as 1981. Why did it take the NSA/GCHQ until 2010 to install this? Here's...
Friday Squid Blogging: My Little Cephalopod
A cute series of knitted plushies. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
High-tech Cheating on Exams
India is cracking down on people who use technology to cheat on exams: Candidates have been told to wear light clothes with half-sleeves, and shirts that do not have big buttons. They cannot wear earrings and carry calculators, pens, handbags and wallets. Shoes have also been discarded in favour of open slippers. In India students cheating in exams have been...
Organizational Doxing
Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It's a huge trove, and already reporters are writing stories about the highly secretive government. What Saudi Arabia is experiencing isn't common but part of a growing trend. Just last week, unknown hackers broke into the network of the...
The Risks of Mandating Back Doors in Encryption Products
Monday a group of cryptographers and security experts released a major paper outlining the risks of government-mandated back-doors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller,...
Amazon Is Analyzing the Personal Relationships of Its Reviewers
This is an interesting story of a reviewer who had her reviewer deleted because Amazon believed she knew the author personally. Leaving completely aside the ethics of friends reviewing friends' books, what is Amazon doing conducting this kind of investigative surveillance? Do reviewers know that Amazon is keeping tabs on who their friends are?...
More on Hacking Team
Read this: Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team's "crisis procedure," it could have killed their operations remotely. The company, in fact, has "a backdoor" into every customer's software, giving it ability to suspend it or shut it down -- something that even customers aren't...
More about the NSA's XKEYSCORE
I've been reading through the 48 classified documents about the NSA's XKEYSCORE system released by the Intercept last week. From the article: The NSA's XKEYSCORE program, first revealed by The Guardian, sweeps up countless people's Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that...
Hacking Team Is Hacked
Someone hacked the cyberweapons arms manufacturer Hacking Team and posted 400 GB of internal company data. Hacking Team is a pretty sleazy company, selling surveillance software to all sorts of authoritarian governments around the world. Reporters Without Borders calls it one of the enemies of the Internet. Citizen Lab has published many reports about their activities. It's a huge trove...
NSA German Intercepts
On Friday, WikiLeaks published three summaries of NSA intercepts of German government communications. To me, the most interesting thing is not the intercept analyses, but this spreadsheet of intelligence targets. Here we learn the specific telephone numbers being targeted, who owns those phone numbers, the office within the NSA that processes the raw communications received, why the target is being...
Friday Squid Blogging: Squid Fishing in the Gulf of Thailand
Long article about a very lucrative squid-fishing industry that involves bribing the Cambodian Navy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Rabbit Beating Up Snake
It's the Internet, which means there must be cute animal videos on this blog. But this one is different. Watch a mother rabbit beat up a snake to protect her children. It's impressive the way she keeps attacking the snake until it is far away from her nest, but I worry that she doesn't know enough to grab the snake...
Clever System of Secure Distributed Computation
This is really clever: Enigma's technique -- what cryptographers call "secure multiparty computation" -- works by mimicking a few of the features of bitcoin's decentralized network architecture: It encrypts data by splitting it up into pieces and randomly distributing indecipherable chunks of it to hundreds of computers in the Enigma network known as "nodes." Each node performs calculations on its...
Details of the NSA's XKEYSCORE
The Intercept has published a highly detailed two-part article on how the NSA's XKEYSCORE works, including a huge number of related documents from the Snowden archive. So much to digest. Please post anything interesting you notice in the comments....
Office of Personnel Management Data Hack
I don't have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren't any more secure than corporate networks, and might even be less secure. I agree with Ben Wittes here (although not the imaginary...
Twitter Followers: Please Use the Correct Feed
The official Twitter feed for my blog is @schneierblog. The account @Bruce_Schneier also mirrors my blog, but it is not mine. I have nothing to do with it, and I don't know who owns it. Normally I wouldn't mind, but the unofficial blog fails intermittently. Also, @Bruce_Schneier follows people who then think I'm following them. I'm not; I never log...
Tracking the Psychological Effects of the 9/11 Attacks
Interesting research from 2012: "The Dynamics of Evolving Beliefs, Concerns, Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples": Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came from 8,070 participants of 10 ABC and CBS News polls collected...
TEMPEST Attack
There's a new paper on a low-cost TEMPEST attack against PC cryptography: We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The...
Migrating from SHA-1 to SHA-2
Here's a comprehensive document on migrating from SHA-1 to SHA-2 in Active Directory certificates....
Friday Squid Blogging: Classic Gary Larson Squid Cartoon
I have always liked this one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Other GCHQ News from Snowden
There are two other Snowden stories this week about GCHQ: one about its hacking practices, and the other about its propaganda and psychology research. The second is particularly disturbing: While some of the unit's activities are focused on the claimed areas, JTRIG also appears to be intimately involved in traditional law enforcement areas and U.K.-specific activity, as previously unpublished documents...
NSA and GCHQ Attacked Antivirus Companies
On Monday, the Intercept published a new story from the Snowden documents: The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the...
Yet Another Leaker -- with the NSA's French Intercepts
Wikileaks has published some NSA SIGINT documents describing intercepted French government communications. This seems not to be from the Snowden documents. It could be one of the other NSA leakers, or it could be someone else entirely. As leaks go, this isn't much. As I've said before, spying on foreign leaders is the kind of thing we want the NSA to...
Baseball Hacking: Cardinals vs. Astros
I think this is the first case of one professional sports team hacking another. No idea if it was an official operation, or a couple of employees doing it on their own initiative....
What is the DoD's Position on Backdoors in Security Systems?
In May, Admiral James A. Winnefeld, Jr., vice-chairman of the Joint Chiefs of Staff, gave an address at the Joint Service Academies Cyber Security Summit at West Point. After he spoke for twenty minutes on the importance of Internet security and a good national defense, I was able to ask him a question (32:42 mark) about security versus surveillance: Bruce...
Hayden Mocks NSA Reforms
Former NSA Director Michael Hayden recently mocked the NSA reforms in the recently passed USA Freedom Act: If somebody would come up to me and say, "Look, Hayden, here's the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you're going to be required...
Why We Encrypt
Encryption protects our data. It protects our data when it's sitting on our computers and in data centers, and it protects it when it's being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives. This protection is important for everyone. It's easy...
History of the First Crypto War
As we're all gearing up to fight the Second Crypto War over governments' demands to be able to back-door any cryptographic system, it pays for us to remember the history of the First Crypto War. The Open Technology Institute has written the story of those years in the mid-1990s. The act that truly launched the Crypto Wars was the White...
The Secrecy of the Snowden Documents
Last weekend, the Sunday Times published a front-page story (full text here), citing anonymous British sources claiming that both China and Russia have copies of the Snowden documents. It's a terrible article, filled with factual inaccuracies and unsubstantiated claims about both Snowden's actions and the damage caused by his disclosure, and others have thoroughly refuted the story. I want to...
Friday Squid Blogging: Squid Salad Servers
Nice. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Counterfeit Social Media Accounts
Interesting article on the inner workings of a Facebook account farm, with commentary on fake social media accounts in general....
Hacking Drug Pumps
When you connect hospital drug pumps to the Internet, they're hackable -- only surprising people who aren't paying attention. Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company "didn't believe it could be done." Hospira insisted there was "separation" between the communications module and the circuit board that...
Research on The Trade-off Between Free Services and Personal Data
New report: "The Tradeoff Fallacy: How marketers are misrepresenting American consumers and opening them up to exploitation." New Annenberg survey results indicate that marketers are misrepresenting a large majority of Americans by claiming that Americans give out information about themselves as a tradeoff for benefits they receive. To the contrary, the survey reveals most Americans do not believe that 'data...
Peter Swire on the USA FREEDOM Act
Peter Swire, law professor and one of the members of the President's review group on the NSA, writes about intelligence reform and the USA FREEDOM Act....
Encrypting Windows Hard Drives
Encrypting your Windows hard drives is trivially easy; choosing which program to use is annoyingly difficult. I still use Windows -- yes, I know, don't even start -- and have intimate experience with this issue. Historically, I used PGP Disk. I used it because I knew and trusted the designers. I even used it after Symantec bought the company. But...
Eighth Movie-Plot Threat Contest Winner
On April 1, I announced the Eighth Movie-Plot Threat Contest: I want a movie-plot threat that shows the evils of encryption. (For those who don't know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We've long heard about the evils of the...
Friday Squid Blogging: Dancing Zombie Squid
How dead squid is made to dance when soy sauce is poured on it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Uh Oh -- Robots Are Getting Good with Samurai Swords
It's Iaido, not sword fighting, but still. Of course, the two didn't battle each other, but competed in Iaido tests like cutting mats and flowers in various cross-sectional directions. A highlight was when the robot horizontally sliced string beans measuring just 1cm in thickness! At the end, the ultimate test unfolds: the famous 1,000 iaido sword cut challenge. Ultimately, both...
The History of Internet Insecurity
The Washington Post has a good two-part story on the history of insecurity of the Internet....
Duqu 2.0
Kaspersky Labs has discovered and publicized details of a new nation-state surveillance malware system, called Duqu 2.0. It's being attributed to Israel. There are a lot of details, and I recommend reading them. There was probably a Kerberos zero-day vulnerability involved, allowing the attackers to send updates to Kaspersky's clients. There's code specifically targeting anti-virus software, both Kaspersky and others. The...
Security and Human Behavior (SHB 2015)
Earlier this week, I was at the eighth Workshop on Security and Human Behavior. This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, biologists, anthropologists, business school professors, neuroscientists, and a smattering of others....
Reassessing Airport Security
News that the Transportation Security Administration missed a whopping 95% of guns and bombs in recent airport security "red team" tests was justifiably shocking. It's clear that we're not getting value for the $7 billion we're paying the TSA annually. But there's another conclusion, inescapable and disturbing to many, but good news all around: we don't need $7 billion worth...
Should Companies Do Most of Their Computing in the Cloud? (Part 3)
Cloud computing is the future of computing. Specialization and outsourcing make society more efficient and scalable, and computing isn't any different. But why aren't we there yet? Why don't we, in Simon Crosby's words, "get on with it"? I have discussed some reasons: loss of control, new and unquantifiable security risks, and -- above all -- a lack of trust....
Should Companies Do Most of Their Computing in the Cloud? (Part 2)
Let me start by describing two approaches to the cloud. Most of the students I meet at Harvard University live their lives in the cloud. Their e-mail, documents, contacts, calendars, photos and everything else are stored on servers belonging to large internet companies in America and elsewhere. They use cloud services for everything. They converse and share on Facebook and...
Should Companies Do Most of Their Computing in the Cloud? (Part 1)
Yes. No. Yes. Maybe. Yes. Okay, it's complicated. The economics of cloud computing are compelling. For companies, the lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits. Computing is infrastructure, like cleaning, payroll, tax preparation and legal services. All of these are outsourced. And...
The Effects of Near Misses on Risk Decision-Making
This is interesting research: "How Near-Miss Events Amplify or Attenuate Risky Decision Making," Catherine H. Tinsley, Robin L. Dillon, and Matthew A. Cronin. In the aftermath of many natural and man-made disasters, people often wonder why those affected were underprepared, especially when the disaster was the result of known or regularly occurring hazards (e.g., hurricanes). We study one contributing factor:...
Surveillance Law and Surveillance Studies
Interesting paper by Julie Cohen: Abstract: The dialogue between law and Surveillance Studies has been complicated by a mutual misrecognition that is both theoretical and temperamental. Legal scholars are inclined to consider surveillance simply as the (potential) subject of regulation, while scholarship in Surveillance Studies often seems not to grapple with the ways in which legal processes and doctrines are...
Tracking People By Smart Phone Accelerometers
Interesting research: "We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones": Abstract: Motion sensors (e.g., accelerometers) on smartphones have been demonstrated to be a powerful side channel for attackers to spy on users' inputs on touchscreen. In this paper, we reveal another motion accelerometer-based attack which is particularly serious: when a person takes...
Friday Squid Blogging: Giant Squid Lore
Legends of giant squid go back centuries: In his book "The Search for the Giant Squid" marine biologist Richard Ellis notes that "There is probably no apparition more terrifying than a gigantic, saucer-eyed creature of the depths... Even the man-eating shark pales by comparison to such a horror... An animal that can reach a length of 60 feet is already...
US Identifies and Destroys ISIS Headquarters Because of "Selfie"
The news media is buzzing about how the US military identified the location of an ISIS HQ because someone there took a photo and posted it. Quoting Air Force General Hawk Carlisle, head of Air Combat Command: "The guys that were working down out of Hurlburt, they're combing through social media and they see some moron standing at this command....
NSA Running a Massive IDS on the Internet Backbone
The latest story from the Snowden documents, co-published by The New York Times and ProPublica, shows that the NSA is operating a signature-based intrusion detection system on the Internet backbone: In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to...
Yet Another New Biometric: Brainprints
New research: In "Brainprint," a newly published study in academic journal Neurocomputing, researchers from Binghamton University observed the brain signals of 45 volunteers as they read a list of 75 acronyms, such as FBI and DVD. They recorded the brain's reaction to each group of letters, focusing on the part of the brain associated with reading and recognizing words, and...
2015 EPIC Champions of Freedom Dinner
Monday night, EPIC -- that's the Electronic Privacy Information Center -- had its annual Champions of Freedom Dinner. I tell you this for two reasons. One, I received a Lifetime Achievement Award. (I was incredibly honored to receive this, and I thank EPIC profusely.) And two, Apple's CEO Tim Cook received a Champion of Freedom Award. His acceptance speech, delivered...
Smart Billboards Recognize Cops
There are smart billboards in Russia that change what they display when cops are watching. Of course there are a gazillion ways this kind of thing will go wrong. I'm more interested in the general phenomenon of smart devices identifying us automatically and without our knowledge....
TSA Not Detecting Weapons at Security Checkpoints
This isn't good: An internal investigation of the Transportation Security Administration revealed security failures at dozens of the nation's busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95 percent of trials, ABC News has learned. The series of tests were conducted by Homeland Security Red Teams who pose as passengers, setting...
Fun NSA Surveillance Quizzes
Okay, maybe not so fun. Quiz 1: "Just How Kafkaesque is the Court that Oversees NSA Spying?" Quiz 2: "Can You Tell the Difference Between Bush and Obama on the Patriot Act?" It's been fourteen hours since a few provisions of the Patriot Act have expired, and the world hasn't come to an end -- at least so far....
US Also Tried Stuxnet Against North Korea
According to a Reuters article, the US military tried to launch Stuxnet against North Korea in addition to Iran: According to one U.S. intelligence source, Stuxnet's developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine. But U.S. agents could not access the core machines that ran Pyongyang's nuclear weapons program, said...
Friday Squid Blogging: Nutty Conspiracy Theory Involving Both the NSA and SQUID
It's almost as if they wrote it for me. These devices, which are known as super conducting quantum interference devices (SQUIDS for short), can be attached to NSA signals intelligence satellites and used to track the electromagnetic fields which surround each of our bodies. These devices make it possible for agencies like the NSA (National Security Agency) to track any...
UN Report on the Value of Encryption to Freedom World-Wide
The United Nations Office of the High Commissioner released a report on the value of encryption and anonymity to the world: Summary: In the present report, submitted in accordance with Human Rights Council resolution 25/2, the Special Rapporteur addresses the use of encryption and anonymity in digital communications. Drawing from research on international and national norms and jurisprudence, and the input...
Ransomware as a Service
Tox is an outsourced ransomware platform that everyone can use....
MOOC on Cybersecurity
The University of Adelaide is offering a new MOOC on "Cyberwar, Surveillance and Security." Here's a teaser video. I was interviewed for the class, and make a brief appearance in the teaser....
Terrorist Risks by City, According to Actual Data
I don't know enough about the methodology to judge it, but it's interesting: In total, 64 cities are categorised as 'extreme risk' in Verisk Maplecroft's new Global Alerts Dashboard (GAD), an online mapping and data portal that logs and analyses every reported terrorism incident down to levels of 100m² worldwide. Based on the intensity and frequency of attacks in the...
Race Condition Exploit in Starbucks Gift Cards
A researcher was able to steal money from Starbucks by exploiting a race condition in their gift-card value-transfer protocol. Basically, by initiating two identical web transfers at once, he was able to trick the system into recording them both. Normally, you could take a $5 gift card and move that money to another $5 gift card, leaving you with an...
Stink Bombs for Riot Control
They're coming to the US: It's called Skunk, a type of "malodorant," or in plainer language, a foul-smelling liquid. Technically nontoxic but incredibly disgusting, it has been described as a cross between "dead animal and human excrement." Untreated, the smell lingers for weeks. The Israeli Defense Forces developed Skunk in 2008 as a crowd-control weapon for use against Palestinians. Now...
Story of the ZooKeeper Poison-Packet Bug
Interesting story of a complex and deeply hidden bug -- with AES as a part of it....
Friday Squid Blogging: Giant Squid Washes Up in New Zealand
The latest one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
USPS Tracking Queries to Its Package Tracking Website
A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website....
Why the Current Section 215 Reform Debate Doesn't Matter Much
The ACLU's Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA. There were 180 orders authorized last year by the FISA Court under Section 215 -- 180 orders issued by this court. Only five...
New Pew Research Report on Americans' Attitudes on Privacy, Security, and Surveillance
This is interesting: The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used....
The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange
Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically: The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the...
Research on Patch Deployment
New research indicates that it's very hard to completely patch systems against vulnerabilities: It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple...
Spy Dust
Used by the Soviet Union during the Cold War: A defecting agent revealed that powder containing both luminol and a substance called nitrophenyl pentadien (NPPD) had been applied to doorknobs, the floor mats of cars, and other surfaces that Americans living in Moscow had touched. They would then track or smear the substance over every surface they subsequently touched....
More on Chris Roberts and Avionics Security
Last month I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight: But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight...
United Airlines Offers Frequent Flier Miles for Finding Security Vulnerabilities
Vulnerabilities on the website only, not in airport security or in the avionics....
Friday Squid Blogging: NASA's Squid Rover
NASA is funding a study for a squid rover that could explore Europa's oceans. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Microbe Biometric
Interesting: Franzosa and colleagues used publicly available microbiome data produced through the Human Microbiome Project (HMP), which surveyed microbes in the stool, saliva, skin, and other body sites from up to 242 individuals over a months-long period. The authors adapted a classical computer science algorithm to combine stable and distinguishing sequence features from individuals' initial microbiome samples into individual-specific "codes."...
Eighth Movie-Plot Threat Contest Semifinalists
On April 1, I announced the Eighth Movie Plot Threat Contest: demonstrate the evils of encryption. Not a whole lot of good submissions this year. Possibly this contest has run its course, and there's not a whole lot of interest left. On the other hand, it's heartening to know that there aren't a lot of encryption movie-plot threats out there....
In Which I Collide with Admiral Rogers
Universe does not explode. Photo here....
Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit
Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about. First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes to everyone. Ability to generate and share...
License Plate Scanners Hidden in Fake Cactus
The city of Paradise Valley, AZ, is hiding license plate scanners in fake cactus plants....
German Cryptanalysis of the M-209
This 1947 document describes a German machine to cryptanalyze the American M-209 mechanical encryption machine. I can't figure out anything about how it works....
Amateurs Produce Amateur Cryptography
Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis. All cryptographers know this, but non-cryptographers do not. And this is why we repeatedly see bad amateur cryptography in fielded systems. The latest is the cryptography in the...
More on the NSA's Capabilities
Ross Anderson summarizes a meeting in Princeton where Edward Snowden was "present." Third, the leaks give us a clear view of an intelligence analyst's workflow. She will mainly look in Xkeyscore which is the Google of 5eyes comint; it's a federated system hoovering up masses of stuff not just from 5eyes own assets but from other countries where the NSA...
Friday Squid Blogging: Squid Chair
Squid chair. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Stealing a Billion
It helps if you own the banks: The report said Shor and his associates worked together in 2012 to buy a controlling stake in three Moldovan banks and then gradually increased the banks' liquidity through a series of complex transactions involving loans being passed between the three banks and foreign entities. The three banks then issued multimillion-dollar loans to companies...
Online Dating Scams
Interesting research: We identified three types of scams happening on Jiayuan. The first one involves advertising of escort services or illicit goods, and is very similar to traditional spam. The other two are far more interesting and specific to the online dating landscape. One type of scammers are what we call swindlers. For this scheme, the scammer starts a long-distance...
Another Example of Cell Phone Metadata Forensic Surveillance
Matthew Cole explains how the Italian police figured out how the CIA kidnapped Abu Omar in Milan. Interesting use of cell phone metadata, showing how valuable it is for intelligence purposes....
An Example of Cell Phone Metadata Forensic Surveillance
In this long article on the 2005 assassination of Rafik Hariri in Beirut, there's a detailed section on what the investigators were able to learn from the cell phone metadata: At Eid's request, a judge ordered Lebanon's two cellphone companies, Alfa and MTC Touch, to produce records of calls and text messages in Lebanon in the four months before the...
The NSA's Voice-to-Text Capabilities
New article from the Intercept based on the Snowden documents....
Easily Cracking a Master Combination Lock
Impressive. Kamkar told Ars his Master Lock exploit started with a well-known vulnerability that allows Master Lock combinations to be cracked in 100 or fewer tries. He then physically broke open a combination lock and noticed the resistance he observed was caused by two lock parts that touched in a way that revealed important clues about the combination. (He likened...
Detecting QUANTUMINSERT
Fox-IT has a blog post (and has published Snort rules) on how to detect man-on-the-side Internet attacks like the NSA's QUANTUMINSERT. From a Wired article: But hidden within another document leaked by Snowden was a slide that provided a few hints about detecting Quantum Insert attacks, which prompted the Fox-IT researchers to test a method that ultimately proved to be...
Digital Privacy Public Service Announcement
I thought this was very well done....
Ears as a Biometric
It's an obvious biometric for cell phones: Bodyprint recognizes users by their ears with 99.8% precision with a false rejection rate of only 1 out of 13. Grip, too. News story....
Measuring the Expertise of Burglars
New research paper: "New methods for examining expertise in burglars in natural and simulated environments: preliminary findings": Expertise literature in mainstream cognitive psychology is rarely applied to criminal behaviour. Yet, if closely scrutinised, examples of the characteristics of expertise can be identified in many studies examining the cognitive processes of offenders, especially regarding residential burglary. We evaluated two new methodologies...
Protecting Against Google Phishing in Chrome
Google has a new Chrome extension called "Password Alert": To help keep your account safe, today we're launching Password Alert, a free, open-source Chrome extension that protects your Google and Google Apps for Work Accounts. Once you've installed it, Password Alert will show you a warning if you type your Google password into a site that isn't a Google sign-in...
Remote Proctoring and Surveillance
Interesting article. There are a lot of surveillance and privacy issues at play here....
Shaking Someone Down for His Password
A drug dealer claims that the police leaned him over an 18th floor balcony and threatened to kill him if he didn't give up his password. One of the policemen involved corroborates this story. This is what's known as "rubber-hose cryptanalysis," well-described in this xkcd cartoon....
Nice Essay on Security Snake Oil
This is good: Just as "data" is being sold as "intelligence", a lot of security technologies are being sold as "security solutions" rather than what they for the most part are, namely very narrow focused appliances that as a best case can be part of your broader security effort. Too many of these appliances do unfortunately not easily integrate with...
The Further Democratization of Stingray
Stingray is the code name for an IMSI-catcher, which is basically a fake cell phone tower sold by Harris Corporation to various law enforcement agencies. (It's actually just one of a series of devices with fish names -- Amberjack is another -- but it's the name used in the media.) What it basically does is trick nearby cell phones into...
Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid
Interesting: While most female squid and octopuses have just one reproductive cycle before they die, vampire squid go through dozens of egg-making cycles in their lifetimes, scientists have found. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Signed Copies of Data and Goliath
You can now order signed copies of Data and Goliath from my website....
Federal Trade Commissioner Julie Brill on Obscurity
I think this is good: Obscurity means that personal information isn't readily available to just anyone. It doesn't mean that information is wiped out or even locked up; rather, it means that some combination of factors makes certain types of information relatively hard to find. Obscurity has always been an important component of privacy. It is a helpful concept because...
The Further Democratization of QUANTUM
From Data and Goliath: ...when I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection -- basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was...
An Incredibly Insecure Voting Machine
Wow: The weak passwords -- which are hard-coded and can't be changed -- were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network's encryption key....
"Hinky" in Action
In Beyond Fear I wrote about trained officials recognizing "hinky" and how it differs from profiling: Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car's trunk, even...
Hacking Airplanes
Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some "Die Hard" reboot, but it's actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes. It's certainly...
Hacker Detained by FBI After Tweeting About Airplane Software Vulnerabilities
This is troubling: Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane's engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft's functions,...
Counting the US Intelligence Community Leakers
It's getting hard to keep track of the US intelligence community leakers without a scorecard. So here's my attempt: Leaker #1: Chelsea Manning. Leaker #2: Edward Snowden. Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this...
New Top Secret Information on the US's Drone Program
New operational information on the US's drone program, published by the Intercept and Der Spiegel....
Friday Squid Blogging: Squid Hoodie
This is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The No-Fly List and Due Process
The Congressional Research Service has released a report on the no-fly list and current litigation that it violates due process....
How Many Vulnerabilities Are There in Software?
Dan Geer proposes some techniques for answering this question....
Metal Detectors at Sports Stadiums
Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they're nothing of the sort. They're pure security theater: They look good without doing anything to make us safer. We're stuck with them because of a combination of buck passing, CYA thinking, and fear....
John Oliver Interviews Edward Snowden
Wow, what an amazing segment and interview....
Two Thoughtful Essays on the Future of Privacy
Paul Krugman argues that we'll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them: Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today -- that is, that what affluent people will want in the future is, in...
China's Great Cannon
Citizen Lab has issued a report on China's "Great Cannon" attack tool, used in the recent DDoS attack against GitHub. We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the "Great Cannon." The Great Cannon is not simply...
Alternatives to the FBI's Manufacturing of Terrorists
John Mueller suggests an alternative to the FBI's practice of encouraging terrorists and then arresting them for something they would never have planned on their own: The experience with another case can be taken to suggest that there could be an alternative, and far less costly, approach to dealing with would-be terrorists, one that might generally (but not always)...
Attacking Researchers Who Expose Voting Vulnerabilities
Researchers found voting-system flaws in New South Wales, and were attacked by voting officials and the company that made the machines....
Lone-Wolf Terrorism
The Southern Poverty Law Center warns of the rise of lone-wolf terrorism. From a security perspective, lone wolves are much harder to prevent because there is no conspiracy to detect. The long-term trend away from violence planned and committed by groups and toward lone wolf terrorism is a worrying one. Authorities have had far more success penetrating plots concocted by...
Cell Phone Opsec
Here's an article on making secret phone calls with cell phones. His step-by-step instructions for making a clandestine phone call are as follows: Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren't changing locations); Leave your daily cell phone behind...
Friday Squid Blogging: Giant Squid Video
Giant squid caught on video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Friday Squid Blogging: The Longfin Inshore Squid Regularly Rewrites Its Own DNA
Wow. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
TrueCrypt Security Audit Completed
The security audit of the TrueCrypt code has been completed (see here for the first phase of the audit), and the results are good. Some issues were found, but nothing major. From Matthew Green, who is leading the project: The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC...
Ugly Mail: Gmail Extension to Expose E-mail Tracking
Nice idea, but I would like it to work for other browsers and other e-mail programs....
The Eighth Movie-Plot Threat Contest
It's April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really -- that's the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats: "We're drifting toward a place where...
Survey of Americans' Privacy Habits Post-Snowden
Pew Research has a new survey on Americans' privacy habits in a post-Snowden world. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies: 34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide...
Chinese CA Issuing Fraudulent Certificates
There's a Chinese CA that's issuing fraudulent Google certificates. Yet another example of why the CA model is so broken....
Australia Outlaws Warrant Canaries
In the US, certain types of warrants can come with gag orders preventing the recipient from disclosing the existence of the warrant to anyone else. A warrant canary is basically a legal hack of that prohibition. Instead of saying "I just received a warrant with a gag order," the potential recipient keeps repeating "I have not received any warrants." If the...
Brute-Forcing iPhone PINs
This is a clever attack, using a black box that attaches to the iPhone via USB: As you know, an iPhone keeps a count of how many wrong PINs have been entered, in case you have turned on the Erase Data option on the Settings | Touch ID & Passcode screen. That's a highly-recommended option, because it wipes your device...
Friday Squid Blogging: Using Squid Proteins for Commercial Camouflage Products
More research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Yet Another Computer Side Channel
Researchers have managed to get two computers to communicate using heat and thermal sensors. It's not really viable communication -- the bit rate is eight per hour over fifteen inches -- but it's neat....
New Zealand's XKEYSCORE Use
The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I'm not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It's interesting to see how primitive the keyword targeting is,...
Capabilities of Canada's Communications Security Establishment
There's a new story about the hacking capabilities of Canada's Communications Security Establishment (CSE), based on the Snowden documents....
Reforming the FISA Court
The Brennan Center has a long report on what's wrong with the FISA Court and how to fix it. At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal "adversarial" process.... But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings...
BIOS Hacking
We've learned a lot about the NSA's abilities to hack a computer's BIOS so that the hack survives reinstalling the OS. Now we have a research presentation about it. From Wired: The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually...
Friday Squid Blogging: Squid Pen
Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
New Paper on Digital Intelligence
David Omand -- GCHQ director from 1996-1997, and the UK's security and intelligence coordinator from 2000-2005 -- has just published a new paper: "Understanding Digital Intelligence and the Norms That Might Govern It." Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency...
Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception
Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along...
More Data and Goliath News
Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list -- covering sales from the second week of March -- is not yet on the Internet. On...
Understanding the Organizational Failures of Terrorist Organizations
New research: Max Abrahms and Philip B.K. Potter, "Explaining Terrorism: Leadership Deficits and Militant Group Tactics," International Organizations. Abstract: Certain types of militant groups -- those suffering from leadership deficits -- are more likely to attack civilians. Their leadership deficits exacerbate the principal-agent problem between leaders and foot soldiers, who have stronger incentives to harm civilians. We establish the validity...
How We Become Habituated to Security Warnings on Computers
New research: "How Polymorphic Warnings Reduce Habituation in the Brain - Insights from an fMRI Study." Abstract: Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors. This study...
Details on Hacking Team Software Used by Ethiopian Government
The Citizen Lab at the University of Toronto published a new report on the use of spyware from the Italian cyberweapons arms manufacturer Hacking Team by the Ethiopian intelligence service. We previously learned that the government used this software to target US-based Ethiopian journalists. News articles. Human Rights Watch press release....
How the CIA Might Target Apple's XCode
The Intercept recently posted a story on the CIA's attempts to hack the iOS operating system. Most interesting was the speculation that they hacked XCode, which would mean that any apps developed using that tool would be compromised. The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance...
Friday Squid Blogging: Squid Stir-Fry
Spicy squid masala stir-fry. Easy and delicious. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Fall Seminar on Catastrophic Risk
I am planning a study group at Harvard University (in Boston) for the Fall semester, on catastrophic risk. Berkman Study Group -- Catastrophic Risk: Technologies and Policy Technology empowers, for both good and bad. A broad history of "attack" technologies shows trends of empowerment, as individuals wield ever more destructive power. The natural endgame is a nuclear bomb in everybody's...
Threats to Information Integrity
Every year, the Director of National Intelligence publishes an unclassified "Worldwide Threat Assessment." This year's report was published two weeks ago. "Cyber" is the first threat listed, and includes most of what you'd expect from a report like this. More interesting is this comment about information integrity: Most of the public discussion regarding cyber threats has focused on the confidentiality...
Data and Goliath Makes New York Times Best-Seller List
The March 22 best-seller list from the New York Times will list me as #6 in the hardcover nonfiction category, and #13 in the combined paper/e-book category. This is amazing, really. The book just barely crossed #400 on Amazon this week, but it seems that other booksellers did more. There are new reviews from the LA Times, Lawfare, EFF, and...
The Changing Economics of Surveillance
Cory Doctorow examines the changing economics of surveillance and what it means: The Stasi employed one snitch for every 50 or 60 people it watched. We can't be sure of the size of the entire Five Eyes global surveillance workforce, but there are only about 1.4 million Americans with Top Secret clearance, and many of them don't work at or...
Equation Group Update
More information about the Equation Group, aka the NSA. Kaspersky Labs has published more information about the Equation Group -- that's the NSA -- and its sophisticated malware platform. Ars Technica article....
Hardware Bit-Flipping Attack
The Project Zero team at Google has posted details of a new attack that targets a computer's DRAM. It's called Rowhammer. Here's a good description: Here's how Rowhammer gets its name: In the Dynamic Random Access Memory (DRAM) used in some laptops, a hacker can run a program designed to repeatedly access a certain row of transistors in the computer's...
Can the NSA Break Microsoft's BitLocker?
The Intercept has a new story on the CIA's -- yes, the CIA, not the NSA -- efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information. There's a paragraph about Microsoft's BitLocker,...
Geotagging Twitter Users by Mining Their Social Graphs
New research: "Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization," by Ryan Compton, David Jurgens, and David Allen. Abstract: Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can...
Identifying When Someone is Operating a Computer Remotely
Here's an interesting technique to detect Remote Access Trojans, or RATs: differences in how local and remote users use the keyboard and mouse: By using biometric analysis tools, we are able to analyze cognitive traits such as hand-eye coordination, usage preferences, as well as device interaction patterns to identify a delay or latency often associated with remote access attacks. Simply...
Attack Attribution and Cyber Conflict
The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit. What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place. But what it highlights...
Friday Squid Blogging: Biodegradable Thermoplastic Inspired by Squid Teeth
There's a new 3D-printable biodegradable thermoplastic: Pennsylvania State University researchers have synthesized a biodegradable thermoplastic that can be used for molding, extrusion, 3D printing, as an adhesive, or a coating using structural proteins from the ring teeth on squid tentacles. Another article: The researchers took genes from a squid and put it into E. coli bacteria. "You can insert genes...
Data and Goliath's Big Idea
Data and Goliath is a book about surveillance, both government and corporate. It's an exploration in three parts: what's happening, why it matters, and what to do about it. This is a big and important issue, and one that I've been working on for decades now. We've been on a headlong path of more and more surveillance, fueled by fear -- of...
FREAK: Security Rollback Attack Against SSL
This week we learned about an attack called "FREAK" -- "Factoring Attack on RSA-EXPORT Keys" -- that can break the encryption of many websites. Basically, some sites' implementations of secure sockets layer technology, or SSL, contain both strong encryption algorithms and weak encryption algorithms. Connections are supposed to use the strong algorithms, but in many cases an attacker can force...
The TSA's FAST Personality Screening Program Violates the Fourth Amendment
New law journal article: "A Slow March Towards Thought Crime: How the Department of Homeland Security's FAST Program Violates the Fourth Amendment," by Christopher A. Rogers. From the abstract: FAST is currently designed for deployment at airports, where heightened security threats justify warrantless searches under the administrative search exception to the Fourth Amendment. FAST scans, however, exceed the scope of...
Now Corporate Drones are Spying on Cell Phones
The marketing firm Adnear is using drones to track cell phone users: The capture does not involve conversations or personally identifiable information, according to director of marketing and research Smriti Kataria. It uses signal strength, cell tower triangulation, and other indicators to determine where the device is, and that information is then used to map the user's travel patterns. "Let's...
Tom Ridge Can Find Terrorists Anywhere
One of the problems with our current discourse about terrorism and terrorist policies is that the people entrusted with counterterrorism -- those whose job it is to surveil, study, or defend against terrorism -- become so consumed with their role that they literally start seeing terrorists everywhere. So it comes as no surprise that if you ask Tom Ridge, the...
Data and Goliath: Reviews and Excerpts
On the net right now, there are excerpts from the Introduction on Scientific American, Chapter 5 on the Atlantic, Chapter 6 on the Blaze, Chapter 8 on Ars Technica, Chapter 15 on Slate, and Chapter 16 on Motherboard. That might seem like a lot, but it's only 9,000 of the book's 80,000 words: barely 10%. There are also a few...
Google Backs Away from Default Lollipop Encryption
Lollipop encryption by default is still in the future. No conspiracy here; it seems like they don't have the appropriate drivers yet. But while relaxing the requirement might make sense technically, it's not a good public relations move. Android compatibility document. Slashdot story...
The Democratization of Cyberattack
The thing about infrastructure is that everyone uses it. If it's secure, it's secure for everyone. And if it's insecure, it's insecure for everyone. This forces some hard policy choices. When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's...
Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other
Scientists are attaching cameras to Humboldt squid to watch them communicate with each other. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Data and Goliath Book Tour
Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello....
Everyone Wants You To Have Security, But Not from Them
In December, Google's Executive Chairman Eric Schmidt was interviewed at the Cato Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place...
Snowden-Greenwald-Poitras AMA
Glenn Greenwald, Laura Poitras, and Edward Snowden did an "Ask Me Anything" on Reddit. Point out anything interesting in the comments. And note that Snowden mentioned my new book: One of the arguments in a book I read recently (Bruce Schneier, "Data and Goliath"), is that perfect enforcement of the law sounds like a good thing, but that may not...
"Surreptitiously Weakening Cryptographic Systems"
New paper: "Surreptitiously Weakening Cryptographic Systems," by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart. Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different...
Twitpic
On Monday, I asked Adm. Rogers a question. EDITED TO ADD: The question....
AT&T Charging Customers to Not Spy on Them
AT&T is charging a premium for gigabit Internet service without surveillance: The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which...
Cell Phones Leak Location Information through Power Usage
New research on tracking the location of smart phone users by monitoring power consumption: PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental...
Friday Squid Blogging: Squid Can Recode Their Genetic Makeup
This is freaky: A new study showcases the first example of an animal editing its own genetic makeup on-the-fly to modify most of its proteins, enabling adjustments to its immediate surroundings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Man-in-the-Middle Attacks on Lenovo Computers
It's not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections. Here's how it works, and here's how to get rid of it. And you should get rid of it, not merely because it's...
NSA/GCHQ Hacks SIM Card Database and Steals Billions of Keys
The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards....
Database of Ten Million Passwords
Earlier this month, Mark Burnett released a database of ten million usernames and passwords. He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now. News articles....
The Obsolescence of Submarines
Interesting article on the submarine arms race between remaining hidden and detection. It seems that it is much more expensive for a submarine to hide than it is to detect it. And this changing balance will affect the long-term viability of submarines....
IRS Encourages Poor Cryptography
I'm not sure what to make of this, or even what it means. The IRS has a standard called IDES: International Data Exchange Service: "The International Data Exchange Service (IDES) is an electronic delivery point where Financial Institutions (FI) and Host Country Tax Authorities (HCTA) can transmit and exchange FATCA data with the United States." It's like IRS data submission,...
The Equation Group's Sophisticated Hacking and Exploitation Tools
This week, Kaspersky Labs published detailed information on what it calls the Equation Group -- almost certainly the NSA -- and its abilities to embed spyware deep inside computers, gaining pretty much total control of those computers while maintaining persistence in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone...
Co3 Systems Changes Its Name to Resilient Systems
Today my company, Co3 Systems, is changing its name to Resilient Systems. The new name better reflects who we are and what we do. Plus, the old name was kind of dumb. I have long liked the term "resilience." If you look around, you'll see it a lot. It's used in human psychology, in organizational theory, in disaster recovery, in...
Friday Squid Blogging: Dumpling Squid and Sex
This just in: the threat of being eaten doesn't deter dumpling squid from having sex. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Further Evidence Pointing to North Korea as Sony Hacker
The FBI has provided more evidence: Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has "very high confidence" in the FBI's attribution of the attack to North Korea. And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings...
Hacking Attack Causes Physical Damage at German Steel Mill
This sort of thing is still very rare, but I fear it will become more common: ...hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in "massive" -- though unspecified -- damage....
Attack Attribution in Cyberspace
When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense. Many of us in the computer-security field are skeptical of the US government's claim that it...
Attributing the Sony Attack
No one has admitted taking down North Korea's Internet. It could have been an act of retaliation by the US government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government. Not knowing who did what isn't new. It's called...
Fidgeting as Lie Detection
Sophie Van Der Zee and colleagues have a new paper on using body movement as a lie detector: Abstract: We present a new robust signal for detecting deception: full body motion. Previous work on detecting deception from body movement has relied either on human judges or on specific gestures (such as fidgeting or gaze aversion) that are coded or rated...
Attributing Cyberattacks
New paper: "Attributing Cyber Attacks," by Thomas Rid and Ben Buchanan: Abstract: Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and...
Loitering as a Security System
In Kyoto, taxi drivers are encouraged to loiter around convenience stores late at night. Their presence reduces crime. In Kyoto about half of the convenience stores had signed on for the Midnight Defender Strategy. These 500 or so shops hung posters with slogans such as "vigilance strengthening" written on them in their windows. These signs are indicators to taxi drivers...
How Browsers Store Passwords
Good information on how Internet Explorer, Chrome, and Firefox store user passwords....
Friday Squid Blogging: Easy Squid Recipes
Stewed squid with tomatoes, sauteed squid with parsley and garlic, and braised squid with garlic and herbs. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Doxing as an Attack
Those of you unfamiliar with hacker culture might need an explanation of "doxing." The word refers to the practice of publishing personal information about people without their consent. Usually it's things like an address and phone number, but it can also be credit card details, medical information, private e-mails -- pretty much anything an assailant can get his hands on....
More Data on Attributing the Sony Attack
An analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies an insider. Our Gotnews.com investigation into the data that has been released by the "hackers" shows that someone at Sony was copying 182GB at minimum the night of the 21st -- the very same day that Sony...
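The throughput argument above can be reproduced from file metadata alone. The following is an added example (this editor's, not code from the post or from the Gotnews analysis it quotes): it sorts a set of files by modification time, derives the rate implied by the spread of timestamps, and classifies it against two thresholds. The file list is constructed, and the rate thresholds for "USB 2.0 class" and "network upload" are assumptions of this example, not figures from the page.

```python
"""Estimate copy throughput from file timestamps (added example, constructed data)."""
from datetime import datetime, timedelta

# Assumed thresholds in MB/s. USB 2.0 drives sustain roughly 25-30 MB/s in
# practice; 5 MB/s is a generous corporate upload link. Both are assumptions.
USB2_PRACTICAL_MBPS = 25.0
WAN_UPLOAD_MBPS = 5.0


def make_sample(n_files, size_bytes, spacing_seconds, start=datetime(2014, 11, 21, 22, 0, 0)):
    """Construct (mtime, size) pairs for n_files equal-sized files written back to back.
    Purely synthetic; not derived from any real leak."""
    return [(start + timedelta(seconds=i * spacing_seconds), size_bytes) for i in range(n_files)]


def estimate_rate(files):
    """Bytes per second implied by the spread of modification times.

    An mtime records when a file finished being written, so the time spent on
    the first file is unknown. We therefore measure from the first file's
    completion and exclude its size from the byte count.
    """
    files = sorted(files)
    if len(files) < 2:
        raise ValueError("need at least two files to bound a copy window")
    elapsed = (files[-1][0] - files[0][0]).total_seconds()
    if elapsed <= 0:
        raise ValueError("timestamps do not span a measurable interval")
    total = sum(size for _, size in files[1:])
    return total / elapsed


def classify(rate_bytes_per_second):
    """Map a rate to a coarse medium class. Caveats a practitioner must keep in
    mind: copies made with timestamp preservation (cp -p, robocopy /COPY:DAT)
    carry the source's mtimes and tell you nothing; parallel copies inflate the
    apparent rate; coarse filesystem timestamp granularity blurs short windows."""
    mbps = rate_bytes_per_second / 1e6
    if mbps >= USB2_PRACTICAL_MBPS * 0.6:
        return "local bus (USB 2.0 class or faster)"
    if mbps <= WAN_UPLOAD_MBPS:
        return "consistent with network exfiltration"
    return "indeterminate"


if __name__ == "__main__":
    for label, sample in (("20 s per 500 MB", make_sample(10, 500_000_000, 20)),
                          ("500 s per 500 MB", make_sample(10, 500_000_000, 500))):
        r = estimate_rate(sample)
        print(f"{label}: {r / 1e6:.1f} MB/s -> {classify(r)}")
```

The classification is only as good as the assumption that the mtimes were set by the copy itself; check the copy tool's timestamp behaviour before drawing an insider conclusion from this kind of evidence.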
Leaked CIA Documents
I haven't seen much press mention about the leaked CIA documents that have appeared on Wikileaks this month. There are three: The CIA review of high-value target assassination programs, classified SECRET, from 2009. The CIA's advice for agents going through airport security and surviving secondary screening, classified SECRET, from 2011. The CIA's advice for agents travelling into the Schengen Area,...
New Documents on NSA's Cryptanalysis Capabilities
Spiegel published a long article today on the NSA's analysis capabilities against encrypted systems, with a lot of new documents from the Snowden archive. I'm not going to have time to look at this for a few days. Describe anything interesting you find -- with links to the documents -- in the comments....
Friday Squid Blogging: Mummers Play Featuring Giant Squid
"St. George, the Dragon, and the Squid: A Preservation Mumming," by the American Folklife Center. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Merry Christmas from the NSA
On Christmas Eve the NSA released a bunch of audit reports on illegal spying using EO 12333 from 2001 to 2013. Bloomberg article. The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA's...
"Santa Claus and the Surveillance State"
He sees you when you're sleeping. He knows when you're awake. He's everywhere. And that's the whole point of the Elf on the Shelf, the bright-eyed, Kewpie-esque doll that millions of parents display around their homes in December as a reminder to children to behave. The elf, the story goes, is an agent reporting back to Santa Claus, and he's...
Did North Korea Really Attack Sony?
I am deeply skeptical of the FBI's announcement on Friday that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn't believe it. Clues in the hackers' attack code seem...
Manipulating Juries with PowerPoint
Interesting article on the subconscious visual tricks used to manipulate juries and affect verdicts. In December 2012 the Washington Supreme Court threw out Glasmann's convictions based on the "highly inflammatory" slides. As a general rule, courts don't want prosecutors expressing their personal opinion to a jury; they're supposed to couch their arguments in terms of what the evidence shows. Plastering...
North Korea DDoSed Off the Internet
North Korea has been knocked off the Internet by a distributed denial-of-service (DDoS) attack. Maybe the US did it, and maybe not. This whole incident is a perfect illustration of how technology is equalizing capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a...
2008 Cyberattack Against Turkish Oil Pipeline
Interesting article talks about the 2008 cyberattack against a Turkish oil pipeline: For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The...
Reacting to the Sony Hack
First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I've heard calls for us to strike back, with actual missiles...
Friday Squid Blogging: Squid Beard
Impressive. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Lessons from the Sony Hack
Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and...
SS7 Vulnerabilities
There are security vulnerabilities in the phone-call routing protocol called SS7. The flaws discovered by the German researchers are actually functions built into SS7 for other purposes -- such as keeping calls connected as users speed down highways, switching from cell tower to cell tower -- that hackers can repurpose for surveillance because of the lax security on the network....
ISIS Cyberattacks
Citizen Lab has a new report on a probable ISIS-launched cyberattack: This report describes a malware attack with circumstantial links to the Islamic State in Iraq and Syria. In the interest of highlighting a developing threat, this post analyzes the attack and provides a list of Indicators of Compromise. A Syrian citizen media group critical of Islamic State of Iraq...
The Limits of Police Subterfuge
"The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let...
How the FBI Unmasked Tor Users
Kevin Poulsen has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users....
Fake Cell Towers Found in Norway
In yet another example of what happens when you build an insecure communications infrastructure, fake cell phone towers have been found in Oslo. No one knows who has been using them to eavesdrop. This is happening in the US, too. Remember the rule: we're all using the same infrastructure, so we can either keep it insecure so we -- and...
Understanding Zero-Knowledge Proofs
Matthew Green has a good primer....
Over 700 Million People Taking Steps to Avoid NSA Surveillance
There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward...
Friday Squid Blogging: Recreational Squid Fishing in Washington State
There is year-round recreational squid fishing from the Strait of Juan de Fuca to south Puget Sound. A nighttime sport that requires simple, inexpensive fishing tackle, squid fishing, or jigging, typically takes place on the many piers and docks throughout the Puget Sound region. As usual, you can also use this squid post to talk about the security stories in the news...
Incident Response Webinar on Thursday
On 12/18 I'll be part of a Co3 webinar where we examine incident-response trends of 2014 and look ahead to 2015. I tend not to do these, but this is an exception. Please sign up if you're interested....
Who Might Control Your Telephone Metadata
Remember last winter when President Obama called for an end to the NSA's telephone metadata collection program? He didn't actually call for an end to it; he just wanted it moved from an NSA database to some commercial database. (I still think this is a bad idea, and that having the companies store it is worse than having the...
Comments on the Sony Hack
I don't have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though. At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either.) That we live in the world where we aren't...
Not Enough CISOs to Go Around
This article is reporting that the demand for Chief Information Security Officers far exceeds supply: Sony and every other company that realizes the need for a strong, senior-level security officer are scrambling to find talent, said Kris Lovejoy, general manager of IBM's security service and former IBM chief security officer. CISOs are "almost impossible to find these days," she said....
Effects of Terrorism Fears
Interesting article: "How terrorism fears are transforming America's public space." I am reminded of my essay from four years ago: "Close the Washington Monument."...
NSA Hacking of Cell Phone Networks
The Intercept has published an article -- based on the Snowden documents -- about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a...
Rapiscan Full-Body Scanner for Sale
Government surplus. Only $8,000 on eBay. Note that this device has been analyzed before....
Corporate Abuse of our Data
Last week, we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's substantial evidence that it was built and operated by the United States. This isn't...
Friday Squid Blogging: Squid Poaching off the Coast of Japan
There has been an increase in squid poaching by North Korea out of Japanese territorial waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Corporations Misusing Our Data
In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on. We realize that this data is at risk from hackers. But there's another risk as well: the employees of the companies who are holding our data for us. In the early years of Facebook, employees had...
Olfactory Surveillance
The Denver police are using olfactometers to measure the concentration of cannabis in the air. I haven't found any technical information about these devices, their sensitivity, range, etc....
Quantum Attack on Public-Key Algorithm
This talk (and paper) describes a lattice-based public-key algorithm called Soliloquy developed by GCHQ, and a quantum-computer attack on it. News article....
The Future of Auditory Surveillance
Interesting essay on the future of speech recognition, microphone miniaturization, and the future ubiquity of auditory surveillance....
Putting NSA/GCHQ Spying Together
This is a really good analysis of how the NSA/GCHQ spying programs actually work. It's nice that we finally have enough documents public that we can start putting together the complete pictures....
Friday Squid Blogging: Squid Bikes
Squid Bikes is a California brand. Article from Velo News. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Economic Failures of HTTPS Encryption
Interesting paper: "Security Collapse of the HTTPS Market." From the conclusion: Recent breaches at CAs have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model: the security of the entire ecosystem suffers if any of the hundreds of CAs is compromised (weakest link); browsers are unable to revoke trust in major CAs ("too big to...
"Cooperating with the Future"
This is an interesting paper -- the full version is behind a paywall -- about how we as humans can motivate people to cooperate with future generations. Abstract: Overexploitation of renewable resources today has a high cost on the welfare of future generations. Unlike in other public goods games, however, future generations cannot reciprocate actions made today. What mechanisms can...
New Snowden Documents Show GCHQ Paying Cable & Wireless for Access
A new story based on the Snowden documents and published in the German newspaper Süddeutsche Zeitung shows how the GCHQ worked with Cable & Wireless -- acquired by Vodafone in 2012 -- to eavesdrop on Internet and telecommunications traffic. New documents on the page, and here. Ars Technica article. Slashdot thread....
FBI Agents Pose as Repairmen to Bypass Warrant Process
This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress: The next time you call for assistance because the internet service in your home is not...
Regin: Another Military-Grade Malware
Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater....
The Security Underpinnings of Cryptography
Nice article on some of the security assumptions we rely on in cryptographic algorithms....
New Kryptos Clue
Jim Sanborn has given the world another clue to the fourth ciphertext in his Kryptos sculpture at the CIA headquarters. Older posts on Kryptos....
Friday Squid Blogging: Cephalopod Cognition
Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses. Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week....
Pre-Snowden Debate About NSA Call-Records Collection Program
Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...
Citadel Malware Steals Password Manager Master Passwords
Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....
A New Free CA
Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...
Whatsapp Is Now End-to-End Encrypted
Whatsapp is now offering end-to-end message encryption: Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device. I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives...
Snarky 1992 NSA Report on Academic Cryptography
The NSA recently declassified a report on the Eurocrypt '92 conference. Honestly, I share some of the writer's opinions on the more theoretical stuff. I know it's important, but it's not something I care all that much about....
The NSA's Efforts to Ban Cryptographic Research in the 1970s
New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....
Friday Squid Blogging: The Story of Inventing the SQUID
The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Return of Crypto Export Controls?
Last month, for the first time since US export restrictions on cryptography were relaxed two decades ago, the US government has fined a company for exporting crypto software without a license. News article. No one knows what this means....
Pew Research Survey on Privacy Perceptions
Pew Research has released a new survey on Americans' perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I've read. As Cory Doctorow likes to say, we've reached "peak indifference to surveillance."...
ISPs Blocking TLS Encryption
It's not happening often, but it seems that some ISPs are blocking STARTTLS messages and causing web encryption to fail. EFF has the story....
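What makes this attack work is that a mail client which does not see STARTTLS in the server's EHLO reply typically falls back to plaintext without telling anyone. The following is an added example (this editor's, not code from the post or from EFF) of the client-side check that closes that gap: it parses an EHLO reply, refuses to continue in plaintext when STARTTLS is absent, and flags a downgrade when a capability seen from the same server on an earlier connection has disappeared. Both EHLO replies are constructed for illustration; the "XXXXXXXX" rewrite is one plausible way a middlebox could hide the keyword and is an assumption of this example.

```python
"""Fail-closed STARTTLS handling for an SMTP client (added example, constructed data)."""
import re

# Constructed EHLO reply from a server that offers STARTTLS (not a real capture).
EHLO_INTACT = (
    "250-mail.example.net Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# The same reply after a hypothetical in-path rewrite that overwrites the
# STARTTLS keyword so the client never learns that TLS was available.
EHLO_STRIPPED = (
    "250-mail.example.net Hello [192.0.2.10]\r\n"
    "250-SIZE 35882577\r\n"
    "250-XXXXXXXX\r\n"
    "250 8BITMIME\r\n"
)

_CAP_LINE = re.compile(r"^250[ -](\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Return {KEYWORD: parameters} from a multi-line 250 EHLO reply.

    The first line carries the server greeting rather than a capability, so it
    is skipped. Lines that do not match the 250-/250<space> form are ignored.
    """
    caps = {}
    for line in reply.split("\r\n")[1:]:
        m = _CAP_LINE.match(line)
        if m:
            caps[m.group(1).upper()] = m.group(2) or ""
    return caps


def decide_transport(reply: str, require_tls: bool = True) -> str:
    """'starttls' when the server advertises it; otherwise 'abort' under a
    fail-closed policy, or 'plaintext' only if the caller explicitly opted in."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    return "plaintext" if not require_tls else "abort"


def detect_downgrade(previous_caps: dict, current_caps: dict) -> list:
    """Capabilities seen on an earlier connection to this server that are now
    missing. A pinned record of 'this server did STARTTLS last time' turns a
    silent stripping into a detectable event."""
    return sorted(k for k in previous_caps if k not in current_caps)


if __name__ == "__main__":
    seen_before = parse_ehlo(EHLO_INTACT)
    for label, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        now = parse_ehlo(reply)
        print(label, decide_transport(reply), detect_downgrade(seen_before, now))
```

The pinning in detect_downgrade is trust-on-first-use: it cannot help on the very first connection, which is why the fail-closed default in decide_transport matters more than the downgrade alarm.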
Narrowly Constructing National Surveillance Law
Orin Kerr has a new article that argues for narrowly constructing national security law: This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a "rule of lenity," ambiguity in the powers granted to the executive branch in the sections of the United States...
Hacking Internet Voting from Wireless Routers
Good paper, and layman's explanation. Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes....
Sophisticated Targeted Attack Via Hotel Networks
Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques have been given. This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and...
The Future of Incident Response
Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of...
Friday Squid Blogging: Dried Squid Sold in Korean Baseball Stadiums
I'm not sure why this is news, except that it makes for a startling headline. (Is the New York Times now into clickbait?) It's not as if people are throwing squid onto the field, as Detroit hockey fans do with octopus. As usual, you can also use this squid post to talk about the security stories in the news that...
Co3 Systems Is Hiring
My company, Co3 Systems, is hiring both technical and nontechnical positions. If you live in the Boston area, click through and take a look....
Testing for Explosives in the Chicago Subway
Chicago is doing random explosives screenings at random L stops in the Chicago area. Compliance is voluntary: Police made no arrests but one rider refused to submit to the screening and left the station without incident, Maloney said. [...] Passengers can decline the screening, but will not be allowed to board a train at that station. Riders can leave that...
Why Hyping Cyber Threats is Counterproductive
Robert Lee and Thomas Rid have a new paper: "OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy."...
How the Internet Affects National Sovereignty
Interesting paper by Melissa Hathaway: "Connected Choices: How the Internet Is Challenging Sovereign Decisions." Abstract: Modern societies are in the middle of a strategic, multidimensional competition for money, power, and control over all aspects of the Internet and the Internet economy. This article discusses the increasing pace of discord and the competing interests that are unfolding in the current debate...
Verizon Tracking Mobile Internet Use
Verizon is tracking the Internet use of its phones by surreptitiously modifying URLs. This is a good description of how it works....
Friday Squid Blogging: 1,057 Squid T-Shirts
That's a lot. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And commenting was broken for a couple of days. It's fixed now, I hope....
Hacking a Video Poker Machine
Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine....
NSA Classification ECI = Exceptionally Controlled Information
ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies. As part of the Intercept story on the NSA's using agents to infiltrate foreign companies and...
DEA Sets Up Fake Facebook Page in Woman's Name
This is a creepy story. A woman has her phone seized by the Drug Enforcement Administration and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name. The woman sued the...
FOXACID Operations Manual
A few days ago, I saw this tweet: "Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished." It's true. The citation is this: According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety...
Surveillance in Schools
This essay, "Grooming students for a lifetime of surveillance," talks about the general trends in student surveillance. Related: essay on the need for student privacy in online learning....
How James Bamford Came to Write The Puzzle Palace
Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA's objections. Required reading for those who think the NSA's excesses are somehow new....
NSA Has Undercover Operatives in Foreign Companies
The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It's also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated...
Friday Squid Blogging: Flash-Fried Squid Recipe
Recipe from Tom Douglas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Online Activism and the Computer Fraud and Abuse Act
Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet. Also note Sauter's new book, The Coming Swarm....
Dynamic Encryption for Voice
This article reads like snake oil. But the company was founded by Lars Knudsen, so it can't possibly be. I'm curious....
USB Cufflinks
Just the thing for smuggling data out of secure locations....
BadUSB Code Has Been Published
In July, I wrote about an unpatchable USB vulnerability called BadUSB. Code for the vulnerability has been published....
Data and Goliath Is Finished
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is finished. I submitted it to my publisher, Norton, this morning. In a few weeks, I'll get the copyedited manuscript back, and a few weeks after that, it'll go into production. Stacks of printed books will come out the other end in February, and the book...
iPhone Encryption and the Return of the Crypto Wars
Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it. From now on, all the phone's data is protected. It can no longer be accessed by...
Friday Squid Blogging: Squid Burger
McDonald's has a Halloween-themed burger with a squid-ink bun. Only in Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
William Binney Explains NSA Surveillance Using Snowden's Documents
Former NSA employee -- not technical director, as the link says -- explains how NSA bulk surveillance works, using some of the Snowden documents. Very interesting....
The NSA's Private Cloud
The NSA is building a private cloud with its own security features: As a result, the agency can now track every instance of every individual accessing what is in some cases a single word or name in a file. This includes when it arrived, who can access it, who did access it, downloaded it, copied it, printed it, forwarded it,...
Firechat
Firechat is a secure wireless peer-to-peer chat app: Firechat is theoretically resistant to the kind of centralized surveillance that the Chinese government (as well as western states, especially the US and the UK) is infamous for. Phones connect directly to one another, establish encrypted connections, and transact without sending messages to servers where they can be sniffed and possibly decoded....
Security Theater in China
The Chinese government checked ten thousand pigeons for "dangerous materials." Because fear....
NSA Patents Available for License
There's a new article on NSA's Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn't find anything interesting in the catalog. Does anyone see something I missed? My guess is that the good stuff remains classified, and isn't "transferred" to anyone. Slashdot thread....
Friday Squid Blogging: Squid Fishing Moves North in California
Warmer waters are moving squid fishing up the California coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Medical Records Theft and Fraud
There's a Reuters article on new types of fraud using stolen medical records. I don't know how much of this is real and how much is hype, but I'm certain that criminals are looking for new ways to monetize stolen data....
Security Trade-offs of Cloud Backup
This is a good essay on the security trade-offs with cloud backup: iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off: Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service. Your data is more at risk...
Nasty Vulnerability found in Bash
It's a big and nasty one. Invariably we're going to see articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in open-source software. If anyone has any actual data other than two instances and the natural human tendency to generalize, I'd like to see it....
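The Bash bug the post refers to is the one disclosed in September 2014, commonly called Shellshock (CVE-2014-6271); neither the name nor the identifier appears on the page. Its root cause is that bash, when importing an exported shell function from the environment, kept parsing past the function body and executed whatever followed. The script below is an added example (this editor's, not from the post) that tests the local bash for exactly that behaviour: it exports a variable whose value looks like a function definition followed by an extra command and checks whether the extra command ran. The variable name and the marker string are arbitrary choices of this example.

```shell
#!/bin/sh
# Added example: test whether the installed bash executes trailing commands
# in an exported function definition (the CVE-2014-6271 behaviour).
# Prints "vulnerable", "not vulnerable" or "bash not found";
# exit status 1, 0 or 2 respectively.

check_shellshock() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not found"
        return 2
    fi
    # The value of x is a minimal function body "() { :;}" followed by a
    # command that must never run. A fixed bash imports the function and
    # ignores the rest; a vulnerable one runs the echo while starting up,
    # so the marker shows up in the captured output.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*)
            echo "vulnerable"
            return 1
            ;;
        *)
            echo "not vulnerable"
            return 0
            ;;
    esac
}

# Run the check when executed as a script; keep the result in $status so a
# caller running under "set -e" is not aborted by a non-zero return.
status=0
check_shellshock || status=$?
```

The check only covers the original parsing bug; the first patch for it was incomplete and was followed by further fixes, so a "not vulnerable" result here should be read together with the bash version and the distribution's advisory, not on its own.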
Julian Sanchez on the NSA and Surveillance Reform
Julian Sanchez of the Cato Institute has a lengthy audio interview on NSA surveillance and reform. Worth listening to....
Detecting Robot-Handwriting
Interesting article on the arms race between creating robot "handwriting" that looks human, and detecting text that has been written by a robot. Robots will continue to get better, and will eventually fool all of us....
Lesson in Successful Disaster Planning
I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they just flipped a switch on all their Y2K preparations, and it worked....
Kill Switches for Weapons
Jonathan Zittrain argues that our military weapons should be built with a kill switch, so they become useless when they fall into enemy hands....
Security for Vehicle-to-Vehicle Communications
The National Highway Traffic Safety Administration (NHTSA) has released a report titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application." It's very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can't be spoofed, and privacy to ensure that the communications can't be used...
Friday Squid Blogging: Colossal Squid Dissected in New Zealand
Months after it was found in August, scientists have dissected a colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
iOS 8 Security
Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant. Of course they still have access to everything in iCloud, but it's a start....
Fake Cell Phone Towers Across the US
Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone...
Terrible Article on Vernam Ciphers
If there's anything that confuses wannabe cryptographers, it's one-time pads....
The Full Story of Yahoo's Fight Against PRISM
In 2008 Yahoo fought the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist. I am continually amazed at the extent of the government coercion....
Identifying Dread Pirate Roberts
According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users' true location....
Tracking People From their Cellphones with an SS7 Vulnerability
What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability....
Two New Snowden Stories
New Zealand is spying on its citizens. Edward Snowden weighs in personally. The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom....
Security of the SHA Family of Hash Functions
Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later....
Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico
A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Concerted Effort to Remove Data Collection Restrictions
Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update). Recently, there has been a concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft's Craig Mundie argues this. So does the PCAST report. And the World Economic...
Tabnapping: A New Phishing Attack
Aza Raskin describes a new phishing attack: taking over a background tab on a browser to trick people into entering in their login credentials. Clever....
WikiLeaks Spy Files
WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It's worth wandering around through all this material....
Safeplug Security Analysis
Good security analysis of Safeplug, which is basically Tor in a box. Short answer: not yet....
Wi-Fi Jammer
A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection: Oliver notes on the product's website that its so-called "All Out Mode" -- which prevents surveillance devices from connecting to any Wi-Fi network in the area -- is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public...
iPhone Payment Security
Apple is including some sort of automatic credit card payment system with the iPhone 6. It's using some security feature of the phone and system to negotiate a cheaper transaction fee. Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there's less risk of fraud. The article says that Apple has negotiated...
Friday Squid Blogging: Book by One Squid-Obsessed Person About Another
Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Security of Password Managers
At USENIX Security this year, there were two papers studying the security of password managers: David Silver, Suman Jana, and Dan Boneh, "Password Managers: Attacks and Defenses." Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers." It's interesting work, especially because it looks at security problems in something that...
JackPair Encrypted Phone Add-On
JackPair is a clever device that encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it....
Pencil-and-Paper Codes Used by Central American Criminal Gangs
No mention of how good the codes are. My guess is not very....
Squid Skin Inspires Eye-Like Photodetector
Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do....
Cell Phone Kill Switches Mandatory in California
California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one. I worry more about the side effects: once the feature is in...
ISIS Threatens US with Terrorism
They're openly mocking our profiling. But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West. They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United...
Hacking Traffic Lights
New paper: "Green Lights Forever: Analyzing the Security of Traffic Infrastructure," Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and...
Edward Snowden Wins EPIC "Champion of Freedom" Award
On Monday I had the honor of presenting Edward Snowden with a "Champion of Freedom" award at the EPIC dinner. Snowden couldn't be there in person -- his father and stepmother were there in his place -- but he recorded this message. Left to right: Mark Rotenberg, Jesselyn Radack (Snowden's attorney), Lonnie Snowden, and Bruce Schneier...
The Human Side of Heartbleed
The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere. It was a software insecurity,...
Chinese Hacking of the US
Chinese hacking of American computer networks is old news. For years we've known about their attacks against U.S. government and corporate targets. We've seen detailed reports of how they hacked The New York Times. Google has detected them going after Gmail accounts of dissidents. They've built sophisticated worldwide eavesdropping networks. These hacks target both military secrets and corporate intellectual property....
Friday Squid Blogging: Squid-Shaped Pancakes
Here are pictures of squid-shaped pancakes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Vulnerabilities Found in Law Enforcement Surveillance System
SEC Consult has published an advisory warning people not to use a government eavesdropping product called Recording eXpress, sold by the Israeli company Nice Systems. Basically, attackers can completely compromise the system. There are good stories on this by Brian Krebs and Dan Goodin....
TrueCrypt WTF
I have no idea what's going on with TrueCrypt. A good summary of the story is at Ars Technica, and Slashdot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow. Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait...
Eben Moglen on Snowden and Surveillance
This is well worth reading. It's based on a series of talks he gave last fall....
The Economics of Bulk Surveillance
Ross Anderson has an important new paper on the economics that drive government-on-population bulk surveillance: My first big point is that all the three factors which lead to monopoly -- network effects, low marginal costs and technical lock-in -- are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily...
Friday Squid Blogging: Squid Ink Cocktail
Del Campo, a restaurant in Washington DC, has a Bloody Mary made with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Alan Watts on the Harms of Surveillance
Biologist Alan Watts makes some good points: Mammals don't respond well to surveillance. We consider it a threat. It makes us paranoid, and aggressive and vengeful. [...] "Natural selection favors the paranoid," Watts said. Those who run away. In the earliest days of man on the savannah, when we roamed among the predatory, wild animals, someone realized pretty quickly that...
Disclosing vs Hoarding Vulnerabilities
There's a debate going on about whether the U.S. government -- specifically, the NSA and United States Cyber Command -- should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace. A software vulnerability is a programming mistake that allows an adversary access into...
The NSA is Not Made of Magic
I am regularly asked what is the most surprising thing about the Snowden NSA documents. It's this: the NSA is not made of magic. Its tools are no different from what we have in our world, it's just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the...
Government Policy on Cell Phone Interception Technology
New paper: "Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy," by Christopher Soghoian and Stephanie K. Pell: Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept...
Preplay Attack on Chip and PIN
Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post: Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card. When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the...
Advances in Solving the Discrete Log Problem
At Eurocrypt this year, researchers presented a paper that completely breaks the discrete log problem in any field with a small characteristic. It's nice work, and builds on a bunch of advances in this direction over the last several years. Despite headlines to the contrary, this does not have any cryptanalytic application -- unless they can generalize the result, which...
Pervasive Monitoring as Network Attack
New IETF RFC, "RFC 7258: Pervasive Monitoring Is an Attack," says it is a threat that protocol designers must mitigate. Slashdot thread....
Abusing Power to Shut Down a Twitter Parody Account
This is a pretty horrible story of a small-town mayor abusing his authority -- warrants where there is no crime, police raids, incidental marijuana bust -- to identify and shut down a Twitter parody account. The ACLU is taking the case....
Friday Squid Blogging: Fossil Squid
Rare fossilized cephalopods. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
How to Stop an Insider from Stealing All Your Secrets
This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I'm not sure it would have been effective against such a skilled and tenacious leaker. What's missing is the one thing that would have worked: have fewer secrets....
Forged SSL Certificates Pervasive on the Internet
About 0.2% of all SSL certificates are forged. This is the first time I've ever seen a number based on real data. News article: Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. Actual paper....
Is Antivirus Dead?
Symantec declared anti-virus dead, and Brian Krebs writes a good response. He's right: antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet....
Seventh Movie-Plot Threat Contest Semifinalists
On April 1, I announced the Seventh Movie Plot Threat Contest: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings...
Espionage vs. Surveillance
According to NSA documents published in Glenn Greenwald's new book No Place to Hide, we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam. This will certainly strain international relations,...
New Al Qaeda Encryption Software
The Web intelligence company Recorded Future is reporting -- picked up by the Wall Street Journal -- that al Qaeda is using new encryption software in the wake of the Snowden stories. I've been fielding press queries, asking me how this will adversely affect US intelligence efforts. I think the reverse is true. I think this will help US intelligence...
Computer Forensics in Fiction
New television show -- CSI: Cyber. I hope they have some good technical advisers, but I doubt they do....
New NSA Snowden Documents
Glenn Greenwald's book, No Place to Hide, has been published today. There are about 100 pages of NSA documents on the book's website. I haven't gone through them yet. At a quick glance, only a few of them have been published before. Here are two book reviews....
Steganography in Tweets
Clever, but make sure to heed the caveats in the final two paragraphs....
Internet Subversion
In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back. Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human,...
Friday Squid Blogging: The Evolutionary Purpose of Pain
A new study shows that Doryteuthis pealei in pain -- or whatever passes for pain in that species -- has heightened sensory sensitivity and heightened reactions. News articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Retelling of Stories Increases Bias
Interesting experiment shows that the retelling of stories increases conflict and bias. For their study, which featured 196 undergraduates, the researchers created a narrative about a dispute between two groups of young people. It described four specific points of tension, but left purposely ambiguous the issue of which party was the aggressor, and "depicted the groups as equally blameworthy." Half...
Correspondence Between the NSA and Google Leaked
Al Jazeera is reporting on leaked emails (not leaked by Snowden, but by someone else) detailing close ties between the NSA and Google. There are no smoking guns in the correspondence -- and the Al Jazeera article makes more of the e-mails than I think is there -- but it does show a closer relationship than either side has admitted...
Fearing Google
Mathias Döpfner writes an open letter explaining why he fears Google: We know of no alternative which could offer even partially comparable technological prerequisites for the automated marketing of advertising. And we cannot afford to give up this source of revenue because we desperately need the money for technological investments in the future. Which is why other publishers are increasingly...
The Economics of Video Game Cheating
Interesting article on the business of selling enhancements that allow you to cheat in online video games....
Friday Squid Blogging: How Flying Squid Fly
Someone has finally proven how: How do these squid go from swimming to flying? Four phases of flight are described in the research: launching, jetting, gliding and diving. While swimming, the squid open up their mantle and draw in water. Then these squid launch themselves into the air with a high-powered blast of the water from their bodies. Once launched...
Unusual Electronic Voting Machine Threat Model
Rats have destroyed dozens of electronic voting machines by eating the cables. It would have been a better story if the rats had zeroed out the machines after the votes had been cast but before they were counted, but it seems that they just ate the machines while they were in storage. The EVMs had been stored in a pre-designated...
Analysis of the FBI's Failure to Stop the Boston Marathon Bombings
Detailed response and analysis of the inspectors general report on the Boston Marathon bombings: Two opposite mistakes in an after-the-fact review of a terrorist incident are equally damaging. One is to fail to recognize the powerful difference between foresight and hindsight in evaluating how an investigative or intelligence agency should have behaved. After the fact, we know on whom we...
Putin Requires Russian Bloggers to Register with the Government
This is not good news. Widely known as the "bloggers law," the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published. Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for...
Really Weird Keith Alexander Interview
Comedian John Oliver interviewed now-retired NSA director General Keith Alexander. It's truly weird....
The Federal Reserve System's Cyberdefense Force
Interesting article on the cybersecurity branch of the Federal Reserve System....
Tracking People from Smartphone Accelerometers
It's been long known that individual analog devices have their own fingerprints. Decades ago, individual radio transmitters were identifiable and trackable. Now, researchers have found that accelerometers in smartphones are unique enough to be identifiable. The researchers focused specifically on the accelerometer, a sensor that tracks three-dimensional movements of the phone, essential for countless applications, including pedometers, sleep monitoring,...
The Quantified Toilet Hoax
Good essay on the Quantified Toilet hoax, and the difference between public surveillance and private self-surveillance....
Details of Apple's Fingerprint Recognition
This is interesting: Touch ID takes an 88x88 500ppi scan of your finger and temporarily sends that data to a secure cache located near the RAM. After the data is vectorized and forwarded to the secure enclave located on the top left of the A7 near the M7 processor, it is immediately discarded after processing. The fingerprint scanner uses subdermal...
A New Pencil-and-Paper Encryption Algorithm
Handycipher is a new pencil-and-paper symmetric encryption algorithm. I'd bet a gazillion dollars that it's not secure, although I haven't done the cryptanalysis myself....
Friday Squid Blogging: New Squid Exhibit at the Monterey Bay Aquarium
It's called "Tentacles." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Is Google Too Big to Trust?
Interesting essay about how Google's lack of transparency is hurting their trust: The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way...
Conversnitch
Surveillance is getting cheaper and easier: Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in...
The Security of Various Programming Languages
Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language. The report....
Dan Geer on Heartbleed and Software Monocultures
Good essay: To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of...
Info on Russian Bulk Surveillance
Good information: Russian law gives Russia's security service, the FSB, the authority to use SORM (System for Operative Investigative Activities) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions. SORM has been in use since 1990 and collects both metadata and content. SORM-1 collects mobile and...
Friday Squid Blogging: Squid Jigging
Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...
Metaphors of Surveillance
There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...
Reverse Heartbleed
Heartbleed can affect clients as well as servers....
Overreacting to Risk
This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...
Tails
Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....
Book Title
I previously posted that I am writing a book on security and power. Here are some title suggestions: Permanent Record: The Hidden Battles to Capture Your Data and Control Your World Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World They Already Know: The Hidden Battles to Capture Your Data and Control Your World We...
Auditing TrueCrypt
Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis. Quick summary: I'm still using it....
Schneier Talks and Interviews
Here are three articles about me from the last month. Also these three A/V links....
Schneier Speaking Schedule: April-May
Here's my upcoming speaking schedule for April and May: Stanford Law School on April 15. Brown University in Providence, RI -- two times -- on April 24. The Global Summit for Leaders in Information Technology in Washington, DC, on May 7. The Institute of World Politics on May 8. The University of Zurich on May 21. IT Security Inside in...
GoGo Wireless Adds Surveillance Capabilities for Government
The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government....
Friday Squid Blogging: Bronze Giant Squid Sculpture
A little too big for my house....
More on Heartbleed
This is an update to my earlier post. Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack. Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not...
Police Disabling Their own Voice Recorders
This is not a surprise: The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer's belt-worn transmitter....
Heartbleed
Heartbleed is a catastrophic bug in OpenSSL: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows...
"Unbreakable" Encryption Almost Certainly Isn't
This headline is provocative: "Human biology inspires 'unbreakable' encryption." The article is similarly nonsensical: Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack. Information can be encrypted...
The Youngest Security Researcher
Five-year-old finds login vulnerability in Microsoft Xbox....
Mass Surveillance by Eavesdropping on Web Cookies
Interesting research: Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user's IP address varies. Using simulated browsing...
Ephemeral Apps
Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there's no record. This notion is especially popular with young people,...
Seventh Movie-Plot Threat Contest
As you might expect, this year's contest has the NSA as the villain: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling...
The Continuing Public/Private Surveillance Partnership
If you've been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance. Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means...
Friday Squid Blogging: Encounter Between a Submersible Robot and a Giant Squid
Wow....
Creating Forensic Sketches from DNA
This seems really science fictional: It's already possible to make some inferences about the appearance of crime suspects from their DNA alone, including their racial ancestry and some shades of hair colour. And in 2012, a team led by Manfred Kayser of Erasmus University Medical Center in Rotterdam, the Netherlands, identified five genetic variants with detectable effects on facial shape....
Smarter People are More Trusting
Interesting research. Both vocabulary and question comprehension were positively correlated with generalized trust. Those with the highest vocab scores were 34 percent more likely to trust others than those with the lowest scores, and someone who had a good perceived understanding of the survey questions was 11 percent more likely to trust others than someone with a perceived poor understanding....
Geolocating Twitter Users
Interesting research into figuring out where Twitter users are located, based on similar tweets from other users: While geotags are the most definitive location information a tweet can have, tweets can also have plenty more salient information: hashtags, FourSquare check-ins, or text references to certain cities or states, to name a few. The authors of the paper created their algorithm...
Password Hashing Competition
There's a private competition to identify new password hashing schemes. Submissions are due at the end of the month....
NSA Hacks Huawei
Both Der Spiegel and the New York Times are reporting that the NSA has hacked Huawei pretty extensively, getting copies of the company's products' source code and most of the e-mail from the company. Aside from being a pretty interesting story about the operational capabilities of the NSA, it exposes some pretty blatant US government hypocrisy on this issue. As...
An Open Letter to IBM's Open Letter
Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers. At the outset, we think it is important for IBM to clearly state some simple facts: IBM has...
Giant Squid as an Omen
An omen of what? An increase in the number of giant squid being caught along the Sea of Japan coast is leading puzzled fishermen to fear their presence may be some kind of 'omen' -- although experts think the invertebrates are simply a bit cold....
New Book on Data and Power
I'm writing a new book, with the tentative title of Data and Power. While it's obvious that the proliferation of data affects power, it's less clear how it does so. Corporations are collecting vast dossiers on our activities on- and off-line -- initially to personalize marketing efforts, but increasingly to control their customer relationships. Governments are using surveillance, censorship, and...
Liveblogging the Financial Cryptography Conference
Ross Anderson liveblogged Financial Cryptography 2014. Interesting stuff....
Friday Squid Blogging: Bobtail Squid Photos
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
NEBULA: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NEBULA (S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: Dual Carrier System EGSM 900MHz UMTS 2100MHz CDMA2000 1900MHz Macro-class Base station 32+Km Range Optional Battery...
Decoding the Voynich Manuscript
The Voynich Manuscript has been partially decoded. This seems not to be a hoax. And the manuscript seems not to be a hoax, either. Here's the paper....
GENESIS: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GENESIS (S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments. (S//SI//REL) The GENESIS systems are designed...
Was the iOS SSL Flaw Deliberate?
Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
ENTOURAGE: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: ENTOURAGE (S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to complement the HOLLOWPOINT system and completes the ground based system. (S//SI) The ENTOURAGE application leverages the 4...
DDoSing a Cell Phone Network
Interesting research: Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel...
EBSR: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: EBSR (S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: LxT Model: 900/1800/1900MHz LxU Model: 850/1800/1900MHz Pico-class (1Watt) Base station Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS, & 802.11 Voice & High-speed...
Breaking Up the NSA
The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission -- protecting the security of U.S. communications and eavesdropping on the communications of our enemies -- has become unbalanced in the post-Cold War, all-terrorism-all-the-time era. Putting the U.S. Cyber Command, the military's cyberwar wing, in the same location and...
CYCLONE Hx9: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CYCLONE Hx9 (S//SI//FVEY) EGSM (900MGz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: EGSM 900MHz Macro-class (+43dBm) 32+Km Range Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS,...
New Results in Software Obfuscation
Amit Sahai and others have some new results in software obfuscation. The papers are here. An over-the top Wired.com story on the research is here. And Matthew Green has a great blog post explaining what's real and what's hype....
Friday Squid Blogging: Squid vs. Owlfish
This video is pretty fantastic: The narrator does a great job at explaining what's going on here, blow by gross blow, but here are the highlights: Black-eyed squid snares owlfish with its two tentacles, which are tipped with hooks and suckers, and reels it in. Black-eyed squid gnaws away at the owlfish's spinal cord using its very sharp beak. Owlfish...
CROSSBEAM: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CROSSBEAM (TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board. (TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information...
Co3 Systems at the RSA Conference
Co3 Systems is going to be at the RSA Conference. We don't have our own booth on the show floor, but there are four ways you can find us. Monday, we're at the Innovation Sandbox: 1:00-5:00 in Moscone North. At the conference, we're in the RSA Security booth. Go to the SecOps section of the booth and ask about us....
Building an Online Lie Detector
There's an interesting project to detect false rumors on the Internet. The EU-funded project aims to classify online rumours into four types: speculation -- such as whether interest rates might rise; controversy -- as over the MMR vaccine; misinformation, where something untrue is spread unwittingly; and disinformation, where it's done with malicious intent. The system will also automatically categorise sources...
Brian Krebs
Nice profile of Brian Krebs, cybersecurity journalist: Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called "Spam Nation," to be published by Sourcebooks this year. In...
CANDYGRAM: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CANDYGRAM (S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones. (S//SI//REL) Typical use...
RCS Spyware and Citizen Lab
Remote-Controlled System (RCS) is a piece of spyware sold exclusively to governments by a Milan company called Hacking Team. Recently, Citizen Lab found this spyware being used by the Ethiopian government against journalists, including American journalists. More recently, Citizen Lab mapped the software and who's using it: Hacking Team advertises that their RCS spyware is "untraceable" to a specific government...
TOTEGHOSTLY 2.0: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTEGHOSTLY 2.0 (TS//SI//REL) TOTEGHOSTLY 2.0 is STRAITBIZARRE based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile...
TOTECHASER: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTECHASER (TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520 handset. The Thuraya is a dual mode phone that can operate either in SAT or GSM modes. The phone also supports a GPRS data connection for Web browsing, e-mail, and MMS messages. The initial software implant...
What Information Are Stun Guns Recording?
In a story about a stolen Stradivarius violin, there's this: Information from a stun gun company, an anonymous tip and hours of surveillance paved the way for authorities to find a stolen 300-year-old Stradivarius violin in the attic of a Milwaukee home, police said Thursday. [...] Taser International, the maker of the stun gun used in the attack, "provided invaluable...
PICASSO: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PICASSO (S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target. (S//SI) Target Data via SMS: Incoming call numbers Outgoing call numbers Recently...
US Infosec Researchers Against NSA Surveillance
I signed an open letter from US researchers in cryptography and information security on NSA surveillance. It has received a lot of media coverage....
Who Should Store NSA Surveillance Data
One of the recommendations by the president's Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you're counting—is that the government should not collect and store telephone metadata. Instead, a private company -- either the phone companies themselves or some other third party -- should store the metadata and provide it to the government...
Friday Squid Blogging: Giant Squid TED Talk
Interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
MONKEYCALENDAR: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MONKEYCALENDAR (TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM cards (Phase 2+) have...
My Talk on the NSA
Earlier this month, I gave a talk about the NSA at MIT. The video is available. ETA: The video doesn't display on some Firefox browsers. If you have trouble, try a different browser....
The Insecurity of Secret IT Systems
We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week. It's worse than you might have expected: It runs on...
GOPHERSET: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GOPHERSET (TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM...
Finding People's Location Based on Their Activities in Cyberspace
Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone. Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional...
DROPOUTJEEP: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: DROPOUTJEEP (TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular...
SURLYSPAWN: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SURLYSPAWN (TS//SI//REL TO USA,FVEY) Data RF retro-reflector. Provides return modulated with target data (keyboard, low data rate digital device) when illuminated with radar. (U) Capabilities(TS//SI//REL TO USA,FVEY) SURLYSPAWN has the capability to gather keystrokes without requiring any software running on the targeted system. It also only requires that...
DRM and the Law
Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that. Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security...
"The Mask" Espionage Malware
We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs: The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the Middle East and Europe to Africa and the Americas. The...
WISTFULTOLL: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: WISTFULTOLL (TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZARRE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions. (TS//SI//REL) This plug-in supports systems running Microsoft Windows 2000, 2003, and XP. (TS//SI//REL) Through remote access or interdiction, WISTFULTOLL is...
NSA/GCHQ Accused of Hacking Belgian Cryptographer
There has been a lot of news about Belgian cryptographer Jean-Jacques Quisquater having his computer hacked, and whether the NSA or GCHQ is to blame. It's a lot of assumptions and hyperbole, mostly related to the GCHQ attack against the Belgian telecom operator Belgacom. I'm skeptical. Not about the attack, but about the NSA's or GCHQ's involvement. I don't think...
Friday Squid Blogging: Radioactive Giant Squid Washes Ashore in California
Uh oh. And the real story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
TRINITY: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TRINITY (TS//SI//REL) TRINITY is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) TRINITY uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...
Another Fake NSA Codename Generator
Generate your own fake TAO implant. This is even more fun than the fake NSA program generator. Sadly, the NSA will probably use these to help develop their R&D roadmap....
SWAP: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SWAP (TS//SI//REL) SWAP provides software application persistence by exploiting the motherboard BIOS and the hard drive's Host Protected Area to gain periodic execution before the Operating System loads. (TS//SI//REL) This technique supports single or multi-processor systems running Windows, Linux, FreeBSD, or Solaris with the following file systems: FAT32,...
Dispute Resolution Systems for Security Protocols
Interesting paper by Steven J. Murdoch and Ross Anderson in this year's Financial Cryptography conference: "Security Protocols and Evidence: Where Many Payment Systems Fail." Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol -- the dominant card...
SOMBERKNAVE: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SOMBERKNAVE (TS//SI//REL) SOMBERKNAVE is a Windows XP wireless software implant that provides covert internet connectivity for isolated targets. (TS//SI//REL) SOMBERKNAVE is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network via an unused embedded 802.11 network device. If an Internet-connected wireless Access...
1971 Social Engineering Attack
From Betty Medsger's book on the 1971 FBI burglary (page 22): As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked....
MAESTRO-II: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MAESTRO-II (TS//SI//REL) MAESTRO-II is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) MAESTRO-II uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...
Hacking Airline Lounges for Free Meals
I think this is a great hack: A man bought a first-class ticket and used it to have free meals and drinks at the airport's VIP lounge almost every day for nearly a year, Kwong Wah Yit Poh reported. The itinerary for the ticket was found to have been changed more than 300 times within a year, and the owner...
JUNIORMINT: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: JUNIORMINT (TS//SI//REL) JUNIORMINT is a digital core packaged in both a mini Printed circuit Board (PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to be used in implants with size constraining concealments. (TS//SI//REL) JUNIORMINT uses the TAO standard implant architecture. The architecture...
CSEC Surveillance Analysis of IP and User Data
The most recent story from the Snowden documents is from Canada: it claims the CSEC (Communications Security Establishment Canada) used airport Wi-Fi information to track travelers. That's not really true. What the top-secret presentation shows is a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using...
Friday Squid Blogging: Squid T-Shirt
A T-shirt with a drawing of a squid reading. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
IRATEMONK: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: IRATEMONK (TS//SI//REL) IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution. (TS//SI//REL) This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung...
Another Credit-Card-as-Authentication Hack
This is a pretty impressive social engineering story: an attacker compromised someone's GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It's a complicated attack. My claim was refused because I am not the "current registrant." GoDaddy asked the attacker if it was ok to change account information, while they didn't bother asking me...
HOWLERMONKEY: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: HOWLERMONKEY (TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant. (TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB...
Side-Channel Attacks on Frog Calls
The male túngara frog Physalaemus pustulosus uses calls to attract females. But croaking also causes ripples in the water, which are eavesdropped on -- both by rival male frogs and frog-eating bats....
Catalog of Snowden Revelations
This looks to be very good. Add that to these three indexes of NSA source material, and these two summaries. This excellent parody website has a good collection of all the leaks, too....
GINSU: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GINSU (TS//SI//REL) GINSU provides software application persistence for the CNE implant, KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER. (TS//SI//REL) This technique supports any desktop PC system that contains at least one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 2003, XP, or...
Trying to Value Online Privacy
Interesting paper: "The value of Online Privacy," by Scott Savage and Donald M. Waldman. Abstract: We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through "privacy permissions" to obtain the app and its...
The Politics of Fear
This is very good: ...one might suppose that modern democratic states, with the lessons of history at hand, would seek to minimize fear or at least minimize its effect on deliberative decision-making in both foreign and domestic policy. But today the opposite is frequently true. Even democracies founded in the principles of liberty and the common good often take...
TAWDRYYARD: NSA Exploit of the Day
Back in December, Der Spiegel published a lot of information about the NSA's Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software "implants." Because there were so many items in the catalog, the individual items didn't get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that. Today's item:...
US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance
Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board. Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this. What frustrates me about all of this...
EU Might Raise Fines for Data Breaches
This makes a lot of sense. Viviane Reding dismissed recent fines for Google as "pocket money" and said the firm would have had to pay $1bn under her plans for privacy failings. Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously. And she questioned how Google was able to take so long...
SPARROW II: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SPARROW II (TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards. (U//FOUO) System Specs Processor: IBM Power PC 405GPR Memory: 64MB (SDRAM), 16MB...
New Security Risks for Windows XP Systems
Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable. Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far? We have far to...
Friday Squid Blogging: Giant Squid Caught by Japanese Fisherman
It's big: 13 feet long. The fisherman was stunned to discover the giant squid trapped in his net, having been caught at a depth of around 70m, about two-thirds of a mile from the coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
PHOTOANGLO: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PHOTOANGLO (TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000. (U) Capabilities(TS//SI//REL TO USA,FVEY) The planned capabilities for this system are: Frequency range: 1 - 2 GHz, which will be later extended to 1 -...
Applied Cryptography Available Online
I'm sure this is a pirated copy. Looking at it, it's amazing how long ago twenty years was....
Income Inequality as a Security Issue
This is an interesting way of characterizing income inequality as a security issue: ...growing inequality menaces vigorous societies. It is a proxy for how effectively an elite has constructed institutions that extract value from the rest of society. Professor Sam Bowles, also part of the INET network, goes further. He argues that inequality pulls production away from value creation to...
NIGHTWATCH: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTWATCH (TS//SI//REL TO USA,FVEY) NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced) VAGRANT signals. (U) Capability Summary (TS//SI//REL TO USA,FVEY) The current implementation of NIGHTWATCH consists of a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock...
Consumer Manipulation
Tim Harford talks about consumer manipulation: Consider, first, confusion by design: Las Vegas casinos are mazes, carefully crafted to draw players to the slot machines and to keep them there. Casino designers warn against the "yellow brick road" effect of having a clear route through the casino. (One side effect: it takes paramedics a long time to find gamblers in...
NIGHTSTAND: NSA Exploit of the Day
Today's device from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTSTAND (TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible. (TS//SI//REL) NIGHTSTAND - Close Access Operations: Battlefield Tested; Windows Exploitation; Standalone...
Refrigerator Sending Spam Messages?
Coming barely weeks after my essay on the security risks from embedded systems, the Proofpoint report of a spam-sending refrigerator was just too good to be true. I was skeptical, so I didn't blog it. Now Ars Technica has a good analysis of the report, and is also skeptical. In any case: it could happen, and sooner or later it...
Questioning the Efficacy of NSA's Bulk-Collection Programs
Two reports have recently been published questioning the efficacy of the NSA's bulk-collection programs. The first one is from the left-leaning New American Foundation (report here, and one-page tabular summary here). However, our review of the government's claims about the role that NSA bulk surveillance of phone and email communications records has had in keeping the United States safe from...
LOUDAUTO: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: LOUDAUTO (TS//SI//REL TO USA,FVEY) Audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing. (U) Capabilities (TS//SI//REL TO USA,FVEY) LOUDAUTO's current design maximizes the gain of the microphone. This makes it extremely useful for picking up room audio. It can pick up speech at...
Adware Vendors Buy and Abuse Chrome Extensions
This is not a good development: To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is...
CTX4000: NSA Exploit of the Day
Today's device -- this one isn't an implant -- from the NSA's Tailored Access Operations (TAO) group implant catalog: CTX4000 (TS//SI//REL TO USA,FVEY) The CTX4000 is a portable continuous wave (CW) radar unit. It can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection. (TS//SI//REL TO USA,FVEY) The CTX4000...
DDOS Attacks Using NTP
This is new: The NTP method first began to appear late last year. To bring down a server such as one running "League of Legends," the attackers trick NTP servers into thinking they've been queried by the "League of Legends" server. The NTP servers, thinking they're responding to a legitimate query, message the "League of Legends" server, overloading it with...
Friday Squid Blogging: Camouflage in Squid Eyes
Interesting research: Cephalopods possess a sophisticated array of mechanisms to achieve camouflage in dynamic underwater environments. While active mechanisms such as chromatophore patterning and body posturing are well known, passive mechanisms such as manipulating light with highly evolved reflectors may also play an important role. To explore the contribution of passive mechanisms to cephalopod camouflage, we investigated the optical and...
PowerLocker uses Blowfish
There's a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish: PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single...
STUCCOMONTANA: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: STUCCOMONTANA (TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...
NSA Collects Hundreds of Millions of Text Messages Daily
No surprise here. Although we do get some new codenames: DISHFIRE: The NSA's program to collect text messages and text-message metadata. PREFER: The NSA's program to perform automatic analysis on the text-message data and metadata. The documents talk about not just collecting chatty text messages, but VCards, SIM card changes, missed calls, roaming information indicating border crossings, travel itineraries, and financial transactions....
SIERRAMONTANA: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SIERRAMONTANA (TS//SI//REL) SIERRAMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...
Today I Briefed Congress on the NSA
This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlatte, Rep. Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn't forthcoming about their activities, and they wanted...
Edward Elgar's Ciphers
Elgar's cryptography puzzles from the late 1890s....
Cell Phone Tracking by Non-State Actors
This is interesting: Adding credence to the theory that Brooklyn landlord Menachem Stark was kidnapped and murdered by professionals, a law enforcement source tells the Post that the NYPD found a cell phone attached to the bottom of his car, which could have been used to track his movements. This is interesting. Presumably the criminals installed one of those "track...
SCHOOLMONTANA: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SCHOOLMONTANA (TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...
The Changing Cost of Surveillance
From Ashkan Soltani's blog post: The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled "Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones." In it, we discuss the drastic reduction in the cost of tracking an...
HEADWATER: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HEADWATER (TS//SI//REL) HEADWATER is a Persistent Backdoor (PDB) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection. (TS//SI//REL) HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by...
Debunking the "NSA Mass Surveillance Could Have Stopped 9/11" Myth
It's something that we're hearing a lot, both from NSA Director General Keith Alexander and others: the NSA's mass surveillance programs could have stopped 9/11. It's not true, and recently two people have published good essays debunking this claim. The first is from Lawrence Wright, who wrote the best book (The Looming Tower) on the lead-up to 9/11: Judge Pauley...
SOUFFLETROUGH: NSA Exploit of the Day
One of the top secret NSA documents published by Der Spiegel is a 50-page catalog of "implants" from the NSA's Tailored Access Group. Because the individual implants are so varied and we saw so many at once, most of them were never discussed in the security community. (Also, the pages were PDFs, which makes them harder to index and search.)...
How the NSA Threatens National Security
Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President's Review Group has just released its report and recommendations. With all this going on, it's easy to become inured to the breadth and depth of the NSA's activities. But through the...
Friday Squid Blogging: Squid New Year
Happy squid new year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
1971 FBI Burglary
Interesting story: ...burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside. They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive...
JETPLOW: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: JETPLOW (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE software implant. JETPLOW also has a persistent back-door capability. (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls....
Security Risks of Embedded Systems
We're at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself -- as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there's no good way to patch them. It's not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching...
HALLUXWATER: NSA Exploit of the Day
Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HALLUXWATER (TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine. Once installed,...
The Failure of Privacy Notices and Consumer Choice
Paper from First Monday: "Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy." Abstract: The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the...
Twitter Users: Please Make Sure You're Following the Right Feed
I have an official Twitter feed of my blog; it's @schneierblog. There's also an unofficial feed at @Bruce_Schneier. I have nothing to do with that one. I wouldn't mind the unofficial feed -- if people are reading my blog, who cares -- except that it isn't working right, and hasn't been for some time. It publishes some posts weeks late...
GOURMETTROUGH: NSA Exploit of the Day
Continuing our walk through the NSA's Tailored Access Operations (TAO) group implant catalog: GOURMETTROUGH (TS//SI//REL) GOURMETTROUGH is a user configurable implant for certain Juniper firewalls. It persists DNT's BANANAGLEE implant across reboots and OS upgrades. For some platforms, it supports a minimal implant with beaconing for OS's unsupported by BANANAGLEE. (TS//SI//REL) For supported platforms, DNT may configure without ANT involvement....
Matt Blaze on TAO's Methods
Matt Blaze makes a point that I have been saying for a while now: Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less...
FEEDTROUGH: NSA Exploit of the Day
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: FEEDTROUGH (TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT's BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen firewalls. (TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or BANANAGLEE across reboots and software upgrades on known and covered OS's for the following Netscreen firewalls,...
I've Joined Co3 Systems
For decades, I've said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now,...
NSA Documents from the Spiegel Story
There are more source documents from the recent Spiegel story on the NSA than I realized. Here is what I think is the complete list: "Tailored Access Operations" presentation, 14 pages. Lots of information about QUANTUM. "NSA QUANTUM Tasking Techniques for the R&T Analyst" presentation, 28 pages. Includes details about MARINA. "Getting Close to the Adversary: Forward-based Defense with QFIRE"...
NSA Exploit of the Day: IRONCHEF
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is IRONCHEF: IRONCHEF (TS//SI//REL) IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication. (TS//SI//REL) This technique supports the HP Proliant 380DL G6 server, onto which a hardware implant...
Cost/Benefit Analysis of NSA's 215 Metadata Collection Program
It has amazed me that the NSA doesn't seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....
NSA Exploit of the Day: DEITYBOUNCE
Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...
"Military Style" Raid on California Power Station
I don't know what to think about this: Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service...
More about the NSA's Tailored Access Operations Unit
Der Spiegel has a good article on the NSA's Tailored Access Operations unit: basically, its hackers. The article also has more details on how QUANTUM -- particularly, QUANTUMINSERT -- works. Another article discusses the various tools TAO has at its disposal. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its...
Joseph Stiglitz on Trust
Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in today's society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...
Friday Squid Blogging: Kim Jong Un Tours Frozen Squid Factory
Frozen squid makes him happy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Operation Vula
"Talking to Vula" is the story of a 1980s secret communications channel between black South African leaders and others living in exile in the UK. The system used encrypted text encoded into DTMF "touch tones" and transmitted from pay phones. Our next project was one that led to the breakthrough we had been waiting for. We had received a request,...
Report on Syrian Malware
Fascinating report from Citizen Lab on the use of malware in the current Syrian conflict (EFF summary and Wired article)....
NSA Spying: Who Do You Believe?
On Friday, Reuters reported that RSA entered a secret contract to make DUAL_EC_PRNG the default random number generator in the BSAFE toolkit. DUAL_EC_PRNG is now known to be back-doored by the NSA. Yesterday, RSA denied it: Recent press coverage has asserted that RSA entered into a secret contract with the NSA to incorporate a known flawed random number generator into...
Friday Squid Blogging: "What Does the Squid Say?"
Minecraft parody. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Yes, I'm Leaving BT
The Register reported that I am leaving BT at the end of the year. It quoted BT as saying: We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has...
Eben Moglen and I Talk about the NSA
Last week, Eben Moglen and I had a conversation about NSA surveillance. Audio and video are online....
Acoustic Cryptanalysis
This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...
Tor User Identified by FBI
Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed...
Security Vulnerabilities of Legacy Code
An interesting research paper documents a "honeymoon effect" when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It's a few years old, but I haven't seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: "Familiarity Breeds Contempt: The Honeymoon Effect and...
Attacking Online Poker Players
This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...
Friday Squid Blogging: Squid Bow Tie
Snappy-looking bow tie. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
President Obama and the Intelligence Community
Really good article from the New Yorker....
World War II Anecdote about Trust and Security
This is an interesting story from World War II about trust: Jones notes that the Germans doubted their system because they knew the British could radio false orders to the German bombers with no trouble. As Jones recalls, "In fact we did not do this, but it seemed such an easy countermeasure that the German crews thought that we might,...
How the NSA Tracks Mobile Phone Data
Last week the Washington Post reported on how the NSA tracks mobile phones world-wide, and this week they followed up with source documents and more detail. Barton Gellman and Ashkan Soltani are doing some fantastic reporting on the Snowden NSA documents. I hope to be able to do the same again, once Pierre Omidyar's media venture gets up and running....
NSA Tracks People Using Google Cookies
The Washington Post has a detailed article on how the NSA uses cookie data to track individuals. The EFF also has a good post on this. I have been writing and saying that government surveillance largely piggybacks on corporate capabilities, and this is an example of that. The NSA doesn't need the cooperation of any Internet company to use...
NSA Spying on Online Gaming Worlds
The NSA is spying on chats in World of Warcraft and other games. There's lots of information -- and a good source document. While it's fun to joke about the NSA and elves and dwarves from World of Warcraft, this kind of surveillance makes perfect sense. If, as Dan Geer has pointed out, your assigned mission is to ensure that...
Bitcoin Explanation
This is the best explanation of the Bitcoin protocol that I have read....
Friday Squid Blogging: Hoax Squid-Like Creature
The weird squid-like creature floating around Bristol Harbour is a hoax. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
New Book: Carry On
I have a new book. It's Carry On: Sound Advice from Schneier on Security, and it's my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.) There's nothing in this book that hasn't been published before, and...
Bruce Schneier Facts T-Shirts
0-Day Clothing has taken 25 Bruce Schneier Facts and turned them into T-shirts just in time for Christmas....
Telepathwords: A New Password Strength Estimator
Telepathwords is a pretty clever research project that tries to evaluate password strength. It's different from normal strength meters, and I think better. Telepathwords tries to predict the next character of your passwords by using knowledge of: common passwords, such as those made public as a result of security breaches common phrases, such as those that appear frequently on web...
Heartwave Biometric
Here's a new biometric I know nothing about: The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods -- like fingerprint scanning and iris-/facial-recognition tech -- the system doesn't require the user to authenticate every time they want to unlock something. Because it's a wearable...
The Problem with EULAs
Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course. And to make it legal, it's part of the end-user license agreement (EULA): COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and...
Evading Airport Security
The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It's clever stuff. It's not new, though. People have been explaining how to evade airport security for years. Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick...
Keeping Track of All the Snowden Documents
As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying. None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the...
The TQP Patent
One of the things I do is expert witness work in patent litigations. Often, it's defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent...
How Antivirus Companies Handle State-Sponsored Malware
Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus...
Friday Squid Blogging: Squid Worm Discovered
This squid-like worm -- Teuthidodrilus samae -- is new to science. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
More on Stuxnet
Ralph Langner has written the definitive analysis of Stuxnet: short, popular version, and long, technical version. Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine -- the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But...
Tor Appliance
Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node....
The FBI Might Do More Domestic Surveillance than the NSA
This is a long article about the FBI's Data Intercept Technology Unit (DITU), which is basically its own internal NSA. It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies -- an operation that the NSA once conducted, was reprimanded for, and says it abandoned. [...] The...
US Working to Kill UN Resolutions to Limit International Surveillance
This story should get more publicity than it has....
Surveillance as a Business Model
Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on...
Friday Squid Blogging: Magnapinna Squid Photo
Neat photo. Video, too. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Rerouting Internet Traffic by Attacking BGP
Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details. The odds that the NSA is not doing this sort of thing are basically zero, but I'm sure that their activities are going to be harder to...
How to Avoid Getting Arrested
The tips are more psychological than security....
Fokirtor
Fokirtor is a Linux Trojan that exfiltrates traffic by inserting it into SSH connections. It looks very well-designed and -constructed....
Explaining and Speculating About QUANTUM
Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...
Friday Squid Blogging: Squid Fishermen Seen from Space
Cool photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Various Schneier Audio and Video Talks and Interviews
News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....
Security Tents
The US government sets up secure tents for the president and other officials to deal with classified material while traveling abroad. Even when Obama travels to allied nations, aides quickly set up the security tent -- which has opaque sides and noise-making devices inside -- in a room near his hotel suite. When the president needs to read a classified...
A Fraying of the Public/Private Surveillance Partnership
The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users' and customers' data. Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA asked you for copies of...
Microsoft Retiring SHA-1 in 2016
I think this is a good move on Microsoft's part: Microsoft is recommending that customers and CA's stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016. More news. SHA-1 isn't broken...
Another QUANTUMINSERT Attack Example
Der Spiegel is reporting that the GCHQ used QUANTUMINSERT to direct users to fake LinkedIn and Slashdot pages run by -- this code name is not in the article -- FOXACID servers. There's not a lot technically new in the article, but we do get some information about popularity and jargon. According to other secret documents, Quantum is an extremely...
Cryptographic Blunders Revealed by Adobe's Password Leak
Adobe lost 150 million customer passwords. Even worse, they had a pretty dumb cryptographic hash system protecting those passwords....
Bizarre Online Gambling Movie-Plot Threat
This article argues that online gambling is a strategic national threat because terrorists could use it to launder money. The Harper demonstration showed the technology and techniques that terror and crime organizations could use to operate untraceable money laundering built on a highly liquid legalized online poker industry -- just the environment that will result from the spread of poker...
Dan Geer Explains the Government Surveillance Mentality
This talk by Dan Geer explains the NSA mindset of "collect everything": I previously worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By "thorough" I mean the dictionary definition, "careful about doing something in an accurate and exact way." To this end, installing our product instrumented every system...
Friday Squid Blogging: Tree Yarn-Bombed
This tree in San Mateo, CA (http://www.thisiscolossal.com/2013/10/a-yarn-bombed-tree-squid/), has been turned into a giant blue squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Another Snowden Lesson: People Are the Weak Security Link
There's a story that Edward Snowden successfully socially engineered other NSA employees into giving him their passwords....
Why the Government Should Help Leakers
In the Information Age, it's easier than ever to steal and publish data. Corporations and governments have to adjust to their secrets being exposed, regularly. When massive amounts of government documents are leaked, journalists sift through them to determine which pieces of information are newsworthy, and confer with government agencies over what needs to be redacted. Managing this reality is...
Risk-Based Authentication
I like this idea of giving each individual login attempt a risk score, based on the characteristics of the attempt: The risk score estimates the risk associated with a log-in attempt based on a user's typical log-in and usage profile, taking into account their device and geographic location, the system they're trying to access, the time of day they typically...
Deception in Fruit Flies
The wings of the Goniurellia tridens fruit fly have images of an ant on them, to deceive predators: "When threatened, the fly flashes its wings to give the appearance of ants walking back and forth. The predator gets confused and the fly zips off." Click on the link to see the photo....
The Story of the Bomb Squad at the Boston Marathon
This is interesting reading, but I'm left wanting more. What are the lessons here? How can we do this better next time? Clearly we won't be able to anticipate bombings; even Israel can't do that. We have to get better at responding. Several years after 9/11, I conducted training with a military bomb unit charged with guarding Washington, DC. Our...
More NSA Revelations
This New York Times story on the NSA is very good, and contains lots of little tidbits of new information gleaned from the Snowden documents. The agency's Dishfire database -- nothing happens without a code word at the N.S.A. -- stores years of text messages from around the world, just in case. Its Tracfin collection accumulates gigabytes of credit card...
badBIOS
Good story of badBIOS, a really nasty piece of malware. The weirdest part is how it uses ultrasonic sound to jump air gaps. Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close...
Friday Squid Blogging: 8-Foot Giant Squid Pillow
Make your own 8-foot giant squid pillow. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
A Template for Reporting Government Surveillance News Stories
This is from 2006 -- I blogged it here -- but it's even more true today. Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens. "This program is a vital tool in...
Reading Group at Harvard Law School
In Spring Semester, I'm running a reading group -- which seems to be a formal variant of a study group -- at Harvard Law School on "Security, Power, and the Internet." I would like a good mix of people, so non-law students and non-Harvard students are both welcome to sign up....
Close-In Surveillance Using Your Phone's Wi-Fi
This article talks about applications in retail, but the possibilities are endless. Every smartphone these days comes equipped with a WiFi card. When the card is on and looking for networks to join, it's detectable by local routers. In your home, the router connects to your device, and then voila you have the Internet on your phone. But in...
NSA Eavesdropping on Google and Yahoo Networks
The Washington Post reported that the NSA is eavesdropping on the Google and Yahoo private networks -- the code name for the program is MUSCULAR. I may write more about this later, but I have some initial comments: It's a measure of how far off the rails the NSA has gone that it's taking its Cold War-era eavesdropping tactics --...
The Battle for Power on the Internet
We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently,...
What the NSA Can and Cannot Do
Good summary from the London Review of Books....
Arguing for NSA-Level Internet Surveillance
Jack Goldsmith argues that we need the NSA to surveil the Internet not for terrorism reasons, but for cyberespionage and cybercrime reasons. Daniel Gallington argues -- the headline has nothing to do with the content -- that the balance between surveillance and privacy is about right....
Understanding the Threats in Cyberspace
The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved. The list...
US Government Monitoring Public Internet in Real Time
Here's a demonstration of the US government's capabilities to monitor the public Internet. Former CIA and NSA Director Michael Hayden was on the Acela train between New York and Washington DC, taking press interviews on the phone. Someone nearby overheard the conversation, and started tweeting about it. Within 15 or so minutes, someone somewhere noticed the tweets, and informed someone...
Friday Squid Blogging: Dynamic Biophotonics in Squid
Female squid exhibit sexually dimorphic tunable leucophores and iridocytes. Just so you know. Here's the story in more accessible language. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Book Review: Cyber War Will Not Take Place
Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013. Cyber war is possibly the most dangerous buzzword of the Internet era. The fear-inducing rhetoric surrounding it is being used to justify major changes in the way the Internet is organized, governed, and constructed. And in Cyber War Will Not Take Place, Thomas Rid convincingly argues that cyber...
Cognitive Biases About Violence as a Negotiating Tactic
Interesting paper: Max Abrahms, "The Credibility Paradox: Violence as a Double-Edged Sword in International Politics," International Studies Quarterly, 2013: Abstract: Implicit in the rationalist literature on bargaining over the last half-century is the political utility of violence. Given our anarchical international system populated with egoistic actors, violence is thought to promote concessions by lending credibility to their threats. From the...
DARPA Contest for Fully-Automated Network Defense
DARPA is looking for a fully-automated network defense system: What if computers had a "check engine" light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen? To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) -- the first-ever...
Code Names for NSA Exploit Tools
This is from a Snowden document released by Le Monde: General Term Descriptions: HIGHLANDS: Collection from Implants VAGRANT: Collection of Computer Screens MAGNETIC: Sensor Collection of Magnetic Emanations MINERALIZE: Collection from LAN Implant OCEAN: Optical Collection System for Raster-Based Computer Screens LIFESAFER: Imaging of the Hard Drive GENIE: Multi-stage operation: jumping the airgap etc. BLACKHEART: Collection from an FBI Implant...
Dry Ice Bombs at LAX
The news story about the guy who left dry ice bombs in restricted areas of LAX is really weird. I can't get worked up over it, though. Dry ice bombs are a harmless prank. I set off a bunch of them when I was in college, although I used liquid nitrogen, because I was impatient -- and they're harmless. I...
Can I Be Trusted?
SlashDot asks the question: I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that...
Defending Against Crypto Backdoors
We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...
The Trajectories of Government and Corporate Surveillance
Historically, surveillance was difficult and expensive. Over the decades, as technology advanced, surveillance became easier and easier. Today, we find ourselves in a world of ubiquitous surveillance, where everything is collected, saved, searched, correlated and analyzed. But while technology allowed for an increase in both corporate and government surveillance, the private and public sectors took very different paths to get...
Friday Squid Blogging: Fiona Apple Wears a Squid as a Hat in New Video
Even I think this is weird....
D-Link Router Backdoor
Several versions of D-Link router firmware contain a backdoor. Just set the browser's user agent string to "xmlset_roodkcableoj28840ybtide," and you're in. (Hint, remove the number and read it backwards.) It was probably put there for debugging purposes, but has all sorts of applications for surveillance. Good article on the subject....
Identifying Cell Phones Through Sensor Imperfections
There seems to be a bunch of research into uniquely identifying cell phones through unique analog characteristics of the various embedded sensors. These sorts of things could replace cookies as surveillance tools. Slashdot and MetaFilter threads....
"A Court Order Is an Insider Attack"
Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack: To see why, consider two companies, which we'll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party -- in this case, the government. Meanwhile, over at Guavabit,...
SecureDrop
SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code. I participated in...
iPhone Sensor Surveillance
The new iPhone has a motion sensor chip, and that opens up new opportunities for surveillance: The M7 coprocessors introduce functionality that some may instinctively identify as "creepy." Even Apple's own description hints at eerie omniscience: "M7 knows when you're walking, running, or even driving..." While it's quietly implemented within iOS, it's not secret for third party apps (which require...
NSA Harvesting Contact Lists
A new Snowden document shows that the NSA is harvesting contact lists -- e-mail address books, IM buddy lists, etc. -- from Google, Yahoo, Microsoft, Facebook, and others. Unlike PRISM, this unnamed program collects the data from the Internet. This is similar to how the NSA identifies Tor users. They get direct access to the Internet backbone, either through...
New Secure Smart Phone App
It's hard not to poke fun at this press release for Safeslinger, a new cell phone security app from Carnegie Mellon. "SafeSlinger provides you with the confidence that the person you are communicating with is actually the person they have represented themselves to be," said Michael W. Farb, a research programmer at Carnegie Mellon CyLab. "The most important feature is...
Massive MIMO Cryptosystem
New paper: "Physical-Layer Cryptography Through Massive MIMO." Abstract: We propose the new technique of physical-layer cryptography based on using a massive MIMO channel as a key between the sender and desired receiver, which need not be secret. The goal is for low-complexity encoding and decoding by the desired transmitter-receiver pair, whereas decoding by an eavesdropper is hard in terms of...
Insecurities in the Linux /dev/random
New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust," by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...
Fingerprinting Burner Phones
In one of the documents recently released by the NSA as a result of an EFF lawsuit, there's discussion of a specific capability of a call records database to identify disposable "burner" phones. Let's consider, then, the very specific data this query tool was designed to return: The times and dates of the first and last call events, but apparently...
Friday Squid Blogging: 30-Foot Giant Squid Washes Ashore
A 30-foot-long giant squid has washed ashore in Cantabria, Spain. It died at sea, with a broken tentacle. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Stuff I Say
It's a Tumblr feed. Right now there are only six posts, all a year old. Presumably that will change soon. To clarify: I have nothing to do with the feed, and anyone can post stuff to it....
New Low in Election Fraud
Azerbaijan achieves a new low in voter fraud. The government accidentally published the results of the election before the polls opened. The mistake came when an electoral commission accidentally published results showing a victory for Ilham Aliyev, the country's long-standing President, a day before voting. Meydan TV, an online channel critical of the government, released a screenshot from a mobile...
Air Gaps
Since I started working with Snowden's documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible. I also recommended using an air gap, which physically isolates a computer or local network of computers from the...
Breaking Taiwan's Digital ID
There's a serious random-number generation flaw in the cryptographic systems used to protect the Taiwanese digital ID. Article and paper....
A New Postal Privacy Product
The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless. Here are a bunch of documents. I honestly have no idea what's going on. It seems...
The NSA's New Risk Analysis
As I recently reported in the Guardian, the NSA has secret servers on the Internet that hack into other computers, codename FOXACID. These servers provide an excellent demonstration of how the NSA approaches risk management, and exposes flaws in how the agency thinks about the secrecy of its own programs. Here are the FOXACID basics: By the time the NSA...
Me on Surveillance
This is a video of me talking about surveillance and privacy, both relating to the NSA and more generally....
Why It's Important to Publish the NSA Programs
The Guardian recently reported on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the Internet to attack individual computers. This builds on a Brazilian news story from mid-September that, in part, shows that the NSA is impersonating Google servers to users; a German story on how the NSA is hacking...
Silk Road Author Arrested Due to Bad Operational Security
Details of how the FBI found the administrator of Silk Road, a popular black market e-commerce site. Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised he was looking for an "IT pro...
How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID
The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world. According to a...
Friday Squid Blogging: Squid Exhibit at the Monterey Bay Aquarium
Opens spring 2014. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
"Trust the Math"
I like this piece of art. Someone should do T-shirts....
Developments in Microphone Technology
What's interesting is that this matchstick-sized microphone can be attached to drones. Conventional microphones work when sound waves make a diaphragm move, creating an electrical signal. Microflown's sensor has no moving parts. It consists of two parallel platinum strips, each just 200 nanometres deep, that are heated to 200° C. Air molecules flowing across the strips cause temperature differences between...
Is Cybersecurity a Profession?
A National Academy of Sciences panel says no: Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification, have their disadvantages too. For example, formal education or certification could be helpful to...
On Anonymous
Gabriella Coleman has published an interesting analysis of the hacker group Anonymous: Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been...
On Secrecy
"When everything is classified, then nothing is classified." I should suppose that moral, political, and practical considerations would dictate that a very first principle of that wisdom would be an insistence upon avoiding secrecy for its own sake. For when everything is classified, then nothing is classified, and the system becomes one to be disregarded by the cynical or the...
My TEDx Talk
I spoke at TEDxCambridge last month on security and power. Here's the video....
NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody
Two new stories based on the Snowden documents. This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying "Project X doesn't do that," knowing full well that Projects Y and...
Will Keccak = SHA-3?
Last year, NIST selected Keccak as the winner of the SHA-3 hash function competition. Yes, I would have rather my own Skein had won, but it was a good choice. But last August, John Kelsey announced some changes to Keccak in a talk (slides 44-48 are relevant). Basically, the security levels were reduced and some internal changes to the algorithm...
WhoIs Privacy and Proxy Service Abuse
ICANN has a draft study that looks at abuse of the Whois database. This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore,...
Senator Feinstein Admits the NSA Taps the Internet Backbone
We know from the Snowden documents (and other sources) that the NSA taps the Internet backbone through secret agreements with major U.S. telcos, but the U.S. government still hasn't admitted it. In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads: The term 'upstream collection' refers to NSA's interception of Internet communications as they...
Friday Squid Blogging: A Squid that Fishes
The Grimalditeuthis bonplandi is the only known squid to use its tentacles to fish: Its tentacles are thin and fragile, and almost always break off when it's captured. For ages, people thought it lacked tentacles altogether until a full specimen was found in the stomach of a fish. Weirder still, its clubs have neither suckers nor hooks. Instead, they are...
Another Schneier Interview
I was interviewed for Technology Review on the NSA and the Snowden documents....
3D-Printed Robot to Break Android PINs
Neat project. The reason it works is that the Android system doesn't start putting in very long delays between PIN attempts after a whole bunch of unsuccessful attempts. The iPhone does....
Paradoxes of Big Data
Interesting paper: "Three Paradoxes of Big Data," by Neil M. Richards and Jonathan H. King, Stanford Law Review Online, 2013. Abstract: Big data is all the rage. Its proponents tout the use of sophisticated analytics to mine large data sets for insight as the solution to many of our society's problems. These big data evangelists insist that data-driven decisionmaking can...
Good Summary of Potential NSA Involvement in a NIST RNG Standard
Kim Zetter has written the definitive story -- at least so far -- of the possible backdoor in the Dual_EC_DRBG random number generator that's part of the NIST SP800-90 standard....
Apple's iPhone Fingerprint Reader Successfully Hacked
Nice hack from the Chaos Computer Club: The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner...
NSA Job Opening
The NSA is looking for a Civil Liberties & Privacy Officer. It appears to be an internal posting. The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA's existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to...
Metadata Equals Surveillance
Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata. Lots and lots of people effectively demolished that trivialization,...
Friday Squid Blogging: How Bacteria Terraform a Squid
Fascinating: The bacterium Vibrio fischeri is a squid terraformer. Although it can live independently in seawater, it also colonises the body of the adorable Hawaiian bobtail squid. The squid nourishes the bacteria with nutrients and the bacteria, in turn, act as an invisibility cloak. They produce a dim light that matches the moonlight shining down from above, masking the squid's...
Legally Justifying NSA Surveillance of Americans
Kit Walsh has an interesting blog post where he looks at how existing law can be used to justify the surveillance of Americans. Just to challenge ourselves, we'll ignore the several statutory provisions and other doctrines that allow for spying without court oversight, such as urgent collection, gathering information not considered protected by the Fourth Amendment, the wartime spying provision,...
Google Knows Every Wi-Fi Password in the World
This article points out that as people are logging into Wi-Fi networks from their Android phones, and backing up those passwords along with everything else into Google's cloud, that Google is amassing an enormous database of the world's Wi-Fi passwords. And while it's not every Wi-Fi password in the world, it's almost certainly a large percentage of them. Leaving aside...
Yochai Benkler on the NSA
Excellent essay: We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations....
The Limitations of Intelligence
We recently learned that US intelligence agencies had at least three days' warning that Syrian President Bashar al-Assad was preparing to launch a chemical attack on his own people, but weren't able to stop it. At least that's what an intelligence briefing from the White House reveals. With the combined abilities of our national intelligence apparatus -- the CIA, NSA,...
Surreptitiously Tampering with Computer Chips
This is really interesting research: "Stealthy Dopant-Level Hardware Trojans." Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage will not be noticed on any visual reverse-engineering of the chip -- remove all the layers, generate the netlist-style reverse engineering, and so on. And it...
Tom Tomorrow from 1994
This was published during the battle about the Clipper Chip, and is remarkably prescient....
Reforming the NSA
Leaks from the whistleblower Edward Snowden have catapulted the NSA into newspaper headlines and demonstrated that it has become one of the most powerful government agencies in the country. From the secret court rulings that allow it to collect data on all Americans to its systematic subversion of the entire Internet as a surveillance platform, the NSA has amassed an enormous...
Take Back the Internet
Government and industry have betrayed the Internet, and us. By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our Internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our...
How to Remain Secure Against the NSA
Now that we have enough details about how the NSA eavesdrops on the Internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves. For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided...
Friday Squid Blogging: Squid Fishing in the Cook Islands
Diamondback squid could be a source of food. No word on taste. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
New NSA Leak Shows MITM Attacks Against Major Internet Services
The Brazilian television show "Fantastico" has exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I'm more interested in the tactical details. The video on the webpage is long, and includes what...
Did I Actually Say That?
I'm quoted (also here) as using this analogy to explain how IT companies will be damaged by the news that they've been collaborating with the NSA: "How would it be if your doctor put rat poison in your medicine? Highly damaging," said Bruce Schneier, a US computer security expert. Not the most eloquent I've been recently. Clearly I need to...
Ed Felten on the NSA Disclosures
Ed Felten has an excellent essay on the damage caused by the NSA secretly breaking the security of Internet systems: In security, the worst case -- the thing you most want to avoid -- is thinking you are secure when you're not. And that's exactly what the NSA seems to be trying to perpetuate. Suppose you're driving a car that...
Matthew Green Speculates on How the NSA Defeats Encryption
This blog post is well worth reading, and not just because Johns Hopkins University asked him to remove it, and then backed down a few hours later....
iPhone Fingerprint Authentication
When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could...
The TSA Is Legally Allowed to Lie to Us
The TSA does not have to tell the truth: Can the TSA (or local governments as directed by the TSA) lie in response to a FOIA request? Sure, no problem! Even the NSA responds that they "can't confirm or deny the existence" of classified things for which admitting or denying existence would (allegedly, of course) damage national security. But the...
Government Secrecy and the Generation Gap
Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence. Most of these people do not have access to as much information as Edward Snowden, the former National Security Agency contractor turned...
Excess Automobile Deaths as a Result of 9/11
People commented about a point I made in a recent essay: In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes. Yes, that's wrong. Where I said "months," I should have said "years." I got the...
My New PGP/GPG and OTR Keys
You can find my new PGP public key and my OTR key fingerprint here....
Friday Squid Blogging: Giant Squid Found Off the Coast of Spain
The incomplete specimen weighs over 160 lbs. And here's a map of squid spottings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Conspiracy Theories and the NSA
I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public...
The NSA's Cryptographic Capabilities
The latest Snowden document is the US intelligence "black budget." There's a lot of information in the few pages the Washington Post decided to publish, including an introduction by Director of National Intelligence James Clapper. In it, he drops a tantalizing hint: "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." Honestly, I'm...
The NSA Is Breaking Most Encryption on the Internet
The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics. It's joint reporting between the Guardian, the New York Times, and ProPublica. I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my...
The Effect of Money on Trust
Money reduces trust in small groups, but increases it in larger groups. Basically, the introduction of money allows society to scale. The team devised an experiment where subjects in small and large groups had the option to give gifts in exchange for tokens. They found that there was a social cost to introducing this incentive. When all tokens were "spent",...
Journal of Homeland Security and Emergency Management
I keep getting alerts of new issues, but there are rarely articles I find interesting....
Human/Machine Trust Failures
I jacked a visitor's badge from the Eisenhower Executive Office Building in Washington, DC, last month. The badges are electronic; they're enabled when you check in at building security. You're supposed to wear it on a chain around your neck at all times and drop it through a slot when you leave. I kept the badge. I used my body...
SHA-3 Status
NIST's John Kelsey gave an excellent talk on the history, status, and future of the SHA-3 hashing standard. The slides are online....
Business Opportunities in Cloud Security
Bessemer Venture Partners partner David Cowan has an interesting article on the opportunities for cloud security companies. Richard Stiennon, an industry analyst, has a similar article. And Zscaler comments on a 451 Research report on the cloud security business....
Syrian Electronic Army Cyberattacks
The Syrian Electronic Army attacked again this week, compromising the websites of the New York Times, Twitter, the Huffington Post, and others. Political hacking isn't new. Hackers were breaking into systems for political reasons long before commerce and criminals discovered the Internet. Over the years, we've seen U.K. vs. Ireland, Israel vs. Arab states, Russia vs. its former Soviet republics,...
Our Newfound Fear of Risk
We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well. They often don't provide the security they advertise, and -- paradoxically...
1983 Article on the NSA
The moral is that NSA surveillance overreach has been going on for a long, long time....
Friday Squid Blogging: Bobtail Squid Photo
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Opsec Details of Snowden Meeting with Greenwald and Poitras
I don't like stories about the personalities in the Snowden affair, because it detracts from the NSA and the policy issues. But I'm a sucker for operational security, and just have to post this detail from their first meeting in Hong Kong: Snowden had instructed them that once they were in Hong Kong, they were to go at an appointed...
More on the NSA Commandeering the Internet
If there's any confirmation that the U.S. government has commandeered the Internet for worldwide surveillance, it is what happened with Lavabit earlier this month. Lavabit is -- well, was -- an e-mail service that offered more privacy than the typical large-Internet-corporation services that most of us use. It was a small company, owned and operated by Ladar Levison, and it...
How Many Leakers Came Before Snowden?
Assume it's really true that the NSA has no idea what documents Snowden took, and that they wouldn't even know he'd taken anything if he hadn't gone public. The fact that abuses of their systems by NSA officers were largely discovered through self-reporting substantiates that belief. Given that, why should anyone believe that Snowden is the first person to walk...
The Federal Trade Commission and Privacy
New paper on the FTC and its actions to protect privacy: Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police...
Feds Target Polygraph-Beating Company
A company that teaches people how to beat lie detectors is under investigation....
Evading Internet Censorship
This research project by Brandon Wiley -- the tool is called "Dust" -- looks really interesting. Here's the description of his Defcon talk: Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses....
More on NSA Data Collection
There's an article from Wednesday's Wall Street Journal that gives more details about the NSA's data collection efforts. The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between...
Detaining David Miranda
Last Sunday, David Miranda was detained while changing planes at London Heathrow Airport by British authorities for nine hours under a controversial British law -- the maximum time allowable without making an arrest. There has been much made of the fact that he's the partner of Glenn Greenwald, the Guardian reporter whom Edward Snowden trusted with many of his NSA...
Protecting Against Leakers
Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization. The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people...
"The Next Generation Communications Privacy Act"
Orin Kerr envisions what the ECPA should look like today: Abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and...
Friday Squid Blogging: New Research in How Squids Change Color
Interesting: Structural colors rely exclusively on the density and shape of the material rather than its chemical properties. The latest research from the UCSB team shows that specialized cells in the squid skin called iridocytes contain deep pleats or invaginations of the cell membrane extending deep into the body of the cell. This creates layers or lamellae that operate as...
How Security Becomes Banal
Interesting paper: "The Banality of Security: The Curious Case of Surveillance Cameras," by Benjamin Goold, Ian Loader, and Angélica Thumala (full paper is behind a paywall). Abstract: Why do certain security goods become banal (while others do not)? Under what conditions does banality occur and with what effects? In this paper, we answer these questions by examining the story of...
Hacking Consumer Devices
Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children's bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child's father...
Susan Landau Article on the Snowden Documents
Really good article by Susan Landau on the Snowden documents and what they mean....
Measuring Entropy and its Applications to Encryption
There have been a bunch of articles about an information theory paper with vaguely sensational headlines like "Encryption is less secure than we thought" and "Research shakes crypto foundations." It's actually not that bad. Basically, the researchers argue that the traditional measurement of Shannon entropy isn't the right model to use for cryptography, and that minimum entropy is. This difference may...
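As an added illustration (not part of the original post or the paper), here is a small Go program that computes both quantities for a constructed distribution and shows where they disagree. Shannon entropy averages the surprise over every possible secret; min-entropy looks only at the single most likely one, which is what an attacker's best first guess exploits. The two distributions are made up for the demonstration: a uniform choice among 2^16 keys, and one where a single default key is chosen half the time with the other half spread over 2^16 alternatives. Shannon entropy rates the skewed case at 9 bits while min-entropy rates it at 1 bit, and one guess succeeds half the time.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// ShannonEntropy returns H(X) = -sum_i p_i * log2(p_i), in bits:
// the average surprise over the whole distribution.
func ShannonEntropy(p []float64) float64 {
	h := 0.0
	for _, pi := range p {
		if pi > 0 {
			h -= pi * math.Log2(pi)
		}
	}
	return h
}

// MinEntropy returns H_inf(X) = -log2(max_i p_i), in bits. Only the single
// most likely value matters, which is exactly what a best-first guesser uses.
func MinEntropy(p []float64) float64 {
	best := 0.0
	for _, pi := range p {
		if pi > best {
			best = pi
		}
	}
	return -math.Log2(best)
}

// GuessSuccess returns the probability that an attacker who tries values in
// decreasing order of likelihood has found the secret within g guesses.
func GuessSuccess(p []float64, g int) float64 {
	sorted := append([]float64(nil), p...)
	sort.Sort(sort.Reverse(sort.Float64Slice(sorted)))
	total := 0.0
	for i := 0; i < g && i < len(sorted); i++ {
		total += sorted[i]
	}
	return total
}

// Uniform is the ideal case: n equally likely secrets.
func Uniform(n int) []float64 {
	p := make([]float64, n)
	for i := range p {
		p[i] = 1 / float64(n)
	}
	return p
}

// Skewed is a constructed toy distribution: one secret (think of a default or
// predictable key) with probability head, the remaining mass spread evenly
// over tail other secrets.
func Skewed(head float64, tail int) []float64 {
	p := make([]float64, tail+1)
	p[0] = head
	for i := 1; i <= tail; i++ {
		p[i] = (1 - head) / float64(tail)
	}
	return p
}

func main() {
	cases := map[string][]float64{
		"uniform over 2^16 keys":   Uniform(1 << 16),
		"one key chosen half time": Skewed(0.5, 1<<16),
	}
	for name, p := range cases {
		fmt.Printf("%-26s Shannon=%5.2f bits  min-entropy=%5.2f bits  P[hit in 1 guess]=%.5f\n",
			name, ShannonEntropy(p), MinEntropy(p), GuessSuccess(p, 1))
	}
}
```

The uniform case is the only one where the two measures agree; whenever the distribution has a heavy head, Shannon entropy overstates the work an attacker actually faces, which is why min-entropy is the quantity to bound when you estimate key or password strength.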
Teens and Privacy
Not much surprising in this new survey. Many teens ages 12-17 report that they usually figure out how to manage content sharing and privacy settings on their own. Focus group interviews with teens suggest that for their day-to-day privacy management, teens are guided through their choices in the app or platform when they sign up, or find answers through their...
The Cryptopocalypse
There was a presentation at Black Hat last month warning us of a "factoring cryptopocalypse": a moment when factoring numbers and solving the discrete log problem become easy, and both RSA and DH break. This presentation was provocative, and has generated a lot of commentary, but I don't see any reason to worry. Yes, breaking modern public-key cryptosystems has gotten...
Friday Squid Blogging: Squid Ink as Food Coloring
Alton Brown suggests it for ice cream. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Wired Names "Schneier on Security" to Best Blog List
I made the list of Wired's best "Government and Security" blogs....
Management Issues in Terrorist Organizations
Terrorist organizations have the same management problems as other organizations, and new ones besides: Terrorist leaders also face a stubborn human resources problem: Their talent pool is inherently unstable. Terrorists are obliged to seek out recruits who are predisposed to violence -- that is to say, young men with a chip on their shoulder. Unsurprisingly, these recruits are not usually...
The NSA is Commandeering the Internet
It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way....
Time Magazine Names "Schneier on Security" to Best Blog List
My blog has made the Time magazine "The 25 Best Bloggers 2013 Edition" list. I can't believe this was published ten days ago, and I'm only just finding out about it. Aren't all you people supposed to be sending me links of things I might be interested in?...
Stories from MI5
This essay is filled with historical MI5 stories -- often bizarre, sometimes amusing. My favorite: It was recently revealed that back in the 1970s -- at the height of the obsession with traitors -- MI5 trained a specially bred group of Gerbils to detect spies. Gerbils have a very acute sense of smell and they were used in interrogations to tell...
Circumventing Communications Blackouts
Rangzen looks like a really interesting ad hoc mesh networking system to circumvent government-imposed communications blackouts. I am particularly interested in how it uses reputation to determine who can be trusted, while maintaining some level of anonymity. Academic paper: Abstract: A challenging problem in dissent networking is that of circumventing large-scale communication blackouts imposed by oppressive governments. Although prior work...
Book Review: Rise of the Warrior Cop
Rise of the Warrior Cop: The Militarization of America's Police Forces, by Radley Balko, PublicAffairs, 2013, 400 pages. War as a rhetorical concept is firmly embedded in American culture. Over the past several decades, federal and local law enforcement has been enlisted in a war on crime, a war on drugs and a war on terror. These wars are...
The 2013 Cryptologic History Symposium
The 2013 Cryptologic History Symposium, sponsored by the NSA, will be held at Johns Hopkins University this October....
NSA Increasing Security by Firing 90% of Its Sysadmins
General Keith Alexander thinks he can improve security by automating sysadmin duties such that 90% of them can be fired: Using technology to automate much of the work now done by employees and contractors would make the NSA's networks "more defensible and more secure," as well as faster, he said at the conference, in which he did not mention Snowden...
Security at Sports Stadiums
Lots of sports stadiums have instituted Draconian new rules. Here are the rules for St. Louis Rams games: Fans will be able to carry the following style and size bag, package, or container at stadium plaza areas, stadium gates, or when approaching queue lines of fans awaiting entry into the stadium: Bags that are clear plastic, vinyl or PVC and...
Friday Squid Blog: Rickshaw Cart Woodblock Print
With a squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Lavabit E-Mail Service Shut Down
Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage: I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I...
Latest Movie-Plot Threat: Explosive-Dipped Clothing
It's being reported, although there's no indication of where this rumor is coming from or what it's based on. ...the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry. "It's ingenious," one of the officials said. Another senior official said that the tactic would not be detected by current...
Twitter's Two-Factor Authentication System
Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor: The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter's server. When Twitter receives a new...
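An added sketch of the exchange such a design implies, written for this page and not Twitter's code. The excerpt establishes only that the phone generates an RSA-2048 keypair, keeps the private half, and uploads the public half at enrollment; everything else here is an assumption about how the remaining steps would be done: the server issues a random challenge bound to the username, the phone signs it with RSA-PSS over SHA-256 when the user approves, and the server verifies the signature under the enrolled public key and consumes the challenge so the same approval cannot be replayed. Both sides of the protocol are in one program so it runs offline.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Phone is the second factor. The private key is generated on the device
// and never leaves it; the server only ever sees the public key.
type Phone struct{ key *rsa.PrivateKey }

func NewPhone() (*Phone, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Phone{key: key}, nil
}

// PublicKey is what the app uploads at enrollment.
func (p *Phone) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }

// Approve is what the app does when the user taps "approve": it signs the
// server's challenge with the device key (RSA-PSS over SHA-256, an assumption).
func (p *Phone) Approve(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, p.key, crypto.SHA256, digest[:], nil)
}

// Server stores only enrolled public keys and the challenges it has issued.
type Server struct {
	pubkeys map[string]*rsa.PublicKey
	pending map[string][]byte // user -> outstanding challenge (one at a time, assumed)
}

func NewServer() *Server {
	return &Server{pubkeys: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.pubkeys[user] = pub }

// NewChallenge issues a fresh random nonce for one login attempt. The username
// is bound into the signed bytes so a signature obtained for one account
// cannot be presented for another.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.pubkeys[user]; !ok {
		return nil, errors.New("user not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	challenge := append([]byte("twofactor-login:"+user+":"), nonce...)
	s.pending[user] = challenge
	return challenge, nil
}

// VerifyApproval accepts the login only if the signature over an outstanding
// challenge verifies under the enrolled key. The challenge is consumed on
// success, so replaying the same approval fails.
func (s *Server) VerifyApproval(user string, challenge, sig []byte) bool {
	pub, ok := s.pubkeys[user]
	if !ok {
		return false
	}
	want, ok := s.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return false // unknown or already-used challenge
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return false
	}
	delete(s.pending, user)
	return true
}

func main() {
	phone, err := NewPhone()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", phone.PublicKey()) // enrollment: only the public key goes up
	ch, _ := srv.NewChallenge("alice")      // login attempt: server issues a challenge
	sig, _ := phone.Approve(ch)             // user taps approve; phone signs it
	fmt.Println("first approval accepted:   ", srv.VerifyApproval("alice", ch, sig))
	fmt.Println("replayed approval accepted:", srv.VerifyApproval("alice", ch, sig))
}
```

The property worth noticing is what the server does not hold: compromising its database yields public keys and spent nonces, nothing an attacker can use to approve a login, which is the advantage of this design over SMS codes or shared-secret TOTP seeds.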
Kip Hawley on Fixing the TSA
The further Kip Hawley has gotten from running the TSA, the more sense he has started to make. This is pretty good....
Restoring Trust in Government and the Internet
In July 2012, responding to allegations that the video-chat service Skype -- owned by Microsoft -- was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company's blog to deny it. Turns out that wasn't quite true. Or at least he -- or the company's lawyers --...
Has Tor Been Compromised?
There's speculation that the FBI is responsible for an exploit that compromised the Tor anonymity service. Note that Tor nodes installed or updated after June 26 are secure....
NSA Surveillance and Mission Creep
Last month, I wrote about the potential for mass surveillance mission creep: the tendency for the vast NSA surveillance apparatus to be used for other, lesser, crimes. My essay was theoretical, but it turns out to be already happening. Other agencies are already asking to use the NSA data: Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and...
The Public/Private Surveillance Partnership
Imagine the government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we all carry mobile phones. If the National Security Agency required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook. If the Federal Bureau of Investigation demanded copies...
Friday Squid Blogging: Squid Watch
I like watches with no numbers. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
XKeyscore
The Guardian discusses a new secret NSA program: XKeyscore. It's the desktop system that allows NSA agents to spy on anyone over the Internet in real time. It searches existing NSA databases -- presumably including PRISM -- and can create fingerprints to search for all future data collections from systems like TRAFFIC THIEF. This seems to be what Edward Snowden...
Cryptography Engineering Book Review
Good review of the strengths and weaknesses of Cryptography Engineering and Applied Cryptography. Best -- at least to me -- is the list of things missing, which we'll have to address if we do another edition....
False Positives and Ubiquitous Surveillance
Searching on Google for a pressure cooker and backpacks got one family investigated by the police. More stories and comments. This seems not to be the NSA eavesdropping on everyone's Internet traffic, as was first assumed. It was one of those "see something say something" amateur tips: Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based...
Economist Cyberwar Debate
Richard Bejtlich and Thomas Rid (author of the excellent book Cyber War Will Not Take Place) debate the cyberwar threat on the Economist website....
Scientists Banned from Revealing Details of Car-Security Hack
The UK has banned researchers from revealing details of security vulnerabilities in car locks. In 2008, Phillips brought a similar suit against researchers who broke the Mifare chip. That time, they lost. This time, Volkswagen sued and won. This is bad news for security researchers. (Remember back in 2001 when security researcher Ed Felten sued the RIAA in the US...
Brian Krebs Harassed
This is what happens when you're a security writer and you piss off the wrong people: they conspire to have heroin mailed to you, and then to tip off the police. And that's after they've called in a fake hostage situation....
Neighborhood Security: Feeling vs. Reality
Research on why some neighborhoods feel safer: Salesses and collaborators Katja Schechtner and César A. Hidalgo built an online comparison tool using Google Street View images to identify these often unseen triggers of our perception of place. Have enough people compare paired images of streets in New York or Boston, for instance, for the scenes that look more "safe" or...
Really Clever Bank Card Fraud
This is a really clever social engineering attack against a bank-card holder: It all started, according to the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That's the details of my last transaction taken care of. Sinister enough, the thought of being spied on while you're trying to...
Obama's Continuing War Against Leakers
The Obama Administration has a comprehensive "insider threat" program to detect leakers from within government. This is pre-Snowden. Not surprisingly, the combination of profiling and "see something, say something" is unlikely to work. In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues...
Friday Squid Blogging: Squid Song
It's "Sparky the Giant Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
NSA Cracked the Kryptos Sculpture Years Before the CIA Did
We interrupt this blog for some important inter-agency rivalry. The fourth part is still uncracked, though. Older links....
Secret Information Is More Trusted
This is an interesting, if slightly disturbing, result: In one experiment, we had subjects read two government policy papers from 1995, one from the State Department and the other from the National Security Council, concerning United States intervention to stop the sale of fighter jets between foreign countries. The documents, both of which were real papers released through the Freedom...
Details on NSA/FBI Eavesdropping
We're starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping: We had to facilitate them to set up a duplicate port to tap in to monitor that customer's traffic. It was a 2U (two-unit) PC that we ran a mirrored...
Poached Eggs
The story of people who poach and collect rare eggs, and the people who hunt them down. Securing wildlife against poachers is a difficult problem, especially when the defenders are poor countries with not a lot of resources....
Michael Hayden on the Effects of Snowden's Whistleblowing
Former NSA director Michael Hayden lists three effects of the Snowden documents: "...the undeniable operational effect of informing adversaries of American intelligence's tactics, techniques and procedures." "...the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law." "...the erosion of confidence in the ability of the United States to do anything discreetly or keep...
NSA Implements Two-Man Control for Sysadmins
In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins: NSA chief Keith Alexander said his agency had implemented a "two-man rule," under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it...
How the FISA Court Undermines Trust
This is a succinct explanation of how the secrecy of the FISA court undermines trust. Surveillance types make a distinction between secrecy of laws, secrecy of procedures and secrecy of operations. The expectation is that the laws that empower or limit the government's surveillance powers are always public. The programs built atop those laws are often secret. And the individual...
Marc Rotenberg on the NSA Supreme Court Suit
Marc Rotenberg of EPIC explains why he is suing the NSA in the Supreme Court. And USA Today has a back and forth on the topic....
Prosecuting Snowden
I generally don't like stories about Snowden as a person, because they distract from the real story of the NSA surveillance programs, but this article on the costs and benefits of the US government prosecuting Edward Snowden is worth reading....
Violence as a Source of Trust in Criminal Societies
This is interesting: If I know that you have committed a violent act, and you know that I have committed a violent act, we each have information on each other that we might threaten to use if relations go sour (Schelling notes that one of the most valuable rights in business relations is the right to be sued -- this...
Friday Squid Blogging: Paul Burke Giant Squid Sculpture
The wood sculpture is part of an art exhibit at the VanDusen Botanical Garden in Vancouver....
TSA Considering Implementing Randomized Security
For a change, here's a good idea by the TSA: TSA has just issued a Request for Information (RFI) to prospective vendors who could develop and supply such randomizers, which TSA expects to deploy at CAT X through CAT IV airports throughout the United States. "The Randomizers would be used to route passengers randomly to different checkpoint lines," says the...
Counterterrorism Mission Creep
One of the assurances I keep hearing about the U.S. government's spying on American citizens is that it's only used in cases of terrorism. Terrorism is, of course, an extraordinary crime, and its horrific nature is supposed to justify permitting all sorts of excesses to prevent it. But there's a problem with this line of reasoning: mission creep. The definitions...
PRISM Q&A
Mikko Hypponen and I answered questions about PRISM on the TED website....
Snowden's Dead Man's Switch
Edward Snowden has set up a dead man's switch. He's distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him. Dead man's switches have a long history, both for safety (the machinery automatically stops if the operator's hand goes slack) and security...
DHS Puts its Head in the Sand
On the subject of the recent Washington Post Snowden document, the DHS sent this e-mail out to at least some of its employees: From: xxxxx Sent: Thursday, July 11, 2013 10:28 AM To: xxxxx Cc: xxx Security Reps; xxx SSO; xxxx;xxxx Subject: //// SECURITY ADVISORY//// NEW WASHINGTON POST WEBPAGE ARTICLE -- DO NOT CLICK ON THIS LINK I have been...
Tapping Undersea Cables
Good article on the longstanding practice of secretly tapping undersea cables. This is news right now because of a new Snowden document....
The Value of Breaking the Law
Interesting essay on the impossibility of being entirely lawful all the time, the balance that results from the difficulty of law enforcement, and the societal value of being able to break the law. What's often overlooked, however, is that these legal victories would probably not have been possible without the ability to break the law. The state of Minnesota, for...
A Problem with the US Privacy and Civil Liberties Oversight Board
I haven't heard much about the Privacy and Civil Liberties Oversight Board. They recently held hearings regarding the Snowden documents. This particular comment stood out: Rachel Brand, another seemingly unsympathetic board member, concluded: "There is nothing that is more harmful to civil liberties than terrorism. This discussion here has been quite sterile because we have not been talking about terrorism."...
Walls Around Nations
A political history of walls: Roman walls such as Hadrian's Wall, the Great Wall of China, the Berlin Wall, and the wall between Mexico and the U.S. Moral: they solve the wrong problem....
My Fellowship at the Berkman Center
I have been awarded a fellowship at the Berkman Center for Internet and Society at Harvard University, for the 2013-2014 academic year. I'm excited about this; Berkman and Harvard is where a lot of the cool kids hang out, and I'm looking forward to working with them this coming year. In particular, I have three goals for the year: I...
Friday Squid Blogging: Squid-Bacteria Symbiotic Relationships
This is really interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
F2P Monetization Tricks
This is a really interesting article about something I never even thought about before: how games ("F2P" means "free to play") trick players into paying for stuff. For example: This is my favorite coercive monetization technique, because it is just so powerful. The technique involves giving the player some really huge reward, that makes them really happy, and then threatening...
More NSA Code Names
We don't know what they mean, but there are a bunch of NSA code names on LinkedIn profiles. ANCHORY, AMHS, NUCLEON, TRAFFICTHIEF, ARCMAP, SIGNAV, COASTLINE, DISHFIRE, FASTSCOPE, OCTAVE/CONTRAOCTAVE, PINWALE, UTT, WEBCANDID, MICHIGAN, PLUS, ASSOCIATION, MAINWAY, FASCIA, OCTSKYWARD, INTELINK, METRICS, BANYAN, MARINA...
The NSA's Project SHAMROCK
Nice history of Project SHAMROCK, the NSA's illegal domestic surveillance program from the 1970s. It targeted telegrams....
Musing on Secret Languages
This is really interesting. It starts by talking about a "cant" dictionary of 16th-century thieves' argot, and ends up talking about secret languages in general. Incomprehension breeds fear. A secret language can be a threat: signifier has no need of signified in order to pack a punch. Hearing a conversation in a language we don't speak, we wonder whether we're...
The Effectiveness of Privacy Audits
This study concludes that there is a benefit to forcing companies to undergo privacy audits: "The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a...
Another Perspective on the Value of Privacy
A philosophical perspective: But while Descartes's overall view has been rightly rejected, there is something profoundly right about the connection between privacy and the self, something that recent events should cause us to appreciate. What is right about it, in my view, is that to be an autonomous person is to be capable of having privileged access (in the two...
Big Data Surveillance Results in Bad Policy
Evgeny Morozov makes a point about surveillance and big data: it just looks for useful correlations without worrying about causes, and leads people to implement "fixes" based simply on those correlations -- rather than understanding and correcting the underlying causes. As the media academic Mark Andrejevic points out in Infoglut, his new book on the political implications of information...
Protecting E-Mail from Eavesdropping
In the wake of the Snowden NSA documents, reporters have been asking me whether encryption can solve the problem. Leaving aside the fact that much of what the NSA is collecting can't be encrypted by the user -- telephone metadata, e-mail headers, phone calling records, e-mail you're reading from a phone or tablet or cloud provider, anything you post on...
Friday Squid Blogging: Giant Origami Squid
Giant origami squid photo found -- without explanation -- on Reddit. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
How Apple Continues to Make Security Invisible
Interesting article: Apple is famously focused on design and human experience as their top guiding principles. When it comes to security, that focus created a conundrum. Security is all about placing obstacles in the way of attackers, but (despite the claims of security vendors) those same obstacles can get in the way of users, too. [...] For many years, Apple...
Sixth Movie-Plot Threat Contest Winner
On April 1, I announced the Sixth Mostly-Annual Movie-Plot Threat Contest: For this year's contest, I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off...
Is Cryptography Engineering or Science?
Responding to a tweet by Thomas Ptacek saying, "If you're not learning crypto by coding attacks, you might not actually be learning crypto," Colin Percival published a well-thought-out rebuttal, saying in part: If we were still in the 1990s, I would agree with Thomas. 1990s cryptography was full of holes, and the best you could hope for was to know...
The Office of the Director of National Intelligence Defends NSA Surveillance Programs
Here's a transcript of a panel discussion about NSA surveillance. There's a lot worth reading here, but I want to quote Bob Litt's opening remarks. He's the General Counsel for ODNI, and he has a lot to say about the programs revealed so far in the Snowden documents. I'm reminded a little bit of a quote that, like many quotes,...
Privacy Protests
Interesting law journal article: "Privacy Protests: Surveillance Evasion and Fourth Amendment Suspicion," by Elizabeth E. Joh. Abstract: The police tend to think that those who evade surveillance are criminals. Yet the evasion may only be a protest against the surveillance itself. Faced with the growing surveillance capacities of the government, some people object. They buy "burners" (prepaid phones) or "freedom...
US Department of Defense Censors Snowden Story
The US Department of Defense is blocking sites that are reporting about the Snowden documents. I presume they're not censoring sites that are smearing him personally. Note that the DoD is only blocking those sites on its own network, not on the Internet at large. The blocking is being done by automatic filters, presumably the same ones used to block...
Security Analysis of Children
This is a really good paper describing the unique threat model of children in the home, and the sorts of security philosophies that are effective in dealing with them. Stuart Schechter, "The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!" Definitely worth reading. Abstract: Children represent a unique challenge to the security and privacy...
NSA E-Mail Eavesdropping
More Snowden documents analyzed by the Guardian -- two articles -- discuss how the NSA collected e-mails and data on Internet activity of both Americans and foreigners. The program might have ended in 2011, or it might have continued under a different name. This is the program that resulted in that bizarre tale of Bush officials confronting then-Attorney General John...
I've Joined the EFF Board
I'm now on the board of directors of the EFF....
How the NSA Eavesdrops on Americans
Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures. The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly...
SIMON and SPECK: New NSA Encryption Algorithms
The NSA has published some new symmetric algorithms: Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a...
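An added example, written for this page and not the designers' reference code: a Go implementation of SPECK's add-rotate-xor round and its key schedule, parameterized by word size so that the same code yields Speck64/128 (32-bit words, 27 rounds, four key words) and Speck128/128 (64-bit words, 32 rounds, two key words); both use rotation amounts 8 and 3. The Speck64/128 key, plaintext and ciphertext are the test vector published with the paper, so the program checks itself against it; word order follows the paper's convention of listing the most significant word first.

```go
package main

import "fmt"

// SpeckParams selects one member of the family: word size, rotation amounts,
// round count and number of key words.
type SpeckParams struct {
	WordBits uint
	Alpha    uint
	Beta     uint
	Rounds   int
	KeyWords int
}

var (
	Speck64_128  = SpeckParams{WordBits: 32, Alpha: 8, Beta: 3, Rounds: 27, KeyWords: 4}
	Speck128_128 = SpeckParams{WordBits: 64, Alpha: 8, Beta: 3, Rounds: 32, KeyWords: 2}
)

// Speck holds the expanded round keys for one parameter set.
type Speck struct {
	p    SpeckParams
	mask uint64 // keeps every value inside WordBits
	rk   []uint64
}

func (s *Speck) rotl(x uint64, r uint) uint64 {
	return ((x << r) | (x >> (s.p.WordBits - r))) & s.mask
}

func (s *Speck) rotr(x uint64, r uint) uint64 {
	return ((x >> r) | (x << (s.p.WordBits - r))) & s.mask
}

// NewSpeck expands key (most-significant word first) into round keys. The key
// schedule reuses the round function, with the round counter in place of a key.
func NewSpeck(p SpeckParams, key []uint64) (*Speck, error) {
	if len(key) != p.KeyWords {
		return nil, fmt.Errorf("speck: want %d key words, got %d", p.KeyWords, len(key))
	}
	s := &Speck{p: p, mask: ^uint64(0) >> (64 - p.WordBits), rk: make([]uint64, p.Rounds)}
	a := key[p.KeyWords-1]            // k_0: least-significant key word
	l := make([]uint64, p.KeyWords-1) // l_0 .. l_{m-2}: the remaining words
	for j := range l {
		l[j] = key[p.KeyWords-2-j]
	}
	for i := 0; i < p.Rounds; i++ {
		s.rk[i] = a
		j := i % len(l)
		l[j] = ((s.rotr(l[j], p.Alpha) + a) & s.mask) ^ uint64(i)
		a = s.rotl(a, p.Beta) ^ l[j]
	}
	return s, nil
}

// Encrypt applies the ARX round Rounds times to the block (x, y).
func (s *Speck) Encrypt(x, y uint64) (uint64, uint64) {
	for _, k := range s.rk {
		x = ((s.rotr(x, s.p.Alpha) + y) & s.mask) ^ k
		y = s.rotl(y, s.p.Beta) ^ x
	}
	return x, y
}

// Decrypt undoes the rounds in reverse order (subtraction instead of addition).
func (s *Speck) Decrypt(x, y uint64) (uint64, uint64) {
	for i := len(s.rk) - 1; i >= 0; i-- {
		y = s.rotr(y^x, s.p.Beta)
		x = s.rotl(((x^s.rk[i])-y)&s.mask, s.p.Alpha)
	}
	return x, y
}

func main() {
	// Speck64/128 test vector from the paper.
	s, _ := NewSpeck(Speck64_128, []uint64{0x1b1a1918, 0x13121110, 0x0b0a0908, 0x03020100})
	x, y := s.Encrypt(0x3b726574, 0x7475432d)
	fmt.Printf("Speck64/128  ct=%08x %08x (expected 8c6fa548 454e028b)\n", x, y)
	px, py := s.Decrypt(x, y)
	fmt.Printf("             pt=%08x %08x\n", px, py)

	// Same code at the 128-bit block size; round-trip only.
	s2, _ := NewSpeck(Speck128_128, []uint64{0x0f0e0d0c0b0a0908, 0x0706050403020100})
	x2, y2 := s2.Encrypt(0x6c61766975716520, 0x7469206564616d20)
	px2, py2 := s2.Decrypt(x2, y2)
	fmt.Printf("Speck128/128 ct=%016x %016x  roundtrip ok=%v\n", x2, y2, px2 == 0x6c61766975716520 && py2 == 0x7469206564616d20)
}
```

Note how little there is: two rotations, one modular add and two XORs per round, and no S-box or lookup table, which is what lets the same source run on an 8-bit microcontroller and a 64-bit server; that simplicity is also why the family drew so much cryptanalytic attention.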
Friday Squid Blogging: Man Pulled Under by Squids
Video story on Animal Planet. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me on EconTalk
Another audio interview; this one is mostly about security and power....
My Talk at Google
Last week, I gave a talk at Google. It's another talk about power and security, my continually evolving topic-of-the-moment that could very well become my next book. This installment is different than the previous talks and interviews, but not different enough that you should feel the need to watch it if you've seen the others. There are things I got...
Preventing Cell Phone Theft through Benefit Denial
Adding a remote kill switch to cell phones would deter theft. Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works -- that 1) it's not possible for thieves to resurrect phones in order to resell them, and 2) that it's...
Malware that Foils Two-Factor Authentication
This is an interesting article about a new breed of malware that also hijacks the victim's phone text messaging system, to intercept one-time passwords sent via that channel....
Pre-9/11 NSA Thinking
This quote is from the Spring 1997 issue of CRYPTOLOG, the internal NSA newsletter. The writer is William J. Black, Jr., the Director's Special Assistant for Information Warfare. Specifically, the focus is on the potential abuse of the Government's applications of this new information technology that will result in an invasion of personal privacy. For us, this is difficult to...
Lessons from Biological Security
Nice essay: The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our...
Secrecy and Privacy
Interesting article on the history of, and the relationship between, secrecy and privacy As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late....
MAD in Cyberspace
Ron Beckstrom gives a talk (video and transcript) about "Mutually Assured Destruction," "Mutually Assured Disruption," and "Mutually Assured Dependence."...
Spear Phishing Attack Against the Financial Times
Interesting story with a lot of details....
The Future of Satellite Surveillance
Pretty scary -- and cool. Remember, it's not any one thing that's worrisome; it's everything together....
Friday Squid Blogging: How the Acidification of the Oceans Affects Squid
It's not good. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me on the Lou Dobbs Show
I was on the Lou Dobbs Show earlier this week....
US Offensive Cyberwar Policy
Today, the United States is conducting offensive cyberwar actions around the world. More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pretargeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice. This is much worse than what...
The Japanese Response to Terrorism
Lessons from Japan's response to Aum Shinrikyo: Yet what's as remarkable as Aum's potential for mayhem is how little of it, on balance, they actually caused. Don't misunderstand me: Aum's crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable, and the human cost, devastating....
New Details on Skype Eavesdropping
This article, on the cozy relationship between the commercial personal-data industry and the intelligence industry, has new information on the security of Skype. Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on...
Love Letter to an NSA Agent
A fine piece: "A Love Letter to the NSA Agent who is Monitoring my Online Activity." A similar sentiment is expressed in this video....
The US Uses Vulnerability Data for Offensive Purposes
Companies allow US intelligence to exploit vulnerabilities before it patches them: Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists...
Petition the NSA to Subject its Surveillance Program to Public Comment
I have signed a petition calling on the NSA to "suspend its domestic surveillance program pending public comment." This is what's going on: In a request today to National Security Agency director Keith Alexander and Defense Secretary Chuck Hagel, the group argues that the NSA's recently revealed domestic surveillance program is "unlawful" because the agency neglected to request public comments...
Finding Sociopaths on Facebook
On his blog, Scott Adams suggests that it might be possible to identify sociopaths based on their interactions on social media. My hypothesis is that science will someday be able to identify sociopaths and terrorists by their patterns of Facebook and Internet use. I'll bet normal people interact with Facebook in ways that sociopaths and terrorists couldn't duplicate. Anyone can...
Cost/Benefit Questions NSA Surveillance
John Mueller and Mark Stewart ask the important questions about the NSA surveillance programs: why were they secret, what have they accomplished, and what do they cost? This essay attempts to figure out if they accomplished anything, and this essay attempts to figure out if they can be effective at all....
Details of NSA Data Requests from US Corporations
Facebook (here), Apple (here), and Yahoo (here) have all released details of US government requests for data. They each say that they've turned over user data for about 10,000 people, although the time frames are different. The exact number isn't important; what's important is that it's much lower than the millions implied by the PRISM document. Now the big question:...
NSA Secrecy and Personal Privacy
In an excellent essay about privacy and secrecy, law professor Daniel Solove makes an important point. There are two types of NSA secrecy being discussed. It's easy to confuse them, but they're very different. Of course, if the government is trying to gather data about a particular suspect, keeping the specifics of surveillance efforts secret will decrease the likelihood of...
Evidence that the NSA Is Storing Voice Content, Not Just Metadata
Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading. I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls are just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of...
Project C-43: A Final Piece of Public-Key Cryptography History
This finally explains what John Ellis was talking about in "The Possibility of Non-Secret Encryption" when he dropped a tantalizing hint about wartime work at Bell Labs....
Blowback from the NSA Surveillance
There's one piece of blowback that isn't being discussed -- aside from the fact that Snowden killed the chances of a liberal arts major getting a job at the DoD for a decade -- and that's how the massive NSA surveillance of the Internet affects the US's role in Internet governance. Ron Deibert makes this point: But there are unintended...
Friday Squid Blogging: Sperm Consumption in the Southern Bottletail Squid
It's a novel behavior. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Sixth Annual Movie-Plot Threat Contest Semifinalists
On April 1, I announced the Sixth Annual Movie Plot Threat Contest: I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off 911 emergency services...
Ricin as a Terrorist Tool
This paper (full paper behind paywall) -- from Environment International (2009) -- does a good job of separating fact from fiction: Abstract: In recent years there has been an increased concern regarding the potential use of chemical and biological weapons for mass urban terror. In particular, there are concerns that ricin could be employed as such an agent. This has...
Trading Privacy for Convenience
Ray Wang makes an important point about trust and our data: This is the paradox. The companies contending to win our trust to manage our digital identities all seem to have complementary (or competing) business models that breach that trust by selling our data. ...and by turning it over to the government. The current surveillance state is a result of...
More on Feudal Security
Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of...
Essays Related to NSA Spying Documents
Here's a quick list of some of my older writings that are related to the current NSA spying documents: "The Internet Is a Surveillance State," 2013. The importance of government transparency and accountability, 2013. The dangers of a government/corporate eavesdropping partnership, 2013. "Why Data Mining Won't Stop Terror," 2006. "The Eternal Value of Privacy," 2006. The dangers of our...
Prosecuting Snowden
Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in...
The Psychology of Conspiracy Theories
Interesting. Crazy as these theories are, those propagating them are not -- they're quite normal, in fact. But recent scientific research tells us this much: if you think one of the theories above is plausible, you probably feel the same way about the others, even though they contradict one another. And it's very likely that this isn't the only news...
Trust in IT
Ignore the sensationalist headline. This article is a good summary of the need for trust in IT, and provides some ideas for how to enable more of it. Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence. All these...
Government Secrets and the Need for Whistle-blowers
Yesterday, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That's everything except the voice content: who called who, where they were, how long the call lasted -- for millions of people, both Americans and foreigners. This "metadata" allows the government to track the movements of everyone during that period,...
Friday Squid Blogging: Squid Comic
A squid comic about the importance of precise language in security warnings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Audio Interview with Me
In this podcast interview, I talk about security, power, and the various things I have been thinking about recently....
A Really Good Article on How Easy it Is to Crack Passwords
Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours. The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456,"...
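As an added illustration of why the crackers in the article got so far so fast (this is example code, not from Ars or from any of the three experts): a toy dictionary-plus-rules attack against a constructed file of unsalted MD5 hashes. The wordlist, the mangling rules, the account names and the "leaked" hashes are all this example's own assumptions.

```python
import hashlib

# Added example, not from the article: a small wordlist with "mangling" rules, the
# technique the crackers use to turn a list of common plains into millions of guesses.
WORDLIST = ["password", "123456", "letmein", "dragon", "summer", "monkey"]  # assumption


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def mangle(word):
    """Yield the variants a rule set would try for one wordlist entry (assumed rules)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for tail in ["1", "123", "!", "2013", "1!"]:
        yield word + tail
        yield word.capitalize() + tail
    leet = word.translate(str.maketrans("aeio", "4310"))   # dragon -> dr4g0n
    if leet != word:
        yield leet
        yield leet + "1"


def crack(hashes, wordlist=WORDLIST):
    """Return {hash: plain} for every target hash hit by the wordlist and rules."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = md5(cand)
            # Unsalted: one hash computation is compared against every user at once,
            # which is what makes a 16,000-entry file fall in hours.
            if h in targets:
                found[h] = cand
                if len(found) == len(targets):
                    return found
    return found


# Constructed "leak" (no real accounts): hashes are computed here so they are exact.
CONSTRUCTED_LEAK = {
    "alice": md5("password"),
    "bob": md5("Summer2013"),
    "carol": md5("dr4g0n1"),
    "dave": md5("correct horse battery staple"),   # not in wordlist; survives
}

if __name__ == "__main__":
    cracked = crack(CONSTRUCTED_LEAK.values())
    for user, h in CONSTRUCTED_LEAK.items():
        print(user, cracked.get(h, "<not cracked>"))
```

Three of the four constructed accounts fall to six words and a handful of rules; the long random passphrase does not. A per-user salt would force the attacker to redo every guess for every user, and a slow hash (bcrypt, scrypt, PBKDF2) would turn each of those guesses from nanoseconds into milliseconds, which is the whole of the defender's answer here.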
The Cost of Terrorism in Pakistan
This study claims "terrorism has cost Pakistan around 33.02% of its real national income" between the years 1973 and 2008, or about 1% per year. The St. Louis Fed puts the real gross national income of the U.S. at about $13 trillion total, hand-waving an average over the past few years. The best estimate I've seen for the increased cost...
Security and Human Behavior (SHB 2013)
I'm at the Sixth Interdisciplinary Workshop on Security and Human Behavior (SHB 2013). This year we're in Los Angeles, at USC -- hosted by CREATE. My description from last year still applies: SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom...
The Problems with CALEA-II
The FBI wants a new law that will make it easier to wiretap the Internet. Although its claim is that the new law will only maintain the status quo, it's really much worse than that. This law will result in less-secure Internet products and create a foreign industry in more-secure alternatives. It will impose costly burdens on affected companies. It...
The Security Risks of Unregulated Google Search
Someday I need to write an essay on the security risks of secret algorithms that become part of our infrastructure. This paper gives one example of that. Could Google tip an election by manipulating what comes up from search results on the candidates? The study's participants, selected to resemble the US voting population, viewed the results for two candidates on...
The Problems with Managing Privacy by Asking and Giving Consent
New paper from the Harvard Law Review by Daniel Solove: "Privacy Self-Management and the Consent Dilemma": Privacy self-management takes refuge in consent. It attempts to be neutral about substance -- whether certain forms of collecting, using, or disclosing personal data are good or bad -- and instead focuses on whether people consent to various privacy practices. Consent legitimizes nearly any...
Friday Squid Blogging: Squid Pronouns
The translated version of a Spanish menu contains the entry "squids in his (her, your) ink." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Rise of Amateurs Recording Events
Interesting article on a greatly increased aspect of surveillance: "the ordinary citizen who by chance finds himself in a position to record events of great public import, and to share the results with the rest of us."...
Why We Lie
This, by Judge Kozinski, is from a Federal court ruling about false statements and First Amendment protection: Saints may always tell the truth, but for mortals living means lying. We lie to protect our privacy ("No, I don't live around here"); to avoid hurt feelings ("Friday is my study night"); to make others feel better ("Gee you've gotten skinny"); to...
Are We Finally Thinking Sensibly About Terrorism?
This article wonders if we are: Yet for pretty much the first time there has been a considerable amount of media commentary seeking to put terrorism in context -- commentary that concludes, as a Doyle McManus article in the Los Angeles Times put it a day after the attack, "We're safer than we think." Similar tunes were sung by Tom...
Nassim Nicholas Taleb on Risk Perception
From his Facebook page: An illustration of how the news are largely created, bloated and magnified by journalists. I have been in Lebanon for the past 24h, and there were shells falling on a suburb of Beirut. Yet the news did not pass the local *social filter* and did [not] reach me from social sources.... The shelling is the kind...
The Politics of Security in a Democracy
Terrorism causes fear, and we overreact to that fear. Our brains aren't very good at probability and risk analysis. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. We think rare risks are more common than they are, and we fear them more than probability indicates we should. Our leaders are just as...
Friday Squid Blogging: Eating Giant Squid
How does he know this? Chris Cosentino, the Bay Area's "Offal Chef" at Incanto in San Francisco and PIGG at Umamicatessen in Los Angeles, opted for the most intimidating choice of all -- giant squid. "When it comes to underutilized fish, I wish the public wasn't so afraid of different shapes and sizes outside of the standard fillet," he said....
Training Baggage Screeners
The research in G. Giguère and B.C. Love, "Limits in decision making arise from limits in memory retrieval," Proceedings of the National Academy of Sciences v. 19 (2013) has applications in training airport baggage screeners. Abstract: Some decisions, such as predicting the winner of a baseball game, are challenging in part because outcomes are probabilistic. When making such decisions, one...
New Report on Teens, Social Media, and Privacy
Interesting report from the Pew Internet and American Life Project: Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006: 91% post a photo of themselves, up from 79% in 2006. 71% post their school name, up from 49%. 71% post the city or town where they...
One-Shot vs. Iterated Prisoner's Dilemma
This post by Aleatha Parker-Wood is very applicable to the things I wrote in Liars & Outliers: A lot of fundamental social problems can be modeled as a disconnection between people who believe (correctly or incorrectly) that they are playing a non-iterated game (in the game theory sense of the word), and people who believe that (correctly or incorrectly) that...
"The Global Cyber Game"
This 127-page report was just published by the UK Defence Academy. I have not read it yet, but it looks really interesting. Executive Summary: This report presents a systematic way of thinking about cyberpower and its use by a variety of global players. The urgency of addressing cyberpower in this way is a consequence of the very high value of...
DDOS as Civil Disobedience
For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, are a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:...
Surveillance and the Internet of Things
The Internet has turned into a massive surveillance tool. We're constantly monitored on the Internet by hundreds of companies -- both familiar and unfamiliar. Everything we do there is recorded, collected, and collated -- sometimes by corporations wanting to sell us stuff and sometimes by governments wanting to keep an eye on us. Ephemeral conversation is over. Wholesale surveillance is...
Security Risks of Too Much Security
All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them. The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound. "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms...
Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture
Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Applied Cryptography on Elementary
In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show....
Bluetooth-Controlled Door Lock
Here is a new lock that you can control via Bluetooth and an iPhone app. That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found...
Transparency and Accountability
As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing...
Friday Squid Blogging: Squid Festival in Monterey
It's at the end of May. Note that it's being put on by the Calamari Entertainment Group. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Onion on Browser Security
Wise advice: At Chase Bank, we recognize the value of online banking -- it's quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That's why, when you're finished with your online banking session, we recommend three simple steps to protect your personal...
Mail Cover
From a FOIAed Department of Transportation document on investigative techniques: A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law....
The Economist on Guantanamo
Maybe the tide is turning: America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle...
Reidentifying Anonymous Data
Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results. Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three...
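The mechanism behind Sweeney's result, as an added example (not her code, and not the data she used): count how many records in an "anonymous" table share the same (zip, date of birth, sex) triple, and link every record that is alone in its group to a public list that carries names alongside those same three fields. The records, the voter-roll entries and the generalization rule below are constructed for this example.

```python
from collections import Counter

# Added example: quasi-identifier analysis of a constructed table. No real people.
QUASI_IDS = ("zip", "dob", "sex")

RECORDS = [  # the "anonymous" release: no names, but the three quasi-identifiers remain
    {"id": 1, "zip": "02138", "dob": "1971-07-04", "sex": "F", "dx": "asthma"},
    {"id": 2, "zip": "02138", "dob": "1971-07-04", "sex": "F", "dx": "flu"},
    {"id": 3, "zip": "02139", "dob": "1965-11-30", "sex": "M", "dx": "diabetes"},
    {"id": 4, "zip": "02142", "dob": "1965-02-14", "sex": "M", "dx": "hypertension"},
    {"id": 5, "zip": "02142", "dob": "1955-09-09", "sex": "F", "dx": "migraine"},
    {"id": 6, "zip": "02138", "dob": "1955-03-21", "sex": "F", "dx": "gout"},
]

VOTER_ROLL = [  # constructed public list with names next to the same fields
    {"name": "Pat Example", "zip": "02139", "dob": "1965-11-30", "sex": "M"},
    {"name": "Sam Example", "zip": "02138", "dob": "1971-07-04", "sex": "F"},
]


def key(rec, fields=QUASI_IDS):
    return tuple(rec[f] for f in fields)


def group_sizes(records, fields=QUASI_IDS):
    """Size of each equivalence class: how many records share a quasi-identifier tuple."""
    return Counter(key(r, fields) for r in records)


def unique_fraction(records, fields=QUASI_IDS):
    """Share of records that are alone in their class, i.e. directly re-identifiable."""
    sizes = group_sizes(records, fields)
    singletons = sum(1 for r in records if sizes[key(r, fields)] == 1)
    return singletons / len(records)


def k_anonymity(records, fields=QUASI_IDS):
    """The k of the table: every record is indistinguishable from at least k-1 others."""
    return min(group_sizes(records, fields).values())


def link(records, public_roll, fields=QUASI_IDS):
    """Join the public roll to the release; return {name: dx} where the match is unique."""
    sizes = group_sizes(records, fields)
    by_key = {key(r, fields): r for r in records if sizes[key(r, fields)] == 1}
    return {p["name"]: by_key[key(p, fields)]["dx"]
            for p in public_roll if key(p, fields) in by_key}


def generalize(records, zip_digits=3):
    """The usual defence (assumed rule): coarsen zip to a prefix and dob to the year."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (5 - zip_digits)
        g["dob"] = r["dob"][:4]
        out.append(g)
    return out


if __name__ == "__main__":
    print("unique:", unique_fraction(RECORDS), "k:", k_anonymity(RECORDS))
    print("linked:", link(RECORDS, VOTER_ROLL))
    print("after generalization, k:", k_anonymity(generalize(RECORDS)))
```

Four of the six constructed records are unique on the three fields, so any outside list carrying the same fields names them; "Sam Example" is not linked only because two records share that triple. Note that the sensitive column (the diagnosis) never had to be touched for the linkage to work, which is the point of the post: the method is about the quasi-identifiers, not about the kind of data attached to them.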
Evacuation Alerts at the Airport
Last week, an employee error caused the monitors at LAX to display a building evacuation order: At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport...
Is the U.S. Government Recording and Saving All Domestic Telephone Calls?
I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here: More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources...
Intelligence Analysis and the Connect-the-Dots Metaphor
The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn't happen again? It's an old song by now, one we heard after the...
Michael Chertoff on Google Glass
Interesting op-ed by former DHS head Michael Chertoff on the privacy risks of Google Glass. Now imagine that millions of Americans walk around each day wearing the equivalent of a drone on their head: a device capable of capturing video and audio recordings of everything that happens around them. And imagine that these devices upload the data to large-scale commercial...
Honeywords
Here is a simple but clever idea. Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file....
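A minimal version of the scheme, as an added example in the spirit of the honeywords proposal (this is not the original paper's code): each account stores several hashed "sweetwords", the real password plus decoys, and only a separate "honeychecker" knows which index is real. A login that matches a decoy can only have come from someone who cracked the password file. The decoy generator, the five-per-account figure, and the class and function names are this example's own assumptions.

```python
import hashlib
import os
import secrets

N_SWEETWORDS = 5   # real password plus four decoys per account (assumption)


def hash_pw(password, salt):
    # PBKDF2-HMAC-SHA256. Decoys only buy anything if the attacker has to crack the
    # file to learn any sweetword at all, so use a real password hash, not plain MD5.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000).hex()


def make_decoys(password, k):
    # "Tweak the tail" decoy generator (assumption): keep the alphabetic stem and vary
    # the digits, so a cracker cannot tell the decoys from the real password by shape.
    stem = password.rstrip("0123456789") or password
    out = set()
    while len(out) < k:
        cand = stem + "%03d" % secrets.randbelow(1000)
        if cand != password:
            out.add(cand)
    return sorted(out)


class Honeychecker:
    """Separate, hardened server that knows only user -> index of the real password."""
    def __init__(self):
        self._index = {}

    def set(self, user, idx):
        self._index[user] = idx

    def check(self, user, idx):
        return self._index.get(user) == idx


class PasswordFile:
    """The web server's credential store: user -> (salt, hashes of all sweetwords)."""
    def __init__(self, checker):
        self.checker = checker
        self.rows = {}
        self.alarms = []

    def register(self, user, password, decoys=None):
        if decoys is None:
            decoys = make_decoys(password, N_SWEETWORDS - 1)
        sweet = list(decoys) + [password]
        secrets.SystemRandom().shuffle(sweet)      # real one sits at a random slot
        salt = os.urandom(16)
        self.rows[user] = (salt, [hash_pw(s, salt) for s in sweet])
        self.checker.set(user, sweet.index(password))

    def login(self, user, attempt):
        if user not in self.rows:
            return "fail"
        salt, hashes = self.rows[user]
        h = hash_pw(attempt, salt)
        if h not in hashes:
            return "fail"                          # ordinary wrong password
        if self.checker.check(user, hashes.index(h)):
            return "ok"                            # the genuine password
        # A decoy matched: whoever typed it learned it from the cracked password file.
        self.alarms.append(user)
        return "honeyword"


if __name__ == "__main__":
    pf = PasswordFile(Honeychecker())
    pf.register("alice", "hunter2")
    print(pf.login("alice", "hunter2"), pf.login("alice", "wrong"), pf.alarms)
```

The split matters: an attacker who steals only the password file sees five equally plausible candidates per user and cannot tell which is real, while the honeychecker holds nothing of value on its own. What the site does on an alarm (lock the account, force a reset for everyone, treat the whole file as compromised) is policy; the detection is the part the scheme buys.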
Friday Squid Blogging: Squid Escape Artist
It's amazing how small a hole he can fit through. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Another WWII Message Decoded
It's a really interesting code and story. (The first link has the most detailed information about the code and the cryptanalysis.)...
The Public/Private Surveillance Partnership
Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received-- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no...
Risks of Networked Systems
Interesting research: Helbing's publication illustrates how cascade effects and complex dynamics amplify the vulnerability of networked systems. For example, just a few long-distance connections can largely decrease our ability to mitigate the threats posed by global pandemics. Initially beneficial trends, such as globalization, increasing network densities, higher complexity, and an acceleration of institutional decision processes may ultimately push human-made or...
More on FinSpy/FinFisher
FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments world-wide, including the U.S. There's a new report that has a bunch of new information: Our new findings include: We have identified FinFisher Command & Control servers in 11 new countries: Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria. Taken together...
Google Pays $31,000 for Three Chrome Vulnerabilities
Google is paying bug bounties. This is important; there's a market in vulnerabilities that provides incentives for their being kept secret and exploitable; for Google to buy and patch them makes us all more secure. The U.S. government should do the same....
Details of a Cyberheist
Really interesting article detailing how criminals steal from a company's accounts over the Internet. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. Basically, the criminals break into the...
The Importance of Backups
I've already written about the guy who got a new trial because a virus ate his court records. Here's someone who will have to redo his thesis research because someone stole his only copy of the data. Remember the rule: no one ever wants backups, but everyone always wants restores. I have no idea if that image is real or...
Pinging the Entire Internet
Turns out there's a lot of vulnerable systems out there: Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them. On Tuesday, Moore published results on a particularly troubling segment...
More Links on the Boston Terrorist Attacks
Max Abrahms has two sensible essays. Probably the ultimate in security theater: Williams-Sonoma stops selling pressure cookers "out of respect." They say it's temporary. (I bought a Williams-Sonoma pressure cooker last Christmas; I wonder if I'm now on a list.) A tragedy: Sunil Tripathi, whom Reddit and other sites wrongly identified as one of the bombers, was found dead in...
Friday Squid Blogging: Lego Giant Squid Model
This is a fantastic Lego model of a space kraken attacking a Star Wars Super Star Destroyer. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Tor Needs Bridges
The Internet anonymity service Tor needs people who are willing to run bridges. It's a goodness for the world; do it if you can....
Cryptanalyst on British Postage Stamps
A 92-year-old World War II Bletchley Park codebreaker has had a set of commemorative stamps issued in his honor....
Random Links on the Boston Terrorist Attack
Encouraging poll data says that maybe Americans are starting to have realistic fears about terrorism, or at least are refusing to be terrorized. Good essay by Scott Atran on terrorism and our reaction. Reddit apologizes. I think this is a big story. The Internet is going to help in everything, including trying to identify terrorists. This will happen whether or...
Ellen on Protecting Passwords
Pretty good video. Ellen makes fun of the "Internet Password Minder," which is -- if you think about it -- only slightly different than Password Safe....
More Plant Security Countermeasures
I've talked about plant security systems, both here and in Beyond Fear. Specifically, I've talked about tobacco plants that call air strikes against insects that eat them, by releasing a scent that attracts predators to those insects. Here's another defense: the plants also tag caterpillars for predators by feeding them a sweet snack (full episode here) that makes them give...
The Police Now Like Amateur Photography
PhotographyIsNotACrime.com points out the obvious: after years of warning us that photography is suspicious, the police were happy to accept all of those amateur photographs and videos at the Boston Marathon. Adding to the hypocrisy is that these same authorities will most likely start clamping down on citizens with cameras more than ever once the smoke clears and we once...
Securing Members of Congress from Transparency
I commented in this article on the repeal of the transparency provisions of the STOCK Act: Passed in 2012 after a 60 Minutes report on insider trading practices in Congress, the STOCK Act banned members of Congress and senior executive and legislative branch officials from trading based on government knowledge. To give the ban teeth, the law directed that many...
About Police Shoot Outs and Spectators
Hopefully this advice is superfluous for my audience, but it's so well written it's worth reading nonetheless: 7. SO, the bottom line is this: If you are in a place where you hear steady, and sustained, and nearby (let's call that, for some technical reasons, anything less than 800 meters) gunfire, do these things: Go to your basement. You are...
The Boston Marathon Bomber Manhunt
I generally give the police a lot of tactical leeway in times like this. The very armed and very dangerous suspects warranted extraordinary treatment. They were perfectly capable of killing again, taking hostages, planting more bombs -- and we didn't know the extent of the plot or the group. That's why I didn't object to the massive police dragnet, the...
Me at the Berkman Center
Earlier this month I spent a week at the Berkman Center for Internet and Society, talking to people about power, security, technology, and threats (details here). As part of that week, I gave a public talk at Harvard. Because my thoughts are so diffuse and disjoint, I didn't think I could pull it all together into a coherent talk. Instead,...
Friday Squid Blogging: Giant Squid Bike Rack
It's the first on this page. Apparently this is the finished version of the design I blogged about last year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
NSA Cryptography Course
This article, from some internal NSA publication, is about Lambros Callimahos, who taught an intensive 18-week course on cryptology for many years and died in 1977. Be sure to notice the great redacted photo of him and his students on page 17....
The Nemim.gen Trojan
This clever piece of malware evades forensic examination by deleting its own components....
Initial Thoughts on the Boston Bombings
I rewrote my "refuse to be terrorized" essay for the Atlantic. David Rothkoph (author of the great book Power, Inc.) wrote something similar, and so did John Cole. It's interesting to see how much more resonance this idea has today than it did a dozen years ago. If other people have written similar essays, please post links in the comments....
FBI and Cell Phone Surveillance
We're learning a lot about how the FBI eavesdrops on cell phones from a recent court battle....
Google Glass Enables New Forms of Cheating
It's mentioned here: Mr. Doerr said he had been wearing the glasses and uses them especially for taking pictures and looking up words while playing Scattergories with his family, though it is questionable whether that follows the game's rules. Questionable? Questionable? It's just like using a computer's dictionary while playing Scrabble, or a computer odds program while playing poker, or...
Friday Squid Blogging: Illegal Squid Fishing
While we're on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters. So yet again, squid and security collide. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Remotely Hijacking an Aircraft
There is a lot of buzz on the Internet about a talk at the Hack-in-the-Box conference by Hugo Teso, who claims he can hack in to remotely control an airplane's avionics. He even wrote an Android app to do it. I honestly can't tell how real this is, and how much of it is the unique configuration of...
Thieves Use Video Camera to Stake Out Properties
If the police can use cameras, so can the burglars....
Security Externalities and DDOS Attacks
Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited: The attackers' goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker's traffic-sending capacity, so that...
Last Battle of Midway Cryptanalyst
The last cryptanalyst at the Battle of Midway, Rear Admiral Donald "Mac" Showers, USN-Ret, passed away 19 October 2012. His interment at Arlington National Cemetery at Arlington, Virginia, will be Monday, April 15, at 3:00. The family made this a public event to celebrate his life and contributions to the cryptologic community....
Nice Security Mindset Example
A real-world one-way function: Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter. To decrypt the message Bob has...
Bitcoins in the Mainstream Media
Interesting article from the New Yorker. I'm often asked what I think about bitcoins. I haven't analyzed the security, but what I have seen looks good. The real issues are economic and political, and I don't have the expertise to have an opinion on that. BTW, here's a recent criticism of BitCoins....
Elite Panic
I hadn't heard of this term before, but it's an interesting one. The excerpt below is from an interview with Rebecca Solnit, author of A Paradise Built in Hell: The Extraordinary Communities That Arise in Disaster: The term "elite panic" was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to...
Government Use of Hackers as an Object of Fear
Interesting article about the perception of hackers in popular culture, and how the government uses the general fear of them to push for more power: But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort...
Friday Squid Blogging: Nighttime Squid Fishing Seen from Space
Page 18 of this thesis explains that squid fishing is done at night, and the lighting is so bright it shows up in the satellite surveys of planetary lighting. This video shows the phenomenon off the coastline of Argentina. As usual, you can also use this squid post to talk about the security stories in the news that I haven't...
Apple's iMessage Encryption Seems to Be Pretty Good
The U.S. Drug Enforcement Agency has complained (in a classified report, not publicly) that Apple's iMessage end-to-end encryption scheme can't be broken. On the one hand, I'm not surprised; end-to-end encryption of a messaging system is a fairly easy cryptographic problem, and it should be unbreakable. On the other hand, it's nice to have some confirmation that Apple is looking...
Skein Collision Competition
Xkcd had a Skein collision competition. The contest is over -- Carnegie Mellon University won, with 384 (out of 1024) mismatched bits -- but it's explained here....
IT for Oppression
Whether it's Syria using Facebook to help identify and arrest dissidents or China using its "Great Firewall" to limit access to international news throughout the country, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, propaganda, and control. They're getting really good at it, and the IT industry is helping. We're helping by...
Narratives of Secrecy
How people talked about the secrecy surrounding the Manhattan project....
Sixth Movie-Plot Threat Contest
It's back, after a two-year hiatus. Terrorism is boring; cyberwar is in. Cyberwar, and its kin: cyber Pearl Harbor, cyber 9/11, cyber Armageddon. (Or make up your own: a cyber Black Plague, cyber Ragnarok, cyber comet-hits-the-earth.) This is how we get budget and power for militaries. This is how we convince people to give up their freedoms and liberties. This...
What I've Been Thinking About
I'm starting to think about my next book, which will be about power and the Internet -- from the perspective of security. My objective will be to describe current trends, explain where those trends are leading us, and discuss alternatives for avoiding that outcome. Many of my recent essays have touched on various facets of this, although I'm still looking...
Friday Squid Blogging: Bomb Discovered in Squid at Market
Really: An unexploded bomb was found inside a squid when the fish was slaughtered at a fish market in Guangdong province. Oddly enough, this doesn't seem to be the work of terrorists: The stall owner, who has been selling fish for 10 years, told the newspaper the 1-meter-long squid might have mistaken the bomb for food. Clearly there's much to...
The Dangers of Surveillance
Interesting article, "The Dangers of Surveillance," by Neil M. Richards, Harvard Law Review, 2013. From the abstract: ...We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they...
New RC4 Attack
This is a really clever attack on the RC4 encryption algorithm as used in TLS. We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent...
Unwitting Drug Smugglers
This is a story about a physicist who got taken in by an imaginary Internet girlfriend and ended up being arrested in Argentina for drug smuggling. Readers of this blog will see it coming, of course, but it's still a good read. I don't know whether the professor knew what he was doing -- it's pretty clear that the...
Security Awareness Training
Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater...
The NSA's Cryptolog
The NSA has published declassified versions of its Cryptolog newsletter. All the issues from Aug 1974 through Summer 1997 are on the web, although there are some pretty heavy redactions in places. (Here's a link to the documents on a non-government site, in case they disappear.) I haven't even begun to go through these yet. If you find anything good,...
Identifying People from Mobile Phone Location Data
Turns out that it's pretty easy: Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months' worth of anonymised mobile phone records for 1.5 million individuals. They found from the "mobility traces" - the evident paths of each mobile phone - that only four locations and times were enough to identify a particular...
Our Internet Surveillance State
I'm going to start with three data points. One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks. Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement,...
Friday Squid Blogging: Giant Squid Genetics
Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Changes to the Blog
I have made a few changes to my blog that I'd like to talk about. The first is the various buttons associated with each post: a Facebook Like button, a Retweet button, and so on. These buttons are ubiquitous on the Internet now. We publishers like them because it makes it easier for our readers to share our content. I...
FBI Secretly Spying on Cloud Computer Users
Both Google and Microsoft have admitted it. Presumably every other major cloud service provider is getting these National Security Letters as well. If you've been following along, you know that a U.S. District Court recently ruled National Security Letters unconstitutional. Not that this changes anything yet....
Text Message Retention Policies
The FBI wants cell phone carriers to store SMS messages for a long time, enabling them to conduct surveillance backwards in time. Nothing new there -- data retention laws are being debated in many countries around the world -- but this was something I did not know: Wireless providers' current SMS retention policies vary. An internal Justice Department document (PDF)...
When Technology Overtakes Security
A core, not side, effect of technology is its ability to magnify power and multiply force -- for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems. The problem is that it's not balanced: Attackers generally benefit from new...
Lessons From the FBI's Insider Threat Program
This article is worth reading. One bit: For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting...
FinSpy
Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens: The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States...
A 1962 Speculative Essay on Computers and Intelligence
From the CIA archives: Orrin Clotworthy, "Some Far-out Thoughts on Computers," Studies in Intelligence v. 6 (1962)....
Prison Escape
Audacious daytime prison escape by helicopter. The escapees have since been recaptured....
Friday Squid Blogging: WTF, Evolution?
WTF, Evolution? is a great blog, and they finally mentioned squid....
Stuxnet is Much Older than We Thought
Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here. What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then....
On Secrecy
Interesting law paper: "The Implausibility of Secrecy," by Mark Fenster. Abstract: Government secrecy frequently fails. Despite the executive branch's obsessive hoarding of certain kinds of documents and its constitutional authority to do so, recent high-profile events -- among them the WikiLeaks episode, the Obama administration's celebrated leak prosecutions, and the widespread disclosure by high-level officials of flattering confidential information to...
Nationalism on the Internet
For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of national governments -- the Internet is fostering an awful lot of nationalism right now. We've started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about...
Security Theater on the Wells Fargo Website
Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account...
Hacking Best-seller Lists
It turns out that you can buy a position for your book on best-seller lists....
Cisco IP Phone Hack
Nice work: All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices....
"The Logic of Surveillance"
Interesting essay: Surveillance is part of the system of control. "The more surveillance, the more control" is the majority belief amongst the ruling elites. Automated surveillance requires fewer "watchers", and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some "crime" anyone is guilty of. [...] This is one of the biggest problems...
Dead Drop from the 1870s
Hats: De Blowitz was staying at the Kaiserhof. Each day his confederate went there for lunch and dinner. The two never acknowledged one another, but they hung their hats on neighboring pegs. At the end of the meal the confederate departed with de Blowitz's hat, and de Blowitz innocently took the confederate's. The communications were hidden in the hat's lining....
Is Software Security a Waste of Money?
I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn't important. He said: For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove...
Friday Squid Blogging: Squid/Whale Yin-Yang
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Ross Anderson's Security Engineering Online
The second edition of Ross Anderson's fantastic book, Security Engineering, is now free online. Required reading for any security engineer....
Oxford University Blocks Google Docs
Google Docs is being used for phishing. Oxford University felt that it had to block the service because Google isn't responding to takedown requests quickly enough. Think about this in light of my essay on feudal security. Oxford University has to trust that Google will act in its best interest, and has no other option if it doesn't....
How the FBI Intercepts Cell Phone Data
Good article on "Stingrays," which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network -- as opposed to computers which inherently do not trust the Internet -- it's easy to track people and collect data. There are lots of questions about whether or...
Browser Security
Interesting discussion on browser security from Communications of the ACM. Also, an article on browser and web privacy from the same issue....
The NSA's Ragtime Surveillance Program and the Need for Leaks
A new book reveals details about the NSA's Ragtime surveillance program: A book published earlier this month, "Deep State: Inside the Government Secrecy Industry," contains revelations about the NSA's snooping efforts, based on information gleaned from NSA sources. According to a detailed summary by Shane Harris at the Washingtonian yesterday, the book discloses that a codename for a controversial NSA...
Al Qaeda Document on Avoiding Drone Strikes
Interesting: 3 Spreading the reflective pieces of glass on a car or on the roof of the building. 4 Placing a group of skilled snipers to hunt the drone, especially the reconnaissance ones because they fly low, about six kilometers or less. 5 Jamming of and confusing of electronic communication using the ordinary water-lifting dynamo fitted with...
Marketing at the RSA Conference
Marcus Ranum has an interesting screed on "booth babes" in the RSA Conference exhibition hall: I'm not making a moral argument about sexism in our industry or the objectification of women. I could (and probably should) but it's easier to just point out the obvious: the only customers that will be impressed by anyone's ability to hire pretty models to...
Technologies of Surveillance
It's a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation comes new possibilities but also new concerns. For one, the NYPD is testing a new type of security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained to...
New Internet Porn Scam
I hadn't heard of this one before. In New Zealand, people viewing adult websites -- it's unclear whether these are honeypot sites, or malware that notices the site being viewed -- get a pop-up message claiming it's from the NZ Police and demanding payment of an instant fine for viewing illegal pornography....
Getting Security Incentives Right
One of the problems with motivating proper security behavior within an organization is that the incentives are all wrong. It doesn't matter how much management tells employees that security is important, employees know when it really isn't -- when getting the job done cheaply and on schedule is much more important. It seems to me that his co-workers understand the...
Friday Squid Blogging: Another Squid Cartoon.
Another. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me on "Virtually Speaking"
Last week I was on "Virtually Speaking."...
Phishing Has Gotten Very Good
This isn't phishing; it's not even spear phishing. It's laser-guided precision phishing: One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from...
The Court of Public Opinion
Recently, Elon Musk and the New York Times took to Twitter and the Internet to argue the data -- and their grievances -- over a failed road test and car review. Meanwhile, an Applebee's server is part of a Change.org petition to get her job back after posting a pastor's no-tip receipt comment online. And when he wasn't paid quickly...
Brazen Physical Thefts
Three brazen robberies are in the news this week. The first was a theft at a small museum of gold nuggets worth $750,000: Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind. "He just grabbed it, threw...
Alan F. Westin Died
Obituary here. His 1967 book, Privacy and Freedom, almost single-handedly created modern privacy law....
How Complex Systems Fail
Good summary list. It's not directly about security, but it's all fundamentally about security. Any real-world security system is inherently complex. I wrote about this long ago in Beyond Fear....
Security Lessons from the Battle of Hoth
Someone has analyzed the security mistakes in the Battle of Hoth, from the movie The Empire Strikes Back....
House Hearing: How Well Is the TSA Doing?
I would have liked to participate in this hearing: Committee on Homeland Security, Subcommittee on Oversight and Management Efficiency: "Assessing DHS 10 Years Later: How Wisely is DHS Spending Taxpayer Dollars?" February 15, 2013....
Me at the RSA Conference
I'll be speaking twice at the RSA Conference this year. I'm giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic. Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zscaler...
Another Essay about Liars and Outliers
The Montréal Review asked me to write an essay about my latest book. Not much that regular readers haven't seen before....
Friday Squid Blogging: Land Squids
Funny. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
I Was on Inventing the Future
I was a guest on Inventing the Future, for an episode on surveillance technology. The video is here....
Hacking the Papal Election
As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote? The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The...
All Those Companies that Can't Afford Dedicated Security
This is interesting: In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a...
More on Chinese Cyberattacks
Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency. Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outed themselves through poor opsec:...
Age Biases in Perceptions of Trust
Interesting research (full article is behind a paywall): Abstract: Older adults are disproportionately vulnerable to fraud, and federal agencies have speculated that excessive trust explains their greater vulnerability. Two studies, one behavioral and one using neuroimaging methodology, identified age differences in trust and their neural underpinnings. Older and younger adults rated faces high in trust cues similarly, but older adults...
Fixing Soccer Matches
How international soccer matches are fixed. Right now, Dan Tan's programmers are busy reverse-engineering the safeguards of online betting houses. About $3 billion is wagered on sports every day, most of it on soccer, most of it in Asia. That's a lot of noise on the big exchanges. We can exploit the fluctuations, rig the bets in a way that...
19th-Century Traffic Analysis
There's a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that...
Hacking Citation Counts
Hacking citation counts using Google Scholar....
More State-Sponsored Hacking
After the New York Times broke the story of what seemed to be a state-sponsored hack from China against the newspaper, the Register has stories of two similar attacks: one from Burma and another from China....
Automobile Data Surveillance and the Future of Black Boxes
Tesla Motors gave one of its electric cars to John Broder, a very outspoken electric-car skeptic from the New York Times, for a test drive. After a negative review, Tesla revealed that it logged a dizzying amount of data from that test drive. The company then matched the reporter's claims against its logs and published a rebuttal. Broder rebutted the...
Friday Squid Blogging: More on Flying Squid
Japanese squid researchers have confirmed flying squid can fly, and how they do it. (Note: I have written about flying squid before.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Jacob Appelbaum's 29C3 Keynote Speech
This speech from last December's 29C3 (29th Chaos Communication Congress) is worth listening to. He talks about what we can do in the face of oppressive power on the Internet. I'm not sure his answers are right, but am glad to hear someone talking about the real problems....
Guessing Smart Phone PINs by Monitoring the Accelerometer
"Practicality of Accelerometer Side Channels on Smartphones," by Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith. Abstract: Modern smartphones are equipped with a plethora of sensors that enable a wide range of interactions, but some of these sensors can be employed as a side channel to surreptitiously learn about user input. In this paper, we show that...
Using the iWatch for Authentication
Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier. Passcodes. The watch can and should, for most of us, eliminate passcodes altogether on iPhones, and Macs and, if Apple's smart, PCs: As long as my watch is in range, let...
Anti-Cheating Security in Casinos
Long article. With over a thousand cameras operating 24/7, the monitoring room creates tremendous amounts of data every day, most of which goes unseen. Six technicians watch about 40 monitors, but all the feeds are saved for later analysis. One day, as with OCR scanning, it might be possible to search all that data for suspicious activity. Say, a baccarat...
Real-World Prisoner's Dilemma from France
This is a real story of a pair of identical twins who are suspected in a crime. There is CCTV and DNA evidence that could implicate either suspect. Detailed DNA testing that could resolve the guilty twin is prohibitively expensive. So both have been arrested in the hope that one may confess or implicate the other....
New al Qaeda Encryption Tool
There's not a lot of information -- and quite a lot of hyperbole -- in this article: With the release of the Asrar Al Dardashah plugin, GIMF promised "secure correspondence" based on the Pidgin chat client, which supports multiple chat platforms, including Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Google Talk and Jabber/XMPP. "The Asrar Al Dardashah plugin supports...
Massive Police Shootout in Cleveland Despite Lack of Criminals
This is an amazing story. I urge you to read the whole thing, but here's the basics: A November car chase ended in a "full blown-out" firefight, with glass and bullets flying, according to Cleveland police officers who described for investigators the chaotic scene at the end of the deadly 25-minute pursuit. But when the smoky haze -- caused by...
Our New Regimes of Trust
Society runs on trust. Over the millennia, we've developed a variety of mechanisms to induce trustworthy behavior in society. These range from a sense of guilt when we cheat, to societal disapproval when we lie, to laws that arrest fraudsters, to door locks and burglar alarms that keep thieves out of our homes. They're complicated and interrelated, but they tend...
Really Clever TLS Attack
This is an extremely clever man-in-the-middle timing attack against AES that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication. (And this is a really good plain-language description of it.)...
Platform Fragmentation as a Security Issue
Interesting article about the difficulty Google has pushing security updates onto Android phones. The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest....
Friday Squid Blogging: Squid Recipe
Chorizo-stuffed squid with potatoes, capers and sage. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
I Seem to Be a Physical Security Expert Now
This seems so obviously written by someone who Googled me on the Internet, without any other knowledge of who I am or what I do....
Millennials and Cybersecurity
This long report looks at risky online behavior among the Millennial generation, and finds that they respond positively to automatic reminders and prodding. No surprise, really....
Inauguration Security
A first-person account of the security surrounding the second inauguration of President Obama....
Tide Becomes Drug Currency
Basically, Tide detergent is a popular product with a very small profit margin. So small non-chain grocery and convenience stores are happy to buy it cheaply, no questions asked. This makes it easy to sell if you steal it. And drug dealers have started taking it as currency, large bottles being worth about $5....
Over $3M in Prizes to Hack Google Chrome
Google's contest at the CanSecWest conference: Today we're announcing our third Pwnium competition: Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS. We'll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD: $110,000: browser or system level...
Why Is Quantum Computing So Hard?
Blog post (and two papers) by Ross Anderson and Robert Brady. News article....
New York Times Hacked by China
This was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story -- hacking a newspaper, looking for confidential sources is fundamentally different from hacking for financial gain -- it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others....
Proactive Defense Papers
I just printed this out: "Proactive Defense for Evolving Cyber Threats," a Sandia Report by Richard Colbaugh and Kristin Glass. It's a collection of academic papers, and it looks interesting....
Security Seals
I don't see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies....
Using Imagery to Avoid Censorship
Interesting: "It's really hard for the government to censor things when they don't understand the made-up words or meaning behind the imagery," said Kevin Lee, COO of China Youthology, in conversation at the DLD conference in Munich on Monday. "The people there aren't even relying on text anymore. It's audio, visual, photos. All the young people are creating their own...
Friday Squid Blogging: Squid Anchor
Webpage says that it's "the most effective lightweight, portable anchor around." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Pentagon Staffs Up U.S. Cyber Command
The Washington Post has the story: The move, requested by the head of the Defense Department's Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians. [...] The...
Jared Diamond on Common Risks
Jared Diamond has an op-ed in the New York Times where he talks about how we overestimate rare risks and underestimate common ones. Nothing new here -- I and others have written about this sort of thing extensively -- but he says that this is a bias found more in developed countries than in primitive cultures. I first became aware...
The Eavesdropping System in Your Computer
Dan Farmer has an interesting paper (long version here; short version here) discussing the Baseboard Management Controller on your computer's motherboard: The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC's CPU, memory, storage, and network run independently. It runs Intel's IPMI out-of-band systems management protocol...
Power and the Internet
All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken...
"People, Process, and Technology"
Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system. This blog...
Who Does Skype Let Spy?
Lately I've been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive. Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security -- and have no choice but to trust those in power to keep us safe....
Backdoors Built in to Barracuda Networks Equipment
Don't we know enough not to do this anymore?...
Complexity and Security
I have written about complexity and security for over a decade now (for example, this from 1999). Here are the results of a survey that confirms this: Results showed that more than half of the survey respondents from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system...
Dangerous Security Theater: Scrambling Fighter Jets
This story exemplifies everything that's wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities. Typical overreaction, but in this case -- as in several others over the past decade -- F-15 fighter jets were scrambled to...
Violence as a Contagious Disease
This is fascinating: Intuitively we understand that people surrounded by violence are more likely to be violent themselves. This isn't just some nebulous phenomenon, argue Slutkin and his colleagues, but a dynamic that can be rigorously quantified and understood. According to their theory, exposure to violence is conceptually similar to exposure to, say, cholera or tuberculosis. Acts of violence are...
Friday Squid Blogging: Squirming Tentacle USB Drive
Just the thing. (Note that this is different than the previous squid USB drive I blogged about.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Video Interview with Me
This interview was conducted last month, at an artificial intelligence conference at Oxford....
Shaming as Punishment for Repeated Drunk Driving
Janesville, Wisconsin, has published information about repeated drunk driving offenders since 2010. The idea is that the public shame will reduce future incidents....
Identifying People from their Writing Style
It's called stylometry, and it's based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. Download tools here, including one to anonymize your writing style....
Identifying People from their DNA
Interesting: The genetic data posted online seemed perfectly anonymous - strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had...
The Security of the Mega File-Sharing Service
Ever since the launch of Kim Dotcom's file-sharing service, I have been asked about the unorthodox encryption and security system. I have not reviewed it, and don't have an opinion. All I know is what I read: this, this, this, this, and this. Please add other links in the comments....
Commenting on Aaron Swartz's Death
There has been an enormous amount written about the suicide of Aaron Swartz. This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play: Orin Kerr, Larry Lessig, Jennifer Granick, Glenn Greenwald, Henry Farrell, danah boyd, Cory Doctorow, James Fallows, Brewster Kahle, Carl Malamud, and Mark Bernstein. Here are...
Google's Authentication Research
Google is working on non-password authentication techniques. But for Google's password-liberation plan to really take off, they're going to need other websites to play ball. "Others have tried similar approaches but achieved little success in the consumer world," they write. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test...
Thinking About Obscurity
This essay is worth reading: Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent. Online, obscurity is...
TSA Removing Rapiscan Full-Body Scanners from U.S. Airports
This is big news: The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn't write software to make passenger images less revealing. This doesn't mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave. The government said Friday it...
Friday Squid Blogging: The Search for the Colossal Squid
Now that videographers have bagged a giant squid, the search turns to the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Man-in-the-Middle Attacks Against Browser Encryption
Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions. The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages. The...
Essay on FBI-Mandated Backdoors
Good essay by Matt Blaze and Susan Landau....
Cheating at Chess
There's a fascinating story about a probable tournament chess cheat. No one knows how he does it; there's only the facts that 1) historically he's not nearly as good as his recent record, and 2) his moves correlate almost perfectly with one of the best computer chess programs. The general question is how valid statistical evidence is when there is no...
Lexical Warfare
This essay, which uses the suicide of Aaron Swartz as a jumping off point for how the term "hactivist" has been manipulated by various powers, has this to say about "lexical warfare": I believe the debate itself is far broader than the specifics of this unhappy case, for if there was prosecutorial overreach it raises the question of whether we...
Anti-Surveillance Clothing
It's both an art project and a practical clothing line. ...Harvey's line of "Stealth Wear" clothing includes an "anti-drone hoodie" that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He's also created a cellphone pouch made of a special "signal attenuating fabric." The pocket blocks your phone signal so that it...
The Origins of War
Philosophy professor David Livingstone Smith on the origins of war....
Friday Squid Blogging: Giant Squid Video
Last week, I blogged about an upcoming Discovery Channel program with actual video footage of a live giant squid. ABC News has a tantalizingly short sneak peek. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Experimental Results: Liars and Outliers Trust Offer
Last August, I offered to sell Liars and Outliers for $11 in exchange for a book review. This was much less than the $30 list price; less even than the $16 Amazon price. For readers outside the U.S., where books can be very expensive, it was a great price. I sold 800 books from this offer -- much more than...
The Politics and Philosophy of National Security
This essay explains why we're all living in failed Hobbesian states: What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have...
Denial-of-Service Attack Against Facebook
Just claim the person is dead. All you need to do is fake an online obituary....
Cat Smuggler
Not a cat burglar, a cat smuggler. Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body. Another article, with video. A prison spokesperson was quoted by...
DHS Gets to Spy on Everyone
This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name: The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure...
Details of an Internet Scam
Interesting details of an Amazon Marketplace scam. Worth reading. Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or...
Friday Squid Blogging: Giant Squid Finally Captured on Video
We'll see it later this month. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
What Facebook Gives the Police
This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public....
Classifying a Shape
This is a great essay: Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don't have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but...
Apollo Robbins, Pickpocket
Fascinating story: "Come on," Jillette said. "Steal something from me." Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on...
Terms of Service as a Security Threat
After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general. As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our...
Friday Squid Blogging: William Gilly, Squid Researcher
Good article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
I Seem to Be a Verb
From "The Insider's TSA Dictionary": Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go...
Becoming a Police Informant in Exchange for a Lighter Sentence
Fascinating article. Snitching has become so commonplace that in the past five years at least 48,895 federal convicts -- one of every eight -- had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences. How...
Breaking Hard-Disk Encryption
The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it's only $300. How does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes...
Public Shaming as a Security Measure
In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry). It's a pretty rambling post, first listing some of the public shaming sites, then...
Cryptography Engineering Available as an eBook
Finally, Cryptography Engineering is available as an ebook. Even better, it's today's deal of the day at O'Reilly: $27.50 (50% off) and no copy protection. (The discount won't show until you add the book to your cart.)...
Hackers Use Backdoor to Break System
Industrial control system comes with a backdoor: Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo. The security of this...
Peruvian Spider Species Creates Decoys
Cyclosa spiders create decoys to fool predators....
Phishing via Twitter
Interesting firsthand phishing story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a...
Friday Squid Blogging: Laughing Squid
The small San Francisco film and video company is celebrating its 17th anniversary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
This Week's Overreactions
Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, "post-traumatic stupidity syndrome." (It's not a new phrase -- Google shows hits back to...
Amazon Replacement-Order Scam
Clever: Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon....
China Now Blocking Encryption
The "Great Firewall of China" is now able to detect and block encryption: A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the...
Information-Age Law Enforcement Techniques
This is an interesting blog post: Buried inside a recent United Nations Office on Drugs and Crime report titled Use of Internet for Terrorist Purposes one can carve out details and examples of law enforcement electronic surveillance techniques that are normally kept secret. [...] Point 280: International members of the guerrilla group Revolutionary Armed Forces of Colombia (FARC) communicated with...
Nasty Samsung Phone Exploit
There's a new exploit against Samsung Galaxy phones that allows a rogue app access to all memory. A hacker could copy all of your data, erase all of your data, and basically brick your phone. I haven't found an official Samsung response, but there is a quick fix....
Possible Decryption of World War II Pigeon Message
A Canadian claims that the message is based on a WWI codebook. A spokesman from GCHQ remains dubious, but says they'll be happy to look at the proposed solution....
Friday Squid Blogging: Giant PVC Squid
Neat art project. Another link. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Book Review: Against Security
Against Security: How We Go Wrong at Airports, Subways, and Other Sites of Ambiguous Danger, by Harvey Molotch, Princeton University Press, 278 pages, $35. Security is both a feeling and a reality, and the two are different things. People can feel secure when they're actually not, and they can be secure even when they believe otherwise. This discord explains much...
The History of Security Economics
Ross Anderson recalls the history of security economics (presentation and paper)....
The Internet in North Korea
How Internet censorship works in North Korea....
QR Code Scams
There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster. This brings up another question: does anyone actually use these things?...
Detecting Edited Audio
Interesting development in forensic analysis: Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording. Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging...
Drone Flights Over the US
The EFF has been prying data out of the government and analyzing it....
The National Cyber Security Framework Manual
This book is available as a free pdf download: The National Cyber Security Framework Manual provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government -- political, strategic, operational and tactical/technical -- each have their own perspectives...
Dictators Shutting Down the Internet
Excellent article: "How to Shut Down Internets." First, he describes what just happened in Syria. Then: Egypt turned off the internet by using the Border Gateway Protocol trick, and also by switching off DNS. This has a similar effect to throwing bleach over a map. The location of every street and house in the country is blotted out. All the...
Bypassing Two-Factor Authentication
Yet another way two-factor authentication has been bypassed: For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that...
Buy Your Own ATM Skimmer for $3000
I have no idea if this is real. If I had to guess, I would say no....
Squids on the Economist Cover
Four squids on the cover of this week's Economist represent the four massive (and intrusive) data-driven Internet giants: Google, Facebook, Apple, and Amazon. Interestingly, these are the same four companies I've been listing as the new corporate threat to the Internet. The first of three pillars propping up this outside threat are big data collectors, which in addition to Apple...
Comedy and Cryptography
Not the sort of pairing I normally think of, but: Robin Ince and Brian Cox are joined on stage by comedian Dave Gorman, author and Enigma Machine owner Simon Singh and Bletchley Park enthusiast Dr Sue Black as they discuss secret science, code-breaking and the extraordinary achievements of the team working at Bletchley during WW II. Audio here....
Roger Williams' Cipher Cracked
Another historical cipher, this one from the 1600s, has been cracked: Senior math major Lucas Mason-Brown, who has done the majority of the decoding, said his first instinct was to develop a statistical tool. The 21-year-old from Belmont, Mass., used frequency analysis, which looks at the frequency of letters or groups of letters in a text, but initially didn't get...
Feudal Security
It's a feudal world out there. Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft...
Friday Squid Blogging: Possible Squid Eyeball Found in Florida
It's the size of a softball. No sign of the squid it came from. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Hacking by the Syrian Government
Good article on how the Syrian government hacked into the computers of dissidents: The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd...
Advances in Attacking ATMs
Cash traps and card traps are the new thing: [Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer's card from being ejected from the ATM when the transaction is completed. "Spring traps are still being widely used," EAST wrote in its most recent European Fraud Update. "Once the...
James Bond Movie-Plot Threats
Amusing post on the plausibility of the evil plans from the various movies....
The Psychology of IT Security Trade-offs
Good article. I agree with the conclusion that the solution isn't to convince people to make better choices, but to change the IT architecture so that it's easier to make better choices....
Classified Information Confetti
Some of the confetti at the Macy's Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways....
Hackback
Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback....
Liars and Outliers Ebook 50% Off and DRM-Free
Today only, O'Reilly is offering 50% off all its ebooks, including Liars and Outliers. This is probably the cheapest you'll find a DRM-free copy of the book....
Homeland Security Essay Contest
The Naval Postgraduate School's Center for Homeland Defense and Security is running its sixth annual essay competition. There are cash prizes. (Info on previous years here.)...
Friday Squid Blogging: Another Squid Comic
Another squid comic. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Preventing Catastrophic Threats
"Recommendations to Prevent Catastrophic Threats." Federation of American Scientists, 9 November 2012. It's twelve specific sets of recommendations for twelve specific threats. See also this....
Cell Phone Surveillance
Good article on the different ways the police can eavesdrop on cell phone calls....
Decrypting a Secret Society's Documents from the 1740s
Great story, both the cryptanalysis process and the Oculists....
Anonymous Claims it Sabotaged Rove Election Hacking
Can anyone make heads or tails of this story? (More links.) For my part, I'd like a little -- you know -- evidence. Remember that Ohio was not the deciding state in the election. Neither was Florida or Virginia. It was Colorado. So even if there was this magic election-stealing software running in Ohio, it wouldn't have made any difference....
E-Mail Security in the Wake of Petraeus
I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with: The FBI obliged, apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender's anonymous Google Mail account to others accessed from the same computers, accounts that belonged to...
Security Theater in American Diplomatic Missions
I noticed this in an article about how increased security and a general risk aversion is harming US diplomatic missions: "Barbara Bodine, who was the U.S. ambassador to Yemen during the Qaeda bombing of the U.S.S. Cole in 2000, told me she believes that much of the security American diplomats are forced to travel with is counterproductive. "There's this idea...
Friday Squid Blogging: Vampire Squid
Vampire squid eats marine wastes (paper and video). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Stealing VM Keys from the Hardware Cache
Research into one VM stealing crypto keys from another VM running on the same hardware. ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized...
The Terrorist Risk of Food Trucks
This is idiotic: Public Intelligence recently posted a Powerpoint presentation from the NYC fire department (FDNY) discussing the unique safety issues mobile food trucks present. Along with some actual concerns (many food trucks use propane and/or gasoline-powered generators to cook; some *gasp* aren't properly licensed food vendors), the presenter decided to toss in some DHS speculation on yet another way...
Webmail as Dead Drop
I noticed this amongst the details of the Petraeus scandal: Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said. Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder...
Keys to the Crown Jewels Stolen?
At least, that's the story: The locks at the Tower of London, home to the Crown Jewels, had to be changed after a burglar broke in and stole keys. The intruder scaled gates and took the keys from a sentry post. Guards spotted him but couldn't give chase as they are not allowed to leave their posts. But the story...
Free Online Cryptography Course
Dan Boneh of Stanford University is offering a free online cryptography course. The course runs for six weeks, and has five to seven hours of coursework per week. It just started last week....
Fairy Wren Passwords
Mother fairy wrens teach their children passwords while they're still in their eggs to tell them from cuckoo impostors: She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the...
Encryption in Cloud Computing
This article makes the important argument that encryption -- where the user and not the cloud provider holds the keys -- is critical to protect cloud data. The problem is, it upsets cloud providers' business models: In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider's...
Friday Squid Blogging: Squid Ink as a Condiment
Burger King introduces a black burger with ketchup that includes squid ink. Only in Japan, of course....
How To Tell if Your Hotel Guest Is a Terrorist
From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist. I myself have done several of these. More generally, this is another example of why all the "see something say something" campaigns fail: "If you ask amateurs to act as front-line security personnel, you shouldn't be...
How Terrorist Groups Disband
Interesting research from RAND: Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States...
Gary McGraw on National Cybersecurity
Good essay, making the point that cyberattack and counterattack aren't very useful -- actual cyberdefense is what's wanted. Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an...
Micromorts
Here's a great concept: a micromort: Shopping for coffee you would not ask for 0.00025 tons (unless you were naturally irritating), you would ask for 250 grams. In the same way, talking about a 1/125,000 or 0.000008 risk of death associated with a hang-gliding flight is rather awkward. With that in mind, Howard coined the term "microprobability" (μp) to refer...
New SSL Vulnerability
It's hard for me to get too worked up about this vulnerability: Many popular applications, HTTP(S) and WebSocket transport libraries, and SOAP and REST Web-services middleware use SSL/TLS libraries incorrectly, breaking or disabling certificate validation. Their SSL and TLS connections are not authenticated, thus they -- and any software using them -- are completely insecure against a man-in-the-middle attacker. Great...
Regulation as a Prisoner's Dilemma
This is the sort of thing I wrote about in my latest book. The Prisoner's Dilemma as outlined above can be seen in action in two variants within regulatory activities, and offers a clear insight into why those involved in regulation act as they do. The first relationship is that between the various people and organisations being regulated: banks,...
Three-Rotor Enigma Machine Up for Auction
Expensive, but it's in complete working order. They're also auctioning off a complete set of rotors; those are even rarer than the machines -- which are often missing their rotors....
Wanted: RSA Exhibitor for Book Signing
Is anyone out there interested in buying a pile of copies of my Liars and Outliers for a giveaway and book signing at the RSA Conference? I can guarantee enormous crowds at your booth for as long as there are books to give away. This could also work for an after-hours event. Please let me know. I can get you...
New Vulnerability Against Industrial Control Systems
It doesn't look good. These are often called SCADA vulnerabilities, although it isn't SCADA that's involved here. They're against programmable logic controllers (PLCs): the same industrial controllers that Stuxnet attacked....
New Jersey Allows Voting by E-Mail
I'm not filled with confidence, but this seems like the best of a bunch of bad alternatives....
New WWII Cryptanalysis
I'd sure like to know more about this: Government code-breakers are working on deciphering a message that has remained a secret for 70 years. It was found on the remains of a carrier pigeon that was discovered in a chimney, in Surrey, having been there for decades. It is thought the contents of the note, once decoded, could provide fresh...
On the Ineffectiveness of Airport Security Pat-Downs
I've written about it before, but not half as well as this story: "That search was absolutely useless." I said. "And just shows how much of all of this is security theatre. You guys are just feeling up passengers for no good effect, which means that you get all the downsides of a search -- such as annoyed travellers who...
Loopholes
Interesting This American Life show on loopholes. The first part is about getting around the Church's ban against suicide. The second part is about an interesting insurance scheme....
Peter Neumann Profile
Really nice profile in the New York Times. It includes a discussion of the Clean Slate program: Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently? The program includes two separate but related efforts: Crash,...
Doping in Professional Sports
I updated a 2006 essay of mine on the security issues around sports doping....
Dan Ariely on Dishonesty
Good talk, and I've always liked these animators....
Detecting Fake Hurricane Photographs
A short tutorial here. Actually, it's good advice even if there weren't a hurricane....
Protecting (and Collecting) the DNA of World Leaders
There's a lot of hype and hyperbole in this story, but here's the interesting bit: According to Ronald Kessler, the author of the 2009 book In the President's Secret Service, Navy stewards gather bedsheets, drinking glasses, and other objects the president has touched -- they are later sanitized or destroyed -- in an effort to keep would-be malefactors from obtaining his genetic material....
Friday Squid Blogging: Squid from the Power Ranger Universe
Ika Origami....
Hacking TSA PreCheck
I have a hard time getting worked up about this story: I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps....
The Risks of Trusting Experts
I'm not sure what to think about this story: Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L'Aquila. A regional court found them guilty of multiple manslaughter. Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way...
Risks of Data Portability
Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general. ...Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person's data. Previous access requests by individuals were...
Camera Jammer that Protects Licence Plates
noPhoto reacts to a camera flash, and then jams the image with a bright light. The website makes the point that this is legal, but that can't last....
Friday Squid Blogging: Squid Insurance
This was once a real insurance product. Squid Insurance Marketing was the low-end offering at Astonish, complete with the tagline "Nothing Kills a Squid!" As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Stoking Cyber Fears
A lot of the debate around President Obama's cybersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general. It's difficult to have any serious policy discussion amongst the fear mongering....
Analysis of How Bitcoin Is Actually Used
"Quantitative Analysis of the Full Bitcoin Transaction Graph," by Dorit Ron and Adi Shamir: Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph....
Genetic Privacy
New report from the Presidential Commission for the Study of Bioethical Issues. It's called "Privacy and Progress in Whole Genome Sequencing." The Commission described the rapid advances underway in the field of genome sequencing, but also noted growing concerns about privacy and security. The report lists twelve recommendations to improve current practices and to help safeguard privacy and security, including...
Studying Zero-Day Attacks
Interesting paper: "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World," by Leyla Bilge and Tudor Dumitras: Abstract: Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing,...
Apple Turns on iPhone Tracking in iOS6
This is important: Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device. For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to...
Master Keys
Earlier this month, a retired New York City locksmith was selling a set of "master keys" on eBay: Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant's shield number, 6896. The keys include the all-purpose "1620," a master firefighter key that with...
Another Liars and Outliers Review
I was reviewed in Science: Thus it helps to have a lucid and informative account such as Bruce Schneier's Liars and Outliers. The book provides an interesting and entertaining summary of the state of play of research on human social behavior, with a special emphasis on trust and trustworthiness. [...] Free from preoccupations and personal attachments to any of the...
Friday Squid Blogging: Squid Car
A squid art car. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
"Ask Nicely" Doesn't Work as a Security Mechanism
Apple's map application shows more of Taiwan than Google Maps: The Taiwanese government/military, like many others around the world, requests that satellite imagery providers, such as Google Maps, blur out certain sensitive military installations. Unfortunately, Apple apparently didn't get that memo. [...] According to reports the Taiwanese defence ministry hasn't filed a formal request with Apple yet but thought it...
The Insecurity of Networks
Not computer networks, networks in general: Findings so far suggest that networks of networks pose risks of catastrophic danger that can exceed the risks in isolated systems. A seemingly benign disruption can generate rippling negative effects. Those effects can cost millions of dollars, or even billions, when stock markets crash, half of India loses power or an Icelandic volcano spews...
Story of a CIA Burglar
This is a fascinating story of a CIA burglar, who worked for the CIA until he tried to work against the CIA. The fact that he stole code books and keys from foreign embassies makes it extra interesting, and the complete disregard for the Constitution at the end makes it extra scary....
New Developments in Captchas
In the never-ending arms race between systems to prove that you're a human and computers that can fake it, here's a captcha that tests whether you have human feelings. Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you...
Friday Squid Blogging: Giant Squid Engraving from the 1870s
Neat book illustration. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
When Will We See Collisions for SHA-1?
On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I'm reprinting his analysis here, so it reaches a broader audience. According to E-BASH, the cost of one block of a SHA-1...
Maps Showing Spread of ZeroAccess Botnet
The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It's interesting to see, but I'm curious to see the data normalized to the number of computers on the Internet....
Authentication Stories
Anecdotes from Asia on seals versus signatures on official documents....
Keccak is SHA-3
NIST has just announced that Keccak has been selected as SHA-3. It's a fine choice. I'm glad that SHA-3 is nothing like the SHA-2 family; something completely different is good. Congratulations to the Keccak team. Congratulations -- and thank you -- to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the...
2013 U.S. Homeland Security Budget
Among other findings in this CBO report: Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001. Note that this is just direct spending on homeland security. This does not...
Scary iPhone Malware Story
This story sounds pretty scary: Developed by Robert Templeman at the Naval Surface Warfare Center in Indiana and a few buddies from Indiana University, PlaceRaider hijacks your phone's camera and takes a series of secret photographs, recording the time, and the phone's orientation and location with each shot. Using that information, it can reliably build a 3D model of your...
NPR on Biometric Data Collection
Interesting Talk of the Nation segment....
Replacing Alice and Bob
A proposal to replace cryptography's Alice and Bob with Sita and Rama: Any book on cryptography invariably involves the characters Alice and Bob. It is always Alice who wants to send a message to Bob. This article replaces the dramatis personae of cryptography with characters drawn from Hindu mythology....
Using Agent-Based Simulations to Evaluate Security Systems
Kay Hamacher and Stefan Katzenbeisser, "Public Security: Simulations Need to Replace Conventional Wisdom," New Security Paradigms Workshop, 2011. Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently...
Quantum Cryptography
Long article on quantum cryptography and cryptanalysis....
Security Vulnerability in Windows 8 Unified Extensible Firmware Interface (UEFI)
This is the first one discovered, I think....
SHA-3 to Be Announced
NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It's probably too late for me to affect the final decision, but I am hoping for "no award." It's not that the new...
Friday Squid Blogging: Beached Firefly Squid
Pretty photo of firefly squid beached along a coast. I've written about firefly squid before. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Another Review of Liars and Outliers
I usually don't post reviews of Liars and Outliers -- they're all here -- but I am particularly proud of this one....
Accountable Algorithms
Ed Felten has two posts about accountable algorithms. Good stuff....
The NSA and the Risk of Off-the-Shelf Devices
Interesting article on how the NSA is approaching risk in the era of cool consumer devices. There's a discussion of the president's network-disabled iPad, and the classified cell phone that flopped because it took so long to develop and was so clunky. Turns out that everyone wants to use iPhones. Levine concluded, "Using commercial devices to process classified phone calls,...
Analysis of PIN Data
An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)...
Recent Developments in Password Cracking
A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It's not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.) This really isn't anything new. I wrote...
Friday Squid Blogging: Octonaut
A space-traveling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Diamond Swallowing as a Ruse
It's a known theft tactic to swallow what you're stealing. It works for food at the supermarket, and it also can work for diamonds. Here's a twist on that tactic: Police say he could have swallowed the stone in an attempt to distract the diamond's owner, Suresh de Silva, while his accomplice stole the real gem. Mr de Silva told...
Friday Squid Blogging: Giant Squid Museum
In Valdés, Spain. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Schneier on Security on Elementary
Two of my books can be seen in the background in CBS' new Sherlock Holmes drama, Elementary. A copy of Schneier on Security is prominently displayed on Sherlock Holmes' bookshelf. You can see it in the first few minutes of the pilot episode. The show's producers contacted me early on to ask permission to use my books, so it didn't...
Man-in-the-Middle Bank Fraud Attack
This sort of attack will become more common as banks require two-factor authentication: Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount. Next, it initiates a transfer. At this point Tatanga uses a Web Inject to trick the user into believing...
Estimating the Probability of Another 9/11
This statistical research says once per decade: Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically...
Steganography in the Wild
Steganographic information is embedded in World of Warcraft screen shots....
Stopping Terrorism
Nice essay on the futility of trying to prevent another 9/11: "Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us...
A Real Movie-Plot Threat Contest
The "Australia's Security Nightmares: The National Security Short Story Competition" is part of Safeguarding Australia 2012. To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia's Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception...
New Attack Against Chip-and-Pin Systems
Well, new to us: You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and...
Security at the 9/11 WTC Memorial
There's a lot: Advance tickets are required to enter this public, outdoor memorial. To book them, you're obliged to provide your home address, email address, and phone number, and the full names of everyone in your party. It is strongly recommended that you print your tickets at home, which is where you must leave explosives, large bags, hand soap, glass...
Another Stuxnet Post
Larry Constantine disputes David Sanger's book about Stuxnet: So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that...
Friday Squid Blogging: Controlling Squid Chromatophores with Music
Wacky. Other stories about the story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Hacking Marathon Races
Truly bizarre story of someone who seems to have figured out how to successfully cheat at marathons. The evidence of his cheating is overwhelming, but no one knows how he does it....
CSOs/CISOs Wanted: Cloud Security Questions
I'm trying to separate cloud security hype from reality. To that end, I'd like to talk to a few big corporate CSOs or CISOs about their cloud security worries, requirements, etc. If you're willing to talk, please contact me via e-mail. Eventually I will share the results of this inquiry. Thank you....
Database of 12 Million Apple UDIDs Hacked
In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop. When I first read the story, my questions were not about the hack but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his...
Wall Street Journal Review of Liars and Outliers
Liars and Outliers (along with two other books: Kip Hawley's memoir of his time at the TSA and Against Security, by Harvey Molotch) has been reviewed in the Wall Street Journal....
Hacking Brain-Computer Interfaces
In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article: A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal...
Eye Twitch Patterns as a Biometric
Yet another biometric: eye twitch patterns: ...a person's saccades, their tiny, but rapid, involuntary eye movements, can be measured using a video camera. The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology. Probably harder to fool than iris scanners....
Friday Squid Blogging: "The Seasick Squid"
A fable. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Conversation about Liars and Outliers on The WELL
I'm on The WELL right now -- for the next week or so -- discussing my new book with anyone who wants to participate. I'm also at Dragon*Con this weekend in Atlanta....
The Psychological Effects of Terrorism
Shelly C. McArdle, Heather Rosoff, Richard S. John (2012), "The Dynamics of Evolving Beliefs, Concerns, Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples," Risk Analysis v. 32, pp. 744-761. Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came...
Shared Lock
A reader sent me this photo of a shared lock. It's at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch...
The Importance of Security Engineering
In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don't recommend reading the entire discussion; we spent 14,000 words talking past each other. But what's interesting is how our debate illustrates the differences between a security engineer...
Friday Squid Blogging: Squid Sacrifices Arms to Avoid Predators
The squid Octopoteuthis deletron will drop portions of an arm to escape from a predator. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Internet Safety Talking Points for Schools
A surprisingly sensible list. E. Why are you penalizing the 95% for the 5%? You don't do this in other areas of discipline at school. Even though you know some students will use their voices or bodies inappropriately in school, you don't ban everyone from speaking or moving. You know some students may show up drunk to the prom, yet...
Fear and How it Scales
Nice post: The screaming fear in your stomach before you give a speech to 12 kids in the fifth grade is precisely the same fear a presidential candidate feels before the final debate. The fight-or-flight reflex that speeds up your heart when you're about to get a speeding ticket you don't deserve isn't very different than the chemical reaction in...
Exaggerating Cybercrime
Finally, someone takes a look at the $1 trillion number government officials are quoting as the cost of cybercrime. While it's a good figure to scare people, it doesn't have much of a basis in reality....
Video Filter that Detects a Pulse
Fascinating. How long before someone claims he can use this technology to detect nervous people in airports?...
Five "Neglects" in Risk Management
Good list, summarized here: 1. Probability neglect -- people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only. 2. Consequence neglect -- just like probability neglect, sometimes individuals neglect the magnitude of outcomes. 3. Statistical neglect -- instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb...
Poll: Americans Like the TSA
Gallup has the results: Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the...
Is iPhone Security Really this Good?
Simson Garfinkel writes that the iPhone has such good security that the police can't use it for forensics anymore: Technologies the company has adopted protect Apple customers' content so well that in many situations it's impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to...
Help Cryptanalyze Gauss
Kaspersky is looking for help decrypting the Gauss payload....
Passive Sensor that Sees Through Walls
A new technology uses the radiation given off by wi-fi devices to sense the positions of people through a one-foot-thick brick wall....
The View from an Israeli Security Checkpoint
This is an extraordinary (and gut-wrenching) first-person account of what it's like to staff an Israeli security checkpoint. It shows how power corrupts: how it's impossible to make humane decisions in such a circumstance....
Friday Squid Blogging: Efforts to Film a Live Giant Squid
Japanese researchers are attempting to film the elusive giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
$200 for a Fake Security System
This is pretty funny: "Moving red laser beams scare away potential intruders. Laser beams move along floor and wall 180 degrees. Easy to install, 110v comes on automatically w/timer." Watch the video. This is not an alarm, and it doesn't do anything other than the laser light show. But, as the product advertisement says, "perception can be an excellent deterrent...
Rudyard Kipling on Societal Pressures
In the short story "A Wayside Comedy," published in 1888 in Under the Deodars, Kipling wrote: You must remember, though you will not understand, that all laws weaken in a small and hidden community where there is no public opinion. When a man is absolutely alone in a Station he runs a certain risk of falling into evil ways. This...
An Analysis of Apple's FileVault 2
This is an analysis of Apple's disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn't break it. (Presumably, the version in Mountain Lion isn't any different.)...
Lousy Password Security on Tesco Website
Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong....
Sexual Harassment at DefCon (and Other Hacker Cons)
Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community. The response of "this is just what hacker culture is, and changing it will destroy hackerdom" is just plain wrong. When swaths of the...
Liars and Outliers on Special Discount
Liars and Outliers has been out since late February, and while it's selling great, I'd like it to sell better. So I have a special offer for my regular readers. People in the U.S. can buy a signed copy of the book for $11, Media Mail postage included. (Yes, I'm selling the book at a loss.) People in other countries...
Schneier in the News
Here are links to three news articles about me, and two video interviews with me....
Measuring Cooperation and Defection using Shipwreck Data
In Liars and Outliers, I talk a lot about social norms and when people follow them. This research uses survival data from shipwrecks to measure it. The authors argue that shipwrecks can actually tell us a fair bit about human behavior, since everyone stuck on a sinking ship has to do a bit of cost-benefit analysis. People will weigh their...
Cryptocat
I'm late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian. At this point,...
Preventive vs. Reactive Security
This is kind of a rambling essay on the need to spend more on infrastructure, but I was struck by this paragraph: Here's a news flash: There are some events that no society can afford to be prepared for to the extent that we have come to expect. Some quite natural events -- hurricanes, earthquakes, tsunamis, derechos -- have such...
U.S. and China Talking About Cyberweapons
Stuart Baker calls them "proxy talks" because they're not government to government, but it's a start....
Friday Squid Blogging: Dumpling Squid
The sex life of the dumpling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Termite Suicide Bombers
Some termites blow themselves up to expel invaders from their nest....
11-Year-Old Bypasses Airport Security
Sure, stories like this are great fun, but I don't think it's much of a security concern. Terrorists can't build a plot around random occasional security failures....
Rolling Stone Magazine Writes About Computer Security
It's a virus that plays AC/DC, so it makes sense. Surreal, though. Another article....
Detecting Spoofed GPS Signals
This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals. Unfortunately, the countermeasures all seem to be patent pending....
Chinese Gang Sells Fake Professional Certifications
They were able to hack into government websites: The gang's USP, and the reason it could charge up to 10,000 yuan (£1,000) per certificate, was that it could hack the relevant government site and tamper with the back-end database to ensure that the fake cert's name and registration number appeared legitimate. The gang made £30M before being arrested....
Yet Another Risk of Storing Everything in the Cloud
A hacker can social-engineer his way into your cloud storage -- and delete everything you have. It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud....
Peter Swire Testifies on the Inadequacy of Privacy Self-Regulation
Ohio State University Law Professor Peter Swire testifies before Congress on the inadequacy of industry self-regulation to protect privacy....
Verifying Elections Using Risk-Limiting Auditing
Interesting article on using risk-limiting auditing in determining if an election's results are likely to be valid. The risk, in this case, is in the chance of a false negative, and the election being deemed valid. The risk level determines the extent of the audit....
Breaking Microsoft's PPTP Protocol
Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again. ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise...
State-by-State Report on Electronic Voting
The Verified Voting Foundation has released a comprehensive state-by-state report on electronic voting machines (report, executive summary, and news coverage). Let's hope it does some good....
Friday Squid Blogging: SQUIDS and Quantum Computing
It seems that quantum computers might use superconducting quantum interference devices (SQUIDs). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Unsafe Safes
In a long article about insecurities in gun safes, there's this great paragraph: Unfortunately, manufacturers and consumers are deceived and misled into a false sense of security by electronic credentials, codes, and biometrics. We have seen this often, even with high security locks. Our rule: electrons do not open doors; mechanical components do. If you can compromise the mechanisms then...
Overreaction and Overly Specific Reactions to Rare Risks
Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they're the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before. The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics....
Court Orders TSA to Answer EPIC
Years ago, EPIC sued the TSA over full body scanners (I was one of the plaintiffs), demanding that they follow their own rules and ask for public comment. The court agreed, and ordered the TSA to do that. In response, the TSA has done nothing. Now, a year later, the court has again ordered the TSA to answer EPIC's position....
Hotel Door Lock Vulnerability
The attack only works sometimes, but it does allow access to millions of hotel rooms worldwide that are secured by Onity brand locks. Basically, you can read the unit's key out of the power port on the bottom of the lock, and then feed it back to the lock to authenticate an open command using the same power port....
Profile on Eugene Kaspersky
Wired has an interesting and comprehensive profile on Eugene Kaspersky. Especially note Kaspersky Lab's work to uncover US cyberespionage against Iran, Kaspersky's relationship with Russia's state security services, and the story of the kidnapping of Kaspersky's son, Ivan. Kaspersky responded (not kindly) to the article, and the author responded to the response....
Lone Shooters and Body Armor
The new thing about the Aurora shooting wasn't the weaponry, but the armor: What distinguished Holmes wasn't his offense. It was his defense. At Columbine, Harris and Klebold did their damage in T-shirts and cargo pants. Cho and Loughner wore sweatshirts. Hasan was gunned down in his Army uniform. Holmes' outfit blew these jokers away. He wore a ballistic helmet,...
Fake Irises Fool Scanners
We already know you can wear fake irises to fool a scanner into thinking you're not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you're someone else....
Hacking Tool Disguised as a Power Strip
This is impressive: The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions. A "text-to-bash"...
Fear-Mongering at TED
This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions are all one-sided. I'm not impressed with the speaker's crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it's not the single thing that's going to protect us...
Detroit Bomb Threats
There have been a few hoax bomb threats in Detroit recently (Windsor tunnel, US-Canada bridge, Tiger Stadium). The good news is that police learned; during the third one, they didn't close down the threatened location....
Friday Squid Blogging: Tentacle Doorstop
Now this is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Liars and Outliers Summed Up in Two Comic Strips
I don't know the context, but these strips sum up my latest book nicely....
Criminals Using Commercial Spamflooding Services
Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack. Clever, but in retrospect kind of obvious....
Police Sting Operation Yields No Mobile Phone Thefts
Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them: Nine premises were visited in total and officers were delighted that not one of the bait phones was 'stolen'. In fact, on nearly every occasion good hearted...
Making Handcuff Keys with 3D Printers
Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they're all designed to be opened by a standard set of keys. This system only works if the bad guys can't get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard...
Implicit Passwords
This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn't know. The Slashdot post is a nice summary: A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still...
How the Norwegians Reacted to Terrorism
An antidote to the American cycle of threat, fear, and overspending in response to terrorism is this, about Norway on the first anniversary of its terrorist massacre: And at the political level, the Prime Minister Jens Stoltenberg pledged to do everything to ensure the country's core values were not undermined. "The Norwegian response to violence is more democracy, more openness...
Friday Squid Blogging: Preserved Squid
Science or art? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Camera-Transparent Plastic
I just wrote about the coming age of invisible surveillance. Here's another step along that process. The material is black in color and cannot be seen through with the naked eye. However, if you point a black and white camera at a sheet of Black-Ops Plastic, it becomes transparent, allowing the camera to record whatever is on the other side....
Chinese Airline Rewards Crew for Resisting Hijackers
Normally, companies instruct their employees not to resist. But Hainan Airlines did the opposite: Two safety officers and the chief purser got cash and property worth 4m yuan ($628,500; £406,200) each. The rest got assets worth 2.5m yuan each. That's a lot of money, especially in China. I'm sure it will influence future decisions by crew, and even passengers, about...
Remote Scanning Technology
I don't know if this is real or fantasy: Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast...
Friday Squid Blogging: Barbecued Squid -- New Summer Favorite
In the UK, barbecued squid is in: Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer....
Hacking BMW's Remote Keyless Entry System
It turns out to be surprisingly easy: The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It...
All-or-Nothing Access Control for Mobile Phones
This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot...
Dropped USB Sticks in Parking Lot as Actual Attack Vector
For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them. This is the first time I've...
Petition the U.S. Government to Force the TSA to Follow the Law
This is important: In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using "Advanced Imaging Technology" for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The...
Cryptanalyze the Agrippa Code
William Gibson's Agrippa Code is available for cryptanalysis. Break the code, win a prize....
Attacking Fences
From an article on the cocaine trade between Mexico and the U.S.: "They erect this fence," he said, "only to go out there a few days later and discover that these guys have a catapult, and they're flinging hundred-pound bales of marijuana over to the other side." He paused and looked at me for a second. "A catapult," he repeated....
Sensible Comments about Terrorism
Two, at least: "Bee stings killed as many in UK as terrorists, says watchdog." "Americans Are as Likely to Be Killed by Their Own Furniture as by Terrorism." Is this a new trend in common sense? In case you forgot, here's a comprehensive list of ridiculous predictions about terrorist attacks (and an essay). And here's the best data on U.S....
Students Hack DHS Drone
A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?...
Friday Squid Blogging: Dissecting a Squid
This was surprisingly interesting. When a body is mysterious, you cut it open. You peel back the skin and take stock of its guts. It is the science of an arrow, the epistemology of a list. There and here and look: You tick off organs, muscles, bones. Its belly becomes fact. It glows like fluorescent lights. The air turns aseptic...
Me on Military Cyberattacks and Cyberweapons Treaties
I did a short Q&A for Network World....
Naming Pets
Children are being warned that the name of their first pet should contain at least eight characters and a digit....
So You Want to Be a Security Expert
I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating...
Commercial Espionage Virus
It's designed to steal blueprints and send them to China. Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet....
WEIS 2012
Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks. On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we...
Friday Squid Blogging: Another Giant Squid Found
A dead 13-foot-long giant squid has been found off the coast of New South Wales. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
FireDogLake Book Salon for Liars and Outliers
Here's the permalink....
On Securing Potentially Dangerous Virology Research
Abstract: The problem of securing biological research data is a difficult and complicated one. Our ability to secure data on computers is not robust enough to ensure the security of existing data sets. Lessons from cryptography illustrate that neither secrecy measures, such as deleting technical details, nor national solutions, such as export controls, will work. --------- Science and Nature have...
Nuclear Fears
Interesting review -- by David Ropeik -- of The Rise of Nuclear Fear, by Spencer Weart: Along with contributing to the birth of the environmental movement, Weart shows how fear of radiation began to undermine society's faith in science and modern technology. He writes "Polls showed that the number of Americans who felt 'a great deal' of confidence in science...
Top Secret America on the Post-9/11 Cycle of Fear and Funding
I'm reading Top Secret America: The Rise of the New American Security State, by Dana Priest and William M. Arkin. Both work for The Washington Post. The book talks about the rise of the security-industrial complex in post 9/11 America. This short quote is from Chapter 3: Such dread was a large part of the post-9/11 decade. A culture of...
Russian Nuclear Launch Code Backup Procedure
If the safe doesn't open, use a sledgehammer: The sledgehammer's existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open. Novikov said he...
E-Mail Accounts More Valuable than Bank Accounts
This informal survey produced the following result: "45% of the users found their email accounts more valuable than their bank accounts." The author believes this is evidence of some sophisticated security reasoning on the part of users: From a security standpoint, I can't agree more with these people. Email accounts are used most commonly to reset other websites' account passwords,...
Resilience
There was a conference on resilience (highlights here, and complete videos here) earlier this year. Here's an interview with professor Sander van der Leeuw on the topic. Although he never mentions security, it's all about security. Any system, whether it's the financial system, the environmental system, or something else, is always subject to all kinds of pressures. If it can...
Op-ed Explaining why Terrorism Doesn't Work
Good essay by Max Abrahms. I've written about his research before....
Friday Squid Blogging: Giant Mutant Squid at the Queen's Jubilee
I think this is a parody, but you can never be sure. Millions of Britons turned out for the Queen's four-day celebrations, undaunted by the 500-foot mutant squid that was destroying London. Huge crowds of well-wishers lined the banks of the Thames on Sunday to watch a spectacular flotilla, continuing to cheer and wave even as tentacles thicker than tree...
Colbert Report on the Orangutan Cyberthreat
Very funny video exposé of the cyberthreat posed by giving iPads to orangutans. Best part is near the end, when Richard Clarke suddenly realizes that he's being interviewed about orangutans -- and not the Chinese....
Economic Analysis of Bank Robberies
Yes, it's clever: The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, "The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per...
Far-Fetched Scams Separate the Gullible from Everyone Else
Interesting conclusion by Cormac Herley, in this paper: "Why Do Nigerian Scammers Say They are From Nigeria?" Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding whom to attack, true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This...
Apple Patents Data-Poisoning
It's not a new idea, but Apple Computer has received a patent on "Techniques to pollute electronic profiling": Abstract: Techniques to pollute electronic profiling are provided. A cloned identity is created for a principal. Areas of interest are assigned to the cloned identity, where a number of the areas of interest are divergent from true interests of the principal. One...
Rand Paul Takes on the TSA
Rand Paul has introduced legislation to rein in the TSA. There are two bills: One bill would require that the mostly federalized program be turned over to private screeners and allow airports with Department of Homeland Security approval to select companies to handle the work. This seems to be a result of a fundamental misunderstanding of the economic...
Switzerland National Defense
Interesting blog post about this book about Switzerland's national defense. To make a long story short, McPhee describes two things: how Switzerland requires military service from every able-bodied male Swiss citizen -- a model later emulated and expanded by Israel -- and how the Swiss military has, in effect, wired the entire country to blow in the event of foreign...
Attack Against Point-of-Sale Terminal
Clever attack: When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it's legit? In the past three months, Toronto and Peel police have discovered many that aren't. In what is the latest financial fraud, crooks are using distraction techniques to replace merchants' machines with their own, police say. At the end of the...
The Failure of Anti-Virus Companies to Catch Military Malware
Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame: When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but...
England's Prince Phillip on Security
On banning guns: "If a cricketer, for instance, suddenly decided to go into a school and batter a lot of people to death with a cricket bat, which he could do very easily, I mean, are you going to ban cricket bats?" In a Radio 4 interview shortly after the Dunblane shootings in 1996. He said to the interviewer off-air afterwards:...
Honor System Farm Stands
Many roadside farm stands in the U.S. are unmanned. They work on the honor system: take what you want, and pay what you owe. And today at his farm stand, Cochran says, just as at the donut shop years ago, most customers leave more money than they owe. That doesn't surprise social psychologist Michael Cunningham of the University of Louisville...
Friday Squid Blogging: Woman's Mouth Inseminated by Cooked Squid
This story is so freaky I'm not even sure I want to post it. But if I don't, you'll all send me the links. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
FireDogLake Book Salon for Liars and Outliers
On Sunday, I will be participating in a public discussion about my new book on the FireDogLake website. James Fallows will be the moderator, and I will be answering questions from all comers -- you do have to register an ID, though -- from 5:00 - 7:00 EDT. Stop by and join the discussion....
Rare Rational Comment on al Qaeda's Capabilities
From "CNN national security analyst" Peter Bergen: Few Americans harbor irrational fears about being killed by a lightning bolt. Abu Yahya al-Libi's death on Monday should remind them that fear of al Qaeda in its present state is even more irrational. Will anyone listen?...
Cheating in Online Classes
Interesting article: In the case of that student, the professor in the course had tried to prevent cheating by using a testing system that pulled questions at random from a bank of possibilities. The online tests could be taken anywhere and were open-book, but students had only a short window each week in which to take them, which was not...
Cyberwar Treaties
We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat. If you read the press and listen to government leaders, we're already in the middle of a...
Teaching the Security Mindset
In 2008 I wrote about the security mindset and how difficult it is to teach. Two professors teaching a cyberwarfare class gave an exam where they expected their students to cheat: Our variation of the Kobayashi Maru utilized a deliberately unfair exam -- write the first 100 digits of pi (3.14159...) from memory -- and took place in the pilot offering...
High-Quality Fake IDs from China
USA Today article: Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards. Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents. The overseas forgers are...
Israel Demanding Passwords at the Border
There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice. This is the first story I've seen of a country doing this at its borders. The country is Israel, and they're asking for passwords to e-mail accounts....
Changing Surveillance Techniques for Changed Communications Technologies
New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud": Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The...
Friday Squid Blogging: Baby Opalescent Squid
Baby squid larvae are transparent after they hatch, so you can see the chromatophores (color control mechanisms) developing after a few days. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Catastrophic Consequences of 9/11
This is an interesting essay -- it claims to be the first in a series -- that looks at the rise of "homeland security" as a catastrophic consequence of the 9/11 terrorist attacks: In this usage catastrophic is not a pejorative, it is a description of an atypically radical shift in perception and behavior from one condition to another very...
Homeland Security as Security Theater Metaphor
Look at the last sentence in this article on hotel cleanliness: "I relate this to homeland security. We are not any safer, but many people believe that we are," he said. It's interesting to see the waste-of-money meme used so cavalierly....
Ghostery
Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here's a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it. I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?...
Security and Human Behavior (SHB 2012)
I'm at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan. SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security --...
Interesting Article on Libyan Internet Intelligence Gathering
This is worth reading, for the insights it provides on how a country goes about monitoring its citizens in the information age: a combination of targeted attacks and wholesale surveillance. I'll just quote one bit, this list of Western companies that helped: Amesys, with its Eagle system, was just one of Libya's partners in repression. A South African firm called...
The Unreliability of Eyewitness Testimony
Interesting article: The reliability of witness testimony is a vastly complex subject, but legal scholars and forensic psychologists say it's possible to extract the truth from contradictory accounts and evolving memories. According to Barbara Tversky, professor emerita of psychology at Stanford University, the bottom line is this: "All other things equal, earlier recountings are more likely to be accurate than...
Flame
Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We'll...
Friday Squid Blogging: Mimicking Squid Camouflage
Interesting: Cephalopods - squid, cuttlefish and octopuses - change colour by using tiny muscles in their skins to stretch out small sacs of black colouration. These sacs are located in the animal's skin cells, and when a cell is ready to change colour, the brain sends a signal to the muscles and they contract. This makes the sacs expand and...
Obama's Role in Stuxnet and Iranian Cyberattacks
Really interesting article....
The Vulnerabilities Market and the Future of Security
Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who...
Tax Return Identity Theft
I wrote about this sort of thing in 2006 in the UK, but it's even bigger business here: The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card....
Bar Code Switching
A particularly clever form of retail theft -- especially when salesclerks are working fast and don't know the products -- is to switch bar codes. This particular thief stole Lego sets. If you know Lego, you know there's a vast price difference between the small sets and the large ones. He was caught by in-store surveillance....
The Psychology of Immoral (and Illegal) Behavior
When I talk about Liars and Outliers to security audiences, one of the things I stress is that our traditional security focus -- on technical countermeasures -- is much narrower than it could be. Leveraging moral, reputational, and institutional pressures is likely to be much more effective in motivating cooperative behavior. This story illustrates the point. It's about the psychology of...
The Problem of False Alarms
The context is tornado warnings: The basic problem, Smith says, is that sirens are sounded too often in most places. Sometimes they sound in an entire county for a warning that covers just a sliver of it; sometimes for other thunderstorm phenomena like large hail and/or strong straight-line winds; and sometimes for false alarm warnings: warnings for tornadoes that...
Backdoor Found in Chinese-Made Military Silicon Chips
We all knew this was possible, but researchers have found the exploit in the wild: Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption...
Interview with a Safecracker
The legal kind. It's interesting: Q: How realistic are movies that show people breaking into vaults? A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it's usually at least a couple of hours of precision work for an easy, lost combination lockout. [...] Q: Have you ever met a lock you couldn't pick? A:...
My Last Post About Ethnic Profiling at Airports
Remember my rebuttal of Sam Harris's essay advocating the profiling of Muslims at airports? That wasn't the end of it. Harris and I conducted a back-and-forth e-mail discussion, the results of which are here. At 14,000+ words, I only recommend it for the most stalwart of readers....
Friday Squid Blogging: Squid Ink from the Jurassic
Seems that squid ink hasn't changed much in 160 million years. From this, researchers argue that the security mechanism of spraying ink into the water and escaping is also that old. Simon and his colleagues used a combination of direct, high-resolution chemical techniques to determine that the melanin had been preserved. The researchers also compared the chemical composition of the...
The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot
Interesting: Although the plot was disrupted before a particular airline was targeted and tickets were purchased, al Qaeda's continued attempts to attack the U.S. speak to the organization's persistence and willingness to refine specific approaches to killing. Unlike Abdulmutallab's bomb, the new device contained lead azide, an explosive often used as a detonator. If the new underwear bomb had been...
The Ubiquity of Cyber-Fears
A new study concludes that more people are worried about cyber threats than terrorism. ...the three highest priorities for Americans when it comes to security issues in the presidential campaign are: Protecting government computer systems against hackers and criminals (74 percent) Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent) Homeland security...
The Banality of Surveillance Photos
Interesting essay on a trove of surveillance photos from Cold War-era Prague. Cops, even secret cops, are for the most part ordinary people. Working stiffs concerned with holding down jobs and earning a living. Even those who thought it was important to find enemies recognized the absurdity of their task. I take photos all the time and these empty blurry...
Lessons in Trust from Web Hoaxes
Interesting discussion of trust in this article on web hoaxes. Kelly's students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us...
Privacy Concerns Around "Social Reading"
Interesting paper: "The Perils of Social Reading," by Neil M. Richards, from the Georgetown Law Journal. Abstract: Our law currently treats records of our reading habits under two contradictory rules: rules mandating confidentiality, and rules permitting disclosure. Recently, the rise of the social Internet has created more of these records and more pressures on when and how they should...
Racism as a Vestigial Remnant of a Security Mechanism
"Roots of Racism," by Elizabeth Culotta in Science: Our attitudes toward outgroups are part of a threat-detection system that allows us to rapidly determine friend from foe, says psychologist Steven Neuberg of ASU Tempe. The problem, he says, is that like smoke detectors, the system is designed to give many false alarms rather than miss a true threat. So outgroup...
Security Incentives and Advertising Fraud
Details are in the article, but here's the general idea: Let's follow the flow of the users: Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos. HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc). In the parked domains, ad networks serve display and PPC ads. The click-fraud sites click on the ads that...
Friday Squid Blogging: Squid Scalp Massager
Cheap! As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Kip Hawley Reviews Liars and Outliers
In his blog: I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For...
Cybersecurity at the Doctor's Office
I like this essay because it nicely illustrates the security mindset....
Rules for Radicals
It was written in 1971, but this still seems like a cool book: For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people's organization, you can parade it visibly before the enemy and openly show your...
USB Drives and Wax Seals
Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!...
Security Vulnerabilities in Airport Full-Body Scanners
According to a report from the DHS Office of Inspector General: Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report. EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary....
U.S. Exports Terrorism Fears
To New Zealand: United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers." [...] "Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward." Why the headline of this...
The Trouble with Airport Profiling
Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who...
Friday Squid Blogging: New Book on Squid
Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Smart Phone Privacy App
MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps: We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows [...] Unlike PCs, we have little control over the underlying privacy and security...
RuggedCom Inserts Backdoor into Its Products
All RuggedCom equipment comes with a built-in backdoor: The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be...
A Foiled Terrorist Plot
We don't know much, but here are my predictions: There's a lot more hyperbole to this story than reality. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security. Nonetheless, it will be used to justify more invasive airport security....
Overreacting to Potential Bombs
This is a ridiculous overreaction: The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution. That's the entire building, a 44-story, 2.5-million-square-foot office building. And why? The bomb squad determined the package...
Naval Drones
With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV): The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots....
Friday Squid Blogging: Squid Bicycle Parking Sculpture
Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Tampon-Shaped USB Drive
This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it....
Facial Recognition of Avatars
I suppose this sort of thing might be useful someday. In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there...
Criminal Intent Prescreening and the Base Rate Fallacy
I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless: First, predictive software of this kind is undermined by a simple statistical problem known as...
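The arithmetic behind that argument, as an added example that is not part of the post or the essay it links to. Every number in it is constructed (the yearly screening volume, the count of real attackers, the test's sensitivity and false-positive rate); the `screen` and `false_positive_rate_for_precision` helpers are mine, not anything the TSA or the essay's author published.

```python
"""Base-rate arithmetic for screening a rare event (added example; every figure
below is constructed, not a real TSA or FAST statistic)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScreeningResult:
    true_positives: float
    false_positives: float
    false_negatives: float
    true_negatives: float

    @property
    def precision(self) -> float:
        """Fraction of alarms that point at a real positive."""
        flagged = self.true_positives + self.false_positives
        return self.true_positives / flagged if flagged else 0.0

    @property
    def false_alarms_per_hit(self) -> float:
        """How many innocent people get flagged for each real one caught."""
        if self.true_positives == 0:
            return float("inf")
        return self.false_positives / self.true_positives


def screen(population: int, positives: int,
           sensitivity: float, false_positive_rate: float) -> ScreeningResult:
    """Expected outcome of applying a test with the given sensitivity (true-positive
    rate) and false-positive rate to `population` people, `positives` of whom are real."""
    if not 0 <= positives <= population:
        raise ValueError("positives must lie between 0 and population")
    for name, rate in (("sensitivity", sensitivity),
                       ("false_positive_rate", false_positive_rate)):
        if not 0.0 <= rate <= 1.0:
            raise ValueError(f"{name} must be a probability")
    negatives = population - positives
    tp = positives * sensitivity
    fp = negatives * false_positive_rate
    return ScreeningResult(tp, fp, positives - tp, negatives - fp)


def false_positive_rate_for_precision(prevalence: float, sensitivity: float,
                                      target_precision: float) -> float:
    """False-positive rate a test would need for `target_precision` of its alarms
    to be real. Solving precision = p*s / (p*s + (1-p)*f) for f gives
    f = p*s*(1-q) / (q*(1-p))."""
    p, s, q = prevalence, sensitivity, target_precision
    if not (0.0 < p < 1.0 and 0.0 < q <= 1.0 and 0.0 < s <= 1.0):
        raise ValueError("prevalence must be in (0, 1); sensitivity and precision in (0, 1]")
    return p * s * (1.0 - q) / (q * (1.0 - p))


if __name__ == "__main__":
    # Constructed scenario: 700 million screenings a year, 10 real attackers among
    # them, and a test far more accurate than any published behavioural screen.
    result = screen(700_000_000, 10, sensitivity=0.99, false_positive_rate=0.01)
    print(f"caught {result.true_positives:.1f} of 10, "
          f"flagged {result.false_positives:,.0f} innocents, "
          f"precision {result.precision:.2e}")
    needed = false_positive_rate_for_precision(10 / 700_000_000, 0.99, 0.5)
    print(f"for half the alarms to be real, the false-positive rate must be {needed:.2e}")
```

The second function is the useful direction to run the calculation in: rather than asking how good a given test is, it asks how good a test would have to be before acting on its alarms makes sense, and for prevalences around one in ten million the answer is a false-positive rate no behavioural or predictive screen comes close to.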
Al Qaeda Steganography
The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie. Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than...
Cybercrime as a Tragedy of the Commons
Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be. We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority....
When Investigation Fails to Prevent Terrorism
I've long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here's an example where that didn't work: Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the...
JCS Chairman Sows Cyberwar Fears
Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks. Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race....
Vote for Liars and Outliers
Actionable Books is having a vote to determine which of four books to summarize on their site. If you are willing, please go there and vote for Liars and Outliers. (Voting requires a Facebook ID.) Voting closes Monday at noon EST, although I presume they mean EDT....
Friday Squid Blogging: Chesapeake Bay Squid
Great pictures. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Attack Mitigation
At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense." That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop...
Biometric Passports Make it Harder for Undercover CIA Officers
Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents. Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a...
Fear and the Attention Economy
danah boyd is thinking about -- in a draft essay, and as a recording of a presentation -- fear and the attention economy. Basically, she is making the argument that the attention economy magnifies the culture of fear because fear is a good way to get attention, and that this is being made worse by the rise of social media....
Amazing Round of "Split or Steal"
In Liars and Outliers, I use the metaphor of the Prisoner's Dilemma to exemplify the conflict between group interest and self-interest. There are a gazillion academic papers on the Prisoner's Dilemma from a good dozen different academic disciplines, but the weirdest dataset on real people playing the game is from a British game show called Golden Balls. In the final...
Alan Turing Cryptanalysis Papers
GCHQ, the UK government's communications headquarters, has released two new -- well, 70 years old, but new to us -- cryptanalysis documents by Alan Turing. The papers, one entitled The Applications of Probability to Crypt, and the other entitled Paper on the Statistics of Repetitions, discuss mathematical approaches to code breaking. [...] According to the GCHQ mathematician, who identified himself...
Friday Squid Blogging: Extracting Squid Ink
How to extract squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Liars & Outliers Update
Liars & Outliers has been available for about two months, and is selling well both in hardcover and e-book formats. More importantly, I'm very pleased with the book's reception. The reviews I've gotten have been great, and I read a lot of tweets from people who have enjoyed the book. My goal was to give people new ways to think...
TSA Behavioral Detection Statistics
Interesting data from the U.S. Government Accountability Office: But congressional auditors have questions about other efficiencies as well, like having 3,000 "behavior detection" officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists. Yet in the same year, behavior detection teams apparently...
Dance Moves As an Identifier
A burglar was identified by his dance moves, captured on security cameras: "The 16-year-old juvenile suspect is known for his 'swag,' or signature dance move," Heyse said, "and [he] does it in the hallways at school." Presumably, although the report doesn't make it clear, a classmate or teacher saw the video, recognized the distinctive swag and notified authorities. But is...
Smart Meter Hacks
Brian Krebs writes about smart meter hacks: But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet....
Password Security at Linode
Here's something good: We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers. And this: Some of you may have noticed a few changes to the Linode Manager over the past...
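The three measures in that quote, combined in one small policy object, as an added example and not Linode's code: an escalating delay on each failed attempt from an address, a per-address lock so attempts from one source are processed one at a time instead of in parallel, and a capped tarpit so the attacker's connection is the one that waits. The `LoginThrottle` class, its `clock` and `sleep` hooks (there so the policy can be exercised without real waiting), and the `alice` account with its password are all constructed for this example.

```python
"""Brute-force throttling for a login endpoint: escalating delay, per-address
serialization and tarpitting (added example modelled on the measures Linode
describes; not Linode's code)."""
import hashlib
import hmac
import os
import threading
import time
from collections import defaultdict
from typing import Callable, Dict


class LoginThrottle:
    def __init__(self, base_delay: float = 1.0, max_delay: float = 60.0,
                 window: float = 900.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.base_delay = base_delay
        self.max_delay = max_delay          # tarpit ceiling per attempt
        self.window = window                # failures older than this are forgotten
        self._clock = clock
        self._sleep = sleep
        self._failures: Dict[str, int] = defaultdict(int)
        self._last_failure: Dict[str, float] = {}
        self._locks: Dict[str, threading.Lock] = defaultdict(threading.Lock)
        self._guard = threading.Lock()      # protects the three dicts above

    def _expire(self, addr: str) -> None:
        """Forget an address's failures once they are older than the window."""
        last = self._last_failure.get(addr)
        if last is not None and self._clock() - last > self.window:
            self._failures.pop(addr, None)
            self._last_failure.pop(addr, None)

    def delay_for(self, addr: str) -> float:
        """Seconds the next attempt from addr is held: doubles per failure, capped."""
        with self._guard:
            self._expire(addr)
            n = self._failures.get(addr, 0)
        if n == 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (n - 1))

    def attempt(self, addr: str, check: Callable[[], bool]) -> bool:
        """Run one login attempt from addr. Concurrent attempts from the same
        address queue behind its lock, so an attacker cannot parallelise guesses."""
        with self._guard:
            lock = self._locks[addr]
        with lock:
            delay = self.delay_for(addr)
            if delay:
                self._sleep(delay)          # tarpit: the attacker's request waits here
            ok = check()
            with self._guard:
                if ok:
                    self._failures.pop(addr, None)
                    self._last_failure.pop(addr, None)
                else:
                    self._failures[addr] += 1
                    self._last_failure[addr] = self._clock()
            return ok


# Constructed credential store: salted PBKDF2 hashes, compared in constant time.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
_DUMMY = (_SALT, bytes(32))                # used for unknown users so timing is uniform
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def verify(user: str, password: str) -> bool:
    salt, stored = USERS.get(user, _DUMMY)  # hash even when the user does not exist
    return hmac.compare_digest(_hash(password, salt), stored) and user in USERS


if __name__ == "__main__":
    throttle = LoginThrottle(base_delay=0.5, max_delay=4.0)
    src = "203.0.113.7"                     # constructed client address
    for guess in ("password", "letmein", "correct horse battery staple"):
        print(guess, "->", throttle.attempt(src, lambda: verify("alice", guess)),
              "next delay", throttle.delay_for(src))
```

Two design points worth noting: the delay is taken inside the per-address lock, so a client that opens many connections at once still pays the delays serially, and a success clears the counter so a legitimate user who mistypes twice is not locked out, only slowed. Keying only on the remote address is the obvious weakness (a distributed attacker spreads guesses across many sources), which is why a per-account counter is the usual companion to this.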
Stolen Phone Database
This article talks about a database of stolen cell phone IDs that will be used to deny service. While I think this is a good idea, I don't know how much it would deter cell phone theft. As long as there are countries that don't implement blocking based on the IDs in the databases -- and surely there will always...
Forever-Day Bugs
That's a nice turn of phrase: Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed--even when they're acknowledged by the company that developed the software....
Outliers in Intelligence Analysis
From the CIA journal Studies in Intelligence: "Capturing the Potential of Outlier Ideas in the Intelligence Community." In war you will generally find that the enemy has at any time three courses of action open to him. Of those three, he will invariably choose the fourth. Helmuth Von Moltke With that quip, Von Moltke may have launched a spirited debate...
Hawley Channels His Inner Schneier
Kip Hawley wrote an essay for the Wall Street Journal on airport security. In it, he says so many sensible things that people have been forwarding it to me with comments like "did you ghostwrite this?" and "it looks like you won an argument" and "how did you convince him?" (Sadly, the essay was published in the Journal, which means...
How Information Warfare Changes Warfare
Really interesting paper on the moral and ethical implications of cyberwar, and the use of information technology in war (drones, for example): "Information Warfare: A Philosophical Perspective," by Mariarosaria Taddeo, Philosophy and Technology, 2012. Abstract: This paper focuses on Information Warfare -- the warfare characterised by the use of information and communication technologies. This is a fast growing phenomenon, which...
Friday Squid Blogging: Squid Fiction
Great short story in Nature. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me at RSA 2012
This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk -- TED-like -- that the conference filmed the day after for the purpose of putting it on the Internet. Today's Internet threats are not technical; they're social and political. They aren't criminals, hackers, or terrorists. They're the...
Disguising Tor Traffic as Skype Video Calls
One of the problems with Tor traffic is that it can be detected and blocked. Here's SkypeMorph, a clever system that disguises Tor traffic as Skype video traffic. To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what's known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used...
Bomb Threats As a Denial-of-Service Attack
The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom -- one of the threatened buildings is the 42-story Cathedral of Learning -- finds nothing, and eventually resumes classes. This seems to be nothing...
Brian Snow on Cybersecurity
Interesting video of Brian Snow speaking from last November. (Brian used to be the Technical Director of NSA's Information Assurance Directorate.) About a year and a half ago, I complained that his words were being used to sow cyber-fear. This talk -- about 30 minutes -- is a better reflection of what he really thinks....
"Raise the Crime Rate"
I read this a couple of months ago, and I'm still not sure what I think about it. It's definitely one of the most thought-provoking essays I've read this year. According to government statistics, Americans are safer today than at any time in the last forty years. In 1990, there were 2,245 homicides in New York City. In 2010, there were...
A Heathrow Airport Story about Trousers
Usually I don't bother posting random stories about dumb or inconsistent airport security measures. But this one is particularly interesting: "Sir, your trousers." "Pardon?" "Sir, please take your trousers off." A pause. "No." "No?" The security official clearly was not expecting that response. He begins to look like he doesn't know what to do, bless him. "You have no power...
Teenagers and Privacy
Good article debunking the myth that young people don't care about privacy on the Internet. Most kids are well aware of risks, and make "fairly sophisticated" decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don't know out in the world (distant strangers) and those they don't know in...
Laptops and the TSA
The New York Times tries to make sense of the TSA's policies on computers. Why do you have to take your tiny laptop out of your bag, but not your iPad? Their conclusion: security theater....
Friday Squid Blogging: Squid Art
Happy Easter. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
A Systems Framework for Catastrophic Disaster Response
The National Academies Press has published Crisis Standards of Care: A Systems Framework for Catastrophic Disaster Response. When a nation or region prepares for public health emergencies such as a pandemic influenza, a large-scale earthquake, or any major disaster scenario in which the health system may be destroyed or stressed to its limits, it is important to describe how standards...
James Randi on Magicians and the Security Mindset
Okay, so he doesn't use that term. But he explains how a magician's inherent ability to detect deception can be useful to science. We can't make magicians out of scientists -- we wouldn't want to -- but we can help scientists "think in the groove" -- think like a magician. And we should. We are not scientists with a...
Helen Nissenbaum, Privacy, and the Federal Trade Commission
Good article....
JetBlue Captain Clayton Osbon and Resilient Security
This is the most intelligent thing I've read about the JetBlue incident where a pilot had a mental breakdown in the cockpit: For decades, public safety officials and those who fund them have focused on training and equipment that has a dual-use function for any hazard that may come our way. The post-9/11 focus on terrorism, with all the gizmos...
The Battle for Internet Governance
Good article on the current battle for Internet governance: The War for the Internet was inevitable -- a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers...
Lost Smart Phones and Human Nature
Symantec deliberately "lost" a bunch of smart phones with tracking software on them, just to see what would happen: Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a file named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were...
Law Enforcement Forensics Tools Against Smart Phones
Turns out the password can be easily bypassed: XRY works by first jailbreaking the handset. According to Micro Systemation, no backdoors created by Apple are used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do. Once the iPhone has been jailbroken, the tool then goes on to brute-force the passcode, trying...
Computer Forensics: An Example
Paul Ceglia's lawsuit against Facebook is fascinating, but that's not the point of this blog post. As part of the case, there are allegations that documents and e-mails have been electronically forged. I found this story about the forensics done on Ceglia's computer to be interesting....
Buying Exploits on the Grey Market
This article talks about legitimate companies buying zero-day exploits, including the fact that "an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit." The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher...
Friday Squid Blogging: How Squid Hear
Interesting research: The squid use two closely spaced organs called statocysts to sense sound. "I think of a statocyst as an inside-out tennis ball," explains Dr Mooney. "It's got hairs on the inside and this little dense calcium stone that sits on those hair cells. "What happens is that the sound wave actually moves the squid back and forth, and...
Summer Schools in Cryptography and Software Security at Penn State
Normally I just delete these as spam, but this summer program for graduate students 1) looks interesting, and 2) has some scholarship money available....
Harms of Post-9/11 Airline Security
As I posted previously, I have been debating former TSA Administrator Kip Hawley on the Economist website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security...
SHARCS Conference
Last weekend was the 2012 SHARCS (Special-Purpose Hardware for Attacking Cryptographic Systems) conference. The presentations are online....
The Effects of Data Breach Litigation
"Empirical Analysis of Data Breach Litigation," Sasha Romanosky, David Hoffman, and Alessandro Acquisti: Abstract: In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated,...
Congressional Testimony on the TSA
I was supposed to testify today about the TSA in front of the House Committee on Oversight and Government Reform. I was informally invited a couple of weeks ago, and formally invited last Tuesday: The hearing will examine the successes and challenges associated with Advanced Imaging Technology (AIT), the Screening of Passengers by Observation Techniques (SPOT) program, the Transportation Worker...
Rare Spanish Enigma Machine
This is a neat story: A pair of rare Enigma machines used in the Spanish Civil War have been given to the head of GCHQ, Britain's communications intelligence agency. The machines - only recently discovered in Spain - fill in a missing chapter in the history of British code-breaking, paving the way for crucial successes in World War II. Fun...
Friday Squid Blogging: Giant Squid Eyes
It seems that the huge eyes of the giant squid are optimized to see sperm whales....
The Economist Debate on Airplane Security
On The Economist website, I am currently debating Kip Hawley on airplane security. On Tuesday we posted our initial statements, and today (London time) we posted our rebuttals. We have one more round to go. I've set it up to talk about the myriad of harms airport security has caused: loss of trust in government, increased fear, creeping police state,...
Can the NSA Break AES?
In an excellent article in Wired, James Bamford talks about the NSA's codebreaking capability. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the...
Another Liars and Outliers Excerpt
IT World published an excerpt from Chapter 4....
Unprinter
A way to securely erase paper: "The key idea was to find a laser energy level that is high enough to ablate - or vaporise - the toner that at the same time is lower than the destruction threshold of the paper substrate. It turns out the best wavelength is 532 nanometres - that's green visible light - with a...
Hacking Critical Infrastructure
An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph: At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead...
Avi Rubin on Computer Security
Avi Rubin has a TEDx talk on hacking various computer devices: medical devices, automobiles, police radios, smart phones, etc....
Australian Security Theater
I like the quote at the end of this excerpt: Aviation officials have questioned the need for such a strong permanent police presence at airports, suggesting they were there simply "to make the government look tough on terror". One senior executive said in his experience, the officers were expensive window-dressing. "When you add the body scanners, the ritual humiliation of...
Friday Squid Blogging: Squid-Shaped USB Drive
It looks great. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
BitCoin Security Musings
Jon Callas talks about BitCoin's security model, and how susceptible it would be to a Goldfinger-style attack (destroy everyone else's BitCoins)....
Non-Lethal Heat Ray
The U.S. military has a non-lethal heat ray. No details on what "non-lethal" means in this context....
Assorted Schneier News Stories
I have several stories in the news (and one podcast), mostly surrounding the talks I gave at the RSA Conference last month....
More "Liars and Outliers" Links
First, five new reviews of the book. Second, four new AV interviews about the book. Third, I take the Page 99 Test....
On Cyberwar Hype
Good article by Thomas Rid on the hype surrounding cyberwar. It's well worth reading. And in a more academic paper, published in the RUSI Journal, Thomas Rid and Peter McBurney argue that cyber-weapons aren't all that destructive and that we've been misled by some bad metaphors. Some fundamental questions on the use of force in cyberspace are still unanswered. Worse,...
A Negative Liars and Outliers Review
This person didn't like it at all. It'll go up on the book's webpage, along with all the positive reviews....
The Security of Multi-Word Passphrases
Interesting research on the security of passphrases. From a blog post on the work: We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1%...
Video Shows TSA Full-Body Scanner Failure
The Internet is buzzing about this video, showing a blogger walking through two different types of full-body scanners with metal objects. Basically, by placing the object on your side, the black image is hidden against the scanner's black background. This isn't new, by the way. This vulnerability was discussed in a paper published last year by the Journal of Transportation...
Jamming Speech with Recorded Speech
This is cool: The idea is simple. Psychologists have known for some years that it is almost impossible to speak when your words are replayed to you with a delay of a fraction of a second. Kurihara and Tsukada have simply built a handheld device consisting of a microphone and a speaker that does just that: it records a person's...
Friday Squid Blogging: Humboldt Squid Can Dive to 1.5 km
Yet another impressive Humboldt squid feat: "We've seen them make really impressive dives up to a kilometre and a half deep, swimming straight through a zone where there's really low oxygen," the Hopkins Marine Station researcher said. "They're able to spend several hours at this kilometre-and-a-half-deep, and then they go back up and continue their normal daily swimming behaviour. It's...
Liars and Outliers: Book Excerpt
Gizmodo published the beginning of Chapter 17: the last chapter....
Cloud Computing As a Man-in-the-Middle Attack
This essay uses the interesting metaphor of the man-in-the-middle attacker to describe cloud providers like Facebook and Google. Basically, they get in the middle of our interactions with others and eavesdrop on the data going back and forth....
NSA's Secure Android Spec
The NSA has released its specification for a secure Android. One of the interesting things it's requiring is that all data be tunneled through a secure VPN: Inter-relationship to Other Elements of the Secure VoIP System The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with...
How Changing Technology Affects Security
Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it. What's interesting is the difference between how the...
The Keywords the DHS Is Using to Analyze Your Social Media Posts
According to this document, received by EPIC under the Freedom of Information Act, the U.S. Department of Homeland Security is combing through the gazillions of social media postings looking for terrorists. A partial list of keywords is included in the document (pages 20-23), and is reprinted in this blog post....
Themes from the RSA Conference
Last week was the big RSA Conference in San Francisco: something like 20,000 people. From what I saw, these were the major themes on the show floor: Companies that deal with "Advanced Persistent Threat." Companies that help you recover after you've been hacked. Companies that deal with "Bring Your Own Device" at work, also known as consumerization. Who else went...
Friday Squid Blogging: Squid Vision
Some squid can see aspects of light that are invisible to humans, including polarized light. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Liars and Outliers: The Big Idea
My big idea is a big question. Every cooperative system contains parasites. How do we ensure that society's parasites don't destroy society's systems? It's all about trust, really. Not the intimate trust we have in our close friends and relatives, but the more impersonal trust we have in the various people and systems we interact with in society. I trust...
GPS Spoofers
Great movie-plot threat: Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. "They are always visible because...
State Department Redacts Wikileaks Cables
The ACLU filed a FOIA request for a bunch of cables that Wikileaks had already released complete versions of. This is what happened: The agency released redacted versions of 11 and withheld the other 12 in full. The five excerpts below show the government's selective and self-serving decisions to withhold information. Because the leaked versions of these cables have already...
Detect Which Social Networking Sites Website Visitors Are Logged Into
Clever hack....
FBI Special Agent and Counterterrorism Expert Criticizes the TSA
Good essay. Nothing I haven't said before, but it's good to hear it from someone with a widely different set of credentials than I have....
"Cyberwar Is the New Yellowcake"
Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race....
Liars and Outliers: Interview on The Browser
I was asked to talk about five books related to privacy. You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two? Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we...
U.S. Federal Court Rules that it is Unconstitutional for the Police to Force Someone to Decrypt their Laptop
A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer: Thursday's decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of...
Friday Squid Blogging: Squid Can Fly to Save Energy
There's a new study that shows that squid are faster in the air than in the water. Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have...
Liars and Outliers News
The book is selling well. (Signed copies are still available on the website.) All the online stores have it, and most bookstores as well. It is available in Europe and elsewhere outside the U.S. And for those who wanted a DRM-free electronic copy, it's available on the O'Reilly.com bookstore for $11.99. I have collected four new reviews. And a bunch...
Press Mentions
One article on me, and a podcast about my RSA talk next week....
Mention of Cryptography in a Rap Song
The new movie Safe House features the song "No Church in the Wild," by Kanye West, which includes this verse: I live by you, desire I stand by you, walk through the fire Your love is my scripture Let me into your encryption...
Computer Security when Traveling to China
Interesting: When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables...
Another Piece of the Stuxnet Puzzle
We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up. My previous writings...
Mobile Malware Is Increasing
According to a report by Juniper, mobile malware is increasing dramatically. In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. Most noteworthy was the dramatic growth in Android Malware from roughly 400 samples in June to over 13,000 samples by the end of 2011. This amounts to a cumulative increase of...
"1234" and Birthdays Are the Most Common PINs
Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression...
Covert Communications Channel in Tarsiers
Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters. Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure...
Friday Squid Blogging: Squid Desk Lamp
Beautiful sculpture. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Self-Domestication in Bonobos and Other Animals
Self-domestication happens when the benefits of cooperation outweigh the costs: But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the...
Cryptanalysis of Satellite Phone Encryption Algorithms
From the abstract of the paper: In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the...
Lousy Random Numbers Cause Insecure Public Keys
There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well. The cause of this is almost...
Dumb Risk of the Day
Geotagged images of children: Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA. The location information...
The Sudafed Security Trade-Off
This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine: Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this...
Trust Requires Transparency
Adam Shostack explains to Verisign that trust requires transparency. This is a lesson Path should have learned....
Liars and Outliers Update
Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped...
What Happens When the Court Demands You Decrypt a Document and You Forget the Key?
Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key. What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might...
Friday Squid Blogging: Squid's Beard
It's an acoustic bluegrass band. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Securing iPads for Exams
Interesting blog post about locking down an iPad so students can take exams on them....
Security Implications of "Lower-Risk Aircraft"
Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security. Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to...
Solving the Underlying Economic Problem of Internet Piracy
This essay is definitely thinking along the correct directions....
Error Rates of Hand-Counted Voting Systems
The error rate for hand-counted ballots is about two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem,...
The Failure of Two-Factor Authentication
In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...
Friday Squid Blogging: Clothing that Keeps an Exercise Journal
It's called Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
The Problems of Too Much Information Sharing
Funny. Fake, but funny....
VeriSign Hacked, Successfully and Repeatedly, in 2010
Reuters discovered the information: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The company, unsurprisingly,...
Prisons in the U.S.
Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value: Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second...
The Idaho Loophole
Brian C. Kalt (2012), "The Idaho Loophole," Georgetown Law Journal, Vol. 93, No. 2. Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal...
Possibly the Most Incompetent TSA Story Yet
The storyline: TSA screener finds two pipes in passenger's bags. Screener determines that they're not a threat. Screener confiscates them anyway, because of their "material and appearance." Because they're not actually a threat, screener leaves them at the checkpoint. Everyone forgets about them. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able...
Biases in Forensic Science
Some errors in forensic science may be the result of the biases of the medical examiners: Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even...
Liars and Outliers Update
According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition...
British Tourists Arrested in the U.S. for Tweeting
Does this story make sense to anyone? The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'. After making their way through passport control at Los Angeles International Airport (LAX)...
The Nature of Cyberwar
This was pretty good, I thought: However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider: The Internet is an artificial environment that can be shaped in part according to national security requirements. The blinding proliferation of technology and hacker tools makes it impossible...
Password Sharing Among American Teenagers
Interesting article from the New York Times on password sharing as a show of affection. "It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to...
Evidence on the Effectiveness of Terrorism
Readers of this blog will know that I like the works of Max Abrams, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583-94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11": The basic narrative of bargaining theory predicts that, all else...
Federal Judge Orders Defendant to Decrypt Laptop
A U.S. federal judge has ordered a defendant to decrypt her laptop....
Supreme Court Rules that GPS Tracking Requires a Warrant
The U.S. Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant....
Research into an Information Security Risk Rating
The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals: Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all...
Using Plant DNA for Authentication
Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the...
Authentication by "Cognitive Footprint"
DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when...
The Continued Militarization of the U.S. Police
The state of Texas gets an armed PT boat. I guess armed drones weren't enough for them....
Using False Alarms to Disable Security
I wrote about this technique in Beyond Fear: Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police. The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door....
Going Dark to Protest SOPA/PIPA
Tomorrow, from 8 am to 8 pm EDT, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others. A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here....
The Importance of Good Backups
Thankfully, this doesn't happen very often: A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings....
PCI Lawsuit
This is a first: ...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to...
Friday Squid Blogging: Argentina Attempts a Squid Blockage against the Falkland Islands
Yet another story that combines squid and security. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Recovering a Hacked Gmail Account
Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services....
"Going Dark" vs. a "Golden Age of Surveillance"
It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need...
Abolish the Department of Homeland Security
I have a love/hate relationship with the CATO Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- CATO's David Rittgers published "Abolish the Department of Homeland Security": DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies...
TSA Cupcake Update
The TSA claims that the cupcake they confiscated was in a jar. So this is a less obviously stupid story than I previously thought....
A Theory of Online Jihadist Sites
Very interesting: The counterterrorism community has spent years trying to determine why so many people are engaged in online jihadi communities in such a meaningful way. After all, the life of an online administrator for a hard-line Islamist forum is not as exciting as one might expect. You don't get paid, and you spend most of your time posting links...
Apple Split-Key Patent
Apple has a patent on splitting a key between a portable device and its power supply. Clever idea....
Protecting Your Privacy at International Borders
The EFF has published a good guide. My own advice is here and here....
Collecting Expert Predictions about Terrorist Attacks
John Mueller has been collecting them: Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for American Progress. The magazine stressed that its survey drew from the "highest echelons of America's foreign policy establishment" and included the occasional secretary of state and national security adviser, as well as...
Stealing Source Code
Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's...
The TSA Proves its Own Irrelevance
Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011": 10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I'm just happy there weren't any lions, tigers, and bears... [...] 3) Over 1,200 firearms were discovered at TSA checkpoints across the nation...
Time to Patch Your HP Printers
It's a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire. Here's a list of all the printers affected....
Improving the Security of Four-Digit PINs on Cell Phones
The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits. Then he points out that if your PIN has only three different digits...
Liars and Outliers News
The Liars and Outliers webpage is live. On it you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all...
Newly Released Papers from NSA Journals
The papers are old, but they have just been released under FOIA....
Sending Coded Messages with Postage Stamps
The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."...
Allocating Security Resources to Protect Critical Infrastructure
Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56-65 (full article behind paywall). Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR...
Applying Game Theory to Cyberattacks and Defenses
Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers' Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall). Abstract: Game theoretical methods offer new insights into quantitative evaluation of dependability and security. Currently, there is a wide range of useful game theoretic approaches to model...
Studying Airport Security
Alan A. Kirschenbaum, Michele Mariani, Coen Van Gulijk, Sharon Lubasz, Carmit Rapaport, and Hinke Andriessen, "Airport Security: An Ethnographic Study," Journal of Air Transport Management, 18 (January 2012): 68-73 (full article is behind a paywall). Abstract: This paper employs a behavioral science perspective of airport security to examine security related decision behaviors using exploratory ethnographic observations. Sampling employees from a...
Tying Up Phone Lines as a Cyberattack Tactic
There's a service that can be hired to tie up target phone lines indefinitely. The article talks about how this can be used as a diversionary tactic to mask a cyberattack, but that seems a bit odd to me. I'd be more concerned about how this sort of thing could be used to disrupt the operations of a political candidate...
Hacking Marconi's Wireless in 1903
A great story: Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of "diddling the public". Their demonstration had been hacked -- and this was more than 100 years before...
Butt Identification
Here's a new biometric: how you sit: ...researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person's posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to...
The Collar Bomb Robbery
Really interesting story of the collar-bomb robbery -- and subsequent investigation -- from 2003....
Hacking Subway's POS System
The story of how Subway's point-of-sale system was hacked for $3M....
Merry Christmas from the TSA
Cupcakes deemed security threat: Rebecca Hains says she was going through security at the airport in Las Vegas when a TSA agent pulled her aside and said the cupcake frosting was "gel-like" enough to constitute a security risk. The TSA has officially jumped the shark....
Friday Squid Blogging: Goldman Sachs and the Vampire Squid Metaphor
It's a metaphor that will not die. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me on Airport Security
Charles Mann made me the central focus of his article on airport security for Vanity Fair. (Mann also wrote about me in 2002 for The Atlantic.) The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed....
Human Ear Biometric
I have no idea how good this biometric actually is....
Giveaway: Liars and Outliers Galleys
My box of galley copies arrived in the mail yesterday. They're filled with uncorrected typos, but otherwise look great. Wiley printed about 500 of them, and they're mostly going to journalists and book reviewers, with some going to different wholesale and retail outlets. I have 20 copies to give away to readers of my blog and Crypto-Gram. Earlier this month,...
Chinese Hacking of iBahn Internet Services
Citing unexplained "intelligence data," an unnamed "senior intelligence official," and an anonymous "privacy security official," Bloomberg News claims that iBahn -- the company that runs Internet services for a bunch of hotel chains -- has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China...
Multiple Protocol Attacks
In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number. I have...
How to Open a Padlock with a Coke Can
A nice tutorial on making and using shims to open padlocks....
Plasmonics Anti-Counterfeiting Technology
This could be interesting: NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display--which are typically 100-200 nanometers in diameter--in a way that creates what are called "surface plasmons." In the words of the company, this means light "[collects] on...
Friday Squid Blogging: Squid Season
It's squid season off the coast of Southern California. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Me Speaking on Cryptography in 1997
In 1997, I spoke at the Beyond HOPE Conference in New York. (HOPE stood for "Hackers Over Planet Earth.") A video of that talk is available online....
Cameo in a Rock Video
At the 1:46 mark, you'll see my first cameo appearance in a transvestite-themed rock video....
More on the Captured U.S. Drone
There's a report that Iran hacked the drone's GPS systems: "The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its...
Snow Cone Machines for Homeland Security
When you give out money based on politics, without any accounting, this is what you get: The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties. The WMSRDC recently purchased and transferred homeland security equipment to these counties -- including...
Liars and Outliers Galleys
My publisher is printing galley copies of Liars and Outliers. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I'll forward your request to Wiley's PR department. I think they'll be ready in a week or so, although it might be after...
Investigative Report on "Buckshot Yankee"
This is a really good analysis about the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known....
Feeling vs. Reality of Security in Sparrows
Sparrows have fewer surviving offspring if they feel insecure, regardless of whether they actually are insecure. Liana Y. Zanette, Aija F. White, Marek C. Allen, and Michael Clinchy, "Perceived Predation Risk Reduces the Number of Offspring Songbirds Produce per Year," Science, 9 Dec 2011: Abstract: Predator effects on prey demography have traditionally been ascribed solely to direct killing in studies...
Yet More Fear-Mongering from the DHS
Al Qaeda is sewing bombs into people. Actually, not really. This is an "aspirational" terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won't stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive "solution" to reduce our fears. Wired: "So:...
Assessing Terrorist Threats to Commercial Aviation
This article on airplane security says many of the same things I've been saying for years: Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it...
Iranians Capture U.S. Drone
Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a...
Dumbest Camera Ban Ever
In London: While photography bans are pretty common, the station has decided to only ban DSLRs due to "their combination of high quality sensor and high resolution". Other cameras are allowed in, as long as they don't look "big" enough to shoot amazing photos. The iPhone 4S camera is pretty amazing....
First-Person Account of a TSA Airport Screener
This is a few years old, but I seem not to have blogged it before....
Friday Squid Blogging: Humboldt Squid Mystery Solved
Humboldt Squid off the coast of Mexico are spawning younger and smaller than usual. El Niño is to blame. The mystery was solved by a class of biology students. (A blog of the expedition.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Lockable USB Hard Drive
Just in time for Christmas, a USB drive housed in a physical combination lock....
DARPA Unshredding Contest
DARPA held an unshredding contest, and there's a winner: "Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame," said Dan Kaufman, director, DARPA Information Innovation Office. "The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed...
Skype Security Flaw
Just announced: The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without...
Tagging People with Invisible Ink
In Montreal, police marked protesters with invisible ink to be able to identify them later. The next step is going to be a spray that marks people surreptitiously, maybe with SmartWater....
Security Problems with U.S. Cloud Providers
Invasive U.S. surveillance programs, either illegal like the NSA's wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems. I think these are legitimate concerns. I don't trust the U.S. government, law or no law, not to spy on my data if...
Recent Developments in Full Disclosure
Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products. The debate over full disclosure is as old as computing, and I've written about it before. Disclosing security vulnerabilities is good for...
GCHQ Hacking Contest
GCHQ is holding a hacking contest to drum up new recruits....
Carrier IQ Spyware
Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to...
I Received an Honorary Doctorate
Last weekend, I received an honorary PhD from the University of Westminster, in London. I have had mixed feelings about this since I was asked early this year. The best piece of advice I've read is: "It's a great honor, but it is an honor, not a degree."...
Hacking Printers and Setting Them on Fire
It's the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we'll learn more about what's actually possible in the coming weeks. HP has issued a rebuttal....
Walls as Security Theater
Interesting essay on walls and their effects: Walls, then, are built not for security, but for a sense of security. The distinction is important, as those who commission them know very well. What a wall satisfies is not so much a material need as a mental one. Walls protect people not from barbarians, but from anxieties and fears, which can...
Full-Disk Encryption Works
According to researchers, full-disk encryption is hampering police forensics. The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study, doing so only causes...
Status Report: Liars and Outliers
After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on Oct 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. Now it's being laid out,...
Full Disclosure in Biology
The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology: The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe...
Bad CIA Operational Security
I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied: But others inside the American intelligence community say sloppy "tradecraft" -- the method of covert operations -- by the CIA is also to blame for the disruption of the vital spy networks. In Beirut, two Hezbollah...
Security Systems as a Marker for High-Value Targets
If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world: Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deter hungry mandibles. But these toxins don't come free. The plant needs energy to act as its own pharmacist, so it distributes...
Shopper Surveillance Using Cell Phones
Electronic surveillance is becoming so easy that even marketers can do it: The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept...
Spider Webs Contain Ant Poison
Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), "A Novel Property of Spider Silk: Chemical Defence Against Ants," Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall). Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However,...
The DHS Partners with Major League Soccer to Promote Fear
It seems to be harder and harder to keep people scared: The Department's "If You See Something, Say Something" partnership with the MLS Cup will feature a "If You See Something, Say Something" graphic that will be aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back...
Friday Squid Blogging: Cephalopod Art Conference
There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Android Malware
The Android platform is where the malware action is: What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications. [...] In...
Free Cryptography Class
Dan Boneh of Stanford University is teaching a free cryptography class starting in January....
Hack Against SCADA System
A hack against a SCADA system controlling a water pump in Illinois destroyed the pump. We know absolutely nothing here about the attack or the attacker's motivations. Was it on purpose? An accident? A fluke?...
Friday Squid Blogging: Squid Camouflage
Some squid can switch their camouflage instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
A Link between Altruism and Fairness
I write a lot about altruism, fairness, and cooperation in my new book (out in February!), and this sort of thing interests me a lot: In a new study, researchers had 15-month-old babies watch movies of a person distributing crackers or milk to two others, either evenly or unevenly. Babies look at things longer when they're surprised, so measuring...
EU Bans X-Ray Body Scanners
The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines. Under the new EU legislation the use of security scanners is only allowed in accordance with minimum conditions such as for example that: security scanners shall not store, retain, copy, print or retrieve images; any unauthorised...
Detecting Psychopaths by their Speech Patterns
Interesting: The researchers interviewed 52 convicted murderers, 14 of them ranked as psychopaths according to the Psychopathy Checklist-Revised, a 20-item assessment, and asked them to describe their crimes in detail. Using computer programs to analyze what the men said, the researchers found that those with psychopathic scores showed a lack of emotion, spoke in terms of cause-and-effect when describing their...
Paul Kocher
Really nice article on cryptographer Paul Kocher and his company, Cryptography Research, Inc....
Sam Harris on Self-Defense
I thought this was very interesting. His three principles are: Avoid dangerous people and dangerous places. Do not defend your property. Respond immediately and escape....
Identity Theft Call Center
There's a group who charges to make social engineering calls to obtain missing personal information for identity theft. This doesn't surprise me at all. Fraud is a business, too....
More SSL Woes
From Mikko Hypponen: "We found a malware sample. Which was signed. With a valid certificate. Belonging to the Government of Malaysia."...
Remotely Opening Prison Doors
This seems like a bad vulnerability: Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. [...] The researchers began their work after Strauchs was called in by a...
Commentary on Strong Passwords
It turns out that "2bon2btitq" is not a strong password....
Advanced Persistent Threat (APT)
It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker. A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security...
Unlocking any iPad2 using a Smart Cover
This security bug is just plain weird....
Cutting Wallets Out of Drunks' Pockets on New York City Subways
It's a crime with finesse: But he is actually a middle-aged or older man who has been doing this for a very long time. And he is a fading breed. "It's like a lost art," the lieutenant said. "It's all old-school guys who cut the pocket. They die off." And they do not seem to be replacing themselves, he said....
Fake Documents that Alarm if Opened
This sort of thing seems like a decent approach, but it has a lot of practical problems: In the wake of Wikileaks, the Department of Defense has stepped up its game to stop leaked documents from making their way into the hands of undesirables -- be they enemy forces or concerned citizens. A new piece of software has created a...
Friday Squid Blogging: Star Trek IV, now with Squid
Someone edited Star Trek IV, removing the whales and replacing them with giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Weaponized UAV Drones in the Hands of Local Police
Why does anyone think this is a good idea? The police in Montgomery County, an area north of Houston, Texas, is the first local police in the United States to deploy a drone that can carry weapons. [...] He said they are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a...
Journal Article on Cyberwar
From the Journal of Strategic Studies: "Cyber War Will Not Take Place" (full article is behind a paywall): Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does...
Underage Children on Facebook
Interesting research on how parents help their children lie about their age to get onto Facebook. One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this...
DARPA Cyber Colloquium
I note that the three "industry leaders" speaking at the DARPA Cyber Colloquium next week have about 75 years of government experience between them....
Cell Phone Surveillance System
I was not surprised that police forces are buying this system, but at its capabilities. Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area. The surveillance system has...
Another ATM Theft Tactic
This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint. It's hardly a technology-related attack. But from what I know about ATM machines, the security of the money safe inside the machine is...
Friday Squid Blogging: Video of Kid Eating Squid
It's hard to tell if he likes it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Full Extent of the Attack that Compromised RSA in March
Brian Krebs has done the analysis; it's something like 760 companies that were compromised. Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwab & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS),...
Secret Codes in Bacteria
Neat: Researchers have invented a new form of secret messaging using bacteria that make glowing proteins only under certain conditions. In addition to being useful to spies, the new technique could also allow companies to encode secret identifiers into crops, seeds, or other living commodities. [...] The new scheme replaces the fuse with seven colonies of Escherichia coli bacteria, each...
The Security of SSL
EFF reports on the security of SSL: The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such...
Cracking the Copiale Cipher
I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked....
Demands from Law Enforcement for Google Data
Google releases statistics: Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide - a tiny fraction of Google's more than a billion users. [...] The highest volume of government demands for user data came from the...
Twofish Mentioned in Thriller Novel
I've been told that the Twofish encryption algorithm is mentioned in the book Abuse of Power, in the first paragraph of Chapter 3. Did the terrorists use it? Did our hero break it? I am unlikely to read it; can someone scan the page for me....
NSA Acronyms
The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA. Note that there are still some redactions....
Blue Coat Products Enable Web Censorship in Syria
It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen: "Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition,...
Facebook Patent to Track Users Even When They are Not Logged In to Facebook
Patent number 2,011,023,240: Communicating Information in a Social Network System about Activities from Another Domain Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile...
Random Passwords in the Wild
Interesting analysis: the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords -- a rare opportunity to study this approach...
New Malware: Duqu
A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original....
Discovering What Facebook Knows About You
Things are getting interesting in Europe: Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a...
Friday Squid Blogging: Prehistoric Sentient Squid -- Or Not
There's big news in the world of giant squid: Researchers initially thought that this strange grouping of 45-foot-long marine reptiles had either died en masse from a poisonous plankton bloom or had become stranded in shallow water. But recent geological analysis of the fossil site indicates that the park was deep underwater when these shonisaurs swam the prehistoric seas. So...
Burglars Tip Off Police About Bigger Crime
I find this fascinating: A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man's property, authorities said. I am reminded of the UK story of a burglar finding some military secrets on a laptop -- or perhaps a USB drive -- that he stole, and returning them with...
Weird World War II Security Puzzle
Read this. Anyone have any ideas?...
Official Malware from the German Police
The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built...
New Attacks on CAPTCHAs
Nice research: Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we...
U.S. Drones Have a Computer Virus
You'd think we would be more careful than this: A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. [...] "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told...
Friday Squid Blogging: Hundreds of Squid Wash Up on Southern California Beaches
Humboldt squid are washing up on beaches across Southern California. Seems like it's no big deal; the squid just swam too close to shore....
Security Seals on Voting Machines
Related to this blog post from Wednesday, here's a paper that looks at security seals on voting machines. Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 1-29. Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer...
FBI-Sponsored Backdoors
From a review of Susan Landau's Surveillance or Security?: To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller's wish were granted, the FBI would gain undetected real-time access to suspects' Skype calls, Facebook chats, and other online communications -- and...
Status Report: Liars and Outliers
Last weekend, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have...
Insider Attack Against Diebold Voting Machines
This is both news and not news: Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine. It's not news because we already know that if you have access to the internals of a voting machine,...
Security Cartoon
Nice cartoon on the problems of content filtering....
National Cybersecurity Awareness Month
October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments....
Isaac Asimov on Security Theater
A great find: In his 1956 short story, "Let's Get Together," Isaac Asimov describes security measures proposed to counter a terrorist threat: "Consider further that this news will leak out as more and more people become involved in our countermeasures and more and more people begin to guess what we're doing. Then what? The panic might do us more harm...
HTC Android Vulnerability
Custom HTC firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization....
Friday Squid Blogging: Interesting Squid Recipes
Plus a slide show of pretty dishes....
Insecure Chrome Extensions
An analysis of extensions to the Chrome browser shows that 25% of them are insecure: We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web...
Problems with Mac OS X Lion Passwords
Seems like some dumb mistakes. News article....
Tor Arms Race
Iran blocks Tor, and Tor releases a workaround on the same day. How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the...
Friday Squid Blogging: Sex Life of Deep-Sea Squid
There's evidence of indiscriminate fertilization in deep-sea squid. They mate with any other squid they encounter, male or female. This unusual behaviour, they said, may be explained by the fact the squid is boosting its chances of successfully passing on its genes in the challenging environment it lives in. In the Royal Society paper the team writes: "In the deep,...
Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0
It's the Browser Exploit Against SSL/TLS Tool, or BEAST: The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through...
Three Emerging Cyber Threats
On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: The Rise of Big Data. By this I mean industries that trade on our data. These include traditional...
An Interesting Software Liability Proposal
This proposal is worth thinking about. Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund. This clause addresses how to avoid liability: license your users to inspect and chop off any and all bits of your...
U.S.-Australia Cyberwar Treaty
The long-standing ANZUS military treaty now includes cyberspace attacks: According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both. Exactly what this means in practice is less clear: practically every government with a connection to...
Shifting Risk Instead of Reducing Risk
Risks of teen driving: For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash data...
Complex Electronic Banking Fraud in Malaysia
The interesting thing about this attack is how it abuses a variety of different security systems. Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the...
Pretty Creepy Type of Cyberstalking
Luis "Guicho" Mijangos, "sextortionist."...
The Effectiveness of Plagiarism Detection Software
As you'd expect, it's not very good: But this measure [Turnitin] captures only the most flagrant form of plagiarism, where passages are copied from one document and pasted unchanged into another. Just as shoplifters slip the goods they steal under coats or into pocketbooks, most plagiarists tinker with the passages they copy before claiming them as their own. In other...
Identifying Speakers in Encrypted Voice Communication
I've already written how it is possible to detect words and phrases in encrypted VoIP calls. Turns out it's possible to detect speakers as well: Abstract: Most of the voice over IP (VoIP) traffic is encrypted prior to its transmission over the Internet. This makes the identity tracing of perpetrators during forensic investigations a challenging task since conventional speaker recognition...
Domain-in-the-Middle Attacks
It's an easy attack. Register a domain that's like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened. These are called "doppelganger domains." To test the...
Sharing Security Information and the Prisoner's Dilemma
New paper: Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), "Knowledge Sharing and Investment Decisions in Information Security," Decision Support Systems, in press. Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary...
A Status Report: "Liars and Outliers"
It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth...
Risk Tolerance and Culture
This is an interesting study on cultural differences in risk tolerance. The Cultures of Risk Tolerance Abstract: This study explores the links between culture and risk tolerance, based on surveys conducted in 23 countries. Altogether, more than 4,000 individuals participated in the surveys. Risk tolerance is associated with culture. Risk tolerance is relatively low in countries where uncertainty avoidance is...
TSA Administrator John Pistole on the Future of Airport Security
There's a lot here that's worth watching. He talks about expanding behavioral detection. He talks about less screening for "trusted travelers." So, what do the next 10 years hold for transportation security? I believe it begins with TSA's continued movement toward developing and implementing a more risk-based security system, a phrase you may have heard the last few months. When...
Human Pattern-Matching Failures in Airport Screening
I've written about this before: the human brain just isn't suited to finding rare anomalies in a screening situation. The Role of the Human Operator in Image-Based Airport Security Technologies Abstract: Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports....
Risk Perception and Terrorism
I've been posting about a lot of academic articles of late, because that's what I'm reading. Here's another. Clinton M. Jenkin (2006), Risk Perception and Terrorism, Homeland Security Affairs....
More 9/11 Retrospectives
Joseph Stiglitz on the price of 9/11. How 9/11 changed surveillance. New scientific research as a result of 9/11. A good controversial piece. The day we lost our privacy and power. The probability of another 9/11-magnitude terrorist attack. To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to...
ACLU Report on the War on Terror
This report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."...
Friday Squid Blogging: Beautiful Squid Drawings
From Italy. As before, use the comments to this post to write about and discuss security stories that don't have their own post....
New Lows in Secret Questions
I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or...
The Legality of Government Critical Infrastructure Monitoring
Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 3-13. Abstract: The government owns the entire US airspace -- it can install radar systems, enforce no-fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are...
Outing a CIA Agent
Interesting article on how difficult it is to keep an identity secret in the information age....
Optimizing Airport Security
New research: Adrian J. Lee and Sheldon H. Jacobson (2011), "The Impact of Aviation Checkpoint Queues on Optimizing Security Screening Effectiveness," Reliability Engineering & System Safety, 96 (August): 900-911. Abstract: Passenger screening at aviation security checkpoints is a critical component in protecting airports and aircraft from terrorist threats. Recent developments in screening device technology have increased the ability to detect...
Where Are All the Terrorists?
From Foreign Policy: "Why Is It So Hard to Find a Suicide Bomber These Days?" And from Stratfor: "Why al Qaeda is Unlikely to Execute Another 9/11." Me from May 2010: "Where Are All the Terrorist Attacks?"...
Friday Squid Blogging: SQUIDS Game
It's coming to the iPhone and iPad, then to other platforms: In SQUIDS, players will command a small army of stretchy, springy sea creatures to protect an idyllic underwater kingdom from a sinister emerging threat. An infectious black ooze is spreading through the lush seascape, turning ordinary crustaceans into menacing monsters. Now a plucky team of Squids -- each with unique personalities,...
The Efficacy of Post-9/11 Counterterrorism
This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in...
A Professional ATM Theft
Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year: KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform's "open-loop" prepaid debit cards. The balances on these prepaid cards aren't stored on the cards themselves;...
Unredacted U.S. Diplomatic WikiLeaks Cables Published
It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. Near as I can tell, this is what happened: In order to send the Guardian the cables, WikiLeaks encrypted them and put them...
Forged Google Certificate
There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing...
Job Opening: TSA Public Affairs Specialist
This job can't be fun: This Public Affairs Specialist position is located in the Office of Strategic Communications and Public Affairs (SCPA), Transportation Security Administration (TSA), Department of Homeland Security (DHS). If selected for this position, you will serve as the Press Secretary and senior representative/liaison working with Federal and stakeholder partners. You will utilize your expert knowledge and mastery...
The Effects of Social Media on Undercover Policing
Social networking sites make it very difficult, if not impossible, to have undercover police officers: "The results found that 90 per cent of female officers were using social media compared with 81 per cent of males." The most popular site was Facebook, followed by Twitter. Forty seven per cent of those surveyed used social networking sites daily while another 24...
Facebook Privacy Guide
It's actually pretty good. Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition....
Details of the RSA Hack
We finally have some, even though the company isn't talking: So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found. The attackers spoofed the e-mail to make it appear to come from a "web master" at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of...
Screenshots of Chinese Hacking Tool
It's hard to know how serious this really is: The screenshots appear as B-roll footage in the documentary for six seconds -- between 11:04 and 11:10 minutes -- showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug....
Friday Squid Blogging: Squid Fishing in Ulleungdo, Korea
The industry is in decline: A generation ago, most of the island's 10,000 residents worked in the squid industry, either as sellers like Kim or as farmer-fishermen who toiled in the fields each winter and went to sea during summer. Ulleungdo developed a reputation for large, tasty squid that were once exported to the mainland and Japan. The volcanic island,...
Preventing the Theft of Wire Cutters
This is a picture of a pair of wire cutters secured to a table with a wire. Someone isn't thinking this through.......
The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks
Nice essay on the problems with talking about cyberspace risks using "Cold War" metaphors: The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War...
Terrorism in the U.S. Since 9/11
John Mueller and his students analyze the 33 cases of attempted terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement....
Funniest Joke at the Edinburgh Fringe Festival
Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival: Nick Helm: "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." Note that two other jokes were about security: Tim Vine: "Crime in multi-storey car parks. That is wrong on so many different levels." Andrew Lawrence: "I admire these...
Moving 211 Tons of Gold
The security problems associated with moving $12B in gold from London to Venezuela. It seems to me that Chávez has four main choices here. He can go the FT's route, and just fly the gold to Caracas while insuring each shipment for its market value. He can go the Spanish route, and try to transport the gold himself, perhaps making...
The Security Risks of Not Teaching Malware
Essay by George Ledin on the security risks of not teaching students malware....
Stealing ATM PINs with a Thermal Camera
It's easy: Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you...
Smartphone Keystroke Logging Using the Motion Sensor
Clever: "When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed." Applications like TouchLogger could be significant because they bypass protections built into both...
Security for Implanted Medical Devices
Worried about someone hacking your implanted medical devices? Here's a signal-jamming device you can wear....
Cheating at Casinos with Hidden Cameras
Sleeve cameras aren't new, but they're now smaller than ever and the cheaters are getting more sophisticated: In January, at the newly opened $4-billion Cosmopolitan casino in Las Vegas, a gang called the Cutters cheated at baccarat. Before play began, the dealer offered one member of the group a stack of eight decks of cards for a pre-game cut. The...
Movie-Plot Threat: Open Airplane Cockpit Doors During Bathroom Breaks
James Fallows has a nice debunking of a movie-plot threat....
How Microsoft Develops Security Patches
I thought this was an interesting read....
Pseudonymity
Long essay on the value of pseudonymity. From the conclusions: Here lies the huge irony in this discussion. Persistent pseudonyms aren't ways to hide who you are. They provide a way to be who you are. You can finally talk about what you really believe; your real politics, your real problems, your real sexuality, your real family, your real self....
Looking Backward at Terrorism
Nice essay on the danger of too much security: The great lie of the war on terror is not that we can sacrifice a little liberty for greater security. It is that fear can be eliminated, and that all we need to do to improve our society is defeat terrorism, rather than look at the other causes of our social,...
The Dilemma of Counterterrorism Policy
Any institution delegated with the task of preventing terrorism has a dilemma: they can either do their best to prevent terrorism, or they can do their best to make sure they're not blamed for any terrorist attacks. I've talked about this dilemma for a while now, and it's nice to see some research results that demonstrate its effects. A. Peter...
Steven Pinker on Terrorism
It's almost time for a deluge of "Ten Years After 9/11" essays. Here's Steven Pinker: The discrepancy between the panic generated by terrorism and the deaths generated by terrorism is no accident. Panic is the whole point of terrorism, as the root of the word makes clear: "Terror" refers to a psychological state, not an enemy or an event. The...
New Attack on AES
"Biclique Cryptanalysis of the Full AES," by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Abstract. Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 192/256-bit key variants has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a...
Alarm Geese
A prison in Brazil uses geese as part of its alarm system. There's a long tradition of this. Circa 400 BC, alarm geese alerted a Roman citadel to a Gaul attack....
Security by Default
Nice essay by Christopher Soghoian on why cell phone and Internet providers need to enable security options by default....
Search Redirection and the Illicit Online Prescription Drug Trade
Really interesting research. Search-redirection attacks combine several well-worn tactics from black-hat SEO and web security. First, an attacker identifies high-visibility websites (e.g., at universities) that are vulnerable to code-injection attacks. The attacker injects code onto the server that intercepts all incoming HTTP requests to the compromised page and responds differently based on the type of request: Requests from search-engine crawlers...
New, Undeletable, Web Cookie
A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie: Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded -- even when users block cookies, turn off storage in Flash, or use browsers' incognito functions. The Wired article was very short...
Interview with Me
Here's an interview with me from the Homeland Security News Wire....
Friday Squid Blogging: Giant Squid Painted on Canal Narrowboat
Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....
Liars and Outliers Cover
My new book, Liars and Outliers, has a cover. Publication is still scheduled for the end of February -- in time for the RSA Conference -- assuming I finish the manuscript in time....
Rat that Applies Poison to its Fur
The African crested rat applies tree poison to its fur to make itself more deadly. The researchers made their discovery after presenting a wild-caught crested rat with branches and roots of the Acokanthera tree, whose bark includes the toxin ouabain. The animal gnawed and chewed the tree's bark but avoided the nontoxic leaves and fruit. The rat then applied the...
Counterfeit Pilot IDs and Uniforms Will Now Be Sufficient to Bypass Airport Security
This seems like a really bad idea: ...the Transportation Security Administration began a program Tuesday allowing pilots to skirt the security-screening process. The TSA has deployed approximately 500 body scanners to airports nationwide in a bid to prevent terrorists from boarding domestic flights, but pilots don't have to go through the controversial nude body scanners or other forms of screening....
Security Flaws in Encrypted Police Radios
"Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze. Abstract: APCO Project 25 (P25) is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include...
Friday Squid Blogging: Smaller Male Squid Have Bigger Sperm
Loligo bleekeri males have two different reproductive strategies, depending on their size. It's kind of like a covert channel....
GPRS Hacked
Just announced: Nohl's group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren't encrypted at all. When they were encrypted, Nohl adds, the ciphers were often...
"Taxonomy of Operational Cyber Security Risks"
I'm a big fan of taxonomies, and this -- from Carnegie Mellon -- seems like a useful one: The taxonomy of operational cyber security risks, summarized in Table 1 and detailed in this section, is structured around a hierarchy of classes, subclasses, and elements. The taxonomy has four main classes: actions of people -- action, or lack of action, taken...
Free-Riding on Plant Security Countermeasures
There's a security story from biology I've used a few times: plants that use chemicals to call in airstrikes by wasps on the herbivores attacking them. This is a new variation: a species of orchid that emits the same signals as a trick, to get pollinated....
MRI Lie Detectors
An article from Salon -- lots of interesting research. My previous blog post on the topic....
New Bank-Fraud Trojan
Nasty: The German Federal Criminal Police (the Bundeskriminalamt or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen...
Business Week on The Cyberwar Arms Race
I've been using the phrase "arms race" to describe the world's militaries' rush into cyberspace for a couple of years now. Here's a good article on the topic that uses the same phrase....
Friday Squid Blogging: Severed Hand is Actually A Dried Squid
I just can't make this stuff up: A report of a severed hand found at an Oahu seabird sanctuary has turned out to be dried squid. Remember: if you see something, say something. Again this week, please use the squid post to talk about the security stories in the news that I didn't cover....
Zodiac Cipher Cracked
I admit I don't pay much attention to pencil-and-paper ciphers, so I knew nothing about the Zodiac cipher. Seems it has finally been broken: The Zodiac Killer was a serial killer who preyed on couples in Northern California in the years between 1968 and 1970. Of his seven confirmed victims, five died. More victims and attacks are suspected. The killer...
German Police Call Airport Full-Body Scanners Useless
I'm not surprised: The weekly Welt am Sonntag, quoting a police report, said 35 percent of the 730,000 passengers checked by the scanners set off the alarm more than once despite being innocent. The report said the machines were confused by several layers of clothing, boots, zip fasteners and even pleats, while in 10 percent of cases the passenger's posture...
Hacking Lotteries
Two items on hacking lotteries. The first is about someone who figured out how to spot winners in a scratch-off tic-tac-toe style game, and a daily draw style game where expected payout can exceed the ticket price. The second -- behind a paywall, sorry -- is about someone who has won the lottery four times, with speculation that she had...
New Information on the Inventor of the One-Time Pad
Seems that the one-time pad was not first invented by Vernam: He could plainly see that the document described a technique called the one-time pad fully 35 years before its supposed invention during World War I by Gilbert Vernam, an AT&T engineer, and Joseph Mauborgne, later chief of the Army Signal Corps. [...] The 1882 monograph that Dr. Bellovin stumbled...
Identifying People by their Writing Style
The article is in the context of the big Facebook lawsuit, but the part about identifying people by their writing style is interesting: Recently, a team of computer scientists at Concordia University in Montreal took advantage of an unusual set of data to test another method of determining e-mail authorship. In 2003, the Federal Energy Regulatory Commission, as part of...
Developments in Facial Recognition
Eventually, it will work. You'll be able to wear a camera that will automatically recognize someone walking towards you, and an earpiece that will relay who that person is and maybe something about him. None of the technologies required to make this work are hard; it's just a matter of getting the error rate down low enough for it to...
Attacking PLCs Controlling Prison Doors
Embedded system vulnerabilities in prisons: Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in...
Breaking the Xilinx Virtex-II FPGA Bitstream Encryption
It's a power-analysis attack, which makes it much harder to defend against. And since the attack model is an engineer trying to reverse-engineer the chip, it's a valid attack. Abstract: Over the last two decades FPGAs have become central components for many advanced digital systems, e.g., video signal processing, network routers, data acquisition and military systems. In order to protect...
Using Science Fiction to Teach Computer Security
Interesting paper: "Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond," by Tadayoshi Kohno and Brian David Johnson. Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems -- and their associated computer security risks...
Hacking Apple Laptop Batteries
Interesting: Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries...
ShareMeNot
ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. That is, ShareMeNot doesn't disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on...
Data Privacy as a Prisoner's Dilemma
Good analysis: Companies would be better off if they all provided meaningful privacy protections for consumers, but privacy is a collective action problem for them: many companies would love to see the ecosystem fixed, but no one wants to put themselves at a competitive disadvantage by imposing unilateral limitations on what they can do with user data. The solution --...
Cryptography and Wiretapping
Matt Blaze analyzes the 2010 U.S. Wiretap Report. In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and...
Ars Technica on Liabilities and Computer Security
Good article: Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it's hard to mandate, or even to measure, "security consciousness" from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it's not likely to be effective unless...
Duplicating Physical Keys from Photographs (Sneakey)
In this demonstration, researchers photographed keys from 200 feet away and then made working copies. From the paper: The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut....
iPhone Iris Scanning Technology
No indication about how well it works: The smartphone-based scanner, named Mobile Offender Recognition and Information System, or MORIS, is made by BI2 Technologies in Plymouth, Massachusetts, and can be deployed by officers out on the beat or back at the station. An iris scan, which detects unique patterns in a person's eyes, can reduce to seconds the time it...
Revenge Effects of Too-Safe Playground Equipment
Sometimes too much security isn't good. After observing children on playgrounds in Norway, England and Australia, Dr. Sandseter identified six categories of risky play: exploring heights, experiencing high speed, handling dangerous tools, being near dangerous elements (like water or fire), rough-and-tumble play (like wrestling), and wandering alone away from adult supervision. The most common is climbing heights. "Climbing equipment needs...
Smuggling Drugs in Unwitting People's Car Trunks
This is clever: A few miles away across the Rio Grande, the FBI determined that Chavez and Gomez were using lookouts to monitor the SENTRI Express Lane at the border. The lookouts identified "targets" -- people with regular commutes who primarily drove Ford vehicles. According to the FBI affidavit, the smugglers would follow their targets and get the vehicle identification...
Is There a Hacking Epidemic?
Freakonomics asks: "Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?" They posted five answers, including mine: The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school...
Google Detects Malware in its Search Data
This is interesting: As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were...
Members of "Anonymous" Hacker Group Arrested
The police arrested sixteen suspected members of the Anonymous hacker group. Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don't get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers...
Telex Anti-Censorship System
This is really clever: Many anticensorship systems work by making an encrypted connection (called a tunnel) from the user's computer to a trusted proxy server located outside the censor's network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to...
British Phone Hacking Scandal
Ross Anderson discusses the technical and policy details....
Interview in Infosecurity Magazine
I think I gave this interview at the RSA Conference in February....
Degree Plans of the Future
You can now get a Master of Science in Strategic Studies in Weapons of Mass Destruction. Well, maybe you can't: "It's not going to be open enrollment (or) traditional students," Giever said. "You worry about whether you might be teaching the wrong person this stuff." At first, the FBI will select students from within its ranks, though Giever wants to...
My Next Book Title: Liars and Outliers
Thank you for all your comments and suggestions regarding my next book title. It will be: Liars and Outliers: How Security Holds Society Together We're still deciding on a cover, but it won't be any of the five from the above link. Vaguely ominous crowd scenes are not what I want....
Physical Key Escrow
This creates far more security risks than it solves: The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance,...
Insurgent Groups Exhibit Learning Curve
Interesting research: After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that "insurgents pretty much seemed to be following a progress curve–or a learning curve–that's very common in the manufacturing literature," says physicist Neil Johnson of the University of Miami in Florida and lead author of the study....
Friday Squid Blogging: Giant Squid Egg
Interesting pictures. Article is in Italian, though. Google Translate translation....
Organized Crime in Ireland Evolves As Security Increases
The whole article is interesting, but here's just one bit: The favoured quick-fix money-making exercise of the average Irish organised crime gang had, for decades, been bank robberies. But a massive investment by banks in branch security has made the traditional armed hold-up raids increasingly difficult. The presence of CCTV cameras in most banks means any raider would need to...
Comparing al Qaeda and the IRA
A really interesting article: Al Qaeda played all out, spent all its assets in a few years. In my dumb-ass 2005 article, I called the Al Qaeda method "real war" and the IRA's slow-perc campaign "nerf war." That was ignorance talking, boyish war-loving ignorance. I wanted more action, that was all. I saw what an easy target the London transport...
Man Flies with Someone Else's Ticket and No Legal ID
Last week, I got a bunch of press calls about Olajide Oluwaseun Noibi, who flew from New York to Los Angeles using an expired ticket in someone else's name and a university ID. They all wanted to know what this says about airport security. It says that airport security isn't perfect, and that people make mistakes. But it's not something...
Research in Secure Chips
Unsurprisingly, the U.S. military is funding research in this....
Friday Squid Blogging: Giant Squid as an Emblem for Ocean Conservation
It's a proposal....
TDSS Rootkit
There's a new version: The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Almost a third of the compromised machines were located in the...
Menwith Hill
Article on the NSA's Menwith Hill listening station in the UK....
Chinese Army Developed Online Wargame
This is a really weird story: After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle awareness, state press said on Wednesday. After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle...
Yet Another "People Plug in Strange USB Sticks" Story
I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed. Of course people plugged in USB...
Common PINs
There's some great data on common iPhone passwords. I'm sure the results also apply to banking PINs....
Friday Squid Blogging: Eating Humboldt Squid
Chris Cosentino, chef at Incanto in San Francisco, wants to serve you Humboldt squid....
Selling a Good Reputation on eBay
Here's someone who is selling positive feedback on eBay: Hello, for sale is a picture of a tree. This tree is an original and was taken by me. I have gotten nothing but 100% feedback from people from this picture. Great Picture! Once payment is made I will send you picture via email. Once payment is made and I send...
Assisting a Hostage Taker via Facebook
It's a new world: An armed Valdez, 36, held a woman hostage at a motel in a tense 16-hour, overnight standoff with SWAT teams, all while finding time to keep his family and friends updated on Facebook. [...] In all, Valdez made six posts and added at least a dozen new friends. His family and friends responded with 100 comments....
Protecting Private Information on Smart Phones
AppFence is a technology -- with a working prototype -- that protects personal information on smart phones. It does this by either substituting innocuous information in place of sensitive information or blocking attempts by the application to send the sensitive information over the network. The significance of systems like AppFence is that they have the potential to change the balance...
NSA Style Manual
National Security Agency (NSA) SIGINT Reporter's Style and Usage Manual, 2010....
Insider Attack Against M&A Information in Document Titles
Protecting against insiders is hard. Kluger and two accomplices -- a Wall Street trader and a mortgage broker -- allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least...
Did Reason Evolve as a Persuasion Tool?
Many of our informal security systems involve convincing others to do what we want them to. Here's a theory that says human reasoning evolved not as a tool to better understand the world or solve problems, but to win arguments and persuade other humans. (Paper here.)...
My Next Book: Title and Cover
As my regular readers already know, I'm in the process of writing my next book. It's a book about why security exists: specifically, how a group of people protects itself from individuals within that group. My working title has been The Dishonest Minority. The idea behind the title is that "honesty" is defined by social convention, then those that don't...
The Problem with Cyber-crime Surveys
Good paper: "Sex, Lies and Cyber-crime Surveys," Dinei Florêncio and Cormac Herley, Microsoft Research. Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the...
RAND Corporation on Trusted Traveler
New paper: "Assessing the Security Benefits of a Trusted Traveler Program in the Presence of Attempted Attacker Exploitation and Compromise": Current aviation security procedures screen all passengers uniformly. Varying the amount of screening individuals receive based on an assessment of their relative risk has the potential to reduce the security burdens on some travelers, while improving security overall. This paper...
Fourth SHB Workshop
I'm at SHB 2011, the fourth Interdisciplinary Workshop on Security and Human Behavior, at Carnegie Mellon University. This is a two-day invitational gathering of computer security researchers, psychologists, behavioral economists, sociologists, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security -- organized by Alessandro Acquisti, Ross Anderson, and me. It's not just...
Friday Squid Blogging: Beautiful Deep-Sea Squid Picture
From the Telegraph (also here)....
Court Ruling on "Reasonable" Electronic Banking Security
One of the pleasant side effects of being too busy to write longer blog posts is that -- if I wait long enough -- someone else writes what I would have wanted to. The ruling in the Patco Construction vs. People's United Bank case is important, because the judge basically ruled that the bank's substandard security was good enough --...
WEIS 2011
I'm at the Tenth Workshop on Economics of Information Security (WEIS 2011), at George Mason University. Most of the papers are online, and Ross Anderson is liveblogging the talks....
The Non-Anonymity of Bubble Forms
It turns out that "fill-in-the-bubble" forms are not so anonymous....
Status Report on the War on Photography
Worth reading: Morgan Leigh Manning, "Less than Picture Perfect: The Legal Relationship between Photographers' Rights and Law Enforcement," Tennessee Law Review, Vol. 78, p. 105, 2010. Abstract: Threats to national security and public safety, whether real or perceived, result in an atmosphere conducive to the abuse of civil liberties. History is littered with examples: The Alien and Sedition Acts of...
Yet Another Way to Evade TSA's Full-Body Scanners
Last night, at the Third EPIC Champion of Freedom Awards Dinner, we gave an award to Susie Castillo, whose blog post and video of her treatment in the hands of the TSA has inspired thousands to complain about the agency and their treatment of travellers. Sitting with her at dinner, I learned yet another way to evade the TSA's full...
Why it's So Difficult to Trace Cyber-Attacks
I've been asked this question by countless reporters in the past couple of weeks. Here's a good explanation. Shorter answer: it's easy to spoof source destination, and it's easy to hijack unsuspecting middlemen and use them as proxies. No, mandating attribution won't solve the problem. Any Internet design will necessarily include anonymity....
Two Good Rants
Patrick Gray on why we secretly love LulzSec, and Robert Cringely on why we openly hate RSA....
New Airport Scanning Technology
Interesting: Iscon's patented, thermo-conductive technology combines infrared (IR) and heat transfer, for high-resolution imaging without using any radiation. The core of this is state of the art imaging which detects and processes a break in the established thermal balance between the clothes and a hidden object. The IR camera detects the heat radiating from even a tiny object, producing a...
Spam as a Business
Interesting research: Kirill Levchenko, et al. (2010), "Click Trajectories -- End-to-End Analysis of the Spam Value Chain," IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011. Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack,...
25% of U.S. Criminal Hackers are Police Informants
I have no idea if this is true: In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" -- hackers specialising in ID theft -- have themselves taken over the management of crime...
Tennessee Makes Password Sharing Illegal
Here's a new law that won't work: State lawmakers in country music's capital have passed a groundbreaking measure that would make it a crime to use a friend's login -- even with permission -- to listen to songs or watch movies from services such as Netflix or Rhapsody. [...] The legislation was aimed at hackers and thieves who sell passwords...
Fighting Terrorism with Cupcakes
MI6 hacked into an online al-Qaeda magazine and replaced bomb-making instructions with a cupcake recipe. It's a more polite hack than subtly altering the recipe so it blows up during the making process. (I've been told, although I don't know for sure, that the 1971 Anarchist's Cookbook has similarly flawed recipes.)...
Analysis of Redaction Failures
Redaction failures are so common that I stopped blogging about them years ago. This is the first analysis I have seen of technical redaction failures. And here's the NSA on how to redact....
World War II Tunny Cryptanalysis Machine Rebuilt at Bletchley Park
Neat: The rebuild team had only a few photographs, partial circuit diagrams and the fading memories of a few original Tunny operators to go on. Nonetheless a team led by John Pether and John Whetter was able to complete this restoration work. Pether explained that getting the electronics to work proved to be the most difficult part of the restoration...
Security vs. Privacy
Daniel Solove on the security vs. privacy debate....
Open-Source Software Feels Insecure
At first glance, this seems like a particularly dumb opening line of an article: Open-source software may not sound compatible with the idea of strong cybersecurity, but.... But it's not. Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They'll figure out how it works....
Spear Phishing Attacks from China Against Gmail Accounts
Reporters have been calling me pretty much constantly about this story, but I can't figure out why in the world this is news. Attacks from China -- old news; attacks from China against Google -- old news; attacks from China against Google Gmail accounts -- old news. Spear phishing attacks from China against senior government officials -- old news. There's...
Man-in-the-Middle Attack Against the MCAT Exam
In Applied Cryptography, I wrote about the "Chess Grandmaster Problem," a man-in-the-middle attack. Basically, Alice plays chess remotely with two grandmasters. She plays Grandmaster 1 as white and Grandmaster 2 as black. After the standard opening of 1. e4, she just replays the moves from one game to the other, and convinces both of them that she's a grandmaster in...
Three-Volume History of Counterintelligence
CI Reader: An American Revolution Into the New Millennium, Volumes I, II, and III is published by the U.S. Office of the National Counterintelligence Executive. (No, I've never heard of them, either.)...
The U.S. Seems to Have a Secret Stealth Helicopter
That's what the U.S. destroyed after a malfunction in Pakistan during the Bin Laden assassination. (For helicopters, "stealth" is less concerned with radar signatures and more concerned with acoustical quiet.) There was some talk about Pakistan sending it to China, but they're returning it to the U.S. I presume that the Chinese got everything they needed quickly....
Keeping Sensitive Information Out of the Hands of Terrorists Through Self-Restraint
In my latest book (available February), I talk about various mechanisms for societal security: how we as a group protect ourselves from the "dishonest minority" within us. I have four types of societal security systems: moral systems -- any internal rewards and punishments; reputational systems -- any informal external rewards and punishments; rule-based systems -- any formal system of rewards...
Lockheed Martin Hack Linked to RSA's SecurID Breach
All I know is what I read in the news....
Aggressive Social Engineering Against Consumers
Cyber criminals are getting aggressive with their social engineering tactics. Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home. “He said he wanted to fix my problem over the phone,” Christopherson said. She said she was...
Friday Squid Blogging: Hand-Cut Paper Silhouette
Surprisingly pretty....
Apple's iOS 4 Hardware Encryption Cracked
All I know is what's in these two blog posts from Elcomsoft. Note that they didn't break AES-256; they figured out how to extract the keys from the hardware (iPhones, iPads). The company "will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies."...
U.S. Presidential Limo Defeated by Steep-Grade Parking Ramp
It's not something I know anything about -- actually, it's not something many people know about -- but I've posted some links about the security features of the U.S. presidential limousine. So it's amusing to watch the limo immobilized by a steep grade at the U.S. embassy in Dublin. (You'll get a glimpse of how thick the car doors are...
Blackhole Exploit Kit
It's now available as a free download: A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime. The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting...
New Siemens SCADA Vulnerabilities Kept Secret
SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage...
Dropbox Security
I haven't written about Dropbox's security problems; too busy with the book. But here's an excellent summary article from The Economist. The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to...
CDC on the Zombie Apocalypse
The Centers for Disease Control and Prevention weigh in on preparations for the zombie apocalypse....
The Normalization of Security
TSA-style security is now so normal that it's part of a Disney ride: The second room of the queue is now a security check area, similar to a TSA checkpoint. The two G-series droids are still there, G2-9T scanning luggage and G2-4T scanning passengers. For those attraction junkies, you'll remember that the G-series droids are so named because in the...
Forged Subway Passes in Boston
For years, an employee of Cubic Corp -- the company who makes the automatic fare card systems for most of the subway systems around the world -- forged and then sold monthly passes for the Boston MBTA system. The scheme was discovered by accident: Coakley said the alleged scheme was only discovered after a commuter rail operator asked a...
Bin Laden Maintained Computer Security with an Air Gap
From the Associated Press: Bin Laden's system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned....
Mobile Phone Privacy App Contest
Entries due by the end of the month....
Fingerprint Scanner that Works at a Distance
Scanning fingerprints from six feet away. Slightly smaller than a square tissue box, AIRprint houses two 1.3 megapixel cameras and a source of polarized light. One camera receives horizontally polarized light, while the other receives vertically polarized light. When light hits a finger, the ridges of the fingerprint reflect one polarization of light, while the valleys reflect another. "That's where...
The Inner Workings of an FBI Surveillance Device
This FBI surveillance device, designed to be attached to a car, has been taken apart and analyzed. A recent ruling by the 9th U.S. Circuit Court of Appeals affirms that it's legal for law enforcement to secretly place a tracking device on your car without a warrant, even if it's parked in a private driveway....
Friday Squid Blogging: Squid Sous Vide
Yum: We learned to cook squid sous vide at 59°C when we were at Atelier in Canada. The cooking time and temperature we picked up produce squid which is meaty, juicy and rich in texture. Here we marinated the squid with mango pickle and then cooked them for three hours at 59°C. Then we cooled them down in an ice...
Interview with Me About the Sony Hack
These are what I get for giving interviews when I'm in a bad mood. For the record, I think Sony did a terrible job with its customers' security. I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better. And that most of us are pretty secure, despite...
Drugging People and Then Robbing Them
This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They're actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house. According to the article, when the police tried the same trick with placebos, they got an...
RFID Tags Protecting Hotel Towels
The stealing of hotel towels isn't a big problem in the scheme of world problems, but it can be expensive for hotels. Sure, we have moral prohibitions against stealing -- that'll prevent most people from stealing the towels. Many hotels put their name or logo on the towels. That works as a reputational societal security system; most people don't want...
"Resilience of the Internet Interconnection Ecosystem"
This blog post by Richard Clayton is worth reading. If you have more time, there's 238-page report and a 31-page executive summary....
Medieval Tally Stick Discovered in Germany
Interesting: The well-preserved tally stick was used in the Middle Ages to count the debts owed by the holder in a time when most people were unable to read or write. "Debts would have been carved into the stick in the form of small notches. Then the stick would have been split lengthways, with the creditor and the borrower each...
The Era of "Steal Everything"
Good comment: "We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs. He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information. As both...
Vulnerabilities in Online Payment Systems
This hack was conducted as a research project. It's unlikely it's being done in the wild: In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a...
Status Report: The Dishonest Minority
Three months ago, I announced that I was writing a book on why security exists in human societies. This is basically the book's thesis statement: All complex systems contain parasites. In any system of cooperative behavior, an uncooperative strategy will be effective -- and the system will tolerate the uncooperatives -- as long as they're not too numerous or too...
Friday Squid Blogging: Noise Pollution and Squid
It literally blows holes in their heads: In the study, led by Michel André of the Technical University of Catalonia in Barcelona, biologists exposed 87 individual cephalopods of four species -- Loligo vulgaris, Sepia officinalis, Octopus vulgaris and Illex coindeti -- to short sweeps of relatively low intensity, low frequency sound between 50 and 400 Hertz (Hz). Then they examined...
Friday Squid Blogging: Squids in Space
There are live squids on the last Endeavor mission....
Forged Memory
A scary development in rootkits: Rootkits typically modify certain areas in the memory of the running operating system (OS) to hijack execution control from the OS. Doing so forces the OS to present inaccurate results to detection software (anti-virus, anti-rootkit). For example rootkits may hide files, registries, processes, etc., from detection software. So rootkits typically modify memory. And anti-rootkit tools...
Stolen Camera Finder
Here's a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera's serial number....
Extreme Authentication
Exactly how did they confirm it was Bin Laden's body? Officials compared the DNA of the person killed at the Abbottabad compound with the bin Laden "family DNA" to determine that the 9/11 mastermind had in fact been killed, a senior administration official said. It was not clear how many different family members' samples were compared or whose DNA was...
Osama's Death Causes Spike in Suspicious Package Reports
It's not that the risk is greater, it's that the fear is greater. Data from New York: There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year. [...] The daily totals typically spike when a terrorist plot makes...
"Operation Pumpkin"
Wouldn't it be great if this were not a joke: the security contingency that was in place in the event that Kate Middleton tried to run away just before the wedding. After protracted, top-secret negotiations between royal staff from Clarence House and representatives from the Metropolitan Police, MI5 and elements of the military, a compromise was agreed. In the event...
Unintended Security Consequences of the New Pyrex Recipe
This is interesting: When World Kitchen took over the Pyrex brand, it started making more products out of prestressed soda-lime glass instead of borosilicate. With pre-stressed, or tempered, glass, the surface is under compression from forces inside the glass. It is stronger than borosilicate glass, but when it's heated, it still expands as much as ordinary glass does. It doesn't...
Decline in Cursive Writing Leads to Increase in Forgery Risk?
According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they're forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to this blog, the article claims that this is making signatures easier to forge. While printing might be legible, the less complex...
Nikon Image Authentication System Cracked
Not a lot of details: ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097...
LiveBlogging the Bin Ladin Assassination
"VirtualReality" tweeted the Bin Ladin assassination without realizing it....
Hijacking the Coreflood Botnet
Earlier this month, the FBI seized control of the Coreflood botnet and shut it down: According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote "stop" command to infected machines to disable the...
Friday Squid Blogging: Giant Squid Eye Preserved in a Jar
Great picture from the Smithsonian Institution....
TED Talk
This is a surprise. My TED talk made it to the website. It's a surprise because I didn't speak at TED. I spoke last year at a regional TED event, TEDxPSU. And not all talks from the regional events get on the main site, only the good ones....
The Cyberwar Arms Race
Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," by Jerry Brito and Tate Watkins. Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that "cyberweapons...
Social Solidarity as an Effect of the 9/11 Terrorist Attacks
It's standard sociological theory that a group experiences social solidarity in response to external conflict. This paper studies the phenomenon in the United States after the 9/11 terrorist attacks. Conflict produces group solidarity in four phases: (1) an initial few days of shock and idiosyncratic individual reactions to attack; (2) one to two weeks of establishing standardized displays of solidarity...
Security Risks of Running an Open WiFi Network
As I've written before, I run an open WiFi network. It's stories like these that may make me rethink that. The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. "You're a...
Friday Squid Blogging: Squid Fabric Designs
Some of these are actually nice....
Hard-Drive Steganography through Fragmentation
Clever: Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file's cluster positions have been encoded. The code depends on...
Friday Squid Blogging: Squid Prints
Okay, this is a little weird: This year's Earth Day will again include the celebrated "squid printing" activity with two big, beautiful Pacific Humboldt squid donated from the Gulf of the Farallones National Marine Sanctuary. We'll be inking them up and laying them out on paper to create fascinating one-of-a-kind imprints of their bodies. I don't know what's worse:...
Declassified World War I Security Documents
The CIA has just declassified six (1, 2, 3, 4, 5, and 6) documents about World War I security techniques. (The media is reporting they're CIA documents, but the CIA didn't exist before 1947.) Lots of stuff about secret writing and pre-computer tradecraft....
Large-Scale Food Theft
A criminal gang is stealing truckloads of food: Late last month, a gang of thieves stole six tractor-trailer loads of tomatoes and a truck full of cucumbers from Florida growers. They also stole a truckload of frozen meat. The total value of the illegal haul: about $300,000. The thieves disappeared with the shipments just after the price of Florida tomatoes...
Costs of Security
Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat....
Software as Evidence
Increasingly, chains of evidence include software steps. It's not just the RIAA suing people -- and getting it wrong -- based on automatic systems to detect and identify file sharers. It's forensic programs used to collect and analyze data from computers and smart phones. It's audit logs saved and stored by ISPs and websites. It's location data from cell phones....
WikiLeaks Cable about Chinese Hacking of U.S. Networks
We know it's prevalent, but there's some new information: Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army. Privately,...
Friday Squid Blogging: Omega 3 Oil from Squid
New health supplement....
"Schneier's Law"
Back in 1998, I wrote: Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. In 2004, Cory Doctorow called this Schneier's law: ...what I think of as Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it." The...
Unanticipated Security Risk of Keeping Your Money in a Home Safe
In Japan, lots of people -- especially older people -- keep their life savings in cash in their homes. (The country's banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out...
Changing Incentives Creates Security Risks
One of the things I am writing about in my new book is how security equilibriums change. They often change because of technology, but they sometimes change because of incentives. An interesting example of this is the recent scandal in the Washington, DC, public school system over teachers changing their students' test answers. In the U.S., under the No Child...
Security Fears of Wi-Fi in London Underground
The London Underground is getting Wi-Fi. Of course there are security fears: But Will Geddes, founder of ICP Group which specialises in reducing terror or technology-related threats, said the plan was problematic. He said: "There are lots of implications in terms of terrorism and security. "This will enable people to use their laptop on the Tube as if it was...
Euro Coin Recycling Scam
This story is just plain weird. Regularly, damaged coins are taken out of circulation. They're destroyed and then sold to scrap metal dealers. That makes sense, but it seems that one- and two-euro coins aren't destroyed very well. They're both bi-metal designs, and they're just separated into an inner core and an outer ring and then sold to Chinese scrap...
Israel's Counter-Cyberterrorism Unit
You'd think the country would already have one of these: Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks. The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks....
How did the CIA and FBI Know that Australian Government Computers were Hacked?
Newspapers are reporting that, for about a month, hackers had access to computers "of at least 10 federal ministers including the Prime Minister, Foreign Minister and Defence Minister." That's not much of a surprise. What is odd is the statement that "Australian intelligence agencies were tipped off to the cyber-spy raid by US intelligence officials within the Central Intelligence Agency...
New French Law Reduces Website Security
I didn't know about this: The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded. Police, the fraud office, customs, tax and social security bodies...
The CIA and Assassinations
The former CIA general counsel, John A. Rizzo, talks about his agency's assassination program, which has increased dramatically under the Obama administration: The hub of activity for the targeted killings is the CIA's Counterterrorist Center, where lawyers -- there are roughly 10 of them, says Rizzo -- write a cable asserting that an individual poses a grave threat to the United States....
Friday Squid Blogging: A New Book About Squid
Wendy Williams, Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. Kraken is the traditional name for gigantic sea monsters, and this book introduces one of the most charismatic, enigmatic, and curious inhabitants of the sea: the squid. The pages take the reader on a wild narrative ride through the world of squid science and adventure, along the way...
Get Your Terrorist Alerts on Facebook and Twitter
Colors are so last decade: The U.S. government's new system to replace the five color-coded terror alerts will have two levels of warnings -- elevated and imminent -- that will be relayed to the public only under certain circumstances for limited periods of time, sometimes using Facebook and Twitter, according to a draft Homeland Security Department plan obtained by The...
Pinpointing a Computer to Within 690 Meters
This is impressive, and scary: Every computer connected to the web has an internet protocol (IP) address, but there is no simple way to map this to a physical location. The current best system can be out by as much as 35 kilometres. Now, Yong Wang, a computer scientist at the University of Electronic Science and Technology of China in...
Detecting Cheaters
Our brains are specially designed to deal with cheating in social exchanges. The evolutionary psychology explanation is that we evolved brain heuristics for the social problems that our prehistoric ancestors had to deal with. Once humans became good at cheating, they then had to become good at detecting cheating -- otherwise, the social group would fall apart. Perhaps the most...
Optical Stun Ray
It's been patented; no idea if it actually works. ...newly patented device can render an assailant helpless with a brief flash of high-intensity light. It works by overloading the neural networks connected to the retina, saturating the target's world in a blinding pool of white light. "It's the inverse of blindness -- the technical term is a loss of contrast sensitivity," says...
Counterterrorism Security Cost-Benefit Analysis
"Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security," by John Mueller and Mark Stewart: Abstract: The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus...
Epsilon Hack
I have no idea why the Epsilon hack is getting so much press. Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks. So what? These sorts of breaches happen all the time, and...
Reducing Bribery by Legalizing the Giving of Bribes
Here's some very clever thinking from India's chief economic adviser. In order to reduce bribery, he proposes legalizing the giving of bribes: Under the current law, discussed in some detail in the next section, once a bribe is given, the bribe giver and the bribe taker become partners in crime. It is in their joint interest to keep this fact...
Ebook Fraud
Interesting post -- and discussion -- on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple...
34 SCADA Vulnerabilities Published
It's hard to tell how serious this is. Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution...
Comodo Group Issues Bogus SSL Certificates
This isn't good: The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com. The certificates would have allowed the attacker to craft fake pages that would have...
How Peer Review Doesn't Work
In this amusing story of a terrorist plotter using pencil-and-paper cryptography instead of actually secure cryptography, there's this great paragraph: Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim also rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it...
Federated Authentication
New paper by Ross Anderson: "Can We Fix the Security Economics of Federated Authentication?": There has been much academic discussion of federated authentication, and quite some political manoeuvring about 'e-ID'. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a...
Biliteral Ciphers
Interesting article on William Friedman and biliteral ciphers....
Friday Squid Blogging: Squid Fabric Designs
Some of these are actually nice....
Authenticating the Authenticators
This is an interesting read: It was a question that changed his life, and changed mine, and may have changed -- even saved -- all of ours by calling attention to flaws in our nuclear command and control system at the height of the Cold War. It was a question that makes Maj. Hering an unsung hero of the nuclear...
Identifying Tor Users Through Insecure Applications
Interesting research: "One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users": Abstract: Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over...
Detecting Words and Phrases in Encrypted VoIP Calls
Interesting: Abstract: Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To...
Transmitting Data Through Steel
This is cool: Tristan Lawry, doctoral candidate in electrical and computer engineering, has developed equipment which can transmit data at high rates through thick, solid steel or other barriers. Significantly, Lawry's kit also transmits power. One obvious application here would be transmission through the steel pressure hull of a submarine: at the moment such hulls must have hundreds of penetrations...
Threats vs. Vulnerabilities
I found this article on the difference between threats and vulnerabilities to be very interesting. I like his taxonomy....
Folk Models in Home Computer Security
This is a really interesting paper: "Folk Models of Home Computer Security," by Rick Wash. It was presented at SOUPS, the Symposium on Usable Privacy and Security, last year. Abstract: Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and...
Times Square Video Screen Hacked with an iPhone
I didn't post about it when I first saw it because I suspected a hoax. Turns out, I was right. It wasn't even two guys faking hacking a Times Square video screen. It was a movie studio faking two guys faking hacking a Times Square video screen....
RSA Security, Inc Hacked
The company, not the algorithm. Here's the corporate spin. Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at...
Zombie Fungus
The security connection is pretty tenuous, so I figured I'd blog this on a Saturday. Once it infects an ant, the fungus uses as-yet-unidentified chemicals to control the ant's behavior, Hughes told LiveScience. It directs the ant to leave its colony (a very un-ant-like thing to do) and bite down on the underside of a leaf – the ant's soon-to-be...
Hacking ATM Users by Gluing Down Keys
Clever hack: The thieves glue down the "enter," "cancel" and "clear" buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account. The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use...
Hacking Cars with MP3 Files
Impressive research: By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car....
Using Language Patterns to Identify Anonymous E-Mail
Interesting research. It only works when there's a limited number of potential authors: To test the accuracy of their technique, Fung and his colleagues examined the Enron Email Dataset, a collection which contains over 200,000 real-life emails from 158 employees of the Enron Corporation. Using a sample of 10 emails written by each of 10 subjects (100 emails in all),...
Video Interview with Me
This three-part video interview with me was conducted at the RSA Conference last month....
FBI and the Future of Wiretapping
Last month I posted Susan Landau's testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security on government eavesdropping. In fairness to the other side, here's testimony of Valerie Caproni, General Counsel of the FBI....
Full Body Scanners
Wired.com has a good three-part story on full-body scanners....
Malware as Job Security
A programmer installed malware into the Whack-a-Mole arcade game as a form of job security. It didn't work....
Criminals Stealing Cars by Calling Tow Trucks
It's a clever hack, but an old problem: the authentication in these sorts of normal operations isn't good enough to prevent abuse....
Recently Declassified NSA History Document
"American Cryptography During the Cold War 1945-1989; Book IV: Cryptologic Rebirth 1981-1989." Document was first declassified in 2009. Here are some newly declassified pages....
Friday Squid Blogging: Giant Squid Washes Ashore
A giant squid washed ashore in New South Wales....
Interesting Research in Using Animals to Detect Substances
Fascinating research summarized in The Economist. Basically, detecting dogs respond to unconscious cues from their handlers, and generate false alarms because of them. It makes sense, as dogs are so attuned to humans. I'll bet bomb-sniffing bees don't make the same mistakes....
Pickpockets are a Dying Breed
Pickpockets in America are dying out. This is the bit I found interesting: And perhaps most important, the centuries-old apprenticeship system underpinning organized pickpocketing has been disrupted. Pickpocketing has always perpetuated itself by having older hooks -- nicknamed "Fagins," after the crime boss in Oliver Twist -- teach younger ones the art, and then absorbing them into canons. But due...
NIST SHA-3 News
NIST has finally published its rationale for selecting the five finalists....
Erasing Data from Flash Drives
"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. Abstract: Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture,...
Anonymous vs HBGary
One of the effects of writing a book is that I don't have the time to devote to other writing. So while I've been wanting to write about Anonymous vs HBGary, I don't think I will have time. Here's an excellent series of posts on the topic from ArsTechnica. In cyberspace, the balance of power is on the side of...
Friday Squid Blogging: Squid Tattoo
Impressive, even if it isn't real....
HBGary and the Future of the IT Security Industry
This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry. But I think the real lesson of the hack - and of the revelations that followed it - is that the IT security industry, having finally gotten the attention of law makers,...
Good Article About the Terrorist Non-Threat
From Reason: Know thy enemy is an ancient principle of warfare. And if America had heeded it, it might have refrained from a full-scale "war" on terrorism whose price tag is touching $2 TRILLION. That's because the Islamist enemy it is confronting is not some hyper-power capable of inflicting existential -- or even grave -- harm. It is, rather, a...
Susan Landau on Government Surveillance of the Internet
Excellent House testimony....
Terrorist-Catching Con Man
Interesting story about a con man who conned the U.S. government, and how the government is trying to hide its dealings with him. For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths...
Friday Squid Blogging: Research into Squid Hearing
Interesting: Squid can hear, scientists have confirmed. But they don't detect the changes in pressure associated with sound waves, like we do. They have another, more primitive, technique for listening: They sense the motion generated by sound waves. [...] Squid have two sac-like organs called statocysts near the base of their brains. Hair cells line the sac and project into...
Biometric Wallet
Not an electronic wallet, a physical one: Virtually indestructible, the dunhill Biometric Wallet will open only with a touch of your fingerprint. It can be linked via Bluetooth to the owner's mobile phone, sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or...
NIST Defines New Versions of SHA-512
NIST has just defined two new versions of SHA-512. They're SHA-512/224 and SHA-512/256: 224- and 256-bit truncations of SHA-512 with a new IV. They've done this because SHA-512 is faster than SHA-256 on 64-bit CPUs, so these new SHA variants will be faster. This is a good thing, and exactly what we did in the design of Skein. We defined...
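The mechanism behind those two variants, as an added example written for this page (it is not NIST's code, nor the Skein team's): a pure-Python SHA-512 with a pluggable IV. FIPS 180-4 derives the SHA-512/t IV by XORing every standard initial word with 0xa5a5a5a5a5a5a5a5 and running SHA-512 over the ASCII name of the function ("SHA-512/256"). The block also computes a naive truncation of plain SHA-512 for contrast, to show why the fresh IV matters: the two are different functions, not one a prefix of the other. The round constants and standard IV are derived from prime cube and square roots rather than typed in, so the result can be checked against hashlib.

```python
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def first_primes(count):
    """First `count` primes; SHA-512's constants are derived from them."""
    primes, c = [], 2
    while len(primes) < count:
        if all(c % p for p in primes if p * p <= c):
            primes.append(c)
        c += 1
    return primes


def icbrt(n):
    """Floor of the integer cube root, Newton iteration started above the root."""
    x = 1 << -(-n.bit_length() // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


# Round constants K[t]: first 64 fractional bits of cbrt(t-th prime).
# Standard IV H0: first 64 fractional bits of sqrt(i-th prime), i = 1..8.
K = [icbrt(p << 192) & MASK64 for p in first_primes(80)]
H0 = [math.isqrt(p << 128) & MASK64 for p in first_primes(8)]


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sha512_raw(message, iv, out_bytes=64):
    """SHA-512 over `message` starting from the 8-word `iv`, truncated to out_bytes."""
    h = list(iv)
    padded = message + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)
    padded += (len(message) * 8).to_bytes(16, "big")
    for off in range(0, len(padded), 128):
        w = list(struct.unpack(">16Q", padded[off:off + 128]))
        for t in range(16, 80):
            s0 = rotr(w[t - 15], 1) ^ rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
            s1 = rotr(w[t - 2], 19) ^ rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
        a, b, c, d, e, f, g, hh = h
        for t in range(80):
            t1 = (hh + (rotr(e, 14) ^ rotr(e, 18) ^ rotr(e, 41))
                  + ((e & f) ^ (~e & g)) + K[t] + w[t]) & MASK64
            t2 = ((rotr(a, 28) ^ rotr(a, 34) ^ rotr(a, 39))
                  + ((a & b) ^ (a & c) ^ (b & c))) & MASK64
            hh, g, f, e = g, f, e, (d + t1) & MASK64
            d, c, b, a = c, b, a, (t1 + t2) & MASK64
        h = [(x + y) & MASK64 for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(8, "big") for x in h)[:out_bytes]


def sha512_t_iv(t):
    """FIPS 180-4 5.3.6: the SHA-512/t IV is SHA-512 of the ASCII string "SHA-512/t",
    computed with each standard IV word XORed with 0xa5a5a5a5a5a5a5a5."""
    seed_iv = [x ^ 0xA5A5A5A5A5A5A5A5 for x in H0]
    name = f"SHA-512/{t}".encode("ascii")
    return list(struct.unpack(">8Q", sha512_raw(name, seed_iv)))


def sha512_t(message, t):
    """SHA-512/224 (t=224) or SHA-512/256 (t=256): derived IV, output cut to t bits."""
    return sha512_raw(message, sha512_t_iv(t), t // 8)


def truncated_sha512(message, t):
    """Plain SHA-512 cut to t bits, for contrast. This is NOT SHA-512/t."""
    return sha512_raw(message, H0, t // 8)


if __name__ == "__main__":
    msg = b"abc"  # constructed sample input
    print("SHA-512          ", sha512_raw(msg, H0).hex())
    print("SHA-512/256      ", sha512_t(msg, 256).hex())
    print("SHA-512 cut to 256", truncated_sha512(msg, 256).hex())
```

The naive truncation is just the first 32 bytes of the SHA-512 digest, so a system that "truncates SHA-512 by hand" does not interoperate with SHA-512/256, and, because the IVs differ, a SHA-512 digest of some input says nothing about its SHA-512/256 digest. That domain separation is what the new IV buys, on top of the speed of 64-bit arithmetic.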
Historical Study of the NSA Scientific Advisory Board
Recently declassified: "Historical Study: The National Security Agency Scientific Advisory Board 1952-1963."...
Romanian Hackers
Interesting article from Wired: "How a Remote Town in Romania Has Become Cybercrime Central."...
The Seven Types of Hackers
Roger Grimes has an article describing "the seven types of malicious hackers." I generally like taxonomies, and this one is pretty good. He says the seven types are: cyber criminals; spammers and adware spreaders; advanced persistent threat (APT) agents; corporate spies; hacktivists; cyber warriors; and rogue hackers...
Societal Security
Humans have a natural propensity to trust non-kin, even strangers. We do it so often, so naturally, that we don't even realize how remarkable it is. But except for a few simplistic counterexamples, it's unique among life on this planet. Because we are intelligently calculating and value reciprocity (that is, fairness), we know that humans will be honest and nice:...
Credit Card Fraud Ring
It amazes me that credit card fraud is so easy that you can run it from prison....
Friday Squid Blogging: Squid Pheromone
A newly discovered female squid pheromone sparks aggression in male squids. Article....
Julian Sanchez on Balancing Privacy and Security
From a blog post: In my own area of study, the familiar trope of "balancing privacy and security" is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of "balancing" leads people to view them as always in conflict. This is, I suspect, the...
How Feed-Over-Email Circumvents Chinese Censorship
Neat article, both the technology and the hacker who created it....
Hacking Scratch Lottery Tickets
Design failure means you can pick winning tickets before scratching the coatings off. Most interesting is that there's statistical evidence that this sort of attack has been occurring in the wild: not necessarily this particular attack, but some way to separate winners from losers without voiding the tickets. Since this article was published in Wired, another technique of hacking scratch...
Bomb-Sniffing Mice
I was interviewed for this story on a mouse-powered explosives detector. Animal senses are better than any detection machine current technology can build, which makes it a good idea. But the challenges of using animals in this sort of situation are considerable. The neat thing about the technology profiled in the article, which the article didn't make as clear as...
Micromorts
I'd never heard the term "micromort" before. It's a probability: a one-in-a-million probability of death. For example, one-micromort activities are "travelling 230 miles (370 km) by car (accident)," and "living 2 days in New York or Boston (air pollution)." I don't know if that data is accurate; it's from the Wikipedia entry. In any case, I think it's a useful...
Scareware: How Crime Pays
Scareware is fraudulent software that uses deceptive advertising to trick users into believing they're infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn't real, and the software they buy is fake, too. It's all a scam. Here's one scareware operator who sold "more than 1 million software products" at "$39.95 or...
Friday Squid Blogging: Reducing Squid Odor
Research from Japan: "Improvement of 'kurozukuri ika-shiokara' (fermented squid meat with ink) odor with Staphylococcus nepalensis isolated from the fish sauce mush of frigate mackerel Auxis rochei."...
UK Immigration Officer Puts Wife on the No-Fly List
A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and -- during the routine background check -- someone investigated why his wife was on the no-fly list. Okay,...
Terrorist Targets of Choice
This makes sense. Generally, militants prefer to attack soft targets where there are large groups of people, that are symbolic and recognizable around the world and that will generate maximum media attention when attacked. Some past examples include the World Trade Center in New York, the Taj Mahal Hotel in Mumbai and the London Underground. The militants' hope is that...
ATM Skimmer on Bank Door Lock
This is a clever development in ATM skimming technology. It's a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it's an ATM skimmer that requires no modification to the ATM....
Hacking HTTP Status Codes
One website can learn if you're logged into other websites. When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that...
Kip Hawley Comments on the Domodedovo Airport Bombing
This is the first piece of writing I've seen from Kip Hawley since he left the TSA in 2009. It's mostly generalities and platitudes....
Me on Color-Coded Terrorist Threat Levels
I wrote an op-ed for CNN.com on the demise of the color-coded terrorist threat level system. It's nothing I haven't said before, so I won't reprint it here. The best thing about the system was the jokes it inspired late-night comedians, and others, to make. In memoriam, people should post the funniest of those jokes here....
Jury Says it's Okay to Record the TSA
The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges: [The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct. Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint...
Trojan Steals Credit Card Numbers
It's only a proof of concept, but it's scary nonetheless. It's a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller. Software released for Android devices has to request permissions for each system function it accesses–with apps commonly requesting access to the network, phone call functionality, internal and external...
Domodedovo Airport Bombing
I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in...
$100 to Put a Bomb on an Airplane
An undercover TSA agent successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane. As with a lot of these tests, I'm not that worried because it's not a reliable enough tactic to build a plot around. But untrustworthy airline personnel -- or easily bribeable airline personnel -- could be...
Whitelisting vs. Blacklisting
The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier...
U.S. Strategy to Prevent Leaks is Leaked
As the article says, it doesn't get any more ironic than that. More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet. Me: I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between...
Security Theater in the Theater
This is a bit surreal: Additional steps are needed to prepare Broadway theaters in New York City for a potential WMD attack or other crisis, a New York state legislature subcommittee said yesterday. [...] Broadway district personnel did not know "what to do in case of an emergency as well as the unique problems that a theater workplace poses in...
Unsecured IP Security Cameras
It's amazing how many security cameras are on the Internet, accessible by anyone. And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone....
Bioencryption
A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage. Another article: They have also developed a three-tier security fence to encode the data, which...
REAL-ID Implementation
According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud. States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer...
Hacking Tamper-Evident Devices
At the Black Hat conference last week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals. Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors,...
Brute-Force Safecracking
This safecracking robot tries every possible combination, one after another: Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude. Opening the safe took "just a few hours." Along the same lines, here's a Lego robot that...
Blowfish in Good Time Max
This screen shot is from the movie "Good Time Max." 17 minutes and 52 seconds into the movie, it shows Blowfish being used as an encryption algorithm....
Cyberwar is Overhyped
A new report from the OECD says the threat of cyberwar has been grossly exaggerated. (Hey, that's what I said.) There are lots of news articles. Also worth reading is this article on cyberwar hype and how it isn't serving our national interests, with some good policy guidelines....
The Legality of the Certificate Authority Trust Model
Interesting research: We looked at the standard legal documents issued by the certificate authorities or "CAs," including exemplar Subscriber Agreements (agreements between CAs and website operators); "Certification Practice Statements" (statements by CAs outlining their business practices); and Relying Party Agreements (purported agreements between CAs and "relying parties," such as end-users). What we found was surprising: "Relying Party Agreements" purport to...
Cost-Benefit Analysis of Full-Body Scanners
Research paper from Mark Stewart and John Mueller: The Transportation Security Administration (TSA) has been deploying Advanced Imaging Technologies (AIT) that are full-body scanners to inspect a passenger's body for concealed weapons, explosives, and other prohibited items. The terrorist threat that AITs are primarily dedicated to is preventing the downing of a commercial airliner by an IED (Improvised Explosive Device)...
Do Corporations Have a Right to Privacy?
This week, the U.S. Supreme Court will hear arguments about whether or not corporations have the same rights to "personal privacy" that individuals do. This is a good analysis of the case. I signed on to a "friend of the court" brief put together by EPIC, arguing that they do not. More background here. And an editorial from The Washington...
Odd Art Forger
He's not in it for the money: Mr. Landis...has been one of the most prolific forgers American museums have encountered in years, writing, calling and presenting himself at their doors, where he tells well-concocted stories about his family's collection and donates small, expertly faked works, sometimes in honor of nonexistent relatives. Unlike most forgers, he does not seem to be...
Movie-Plot Threats at the U.S. Capitol
This would make a great movie: Rep. Dan Burton, R-Ind., renewed his call for the installation of an impenetrable, see-through security shield around the viewing gallery overlooking the House floor. Burton points out that, while guns and some bombs would be picked up by metal detectors, a saboteur could get into the Capitol concealing plastic explosives. The House floor, he...
More Stuxnet News
This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: "Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium." The worm itself now appears...
New Revelations in the Mahmoud al-Mabhouh Assassination
I wrote a lot last year about the assassination of Mahmoud al-Mabhouh in Dubai. There's a new article by an Israeli investigative journalist that tells the story we already knew, and adds a bunch of interesting details. Well worth reading....
Friday Squid Blogging: Deep-Sea Squid Video
"Anthology of Deep-Sea Squids," from the Monterey Bay Aquarium....
Me on Airport Security
Last week, I spoke at an airport security conference hosted by EPIC: The Stripping of Freedom: A Careful Scan of TSA Security Procedures. Here's the video of my half-hour talk....
Loaded Gun Slips Past TSA
I'm not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I'm sure the TSA doesn't catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they're going to call the police and totally...
Surviving a Terrorist's Nuclear Attack
Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb. A terrorist bomb is likely to be relatively small -- possibly only a fraction of the Hiroshima bomb's explosive power -- and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to...
Stealing SIM Cards from Traffic Lights
Johannesburg installed hundreds of networked traffic lights on its streets. The lights use a cellular modem and a SIM card to communicate. Those lights introduced a security risk I'll bet no one gave a moment's thought to: that criminals might steal the SIM cards from the traffic lights and use them to make free phone calls. But that's exactly what...
The Security Threat of Forged Law-Enforcement Credentials
Here's a U.S. Army threat assessment of forged law-enforcement credentials. The authors bought a bunch of fake badges: Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense's military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air...
Attacking High-Frequency Trading Networks
Turns out you can make money by manipulating the network latency. cPacket has developed a proof of concept showing that these side-channel attacks can be used to create tiny delays in the transmission of market data and trades. By manipulating specific trading activities by several microseconds, an attacker could gain unfair trading advantage. And because the operation occurs outside the...
"Homeland Security Hasn't Made Us Safer"
This will be nothing new to readers of this blog, but it's nice to read other people saying it too....
James Fallows on Political Shootings
Interesting: So the train of logic is: anything that can be called an "assassination" is inherently political; very often the "politics" are obscure, personal, or reflecting mental disorders rather than "normal" political disagreements. But now a further step, the political tone of an era can have some bearing on violent events. The Jonestown/Ryan and Fromme/Ford shootings had no detectable source...
Friday Squid Blogging: Biggest Squid Ever
It's an oil field: Brazil's state-run Petrobras confirmed Wednesday that oil fields recently discovered offshore contained 8.3 billion barrels of recoverable crude and gas -- and said the biggest field was being renamed "Lula." That nomenclature happens to be the nickname of President Luiz Inacio Lula da Silva, who steps down on Saturday after overseeing eight years of prosperity in...
The Social Dynamics of Terror
Good essay: Nineteenth-century anarchists promoted what they called the "propaganda of the deed," that is, the use of violence as a symbolic action to make a larger point, such as inspiring the masses to undertake revolutionary action. In the late 1960s and early 1970s, modern terrorist organizations began to conduct operations designed to serve as terrorist theater, an undertaking greatly...
SMS of Death
This will be hard to fix: Using only Short Message Service (SMS) communications–messages that can be sent between mobile phones–a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run...
Sony PS3 Security Broken
Sony used an ECDSA signature scheme to protect the PS3. Trouble is, they didn't pay sufficient attention to their random number generator....
Eavesdropping on GSM Calls
It's easy and cheap: Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a laptop computer, and a variety of open source software. The encryption is lousy: Several of the individual...
Guard Towers at WalMart
This feels very creepy and police-state-like. What on earth could WalMart be worried about?...
Polar Bears Destroying Hidden Cameras
Watch the video. What valuable security lessons does this teach? EDITED TO ADD (1/3): And why aren't the polar bears destroying the hidden cameras that are filming the polar bears destroying the hidden cameras?...
Friday Squid Blogging: Research into Squid Skin
DoD awarded a $6M grant to study squid skin: "Our internal nickname for this project is 'squid skin,' but it is really about fundamental research," said Naomi Halas, a nano-optics pioneer at Rice and the principal investigator on the four-year grant. "Our deliverable is knowledge -- the basic discoveries that will allow us to make materials that are observant, adaptive...
TSA Inspecting Thermoses
This is new: Adm. James Winnefeld told The Associated Press Friday that the Transportation Security Administration is "always trying to think ahead." Winnefeld is the head of the U.S. Northern Command, which is charged with protecting the homeland. TSA officials had said Thursday that in coming days, passengers flying within and to the U.S. may notice additional security measures related...
Terrorism Reading List
Interesting interview, discussing five books (none of which I've read, by the way)....
An Honest Privacy Policy
Funny: The data we collect is strictly anonymous, unless you've been kind enough to give us your name, email address, or other identifying information. And even if you have been that kind, we promise we won't sell that information to anyone else, unless of course our impossibly obtuse privacy policy says otherwise and/or we change our minds tomorrow. There's a...
This Suspicious Photography Stuff Is Confusing
See: Last week, Metro Transit Police received a report from a rider about suspicious behavior at the L'Enfant Plaza station and on an Orange Line train to Vienna. The rider told Metro he saw two men acting suspiciously and videotaping platforms, trains and riders. "The men, according to the citizen report, were trying to be inconspicuous, holding the cameras at...
PlugBot
Interesting: PlugBot is a hardware bot. It's a covert penetration testing device designed for use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected all the while powerful enough to scan, collect and deliver test results externally. How do you use it? Gain access to...
Cyberwar Movie Plot from an Actual Thriller Writer
It could make a good movie....
Interview with the European Union Privacy Chief
Interesting interview with Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation: The basic values in Europe are that we have the right to our own private, personal data. It's mine. And if one agrees to give that data, then it is available. That is known as opt-in consent and we've had that as law...
Adam Shostack on TSA Threat Modeling
Good commentary: I've said before and I'll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I've commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions....
Recording the Police
I've written a lot on the "War on Photography," where normal people are harassed as potential terrorists for taking pictures of things in public. This article is different; it's about recording the police: Allison's predicament is an extreme example of a growing and disturbing trend. As citizens increase their scrutiny of law enforcement officials through technologies such as cell phones,...
Book Review: Cyber War
Cyber War: The Next Threat to National Security and What to do About It by Richard Clarke and Robert Knake, HarperCollins, 2010. Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they'd understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there's...
Computational Forensics
Interesting article from IEEE Spectrum: During two years of deliberation by the National Academy's forensic science committee (of which I was a member), a troubling picture emerged. A large part of current forensics practice is skill and art rather than science, and the influences present in a typical law-enforcement setting are not conducive to doing the best science. Also, many...
"Architecture of Fear"
I like the phrase: Németh said the zones not only affect the appearance of landmark buildings but also reflect an 'architecture of fear' as evidenced, for example, by the bunker-like appearance of embassies and other perceived targets. Ultimately, he said, these places impart a dual message -- simultaneously reassuring the public while causing a sense of unease. And in the...
Friday Squid Blogging: Prosthetic Tentacle
Impressive: Designed for a class project while getting her degree at the Industrial Design Department at the University of Washington, Kaylene Kau has not only exploded perceptions of how prosthetic arms should look, but sent an entire subset of Japanese Hentai fans to their feet, cheering her on. If that's not worth an employer's attention, I don't know what is....
Hiding PETN from Full-Body Scanners
From the Journal of Transportation Security, "An evaluation of airport x-ray backscatter units based on image characteristics," by Leon Kaufman and Joseph W. Carlson: Abstract: Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra...
Did the FBI Plant Backdoors in OpenBSD?
It has been accused of it. I doubt this is true. One, it's a very risky thing to do. And two, there are more than enough exploitable security vulnerabilities in a piece of code that large. Finding and exploiting them is a much better strategy than planting them. But maybe someone at the FBI is that dumb. Further information is...
Fake Amazon Receipt Generators
They can be used to scam Amazon Marketplace merchants: What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here...
Security in 2020
There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against something. In the next 10 years, the traditional definition of IT security -- that it protects you from hackers, criminals, and other bad guys -- will undergo a radical shift. Instead of protecting you from the bad guys,...
Realistic Masks
They're causing problems: A white bank robber in Ohio recently used a "hyper-realistic" mask manufactured by a small Van Nuys company to disguise himself as a black man, prompting police there to mistakenly arrest an African American man for the crimes. In October, a 20-year-old Chinese man who wanted asylum in Canada used one of the same company's masks to...
Evan Kohlmann
Interesting profile of Evan Kohlmann: Evan Kohlmann spends his days lurking in the darkest corners of the Internet, where jihadists recruit sympathizers from across the globe. He has testified in over two dozen terrorism trials -- and sees danger everywhere he looks. Is he prescient or naïve?...
Proprietary Encryption in Car Immobilizers Cracked
This shouldn't be a surprise: Karsten Nohl's assessment of dozens of car makes and models found weaknesses in the way immobilisers are integrated with the rest of the car's electronics. The immobiliser unit should be connected securely to the vehicle's electronic engine control unit, using the car's internal data network. But these networks often use weaker encryption than the immobiliser...
Sometimes CCTV Cameras Work
Sex attack caught on camera. Hamilton police have arrested two men after a sex attack on a woman early today was caught on the city's closed circuit television (CCTV) cameras. CCTV operators contacted police when they became concerned about the safety of a woman outside an apartment block near the intersection of Victoria and Collingwood streets about 5am today. Remember,...
CRB Check Backlash
Against stupid CRB checks: Last January, Annabel Hayter, chairwoman of Gloucester Cathedral Flower Guild, received an email saying that she and her 60 fellow flower arrangers would have to undergo a CRB check. CRB stands for Criminal Records Bureau, and a CRB check is a time-consuming, sometimes expensive, pretty much always pointless vetting procedure that you must go through if...
Interview with TSA Administrator John Pistole
He's more realistic than one normally hears: So if they get through all those defenses, they get to Reagan [National Airport] over here, and they've got an underwear bomb, they got a body cavity bomb -- what's reasonable to expect TSA to do? Hopefully our behavior detection people will see somebody sweating, or they're dancing on their shoes or something,...
Friday Squid Blogging: Glowing Squid
Recent research. And an older video....
New TSA Security Test
I experienced a new TSA security check at Phoenix Airport last Thursday. The agent took my over-three-ounce bottle of saline, put a drop of it on a white cardboard strip, and then put a drop of another liquid on top of that. Nothing changed color, and she let me go. Anyone know what the test is, and what it's testing...
NIST Announces SHA-3 Finalists (Skein is One of Them)
Yesterday, NIST announced the five hash functions to advance to the third (and final) round in the SHA-3 selection process: BLAKE, Grøstl, JH, Keccak, and Skein. Not really a surprise; my predictions -- which I did not publish -- listed ECHO instead of JH, but correctly identified the other four. (Most of the predictions I saw guessed BLAKE, Grøstl, Keccak,...
Alternate Scanning Technologies
Iscon uses infrared light rather than X-rays. I have no idea how well it works. And Rapiscan has a new patent: Abstract: The present invention is directed towards an X-ray people screening system capable of rapidly screening people for detection of metals, low Z materials (plastics, ceramics and illicit drugs) and other contraband which might be concealed beneath the person's...
Department of Homeland Security Getting a Little too 1984ish
A DHS video message, reminding people to look out for and report suspicious activity, will be displayed at WalMart stores around the country....
WikiLeaks
I don't have a lot to say about WikiLeaks, but I do want to make a few points. 1. Encryption isn't the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and -- so it seems -- put into an archive on SIPRNet, where lots of people had access to them. 2. Secrets...
Never Let the Terrorists Know How We're Storing Road Salt
This seems not to be a joke: The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk. [...] Chiaffarano filed an OPRA request for the state's building plans, but was denied...
Sane Comments on Terrorism
From Michael Leiter, the director of the National Counterterrorism Center: Ultimately, Leiter said, it'll be the "quiet, confident resilience" of Americans after a terrorist attack that will "illustrate ultimately the futility of terrorism." That doesn't mean not to hit back: Leiter quickly added that "we will hold those accountable [and] we will be ready to respond to those attacks." But...
Profiling Lone Terrorists
Masters Thesis from the Naval Postgraduate School: "Patterns of Radicalization: Identifying the Markers and Warning Signs of Domestic Lone Wolf Terrorists in Our Midst." Abstract: This thesis will scrutinize the histories of our nation's three most prolific domestic lone wolf terrorists: Tim McVeigh, Ted Kaczynski, and Eric Rudolph. It will establish a chronological pattern to their radicalization and reveal that...
FTC Privacy Report
The U.S. Federal Trade Commission released its privacy report: "Protecting Consumer Privacy in an Era of Rapid Change." From the press release: One method of simplified choice the FTC staff recommends is a "Do Not Track" mechanism governing the collection of information about consumer's Internet activity to deliver targeted advertisements and for other purposes. Consumers and industry both support increased...
Cyberwar and the Future of Cyber Conflict
The world is gearing up for cyberwar. The U.S. Cyber Command became operational in November. NATO has enshrined cyber security among its new strategic priorities. The head of Britain's armed forces said recently that boosting cyber capability is now a huge priority for the UK. And we know China is already engaged in broad cyber espionage attacks against the west....
Friday Squid Blogging: New Species of Squid Discovered
New species of squid discovered in the Southern Indian Ocean....
Football Match Fixing
Detecting fixed football (soccer) games. There is a certain buzz of expectation, because Oscar, one of the fraud analysts, has spotted a game he is sure has been fixed. "We've been watching this for a couple of weeks now," he says. "The odds have gone to a very suspicious level. We believe that this game will finish in an away...
Full Body Scanners: What's Next?
Organizers of National Opt Out Day -- the Wednesday before Thanksgiving when air travelers were urged to opt out of the full-body scanners at security checkpoints and instead submit to full-body patdowns -- were outfoxed by the TSA. The government pre-empted the protest by turning off the machines in most airports during the Thanksgiving weekend. Everyone went through the metal...
Close the Washington Monument
Securing the Washington Monument from terrorism has turned out to be a surprisingly difficult job. The concrete fence around the building protects it from attacking vehicles, but there's no visually appealing way to house the airport-level security mechanisms the National Park Service has decided are a must for visitors. It is considering several options, but I think we should close...
Brian Snow Sows Cyber Fears
That's no less sensational than the Calgary Herald headline: "Total cyber-meltdown almost inevitable, expert tells Calgary audience." That's former NSA Technical Director Brian Snow talking to a university audience. "It's long weeks to short months at best before there's a security meltdown," said Snow, as a guest lecturer for the Institute for Security, Privacy and Information Assurance, an interdisciplinary group...
Risk Reduction Strategies on Social Networking Sites
By two teenagers: Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn't delete the account -- that's the point. She knows that when she logs back in, she'll be able to reactivate the account and have all of her friend connections back. But when she's not logged in, no...
Software Monoculture
In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would...
The Constitutionality of Full-Body Scanners
Jeffrey Rosen opines: Although the Supreme Court hasn't evaluated airport screening technology, lower courts have emphasized, as the U.S. Court of Appeals for the 9th Circuit ruled in 2007, that "a particular airport security screening search is constitutionally reasonable provided that it 'is no more extensive nor intensive than necessary, in the light of current technology, to detect the presence...
Mohamed Osman Mohamud
I agree with Glenn Greenwald. I don't know if it's an actual terrorist that the FBI arrested, or if it's another case of entrapment. All of the information about this episode -- all of it -- comes exclusively from an FBI affidavit filed in connection with a Criminal Complaint against Mohamud. As shocking and upsetting as this may be to...
Zoo Security
From a study on zoo security: Among other measures, the scientists recommend not allowing animals to walk freely within the zoo grounds, and ensuring there is a physical barrier marking the zoo boundaries, and preventing individuals from escaping through drains, sewers or any other channels. Isn't all that sort of obvious?...
Causing Terror on the Cheap
Total cost for the Yemeni printer cartridge bomb plot: $4200. "Two Nokia mobiles, $150 each, two HP printers, $300 each, plus shipping, transportation and other miscellaneous expenses add up to a total bill of $4,200. That is all what Operation Hemorrhage cost us," the magazine said. Even if you add in costs for training, recruiting, logistics, and everything else, that's...
Friday Squid Blogging: Studying Squid Hearing
At Woods Hole: It is known now, through the work of Mooney and others, that the squid hearing system has some similarities and some differences compared to human hearing. Squid have a pair of organs called statocysts, balance mechanisms at the base of the brain that contain a tiny grain of calcium, which maintains its position as the animal maneuvers...
Psychopaths and Security
I have been thinking a lot about security against psychopaths. Or, at least, how we have traditionally secured social systems against these sorts of people, and how we can secure our socio-technical systems against them. I don't know if I have any conclusions yet, only a short reading list....
The Withdrawal of the A5/2 Encryption Algorithm
Interesting story of the withdrawal of the A5/2 encryption algorithm from GSM phones....
The DHS is Getting Rid of the Color-Coded Terrorism Alert System
Good. It was always a dumb idea: The color-coded threat levels were doomed to fail because "they don't tell people what they can do -- they just make people afraid," said Bruce Schneier, an author on security issues. He said the system was "a relic of our panic after 9/11" that "never served any security purpose." I wrote this in...
New ATM Skimming Attack
In Europe, although the article doesn't say where: Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects...
David Kahn Donates his Cryptography Collection to the National Cryptologic Museum
Good for him. I think that's where my collection will be going, too....
Spoofing Geolocation
How to spoof your location on Facebook with your BlackBerry....
Me on Airport Security
Yesterday I participated in a New York Times "Room for Debate" discussion on airline security. My contribution is nothing I haven't said before, so I won't reprint it here. The other participants are worth reading too. I also did an interview in -- of all places -- Popular Mechanics....
Defeating al Qaeda
Rare common sense: But Gen Richards told the BBC it was not possible to defeat the Taliban or al-Qaeda militarily. "You can't. We've all said this. David Petraeus has said it, I've said it. "The trick is the balance of things that you're doing and I say that the military are just about, you know, there. "The biggest problem's been...
Stuxnet News
Another piece of the puzzle: New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output...
Friday Squid Blogging: Flying Squid
Photographic evidence from Jamaica....
Me on Cyberwar
Last week, I gave a talk on cyberwar and cyberconflict at the Institute for International and European Affairs in Dublin. Here's the video. It was only the second time I've given the talk. About three quarters in, I noticed that I didn't have my fourth and final page of notes. So if the ending feels a bit scattered, that's why....
TSA Backscatter X-ray Backlash
Things are happening so fast that I don't know if I should bother. But here are some links and observations. The head of the Allied Pilots Association is telling its members to avoid both the full body scanners and the patdowns. This first-hand report, from a man who refused to fly rather than subject himself to a full-body scan or...
Airplane Terrorism Twenty Years Ago
Excellent: Here's a scenario: Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane's occupants are split into groups and held hostage in secret locations in Lebanon and Syria. While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic,...
Unsolicited Terrorism Tips to the U.S. Government
Adding them all up, the U.S. government "receives between 8,000 and 10,000 pieces of information per day, fingering just as many different people as potential threats. They also get information about 40 supposed plots against the United States or its allies daily." All of this means that first-time suspects and isolated pieces of information are less likely to be exhaustively...
New Biometric
Eye movements instead of eye structures. The new system tracks the way a person's eye moves as he watches an icon roam around a computer screen. The way the icon moves can be different every time, but the user's eye movements include "kinetic features" -- slight variations in trajectory -- that are unique, making it possible to identify him....
Term Paper Writing for Hire
This recent essay (commentary here) reminded me of this older essay, both by people who write student term papers for hire. There are several services that do automatic plagiarism detection -- basically, comparing phrases from the paper with general writings on the Internet and even caches of previously written papers -- but detecting this kind of custom plagiarism work is...
Internet Quarantines
Last month, Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update...
Albert Gonzalez
Long article on convicted hacker Albert Gonzalez from The New York Times Magazine....
Camouflaging Test Cars
Interesting: In an effort to shield their still-secret products from prying eyes, automakers testing prototype models, often in the desert and at other remote locales, have long covered the grilles and headlamps with rubber, vinyl and tape -- the perfunctory equivalent of masks and hats. Now the old materials are being replaced or supplemented with patterned wrappings applied like wallpaper....
Bulletproof Service Providers
From Brian Krebs: Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called "bulletproof hosting" providers, mini-ISPs...
Changing Passwords
How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer's or bank's password expiration policy: people who finally memorized their current password and are realizing they'll have to write down their new password. How could that possibly be more secure, they want to know. The answer depends on what...
Removing Belts at Airport Security
The TSA is making us remove our belts even when we don't have to. European airports have made us remove our belts for years. My normal tactic is to pull my shirt tails out of my pants and over my belt. Then I flash my waist and tell them I'm not wearing a belt. It doesn't set off the metal...
Securing the Washington Monument
Good article on security options for the Washington Monument: Unfortunately, the bureaucratic gears are already grinding, and what will be presented to the public Monday doesn't include important options, including what became known as the "tunnel" in previous discussions of the issue. Nor does it include the choice of more minimal visitor screening -- simple wanding or visual bag inspection...
Crowdsourcing Surveillance
Internet Eyes is a U.K. startup designed to crowdsource digital surveillance. People pay a small fee to become a "Viewer." Once they do, they can log onto the site and view live anonymous feeds from surveillance cameras at retail stores. If they notice someone shoplifting, they can alert the store owner. Viewers get rated on their ability to differentiate real...
Kahn, Diffie, Clark, and Me at Bletchley Park
Saturday, I visited Bletchley Park to speak at the Annual ACCU Security Fundraising Conference. They had a stellar line of speakers this year, and I was pleased to be a part of the day. Talk #1: "The Art of Forensic Warfare," Andy Clark. Riffing on Sun Tzu's The Art of War, Clark discussed the war -- the back and forth...
Young Man in "Old Man" Mask Boards Plane in Hong Kong
It's kind of an amazing story. A young Asian man used a rubber mask to disguise himself as an old Caucasian man and, with a passport photo that matched his disguise, got through all customs and airport security checks and onto a plane to Canada. The fact that this sort of thing happens occasionally doesn't surprise me. It's human nature...
The End of In-Flight Wi-Fi?
Okay, now the terrorists have really affected me personally: they're forcing us to turn off airplane Wi-Fi. No, it's not that the Yemeni package bombs had a Wi-Fi triggering mechanism -- they seem to have had a cell phone triggering mechanism, dubious at best -- but we can imagine an Internet-based triggering mechanism. Put together a sloppy and unsuccessful package...
"A Social Network Approach to Understanding an Insurgency"
Interesting....
The Business of Botnets
It can be lucrative: Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions. Dutch prosecutors believe...
Did the FBI Invent the D.C. Bomb Plot?
Last week the police arrested Farooque Ahmed for plotting a terrorist attack on the D.C. Metro system. However, it's not clear how much of the plot was his idea and how much was the idea of some paid FBI informants: The indictment offers some juicy tidbits -- Ahmed allegedly proposed using rolling suitcases instead of backpacks to bomb the Metro...
Dan Geer on "Cybersecurity and National Policy"
Worth reading: Those with either an engineering or management background are aware that one cannot optimize everything at once -- that requirements are balanced by constraints. I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level. In engineering, this...
Control Fraud
I had never heard the term "control fraud" before: Control fraud theory was developed in the savings and loan debacle. It explained that the person controlling the S&L (typically the CEO) posed a unique risk because he could use it as a weapon. The theory synthesized criminology (Wheeler and Rothman 1982), economics (Akerlof 1970), accounting, law, finance, and political science....
Halloween and the Irrational Fear of Stranger Danger
From the Wall Street Journal: Take "stranger danger," the classic Halloween horror. Even when I was a kid, back in the "Bewitched" and "Brady Bunch" costume era, parents were already worried about neighbors poisoning candy. Sure, the folks down the street might smile and wave the rest of the year, but apparently they were just biding their time before stuffing...
Cargo Security
The New York Times writes: "Despite the increased scrutiny of people and luggage on passenger planes since 9/11, there are far fewer safeguards for packages and bundles, particularly when loaded on cargo-only planes." Well, of course. We've always known this. We've not worried about terrorism on cargo planes because it isn't very terrorizing. Packages aren't people. If a passenger plane...
Friday Squid Blogging: Dissecting a Giant Squid
Interesting television program from UK Channel 4....
Me at TED
Okay, it's not TED. It's one of the independent regional TED events: TEDxPSU. My talk was "Reconceptualizing Security," a condensation of the hour-long talk into 18 minutes....
New Orleans Scrapping Surveillance Cameras
They're not worth it: In seven years, New Orleans' crime camera program has yielded six indictments: three for crimes caught on video and three for bribes and kickbacks a vendor is accused of paying a former city official to sell the cameras to City Hall....
FBI Bugging Embassies in 1940
Old -- but recently released -- document discussing the bugging of the Russian embassy in 1940. The document also mentions bugging the embassies of France, Germany, Italy, and Japan....
Firesheep
Firesheep is a new Firefox plugin that makes it easy for you to hijack other people's social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection. Slides from the...
Declassified NSA Documents
It's a long list. These items are not online; they're at the National Archives and Records Administration in College Park, MD. You can either ask for copies by mail under FOIA (at 75 cents per page) or come in person. There, you can read and scan them for free, or photocopy them for about 20 cents a page....
Steganography in the Longfin Inshore Squid
Really: While the notion that a few animals produce polarization signals and use them in communication is not new, Mäthger and Hanlon's findings present the first anatomical evidence for a "hidden communication channel" that can remain masked by typical camouflage patterns. Their results suggest that it might be possible for squid to send concealed polarized signals to one another while...
Video Interview with Me from RSA Europe
I was interviewed this week at RSA Europe....
FaceTime for Mac Security Hole
Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password....
Electronic Car Lock Denial-of-Service Attack
Clever: Inspector Richard Haycock told local newspapers that the possible use of the car lock jammers would help explain a recent spate of thefts from vehicles that have occurred without leaving any signs of forced entry. "We do get quite a lot of car crime in the borough where there's no sign of a break-in and items have been taken...
Workshop on the Economics of Information Security
I am the program chair for WEIS 2011, which is to be held next June in Washington, DC. Submissions are due at the end of February. Please forward and repost the call for papers....
Predator Software Pirated?
This isn't good: Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the "government client" seeking assistance with Predator drones was none other than the Central Intelligence Agency. IISi is seeking an...
Hiding in Plain Sight
Ha! When he's out and about near his Denver home, former Broncos quarterback John Elway has come up with a novel way to travel incognito -- he wears his own jersey. "I do that all the time here," the 50-year-old Hall of Famer told me. "I go to the mall that way. They know it's not me because they say there's no...
Fingerprinting Telephone Calls
This is clever: The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network -- cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing...
Indian OS
India is writing its own operating system so it doesn't have to rely on Western technology: India's Defence Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won't have to rely on Western operating systems that it thinks aren't up to the job of...
Picking a Single Voice out of a Crowd
Interesting new technology. Squarehead's new system is like bullet-time for sound. 325 microphones sit in a carbon-fiber disk above the stadium, and a wide-angle camera looks down on the scene from the center of this disk. All the operator has to do is pinpoint a spot on the court or field using the screen, and the Audioscope works out how...
Pen-and-Paper SQL Injection Attack Against Swedish Election
Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time. Three news links, in Swedish....
The FBI is Tracking Whom?
They're tracking a college student in Silicon Valley. He's 20, partially Egyptian, and studying marketing at Mission College. He found the tracking device attached to his car. Near as he could tell, what he did to warrant the FBI's attention was to be the friend of someone who did something to warrant the FBI's attention. Afifi retrieved the device from his...
The Mahmoud al-Mabhouh Assassination
Remember the Mahmoud al-Mabhouh assassination last January? The police identified 30 suspects, but haven't been able to find any of them. Police spent about 10,000 hours poring over footage from some 1,500 security cameras around Dubai. Using face-recognition software, electronic-payment records, receipts and interviews with taxi drivers and hotel staff, they put together a list of suspects and publicized it....
The Economist on Biometrics
Good article. Here's my essay on biometrics, from 1999....
The Ineffectiveness of Vague Security Warnings
From Slate: We do nothing, first and foremost, because there is nothing we can do. Unless the State Department gets specific -- e.g., "don't go to the Eiffel Tower tomorrow" -- information at that level of generality is completely meaningless. Unless we are talking about weapons of mass destruction, the chances of being hit by a car while crossing the street are still greater...
Hacking Trial Breaks D.C. Internet Voting System
Sounds like it was easy: Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot -- and midday Friday, the trial period was...
Stuxnet
Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story. As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and...
The Politics of Allocating Homeland Security Money to States
From the Journal of Homeland Security and Emergency Management: "Politics or Risks? An Analysis of Homeland Security Grant Allocations to the States." Abstract: In the days following the September 11 terrorist attacks on the United States, the nation's elected officials created the USA Patriot Act. The act included a grant program for the 50 states that was intended to assist...
Putting Unique Codes on Objects to Detect Counterfeiting
This will help some. At least two rival systems plan to put unique codes on packages containing antimalarials and other medications. Buyers will be able to text the code to a phone number on the package and get an immediate reply of "NO" or "OK," with the drug's name, expiration date, and other information. To defeat the system, the counterfeiter...
Analyzing CAPTCHAs
New research: "Attacks and Design of Image Recognition CAPTCHAs." Abstract. We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security...
Sky Marshals Flying First Class
I regularly say that security decisions are primarily made for non-security reasons. This article about the placement of sky marshals on airplanes is an excellent example. Basically, the airlines would prefer they fly coach instead of first class. Airline CEOs met recently with TSA administrator John Pistole and officials from the Federal Air Marshal Service requesting the TSA to reconsider...
Monitoring Employees' Online Behavior
Not their online behavior at work, but their online behavior in life. Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and "thousands of other sources," the company develops a report on the "real you" -- not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around....
My Recording Debut
Okay, so this isn't a normal blog post. It's not about security. I've been playing doumbek with a band at the Minneapolis Renaissance Festival called Brother Seamus. They've released a CD, "Hale and Sound," where I play on three of the tracks. If you're interested in a copy, it's only $15 -- including shipping anywhere in the world. If you're...
Me on Cyberwar
During the cyberwar debate a few months ago, I said this: If we frame this discussion as a war discussion, then what you do when there's a threat of war is you call in the military and you get military solutions. You get lockdown; you get an enemy that needs to be subdued. If you think about these threats in...
Master's Theses in Homeland Security
This is a list of master's theses from the Naval Postgraduate School's Center for Homeland Defense and Security, this year. Some interesting stuff in there....
Wiretapping the Internet
On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones. The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and...
NSA Publications
There is an interesting list of NSA publications in this document, pages 30–36. This document is a bunch of pages from the NSA intranet....
Stealing Money from a Safe with a Vacuum
Clever: The burglars broke into their latest store near Paris and drilled a hole in the "pneumatic tube" that siphons money from the checkout to the strong-room. They then sucked rolls of cash totalling £60,000 from the safe without even having to break its lock. I like attacks that bypass the defender's threat model....
Cultural Cognition of Risk
This is no surprise: The people behind the new study start by asking a pretty obvious question: "Why do members of the public disagree -- sharply and persistently -- about facts on which expert scientists largely agree?" (Elsewhere, they refer to the "intense political contestation over empirical issues on which technical experts largely agree.") In this regard, the numbers from the Pew survey are...
Isolating Terrorist Cells as a Security Countermeasure
It's better to try to isolate parts of a terrorist network than to attempt to destroy it as a whole, at least according to this model: Vos Fellman explains how terrorist networks are "typical of the structures encountered in the study of conflict, in that they possess multiple, irreducible levels of complexity and ambiguity." "This complexity is compounded by the...
New Attack Against ASP.NET
It's serious: The problem lies in the way that ASP.NET, Microsoft's popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie...
Friday Squid Blogging: "Truck Carrying Squid Crashes In Broccoli Field"
You can't make up a headline like that....
Real-Time NSA Eavesdropping
In an article about Robert Woodward's new book, Obama's Wars, this is listed as one of the book's "disclosures": A new capability developed by the National Security Agency has dramatically increased the speed at which intercepted communications can be turned around into useful information for intelligence analysts and covert operators. "They talk, we listen. They move, we observe. Given the...
Analysis of Image File Metadata
As a photographer, I've wondered about this....
Evercookies
Extremely persistent browser cookies: evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local...
Details Removed from Book at Request of U.S. Department of Defense
From the AFP: A publisher has agreed to remove US intelligence details from a memoir by a former army officer in Afghanistan after the Pentagon raised last-minute objections, officials said Friday. The book, "Operation Dark Heart," had been printed and prepared for release in August but St. Martin's Press will now issue a revised version of the spy memoir after...
The Stuxnet Worm
It's impressive: The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals. "It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with...
Prepaid Electricity Meter Fraud
New attack: Criminals across the UK have hacked the new keycard system used to top up pre-payment energy meters and are going door-to-door, dressed as power company workers, selling illegal credit at knock-down prices. The pre-paid power meters use a key system. Normally people visit a shop to put credit on their key, which they then take home and slot...
Haystack
I stayed clear of Haystack -- the anonymity program that was going to protect the privacy of dissidents the world over -- because I didn't have enough details about the program to have an intelligent opinion. The project has since imploded, and here are two excellent essays about the program and the hype surrounding it....
Statistical Distribution of Combat Wounds to the Head
This is interesting: The study, led by physician Yuval Ran, looked at Israeli combat deaths from 2000 to 2004 and tracked where bullet entries appeared on the skull (illustrated above), finding that the lower back (occipital region) and front of the temple areas (anterior-temporal regions) were most likely. I'm not sure it's useful, but it is interesting....
Four Irrefutable Security Laws
This list is from Malcolm Harkins, Intel's chief information security officer, and it's a good one (from a talk at Forrester's Security Forum): Users want to click on things. Code wants to be wrong. Services want to be on. Security features can be used to harm. His dig at open source software is just plain dumb, though: Harkins cited mobile...
Questioning Terrorism Policy
Worth reading: ...what if we chose to accept the fact that every few years, despite all reasonable precautions, some hundreds or thousands of us may die in the sort of ghastly terrorist attack that a democratic republic cannot 100-percent protect itself from without subverting the very principles that make it worth protecting? Is this thought experiment monstrous? Would it be...
Master HDCP Key Cracked
The master key for the High-Bandwidth Digital Content Protection standard -- that's what encrypts digital television between set-top boxes and digital televisions -- has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear: But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did...
Automatic Document Declassification
DARPA is looking for something that can automatically declassify documents: I'll be honest: I'm not exactly sure what kind of technological solution you can build to facilitate declassification. From the way the challenge is structured, it sounds like a semantic-search problem: Plug in keywords that help you comb through deserts of stored information in the bowels of the Pentagon and...
DHS Still Worried About Terrorists Using Internet Surveillance
Profound analysis from the Department of Homeland Security: Detailed video obtained through live Web-based camera feeds combined with street-level and direct overhead imagery views from Internet imagery sites allow terrorists to conduct remote surveillance of multiple potential targets without exposing themselves to detection. Cameras, too. Remember, anyone who searches for anything on the Internet may be a terrorist. Report him...
Highway Honeypot
Police set up a highway sign warning motorists that there are random stops for narcotics checks ahead, but actually search people who take the next exit....
Not Answering Questions at U.S. Customs
Interesting story: I was detained last night by federal authorities at San Francisco International Airport for refusing to answer questions about why I had travelled outside the United States. The end result is that, after waiting for about half an hour and refusing to answer further questions, I was released because U.S. citizens who have produced proof of citizenship...
Vulnerabilities in US-CERT Network
You'd think US-CERT would do somewhat better....
Kenzero
Kenzero is a Japanese Trojan that collects and publishes users' porn surfing habits, and then blackmails them to remove the information....
Friday Squid Blogging: Cephalopod Consciousness
"Three Arguments for the Consciousness of Cephalopods."...
The Onion on National Security
"Smart, Qualified People Behind the Scenes Keeping America Safe: 'We Don't Exist'"...
Problems with Twitter's OAuth Authentication System
Interesting case study....
Orange Balls as an Anti-Robbery Device
In Japan: These balls full of orange paint are anti-theft devices. When someone robs a store, the clerk can throw the ball at the perp (or at the perp's feet) so they're easily identified after they escape. Seems to me the best way to escape from a robbery would be to throw a bunch of orange balls at a crowd....
Parental Fears vs. Realities
From NPR: Based on surveys Barnes collected, the top five worries of parents are, in order: Kidnapping School snipers Terrorists Dangerous strangers Drugs But how do children really get hurt or killed? Car accidents Homicide (usually committed by a person who knows the child, not a stranger) Abuse Suicide Drowning Why such a big discrepancy between worries and reality? Barnes...
Consumerization and Corporate IT Security
If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some...
Terrorism Entrapment
Back in 2007, I wrote an essay, "Portrait of the Modern Terrorist as an Idiot," where I said: The JFK Airport plotters seem to have been egged on by an informant, a twice-convicted drug dealer. An FBI informant almost certainly pushed the Fort Dix plotters to do things they wouldn't have ordinarily done. The Miami gang's Sears Tower plot was...
UAE Man-in-the-Middle Attack Against SSL
Interesting: Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more...
Successful Attack Against a Quantum Cryptography System
Clever: Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells. Vadim Makarov at the Norwegian University of...
Cyber-Offence is the New Cyber-Defense
This is beyond stupid: The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas -- but it is still wrestling with how to pursue the strategy legally. The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of...
Wanted: Skein Hardware Help
As part of NIST's SHA-3 selection process, people have been implementing the candidate hash functions on a variety of hardware and software platforms. Our team has implemented Skein in Intel's 32 nm ASIC process, and got some impressive performance results (presentation and paper). Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance. We...
More Skein News
Skein is my new hash function. Well, "my" is an overstatement; I'm one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Here's the Skein paper; source code is here. The Skein website is here. Last week was the Second SHA-3 Candidate Conference....
Eavesdropping on Smart Homes with Distributed Wireless Sensors
"Protecting your daily in-home activity information from a wireless snooping attack," by Vijay Srinivasan, John Stankovic, and Kamin Whitehouse: Abstract: In this paper, we first present a new privacy leak in residential wireless ubiquitous computing systems, and then we propose guidelines for designing future systems to prevent this problem. We show that we can observe private activities in the home...
High School Teacher Assigns Movie-Plot Threat Contest Problem
In Australia: A high school teacher who assigned her class to plan a terrorist attack that would kill as many innocent people as possible had no intent to promote terrorism, the school principal said yesterday. The Year-10 students at Kalgoorlie-Boulder Community High School were asked to pretend they were terrorists making a political statement by releasing a chemical or biological...
Misidentification and the Court System
Chilling: How do most wrongful convictions come about? The primary cause is mistaken identification. Actually, I wouldn't call it mistaken identification; I'd call it misidentification, because you often find that there was some sort of misconduct by the police. In a lot of cases, the victim initially wasn't so sure. And then the police say, "Oh, no, you got the...
Security Theater on the Boston T
Since a fatal crash a few years ago, Boston T (their subway) operators have been forbidden from using -- or even having -- cell phones while on the job. Passengers are encouraged to report violators. But sometimes T operators need to use their official radios on the job, and passengers can't tell the difference. The solution: orange tape: The solution?...
Me at the EastWest Institute
Back in May, I attended the EastWest Institute's First Worldwide Cybersecurity Summit in Dallas. I only had eight minutes to speak, and tried to turn the dialog to security, privacy, and the individual....
Is the Whole Country an Airport Security Zone?
Full-body scanners in roving vans: American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents, Joe Reiss, a vice president of marketing at the company told me in an interview. This should be...
Detecting Deception in Conference Calls
Research paper: Detecting Deceptive Discussions in Conference Calls, by David F. Larcker and Anastasia A. Zakolyukina. Abstract: We estimate classification models of deceptive discussions during quarterly earnings conference calls. Using data on subsequent financial restatements (and a set of criteria to identify especially serious accounting problems), we label the Question and Answer section of each call as "truthful" or "deceptive"....
Social Steganography
From danah boyd: Carmen is engaging in social steganography. She's hiding information in plain sight, creating a message that can be read in one way by those who aren't in the know and read differently by those who are. She's communicating to different audiences simultaneously, relying on specific cultural awareness to provide the right interpretive lens. While she's focused primarily...
Skeletal Identification
And you thought fingerprints were intrusive. The Wright State Research Institute is developing a ground-breaking system that would scan the skeletal structures of people at airports, sports stadiums, theme parks and other public places that could be vulnerable to terrorist attacks, child abductions or other crimes. The images would then quickly be matched with potential suspects using a database of...
Malware Contributory Cause of Air Crash
This is a first, I think: The airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems with the plane, according to Spanish daily El Pais (report here). The plane took off with flaps and slats retracted,...
Friday Squid Blogging: Flying Squid
Who knew? "Hulse was shooting with burst mode on his camera, so I know exactly what the interval is between the frames and I can calculate velocity of squid flying though the air," O'Dor says. "We now think there are dozens of species that do it. Squid are used to gliding in the water, so the same physiology probably allows...
Intel Buys McAfee
Intel bought McAfee. It's another example of a large non-security company buying a security company. I've been talking about this sort of thing for two and a half years: It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got...
"The Fear Tax"
Good essay by Seth Godin: We pay the fear tax every time we spend time or money seeking reassurance. We pay it twice when the act of seeking that reassurance actually makes us more anxious, not less. We pay the tax when we cover our butt instead of doing the right thing, and we pay the tax when we take...
Crypto 2010 Proceedings
The Crypto 2010 Conference is going on right now at the University of California, Santa Barbara. Springer-Verlag publishes the proceedings, but they're available as a free download for the next few days....
Hacking Cars Through Wireless Tire-Pressure Sensors
Still minor, but this kind of thing is only going to get worse: The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they're wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere...
Breaking into a Garage
In seconds. Garage doors with automatic openers have always seemed like a lot of security theater to me....
Friday Squid Blogging: Squid Computer Virus
It wasn't me: A hardened computer hacker has been arrested on suspicion of writing a computer virus that systematically destroys all the files on victims' PCs and replaces them with homemade manga images of squid, octopuses and sea urchins....
Cloning Retail Gift Cards
Clever attack. After researching how gift cards work, Zepeda purchased a magnetic card reader online, began stealing blank gift cards, on display for purchase, from Fred Meyer and scanning them with his reader. He would then return some of the scanned cards to the store and wait for a computer program to alert him when the cards were activated and...
Security Analysis of Smudges on Smart Phone Touch Screens
"Smudge Attacks on Smartphone Touch Screens": Abstract: Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which...
Late Teens and Facebook Privacy
"Facebook Privacy Settings: Who Cares?" by danah boyd and Eszter Hargittai. Abstract: With over 500 million users, the decisions that Facebook makes about its privacy settings have the potential to influence many people. While its changes in this domain have often prompted privacy advocates and news media to critique the company, Facebook has continued to attract more users to its...
Apple JailBreakMe Vulnerability
Good information from Mikko Hyppönen. It doesn't look good. Q: What is this all about? A: It's about a site called jailbreakme.com that enables you to Jailbreak your iPhones and iPads just by visiting the site. Q: So what's the problem? A: The problem is that the site uses a zero-day vulnerability to execute code on the device. Q: How...
A Revised Taxonomy of Social Networking Data
Lately I've been reading about user security and privacy -- control, really -- on social networking sites. The issues are hard and the solutions harder, but I'm seeing a lot of confusion in even forming the questions. Social networking sites deal with several different types of user data, and it's essential to separate them. Below is my taxonomy of social...
P ≠ NP?
There's a new paper circulating that claims to prove that P ≠ NP. The paper has not been refereed, and I haven't seen any independent verifications or refutations. Despite the fact that the paper is by a respected researcher -- HP Labs' Vinay Deolalikar -- and not a crank, my bet is that the proof is flawed....
Ant Warfare
Interesting: According to Moffett, we might actually learn a thing or two from how ants wage war. For one, ant armies operate with precise organization despite a lack of central command. "We're accustomed to being told what to do," Moffett says. "I think there's something to be said for fewer layers of control and oversight." Which, according to Moffett, is...
Friday Squid Blogging: Canadian Squid Stamp
It's a giant fiberglass squid from Newfoundland....
Yet Another Way to Sneak Liquids onto an Airplane
Coffee cup disguised as a camera lens....
More Brain Scans to Detect Future Terrorists
Worked well in a test: For the first time, the Northwestern researchers used the P300 testing in a mock terrorism scenario in which the subjects are planning, rather than perpetrating, a crime. The P300 brain waves were measured by electrodes attached to the scalp of the make-believe "persons of interest" in the lab. The most intriguing part of the study...
NSA and the National Cryptologic Museum
Most people might not be aware of it, but there's a National Cryptologic Museum at Ft. Meade, at NSA Headquarters. It's hard to know its exact relationship with the NSA. Is it part of the NSA, or is it a separate organization? Can the NSA reclassify things in its archives? David Kahn has given his papers to the museum; is...
WikiLeaks Insurance File
Now this is an interesting development: In the wake of strong U.S. government statements condemning WikiLeaks' recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled "insurance." The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file's size dwarfs the...
UAE to Ban BlackBerrys
The United Arab Emirates -- Dubai, etc. -- is threatening to ban BlackBerrys because they can't eavesdrop on them. At the heart of the battle is access to the data transmitted by BlackBerrys. RIM processes the information through a handful of secure Network Operations Centers around the world, meaning that most governments can't access the data easily on their own....
Location-Based Quantum Encryption
Location-based encryption -- a system by which only a recipient in a specific location can decrypt the message -- fails because location can be spoofed. Now a group of researchers has solved the problem in a quantum cryptography setting: The research group has recently shown that if one sends quantum bits -- the quantum equivalent of a bit -- instead...
Eavesdropping Smartphone Apps
Seems there are a lot of them. They do it for marketing purposes. Really, they seem to do it because the code base they use does it automatically or just because they can. (Initial reports that an Android wallpaper app was malicious seem to have been an overstatement; they're just incompetent: inadvertently collecting more data than necessary.) Meanwhile, there's now...
Book Review: How Risky Is It, Really?
David Ropeik is a writer and consultant who specializes in risk perception and communication. His book, How Risky Is It, Really?: Why Our Fears Don't Always Match the Facts, is a solid introduction to the biology, psychology, and sociology of risk. If you're well-read on the topic already, you won't find much you didn't already know. But if this is...
Friday Squid Blogging: Squid Launcher from "Despicable Me"
Don't squid me, bro....
Doomsday Shelters
Selling fear: The Vivos network, which offers partial ownerships similar to a timeshare in underground shelter communities, is one of several ventures touting escape from a surface-level calamity. Radius Engineering in Terrell, Texas, has built underground shelters for more than three decades, and business has never been better, says Walton McCarthy, company president. The company sells fiberglass shelters that can...
Hacking ATMs
Hacking ATMs to spit out money, demonstrated at the Black Hat conference: The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the...
Security Vulnerabilities of Smart Electricity Meters
"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria. Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay...
DNSSEC Root Key Split Among Seven People
The DNSSEC root key has been divided among seven people: Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate...
Pork-Filled Counter-Islamic Bomb Device
Okay, this is just weird: Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to...
WPA Cracking in the Cloud
It's a service: The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more "premium" price of $35,...
1921 Book on Profiling
Here's a book from 1921 on how to profile people....
Technology is Making Life Harder for Spies
An article from The Economist makes a point that I have been thinking about for a while: modern technology makes life harder for spies, not easier. It used to be that technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a...
Friday Squid Blogging: Squidbillies
Where do these TV shows come from? Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia....
The Washington Post on the U.S. Intelligence Industry
The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on). It's a truly excellent piece of investigative journalism. Pity people don't care much about...
Internet Worm Targets SCADA
Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause...
More Research on the Effectiveness of Terrorist Profiling
Interesting: The use of profiling by ethnicity or nationality to trigger secondary security screening is a controversial social and political issue. Overlooked is the question of whether such actuarial methods are in fact mathematically justified, even under the most idealized assumptions of completely accurate prior probabilities, and secondary screenings concentrated on the highest-probability individuals. We show here that strong profiling...
EU Counterterrorism Strategy
Interesting journal article evaluating the EU's counterterrorism efforts....
Economic Considerations of Website Password Policies
Two interesting research papers on website password policies. "Where Do Security Policies Come From?": Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics...
New GAO Cybersecurity Report
From the U.S. Government Accountability Office: "Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development." Thirty-six pages; I haven't read it....
Violating Terms of Service Possibly a Crime
From Wired News: The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures -- including CAPTCHA -- at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites' terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking...
Embedded Code in U.S. Cyber Command Logo
This is excellent. And it's been cracked already....
Friday Squid Blogging: Hawaiian Bobtail Squid
Symbiotic relationship between the Hawaiian bobtail squid and bioluminescent bacteria, with bonus security implications....
Skype's Cryptography Reverse-Engineered
Someone claims to have reverse-engineered Skype's proprietary encryption protocols, and has published pieces of it. If the crypto is good, this is less of a big deal than you might think. Good cryptography is designed to be made public; it's only for business reasons that it remains secret....
The NSA's Perfect Citizen
In what creepy back room do they come up with these names? The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's...
Russian Intelligence Gets Source Code to Windows 7
I don't think this is a good idea....
Random Numbers from Quantum Noise
Not that we need more ways to get random numbers, but the research is interesting....
Burglary Detection through Video Analytics
This is interesting: Some of the scenarios where we have installed video analytics for our clients include: to detect someone walking in an area of their yard (veering off of the main path) that they are not supposed to be; to send an alarm if someone is standing too close to the front of a store window/front door after hours;...
Caller ID Spoofing on the Android
It's easy to access someone else's voicemail by spoofing the caller ID. This isn't new; what is new is that many people now have easy access to caller ID spoofing. The spoofing only works for voicemail accounts that don't have a password set up, but AT&T has no password as the default....
Hemingway Authentication Scheme
From 1955, intended as humor: In the future when I should ever call on the telephone to make a request or issue an order I will identify myself as follows: This is Hemingway, Ernest M. Hemingway speaking and my serial number is 0-363. That is an easy number to remember and is not the correct one which a con man...
The Chaocipher
The Chaocipher is a mechanical encryption algorithm invented in 1918. No one was able to reverse-engineer the algorithm, given sets of plaintexts and ciphertexts -- at least, nobody publicly. On the other hand, I don't know how many people tried, or even knew about the algorithm. I'd never heard of it before now. Anyway, for the first time, the algorithm...
Serial Killers Are Now Terrorists
Try to keep up: Leslie Van Houten, a one-time member of Charles Manson's infamous 'family' is up for parole for the 17th time today.... "These are serial killers," she said. "These would be domestic terrorists if it was today. So these are very dangerous people."...
Internet Kill Switch
Last month, Sen. Joe Lieberman, I-Conn., introduced a bill that might -- we're not really sure -- give the president the authority to shut down all or portions of the Internet in the event of an emergency. It's not a new idea. Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, proposed the same thing last year, and some argue that...
Friday Squid Blogging: Squid Sex Organs
Riddles of squid sex: All cephalopods are hindered by their body shape, which comprises a closed hood-type structure called a mantle, which forms most of what appear to be a cephalopod's body and head. The animals use this mantle to move via jet propulsion, they must ventilate it to breathe, and they must also hide their excretory and sexual organs...
TSA Blocks Access to Websites with "Controversial Opinions"
I wonder if my blog counts....
Detecting Cheating at Colleges
The measures used to prevent cheating during tests remind me of casino security measures: No gum is allowed during an exam: chewing could disguise a student's speaking into a hands-free cellphone to an accomplice outside. The 228 computers that students use are recessed into desk tops so that anyone trying to photograph the screen -- using, say, a pen with a hidden...
The Toronto 18
Long and interesting article from The Toronto Star on the Toronto 18, a terrorist cell arrested in 2006. Lots of stuff in this article I had not read before....
Surveillance and Morality
"Does Surveillance Make Us Morally Better?": Conclusion: The upshot of these reflections is that the relation between surveillance and moral edification is complicated. In some contexts, surveillance helps keep us on track and thereby reinforces good habits that become second nature. In other contexts, it can hinder moral development by steering us away from or obscuring the saintly ideal of...
The Threat of Cyberwar Has Been Grossly Exaggerated
There's a power struggle going on in the U.S. government right now. It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top. "The United States is fighting a cyberwar today, and we are losing," said former...
"Don't Commit Crime"
This sign is from a gas station in the U.K. My first reaction was to laugh, but then I started thinking about it. We know that signs like "No Shoplifting" reduce shoplifting in the area around the sign, but those are warnings against a specific crime. Could a sign this general be effective? Clearly some comparative studies are needed....
Research Report on Cyberattack Capabilities
From the National Academies in 2009: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. It's 390 pages....
Tracking Location Based on Water Isotope Ratios
Interesting: ...water molecules differ slightly in their isotope ratios depending on the minerals at their source. ...researchers found that water samples from 33 cities across the United States could be reliably traced back to their origin based on their isotope ratios. And because the human body breaks down water's constituent atoms of hydrogen and oxygen to construct the proteins that...
Friday Squid Blogging: Squid Robots
Two of them; one was blogged about last year....
Vigilant Citizens: Then vs. Now
This is from Atomic Bombing: How to Protect Yourself, published in 1950: Of course, millions of us will go through our lives never seeing a spy or a saboteur going about his business. Thousands of us may, at one time or another, think we see something like that. Only hundreds will be right. It would be foolish for all of...
Cryptography Failure Story
By Russian spies: Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches....
Data at Rest vs. Data in Motion
For a while now, I've pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on. Cryptography was invented to protect communications: data in motion. This is how cryptography was used throughout most of...
Cryptography Success Story
From Brazil: the moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files....
Space Terrorism
Space terrorism? Yes, space terrorism. This article, by someone at the European Space Policy Institute, hypes a terrorist threat I've never seen hyped before. The author waves a bunch of scare stories around, and then concludes that "the threat of 'Space Terrorism' is both real and latent," then talks about countermeasures. Certainly securing our satellites is a good idea, but...
Baby Terrorists
This, from Congressman Louie Gohmert of Texas, is about as dumb as it gets: I talked to a retired FBI agent who said that one of the things they were looking at were terrorist cells overseas who had figured out how to game our system. And it appeared they would have young women, who became pregnant, would get them into...
Third SHB Workshop
I'm at SHB 2010, the Third Interdisciplinary Workshop on Security and Human Behavior, at Cambridge University. This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security -- organized by Ross Anderson, Alessandro Acquisti, and myself. Here is the program. The list of attendees...
Friday Squid Blogging: Vampire Squid
The vampire squid can turn itself inside out to avoid predators....
Hacker Scare Story
"10 Everyday Items Hackers Are Targeting Right Now": 5. Your Blender. Yes, Your Blender. That's right: your blender is under attack! Most mixers are self-contained and not hackable, but Siciliano says many home automation systems tap into appliances such as blenders and coffee machines. These home networks are then open to attack in surprising ways: A hacker might turn on...
Security Trade-Offs in Crayfish
Interesting: The experiments offered the crayfish stark decisions -- a choice between finding their next meal and becoming a meal for an apparent predator. In deciding on a course of action, they carefully weighed the risk of attack against the expected reward, Herberholz says. Using a non-invasive method that allowed the crustaceans to freely move, the researchers offered juvenile Louisiana...
TacSat-3 "Hyperspectral" Spy Satellite
It's operational: The idea of hyperspectral sensing is not, however, merely to "see" in the usual sense of optical telescopes, infrared nightscopes and/or thermal imagers. This kind of detection is used on spy satellites and other surveillance systems, but it suffers from the so-called "drinking straw effect" -- that is, you can only view a small area in enough detail...
WikiLeaks
Long, but interesting, profile of WikiLeaks's Julian Assange from The New Yorker. Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive...
Popsicle Makers a Security Threat
Chicago chef Rick Bayless photographed this security sign, posted before airport security as people were returning home from the Aspen Food & Wine Festival: No popsicle makers are allowed through security. Anyone have any idea why something like this is so dangerous? Is the TSA prohibiting random things to toy with us? Their blog is silent on this question....
How Much Counterterrorism Can We Afford?
In an article on using terahertz rays (is that different from terahertz radar?) to detect biological agents, we find this quote: "High-tech, low-tech, we can't afford to overlook any possibility in dealing with mass casualty events," according to center head Donald Sebastian. "You need multiple methods of detection and response. Terrorism comes in many forms; you have to see, smell,...
The Real Risk: Traffic Deaths
The New York Times Room for Debate blog did the topic: "Do We Tolerate Too Many Traffic Deaths?"...
Buying an ATM Skimmer
Interesting: ATM skimmers -- or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data -- are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can...
Cheating on Tests, by the Teachers
If you give people enough incentive to cheat, people will cheat: Of all the forms of academic cheating, none may be as startling as educators tampering with children's standardized tests. But investigations in Georgia, Indiana, Massachusetts, Nevada, Virginia and elsewhere this year have pointed to cheating by educators. Experts say the phenomenon is increasing as the stakes over standardized testing...
AT&T's iPad Security Breach
I didn't write about the recent security breach that disclosed tens of thousands of e-mail addresses and ICC-IDs of iPad users because, well, there was nothing terribly interesting about it. It was yet another web security breach. Right after the incident, though, I was being interviewed by a reporter that wanted to know what the ramifications of the breach were....
Friday Squid Blogging: LOLSquid
It's supposed to be a classic, but I've never seen it before....
Remote Printing to an E-Mail Address
This is cool technology from HP: Each printer with the ePrint capability will be assigned its own e-mail address. If someone wants to print a document from an iPhone, the document will go to HP's data center, where it is rendered into the correct format, and then sent to the person's printer. The process takes about 25 seconds. Maybe this...
The Continuing Incompetence of Terrorists
The Atlantic on stupid terrorists: Nowhere is the gap between sinister stereotype and ridiculous reality more apparent than in Afghanistan, where it's fair to say that the Taliban employ the world's worst suicide bombers: one in two manages to kill only himself. And this success rate hasn't improved at all in the five years they've been using suicide bombers, despite...
Hot Dog Security
A nice dose of risk reality: Last week, the American Academy of Pediatrics issued a statement calling for large-type warning labels on the foods that kids most commonly choke on -- grapes, nuts, carrots, candy and public enemy No. 1: the frank. Then the lead author of the report, pediatric emergency room doctor Gary Smith, went one step further. He called for...
Patrolling the U.S./Canada Border
Doesn't the DHS have anything else to do? As someone who believes that our nation has a right to enforce its borders, I should have been gratified when the Immigrations official at the border saw the canoe on our car and informed us that anyone who crossed the nearby international waterway illegally would be arrested and fined as much as...
Filming the Police
In at least three U.S. states, it is illegal to film an active duty policeman: The legal justification for arresting the "shooter" rests on existing wiretapping or eavesdropping laws, with statutes against obstructing law enforcement sometimes cited. Illinois, Massachusetts, and Maryland are among the 12 states in which all parties must consent for a recording to be legal unless, as...
Dating Recordings by Power Line Interference
Interesting: The capability, called "electrical network frequency analysis" (ENF), is now attracting interest from the FBI and is considered the exciting new frontier in digital forensics, with power lines acting as silent witnesses to crime. In the "high profile" murder trial, which took place earlier this year, ENF meant prosecutors were able to show that a seized voice recording that...
Reading Me
The number of different ways to read my essays, commentaries, and links has grown recently. Here's the rundown: You can read my writings daily on my blog. These are reprinted on my Facebook page. They are also reprinted on my LiveJournal feed. You can follow them on Twitter. And you can subscribe to the RSS feed, both full text and...
Fifth Annual Movie-Plot Threat Contest Winner
On April 1, I announced the Fifth Annual Movie Plot Threat Contest: Your task, ye Weavers of Tales, is to create a fable or fairytale suitable for instilling the appropriate level of fear in children so they grow up appreciating all the lords do to protect them. On May 15, I announced the five semi-finalists. Voting continued through the end...
Protecting Cars with The Club
From the Freakonomics blog: At some point, the Club was mentioned. The professional thieves laughed and exchanged knowing glances. What we knew was that the Club is a hardened steel device that attaches to the steering wheel and the brake pedal to prevent steering and/or braking. What we found out was that a pro thief would carry a short piece...
Behavioral Profiling at Airports
There's a long article in Nature on the practice: It remains unclear what the officers found anomalous about George's behaviour, and why he was detained. The TSA's parent agency, the Department of Homeland Security (DHS), has declined to comment on his case because it is the subject of a federal lawsuit that was filed on George's behalf in February by...
Mainstream Cost-Benefit Security Analysis
This essay in The New York Times is refreshingly cogent: You've seen it over and over. At a certain intersection in a certain town, there'll be an unfortunate accident. A child is hit by a car. So the public cries out, the town politicians band together, and the next thing you know, they've spent $60,000 to install speed bumps, guardrails...
Ninth Workshop on Economics and Information Security
Earlier this week, the Ninth Workshop on Economics and Information Security (WEIS 2010) was held at Harvard. As always, it was a great workshop with some very interesting papers. Ross Anderson liveblogged the event....
Hiring Hackers
Any essay on hiring hackers quickly gets bogged down in definitions. What is a hacker, and how is he different from a cracker? I have my own definitions, but I'd rather define the issue more specifically: Would you hire someone convicted of a computer crime to fill a position of trust in your computer network? Or, more generally, would you...
DARPA Research into Clean-Slate Network Security Redesign
This looks like a good research direction: Is it possible that given a clean slate and likely millions of dollars, engineers could come up with the ultimate in secure network technology? The scientists at the Defense Advanced Research Projects Agency (DARPA) think so and this week announced the Clean Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program that looks...
Terrorists Placing Fake Bombs in Public Places
Supposedly, the latest terrorist tactic is to place fake bombs -- suspicious looking bags, backpacks, boxes, and coolers -- in public places in an effort to paralyze the city and probe our defenses. The article is unclear about whether or not this has actually ever happened, only that the FBI is warning of the tactic. Citing an FBI informational document,...
Fear in a Political Ad
Carly Fiorina wants to scare Californians into voting for her. Yes, terrorists kill -- about as often as home appliances....
Bletchley Park Archives to Go Online
This is good: Simon Greenish, chief executive officer of the Bletchley Park Trust, said the plan was for the centre's entire archive to be digitised. [...] He said since the archive is so big nobody knows exactly what each individual document stored there contains. However, the information they expect to dig out will definitely include communication transcripts, communiques, memoranda, photographs,...
How to Spot a CIA Officer
How to spot a CIA officer, at least in the mid 1970s. The reason the CIA office was located in the embassy -- as it is in most of the other countries in the world -- is that by presidential order the State Department is responsible for hiding and housing the CIA. Like the intelligence services of most other countries,...
The Four Stages of Fear
Interesting: In the throes of intense fear, we suddenly find ourselves operating in a different and unexpected way. The psychological tools that we normally use to navigate the world -- reasoning and planning before we act -- get progressively shut down. In the grip of the brain's subconscious fear centers, we behave in ways that to our rational mind seem nonsensical or worse. We...
World War II Sabotage Field Manual
The OSS Simple Sabotage Field Manual from 1944....
Intelligence Can Never Be Perfect
Go read this article -- "Setting impossible standards on intelligence" -- on laying blame for the intelligence "failure" that allowed the Underwear Bomber to board an airplane on Christmas Day. Although the CIA, FBI, and Defense, State, Treasury and Homeland Security departments have counterterrorism analytic units -- some even with information-gathering operations -- the assumption is that all of the...
Voluntary Security Inspections
What could possibly be the point of this? Cars heading to Austin-Bergstrom International Airport will see random, voluntary inspections Monday. The searches are part of an increase in security at the airport. It's a joint operation between the U.S. Department of Homeland Security, Austin Police, and airport security. The enhancements are not a response to specific threats, and the security...
Terrorizing Ourselves
Who needs actual terrorists? How's this for an ill-conceived emergency preparedness drill? An off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun, which he pointed at nurses while herding them down a corridor and into a room. There, after harrowing moments, he explained that the whole caper was a training exercise. [...]...
Canada Spending $1B on Security for G8/G20 Summit in June
Amazing: The Canadian government disclosed Tuesday that the total price tag to police the elite Group of Eight meeting in Muskoka, as well as the bigger-tent Group of 20 summit starting a day later in downtown Toronto, has already climbed to more than $833-million. It said it's preparing to spend up to $930-million for the three days of meetings that...
Friday Squid Blogging: 500-Million-Year-Old Squid
Early squid: New Canadian research into 500 million-year-old carnivore fossils has revealed an early ancestor of modern-day squids and octopuses, solving the mystery surrounding a previously unclassifiable creature. "This is significant because it means that primitive cephalopods were around much earlier than we thought, and offers a reinterpretation of the long-held origins of this important group of marine animals," Martin...
Friday Squid Blogging: The Contents of Squid Stomachs
Not that interesting, really. Preliminarily, I can tell you that within my sample, cannibalism seems to be on the rise, myctophid consumption is falling, and a lot more squid may be dying hungry....
Another Scene from an Airport
I've gotten to the front of the security line at a different airport, and handed a different TSA officer my ID and ticket. TSA Officer: (Looks everything over. Reads the name on my passport.) The Bruce Schneier? Me: (Nods, managing not to say: "No no, just a Bruce Schneier; didn't you hear I come in six-packs?") TSA Officer: The security...
Low-Tech Burglars to Get Lighter Sentences in Louisiana
This is the kind of law that annoys me: A Senate bill to toughen penalties for crimes committed with the aid of Internet-generated "virtual maps," including acts of terrorism, won quick approval Monday in the House. [...] Adley's bill defines a "virtual street-level map" as one that is available on the Internet and can generate the location or picture of...
End-to-End Encrypted Cell Phone Calls
Android app. (Slashdot thread.)...
If You See Something, Think Twice About Saying Something
"If you see something, say something." Or, maybe not: The Travis County Criminal Justice Center was closed for most of the day on Friday, May 14, after a man reported that a "suspicious package" had been left in the building. The court complex was evacuated, and the APD Explosive Ordnance Disposal Unit was called in for a look-see. The package...
Infosec Television Commercial
LIGATT Security certainly hopes to scare people....
Scene from an Airport
I've gotten to the front of the security line and handed the TSA officer my ID and ticket. TSA Officer: (Looks at my ticket. Looks at my ID. Looks at me. Smiles.) Me: (Smiles back.) TSA Officer: (Looks at my ID. Looks at me. Smiles.) Me: (Tips hat. Smiles back.) TSA Officer: A beloved name from the blogosphere. Me: And...
Alerting Users that Applications are Using Cameras, Microphones, Etc.
Interesting research: "What You See is What They Get: Protecting users from unwanted use of microphones, cameras, and other sensors," by Jon Howell and Stuart Schechter. Abstract: Sensors such as cameras and microphones collect privacy-sensitive data streams without the user's explicit action. Conventional sensor access policies either hassle users to grant applications access to sensors or grant with no approval...
Applications Disclosing Required Authority
This is an interesting piece of research evaluating different user interface designs by which applications disclose to users what sort of authority they need to install themselves. Given all the recent concerns about third-party access to user data on social networking sites (particularly Facebook), this is particularly timely research. We have provided evidence of a growing trend among application platforms...
Automobile Security Analysis
"Experimental Security Analysis of a Modern Automobile," by a whole mess of authors: Abstract: Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In...
Detecting Browser History
Interesting research. Main results: [...] We analyzed the results from over a quarter of a million people who ran our tests in the last few months, and found that we can detect browsing histories for over 76% of them. All major browsers allow their users' history to be detected, but it seems that users of the more modern browsers such...
Militarized Marine Mammals
Dolphins and sea lions: A Navy seal - actually a sea lion - took less than a minute to find a fake mine under a pier near San Francisco's AT&T Park. A dolphin quickly located a terrorist lurking in the black water before another sea lion, using a device carried in its mouth, cuffed the pretend saboteur's ankle so authorities...
History of NSA Computers
A recently declassified history through 1964....
Outsourcing to an Indian Jail
This doesn't seem like the best idea: Authorities in the southern Indian state of Andhra Pradesh are planning to set up an outsourcing unit in a jail. The unit will employ 200 educated convicts who will handle back office operations like data entry, and process and transmit information. It's not necessarily a bad idea, as long as misusable information isn't...
Insect-Based Terrorism
Sounds like fearmongering to me. How real is the threat? Many of the world's most dangerous pathogens already are transmitted by arthropods, the animal phylum that includes mosquitoes. But so far the United States has not been exposed to a large-scale spread of vector-borne diseases like Rift Valley, chikungunya fever or Japanese encephalitis. But terrorists with a cursory knowledge of...
Software Liabilities in the UK
The British High Court ruled that a software vendor's EULA -- which denied all liability for poor software -- was not reasonable. I wrote about software liabilities back in 2003....
Friday Squid Blogging: Squid T-Shirts
Some nice ones (ignore the dinosaurs)....
New Windows Attack
It's still only in the lab, but nothing detects it right now: The attack is a clever "bait-and-switch" style move. Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn't keep an...
Fifth Annual Movie-Plot Threat Contest Semi-Finalists
On April 1, I announced the Fifth Annual Movie Plot Threat Contest: Your task, ye Weavers of Tales, is to create a fable or fairytale suitable for instilling the appropriate level of fear in children so they grow up appreciating all the lords do to protect them. Submissions are in, and here are the semifinalists. Untitled story about polar bears,...
Worst-Case Thinking
At a security conference recently, the moderator asked the panel of distinguished cybersecurity leaders what their nightmare scenario was. The answers were the predictable array of large-scale attacks: against our communications infrastructure, against the power grid, against the financial system, in combination with a physical attack. I didn't get to give my answer until the afternoon, which was: "My nightmare...
"If You See Something, Say Something"
That slogan is owned by New York's Metropolitan Transit Authority (the MTA). Since obtaining the trademark in 2007, the authority has granted permission to use the phrase in public awareness campaigns to 54 organizations in the United States and overseas, like Amtrak, the Chicago Transit Authority, the emergency management office at Stony Brook University and three states in Australia. Of...
Biometric Wallet
Cool idea, or dumb idea? Its features include: Fingerprint access only. Bluetooth enabled for notification alerts -- automated notification via bluetooth if your wallet strays more than 10 feet from your body. Protected against RFID electronic theft -- the case shields all contents from RFID scanners...
SnapScouts
I sure hope this is a parody: SnapScouts Keep America Safe! Want to earn tons of cool badges and prizes while competing with your friends to see who can be the best American? Download the SnapScouts app for your Android phone (iPhone app coming soon) and get started patrolling your neighborhood. It's up to you to keep America safe! If...
9/11 Made us Safer?
There's an essay on the Computerworld website that claims I implied, and believe, so: OK, so strictly-speaking, he doesn't use those exact words, but the implication is certainly clear. In a discussion about why there aren't more terrorist attacks, he argues that 'minor' terrorist plots like the Times Square car bomb are counter-productive for terrorist groups, because "9/11 upped the...
Friday Squid Blogging: The Colossal Squid isn't a Vicious Predator
New research shows that, even though it's 15 meters long, it's not the kraken of myth: Its large size and predatory nature fuelled the ancient myth of the underwater "kraken" seamonster and modern speculation that the colossal squid must be aggressive and fast, attributes that allow it to prey on fish and even give sperm whales a hard time. Yet...
I Was Named as One of the Top 10 Science and Technology Writers
Someone named me as one of the top 10 science and technology writers of all time. Flattering though it is, I don't think I belong in the company of Einstein, Newton, Darwin, and Asimov....
Cory Doctorow Gets Phished
It can happen to anyone: Here's how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords...
Nobody Encrypts their Phone Calls
From the Forbes blog: In an annual report published Friday by the U.S. judicial system on the number of wiretaps it granted over the past year ..., the courts revealed that there were 2,376 wiretaps by law enforcement agencies in 2009, up 26% from 1,891 the year before, and up 76% from 1999. (Those numbers, it should be noted, don't...
Why Aren't There More Terrorist Attacks?
As the details of the Times Square car bomb attempt emerge in the wake of Faisal Shahzad's arrest Monday night, one thing has already been made clear: Terrorism is fairly easy. All you need is a gun or a bomb, and a crowded target. Guns are easy to buy. Bombs are easy to make. Crowded targets -- not only in...
Preventing Terrorist Attacks in Crowded Areas
On the New York Times Room for Debate Blog, I -- along with several other people -- was asked about how to prevent terrorist attacks in crowded areas. This is my response. In the wake of Saturday's failed Times Square car bombing, it's natural to ask how we can prevent this sort of thing from happening again. The answer is...
Malcom Gladwell on Spies
Good quote: Translation: the proper function of spies is to remind those who rely on spies that the kinds of thing found out by spies can't be trusted. Nice article on the British Operation Mincemeat in World War II....
Security Analysis of India's Electronic Voting Machines
They're vulnerable to fraud....
Friday Squid Blogging: Squid Purity Test
I didn't know this: A Squid is a motorcycle rider who, experienced or not, rides outside his abilities and sets poor examples by attire, propriety, and general behavior on the motorcycle. 115 questions in the test....
Homeopathic Bomb
This is funny: The world has been placed on a heightened security alert following reports that New Age terrorists have harnessed the power of homeopathy for evil. "Homeopathic weapons represent a major threat to world peace," said President Barack Obama, "they might not cause any actual damage but the placebo effect could be quite devastating." [...] Homeopathic bombs are comprised...
Fun with Secret Questions
Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions: Q: Do you know why I think...
Hypersonic Cruise Missiles
The U.S. is developing a weapon capable of striking anywhere on the planet within an hour. The article talks about the possibility of modifying Trident missiles -- problematic because they would be indistinguishable from nuclear weapons -- and using the Mach 5-capable X-51 hypersonic cruise missile. Interesting technology, but we really need to think through the political ramifications of this...
Frank Furedi on Worst-Case Thinking
Nice essay by sociologist Frank Furedi on worst-case thinking, exemplified by our reaction to the Icelandic volcano: I am not a natural scientist, and I claim no authority to say anything of value about the risks posed by volcanic ash clouds to flying aircraft. However, as a sociologist interested in the process of decision-making, it is evident to me that...
Can Safes
Hiding your valuables in common household containers is an old trick. Diversion safes look like containers designed to hide your valuables in plain sight. Common diversion safes include fake brand name containers for soda pop, canned fruit, home cleaners, or even novels. Diversion can safes have removable tops or bottoms so that you can put your goods in them, and...
Seat Belt Use and Lessons for Security Awareness
From Lance Spitzner: In January of this year the National Highway Traffic Safety Administration released a report called "Analyzing the First Years Of the Ticket or Click It Mobilizations"... While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 - 2006, when most states...
Attack Against Apache.org
This blog entry should serve as a model for open and transparent security self-reporting. I'm impressed. More news reports....
New York Police Protect Obama from Bicycles
They were afraid that they might contain pipe bombs. This is the correct reaction: In any case, I suspect someone somewhere just panicked at the possibility that something might explode near the President on his watch, since the whole operation has the finesse of a teenage stoner shoving his pot paraphernalia under the bed and desperately trying to clear the...
ICPP Pre-Trial Settlement Scam
Nasty scam, where the user is pressured into accepting a "pre-trial settlement" for copyright violations. The level of detail is impressive....
Punishing Security Breaches
The editor of the Freakonomics blog asked me to write about this topic. The idea was that they would get several opinions, and publish them all. They spiked the story, but I already wrote my piece. So here it is. In deciding what to do with Gray Powell, the Apple employee who accidentally left a secret prototype 4G iPhone in...
Video Interviews with Me
Mike Mimoso interviewed me at the RSA Conference last month....
NIST on Protecting Personally Identifiable Information
Just published: Special Publication (SP) 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)." It's 60 pages long; I haven't read it....
Security Fog
An odd burglary prevention tool: If a burglar breaks in, the system floods the business with a dense fog similar to what's used in theaters and nightclubs. An intense strobe light blinds and disorients the crook. [..] Mazrouei said the cost to install the system starts at around $3,000. Police point out that the system blinds interior security cameras as...
Personal Code Ink
Remember SmartWater: liquid imbued with a uniquely identifiable DNA-style code? Well, Mont Blanc is selling a pen with uniquely identifiable ink....
Young People, Privacy, and the Internet
There's a lot out there on this topic. I've already linked to danah boyd's excellent SXSW talk (and her work in general), my essay on privacy and control, and my talk -- "Security, Privacy, and the Generation Gap" -- which I've given four times in the past two months. Last week, two new papers were published on the topic. "Youth,...
The Effectiveness of Political Assassinations
This is an excellent read: I wouldn't have believed you if you'd told me 20 years ago that America would someday be routinely firing missiles into countries it's not at war with. For that matter, I wouldn't have believed you if you'd told me a few months ago that America would soon be plotting the assassination of an American citizen...
Lt. Gen. Alexander and the U.S. Cyber Command
Lt. Gen. Keith Alexander, the current Director of NSA, has been nominated to head the US Cyber Command. Last week Alexander appeared before the Senate Armed Services Committee to answer questions. The Chairman of the Armed Services Committee, Senator Carl Levin (D Michigan) began by posing three scenarios to Lieutenant General Alexander: Scenario 1. A traditional operation against an adversary,...
Life Recorder
In 2006, writing about future threats on privacy, I described a life recorder: A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded. I can't find...
Fake CCTV Cameras
CCTV cameras in Moscow have been accused of streaming prerecorded video instead of live images. What I can't figure out is why? To me, it seems easier for the cameras to stream live video than prerecorded images....
Guns Painted to Look Like Toys
Last weekend I was in New York, and saw posters on the subways warning people about real guns painted to look like toys. And today I find these pictures from the Baltimore police department. Searching, I find this article from 2006 New York. I had no idea this was a thing....
Security for Implantable Medical Devices
Interesting study: "Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices," Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Abstract: Implantable medical devices (IMDs) improve patients' quality of life and help sustain their lives. In this study, we explore patient views and values regarding their devices to inform...
Storing Cryptographic Keys with Invisible Tattoos
This idea, by Stuart Schechter at Microsoft Research, is -- I think -- clever: Abstract: Implantable medical devices, such as implantable cardiac defibrillators and pacemakers, now use wireless communication protocols vulnerable to attacks that can physically harm patients. Security measures that impede emergency access by physicians could be equally devastating. We propose that access keys be written into patients' skin...
Matt Blaze Comments on his 15-Year-Old "Afterword"
Fifteen years ago, Matt Blaze wrote an Afterword to my book Applied Cryptography. Here are his current thoughts on that piece of writing....
Externalities and Identity Theft
Chris Hoofnagle has a new paper: "Internalizing Identity Theft." Basically, he shows that one of the problems is that lenders extend credit even when credit applications are sketchy. From an article on the work: Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their...
Terrorist Attacks and Comparable Risks, Part 2
John Adams argues that our irrationality about comparative risks depends on the type of risk: With "pure" voluntary risks, the risk itself, with its associated challenge and rush of adrenaline, is the reward. Most climbers on Mount Everest know that it is dangerous and willingly take the risk. With a voluntary, self-controlled, applied risk, such as driving, the reward is...
Terrorist Attacks and Comparable Risks, Part 1
Nice analysis by John Mueller and Mark G. Stewart: There is a general agreement about risk, then, in the established regulatory practices of several developed countries: risks are deemed unacceptable if the annual fatality risk is higher than 1 in 10,000 or perhaps higher than 1 in 100,000 and acceptable if the figure is lower than 1 in 1 million...
Man-in-the-Middle Attacks Against SSL
Says Matt Blaze: A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much. Scary research by Christopher Soghoian and Sid Stamm: Abstract: This paper introduces a new attack, the compelled certificate creation attack, in which government agencies...
Makeup to Fool Face Recognition Software
An NYU student has been reverse-engineering facial recognition algorithms to devise makeup patterns to confuse face recognition software....
Me in CRN
CRN Magazine named me as one of its security superstars of 2010....
Schneier on "Security, Privacy, and the Generation Gap"
Last month at the RSA Conference, I gave a talk titled "Security, Privacy, and the Generation Gap." It was pretty good, but it was the first time I gave that talk in front of a large audience -- and its newness showed. Last week, I gave the same talk again, at the CACR Higher Education Security Summit at Indiana University....
Cryptanalysis of the DECT
New cryptanalysis of the proprietary encryption algorithm used in the Digital Enhanced Cordless Telecommunications (DECT) standard for cordless phones. Abstract. The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from...
The Effectiveness of Air Marshals
Air marshals are being arrested faster than air marshals are making arrests. Actually, there have been many more arrests of Federal air marshals than that story reported, quite a few for felony offenses. In fact, more air marshals have been arrested than the number of people arrested by air marshals. We now have approximately 4,000 in the Federal Air Marshals...
Cryptography Broken on American Military Attack Video
Any ideas? At a news conference at the National Press Club, WikiLeaks said it had acquired the video from whistle-blowers in the military and viewed it after breaking the encryption code. WikiLeaks released the full 38-minute video as well as a 17-minute edited version. And this quote from the WikiLeaks Twitter feed on Feb 20th: Finally cracked the encryption to...
New York and the Moscow Subway Bombing
People intent on preventing a Moscow-style terrorist attack against the New York subway system are proposing a range of expensive new underground security measures, some temporary and some permanent. They should save their money - and instead invest every penny they're considering pouring into new technologies into intelligence and old-fashioned policing. Intensifying security at specific stations only works against terrorists...
Privacy and Control
In January, Facebook Chief Executive, Mark Zuckerberg, declared the age of privacy to be over. A month earlier, Google Chief Eric Schmidt expressed a similar sentiment. Add Scott McNealy's and Larry Ellison's comments from a few years earlier, and you've got a whole lot of tech CEOs proclaiming the death of privacy--especially when it comes to young people. It's just...
Detecting Being Watched
This seems like science fiction to me: The camera uses the same "red eye" effect from camera flashes to project it hundreds of meters, allowing it to identify binoculars, sniper scopes, cameras and even human eyeballs that are staring at you....
"Protecting Europe Against Large-Scale Cyber-Attacks"
Report from the House of Lords in the UK (pdf version)....
iPhone Secret Decoder Ring
It'll protect your secrets from your kid sister, unless she's smarter than that. Looks cool, though....
DHS Cybersecurity Awareness Campaign Challenge
This is a little hokey, but better them than the NSA: The National Cybersecurity Awareness Campaign Challenge Competition is designed to solicit ideas from industry and individuals alike on how best we can clearly and comprehensively discuss cybersecurity with the American public. Key areas that should be factored into the competition are the following: Teamwork Ability to quantify the distribution...
Explosive Breast Implants -- Not an April Fool's Joke
Is MI5 playing a joke on us? Female homicide bombers are being fitted with exploding breast implants which are almost impossible to detect, British spies have reportedly discovered. [...] MI5 has also discovered that extremists are inserting the explosives into the buttocks of some male bombers. "Women suicide bombers recruited by Al Qaeda are known to have had the explosives...
Fifth Annual Movie-Plot Threat Contest
Once upon a time, men and women throughout the land lived in fear. This caused them to do foolish things that made them feel better temporarily, but didn't make them any safer. Gradually, some people became less fearful, and less tolerant of the foolish things they were told to submit to. The lords who ruled the land tried to revive...
Security Cameras in the New York City Subways
The New York Times has an article about cameras in the subways. The article is all about how horrible it is that the cameras don't work: Moreover, nearly half of the subway system's 4,313 security cameras that have been installed – in stations and tunnels throughout the system – do not work, because of either shoddy software or construction problems,...
Should the Government Stop Outsourcing Code Development?
Information technology is increasingly everywhere, and it's the same technologies everywhere. The same operating systems are used in corporate and government computers. The same software controls critical infrastructure and home shopping. The same networking technologies are used in every country. The same digital infrastructure underpins the small and the large, the important and the trivial, the local and the global;...
Leaders Make Better Liars
According to new research: The researchers found that subjects assigned leadership roles were buffered from the negative effects of lying. Across all measures, the high-power liars -- the leaders -- resembled truthtellers, showing no evidence of cortisol reactivity (which signals stress), cognitive impairment or feeling bad. In contrast, low-power liars -- the subordinates -- showed the usual signs of stress...
Jeremy Clarkson on Security Guards
Nice essay: Of course, we know why he's really there. He's really there so that if the bridge is destroyed by terrorists, the authorities can appear on the television news and say they had taken all possible precautions. Plus, if you employ a security guard, then I should imagine that your insurance premiums are going to be significantly lower. This...
Master Thief
The amazing story of Gerald Blanchard. Thorough as ever, Blanchard had spent many previous nights infiltrating the bank to do recon or to tamper with the locks while James acted as lookout, scanning the vicinity with binoculars and providing updates via a scrambled-band walkie-talkie. He had put a transmitter behind an electrical outlet, a pinhole video camera in a thermostat,...
Identifying People by their Bacteria
A potential new forensic: To determine how similar a person's fingertip bacteria are to bacteria left on computer keys, the team took swabs from three computer keyboards and compared bacterial gene sequences with those from the fingertips of the keyboard owners. Today in the Proceedings of the National Academy of Sciences, they conclude that enough bacteria can be collected from...
Schneier Blogging Template
Eerily accurate: Catchy one-liner ("interesting," with link): In this part of the blog post, Bruce quotes something from the article he links to in the catchy phrase. It might be the abstract to an academic article, or the key points in a subject he's trying to get across. To get the post looking right, you have to include at least...
Hard Drives in Photocopy Machines
Modern photocopy machines contain hard drives that often have scans of old documents. This matters when an office disposes of an old copier. It also matters if you make your copies at a commercial copy center like Kinko's....
Side-Channel Attacks on Encrypted Web Traffic
Nice paper: "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow," by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang. Abstract. With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application's internal...
I'll be in Second Life Tonight
James Fallows and I are being interviewed in Second Life tonight, 9:00 PM Eastern Time....
How to Become a Nuclear Power
Sarcastic, yet a bit too close to the truth....
Natural Language Shellcode
Nice: In this paper we revisit the assumption that shellcode need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shellcode that is superficially similar to English prose. We argue that this new development poses significant challenges for inline payload-based inspection (and emulation) as a defensive measure, and...
Acrobatic Thieves
Some movie-plot attacks actually happen: They never touched the floor–that would have set off an alarm. They didn't appear on store security cameras. They cut a hole in the roof and came in at a spot where the cameras were obscured by advertising banners. And they left with some $26,000 in laptop computers, departing the same way they came in–down...
Dead on the No-Fly List
Such "logic": If a person on the no-fly list dies, his name could stay on the list so that the government can catch anyone trying to assume his identity. But since a terrorist might assume anyone's identity, by the same logic we should put everyone on the no-fly list. Otherwise, it's an interesting article on how the no-fly list works....
New Book: Cryptography Engineering
I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work–and added exercises to make it more suitable as a textbook–and is the third author on Cryptography Engineering. (I didn't like it that Wiley changed the title;...
Electronic Health Record Security Analysis
In British Columbia: When Auditor-General John Doyle and his staff investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority, they found trouble everywhere they looked. "In every key area we examined, we found serious weaknesses," wrote Doyle. "Security controls throughout the network and over the database were so inadequate that there was a high risk of external...
Back Door in Battery Charger
Amazing: The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. That's actually misleading. Even though the charger is a USB device, it does not contain the harmful installer described in the article–it has no storage capacity. The software has...
PDF the Most Common Malware Vector
MS Word has been dethroned: Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent. Details....
Even More on the al-Mabhouh Assassination
This, from a former CIA chief of station: The point is that in this day and time, with ubiquitous surveillance cameras, the ability to comprehensively analyse patterns of cell phone and credit card use, computerised records of travel documents which can be shared in the blink of an eye, the growing use of biometrics and machine-readable passports, and the ability...
Friday Squid Blogging: Preserving Your Giant Squid
Plastination: For several years von Hagens and his team experimented using smaller squid, and found that the fragility of the skin needed a slower replacement process than other animal specimens. Some 1500 litres of silicone later, the plastination of the giant cephalopods was completed in January....
Bringing Lots of Liquids on a Plane at Schiphol
This would worry me, if the liquid ban weren't already useless. The reporter found the security flaw in the airport's duty-free shopping system. At Schiphol airport, passengers flying to countries outside the Schengen Agreement Area can buy bottles of alcohol at duty-free shops before going through security. They are then permitted to take these bottles onto flights, provided that they...
Security Trade-Offs and Sacred Values
Interesting research: Psychologist Jeremy Ginges and his colleagues identified this backfire effect in studies of the Israeli-Palestinian conflict in 2007. They interviewed both Israelis and Palestinians who possessed sacred values toward key issues such as ownership over disputed territories like the West Bank or the right of Palestinian refugees to return to villages they were forced to leave–these people viewed...
Disabling Cars by Remote Control
Who didn't see this coming? More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments. [...] Ramos-Lopez's account had been closed when he was terminated from Texas Auto Center...
Casino Hack
Nice hack: Using insider knowledge the two hacked into software that controlled remote betting machines on live roulette wheels, the report said. The machines would print out winning betting slips regardless of the results on the wheel, Peterborough Today said. I'd like to know how they got caught....
Secret Questions
Interesting research: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That...
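As an added example (not part of the original post or the paper it quotes): a Python calculation of what "effective bits against three guesses" means for a human-chosen answer. The metric used is Bonneau's beta-success-rate effective key length: for a budget of beta guesses per account, lambda_beta is the probability mass of the beta most common answers, and the effective bits are log2(beta / lambda_beta), i.e. the size of a uniform secret that would give the attacker the same odds. The answer distribution below is constructed for illustration and is not the paper's data.

```python
"""Effective security of human-chosen secret-question answers against a
guess budget (constructed sample; metric follows Bonneau's beta-success-rate).

For beta online guesses, lambda_beta is the probability mass of the beta most
common answers.  A uniform secret of log2(beta / lambda_beta) bits would give
the attacker the same odds, so that is the "effective bits" figure.
"""
import math
from collections import Counter
from typing import Iterable, List

# Constructed answer distribution for a name-type question: a few very common
# answers and a long tail of unique ones (1000 answers total).
SAMPLE_ANSWERS: List[str] = (
    ["smith"] * 120 + ["johnson"] * 90 + ["williams"] * 70 + ["brown"] * 60
    + ["jones"] * 55 + ["garcia"] * 50 + ["miller"] * 45 + ["davis"] * 40
    + [f"rare{i}" for i in range(470)]
)


def guess_list(answers: Iterable[str], beta: int) -> List[str]:
    """The attacker's best beta guesses: the most frequent answers."""
    return [a for a, _ in Counter(answers).most_common(beta)]


def success_rate(answers: Iterable[str], beta: int) -> float:
    """lambda_beta: fraction of accounts cracked with beta guesses each."""
    counts = Counter(answers)
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:beta]
    return sum(top) / total


def effective_bits(answers: Iterable[str], beta: int) -> float:
    """Bonneau's beta-success-rate key length: log2(beta / lambda_beta)."""
    return math.log2(beta / success_rate(answers, beta))


def success_rate_for_bits(bits: float, beta: int) -> float:
    """Inverse: attacker success per account for a secret of `bits`
    effective bits under a beta-guess lockout."""
    return beta / 2 ** bits


if __name__ == "__main__":
    print("top-3 guesses:", guess_list(SAMPLE_ANSWERS, 3))
    print("lambda_3 = %.3f" % success_rate(SAMPLE_ANSWERS, 3))
    print("effective bits at 3 guesses = %.2f" % effective_bits(SAMPLE_ANSWERS, 3))
    print("8-bit answer, 3 guesses: %.4f of accounts" % success_rate_for_bits(8, 3))
```

The point the numbers make: with the constructed distribution, three guesses crack 28% of accounts, which is about 3.4 effective bits; even the paper's 8-bit figure means a three-guess lockout still loses roughly 1.2% of accounts to an attacker who simply tries the three most common names on everyone. Lockout limits guesses per account, not guesses across accounts, so the defence has to be a better secret, not a tighter counter.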
USB Combination Lock
Here's a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations. And when the drive is "locked" and the connector is retracted, the contacts are still accessible. Maybe it should be given away by companies that sell...
Typosquatting
"Measuring the Perpetrators and Funders of Typosquatting," by Tyler Moore and Benjamin Edelman: Abstract. We describe a method for identifying "typosquatting", the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue...
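As an added example (not the paper's code, and not a description of its exact method): a Python implementation of the two halves of a typosquatting check. The first half generates the misspellings a squatter would register for a target label (omitted, doubled, substituted and transposed letters, plus the missing-dot "www" prefix); the second half takes a list of registered domains and flags those within one edit of the target's label under optimal-string-alignment distance, or whose TLD differs. The registered-domain list is constructed; only the target name is real.

```python
"""Typosquatting candidate generation and detection (constructed example).

Two halves of the method: generate the misspellings an attacker would register
for a target, and, given a list of registered domains, flag those within one
edit (optimal string alignment distance) of the target's label or carrying
a missing-dot "www" prefix.
"""
from typing import List, Set, Tuple

# Constructed "registered domains" list; the only real name here is the target.
REGISTERED = [
    "google.com", "gogle.com", "googel.com", "googlle.com", "google.cm",
    "wwwgoogle.com", "example.com", "bing.com",
]


def split_domain(domain: str) -> Tuple[str, str]:
    """Second-level label and TLD: 'google.com' -> ('google', 'com')."""
    label, tld = domain.lower().rsplit(".", 1)
    return label, tld


def typo_candidates(domain: str) -> Set[str]:
    """Misspellings of the label that a squatter would register."""
    label, tld = split_domain(domain)
    out: Set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                   # omission
        out.add(label[:i + 1] + label[i] + label[i + 1:])    # doubled letter
        for c in "abcdefghijklmnopqrstuvwxyz":
            out.add(label[:i] + c + label[i + 1:])           # substitution
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    out.add("www" + label)                                   # missing dot
    return {c + "." + tld for c in out if c and c != label}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_typo_of(domain: str, target: str) -> bool:
    """True if `domain` is within one edit of `target`'s label (or is a
    www-prefixed copy of it) and is not the target itself.  A label that
    matches exactly under a different TLD also counts."""
    if domain.lower() == target.lower():
        return False
    label, _ = split_domain(domain)
    tlabel, _ = split_domain(target)
    if label.startswith("www") and label[3:] == tlabel:
        return True
    return osa_distance(label, tlabel) <= 1


def find_typosquats(registered: List[str], target: str) -> List[str]:
    """Registered domains that look like typos of `target`, sorted."""
    return sorted(d for d in registered if is_typo_of(d, target))


if __name__ == "__main__":
    print(len(typo_candidates("google.com")), "candidates generated")
    print(find_typosquats(REGISTERED, "google.com"))
```

The generator is what a defender uses proactively (register or monitor the candidates); the distance check is what you run over a zone file or certificate-transparency feed to find what someone else already registered. Distance one is a deliberate choice: going to two edits catches more squats but starts matching unrelated short names.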
Friday Squid Blogging: Cipherlopods
This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke....
More Hollow Coins
A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well....
Wikibooks Cryptography Textbook
Over at Wikibooks, they're trying to write an open source cryptography textbook....
Wanted: Trust Detector
It's good to dream: IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions. A second part of the IARPA proposal might involve using new types of...
Nose Biometrics
Really: Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people. "Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University...
The Limits of Identity Cards
Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer...
Marc Rotenberg on Google's Italian Privacy Case
Interesting commentary: I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established...
Guide to Microsoft Police Forensic Services
The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it: The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also...
Google in The Onion
Funny: MOUNTAIN VIEW, CA–Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday. "We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some...
Eating a Flash Drive
How not to destroy evidence: In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show. The article wasn't explicit about this -- odd, as it's the main question any reader would...
De-Anonymizing Social Network Users
Interesting paper: "A Practical Attack to De-Anonymize Social Network Users." Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data. In this paper, we introduce...
Friday Squid Blogging: Squid Teapot
Squid teapot. Could be squiddier....
Another Interview with Me
I gave this one two days ago, at the RSA Conference....
Mariposa Botnet Shut Down
The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet....
Comprehensive National Cybersecurity Initiative
On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan: Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet. Initiative #2. Deploy an intrusion detection system of sensors across the Federal...
Crypto Implementation Failure
Look at this new AES-encrypted USB memory stick. You enter the key directly into the stick via the keypad, thereby bypassing any eavesdropping software on the computer. The problem is that in order to get full 256-bit entropy in the key, you need to enter 77 decimal digits using the keypad. I can't imagine anyone doing that; they'll enter an...
Tom Engelhardt on Fear on Terrorism
Nice essay. Similar sentiment from Newsweek....
More on the Al-Madhouh Assassination
Interesting essay by a former CIA field officer on the al-Mabhouh assassination: The truth is that Mr. Mabhouh's assassination was conducted according to the book -- a military operation in which the environment is completely controlled by the assassins. At least 25 people are needed to carry off something like this. You need "eyes on" the target 24 hours a...
Breaking in to Hotel Rooms
Is this how the al-Mabhouh assassins got in?...
Friday Squid Blogging: Squid Homophone Lessons
Squids make great examples....
Me on Surveillance Cameras
My fourth essay for CNN.com, on surveillance cameras. The Al-Mabhouh assassination made a nice news hook....
Hitler and Cloud Computing
Funny video by Marcus Ranum and Gunnar Peterson....
Small Planes and Lone Terrorist Nutcases
A Washington Post article concludes that small planes are not the next terror threat: Pilots of private planes fly about 200,000 small and medium-size aircraft in the United States, using 19,000 airports, most of them small. The planes' owners say the aircraft have little in common with airliners. "I don't see a gaping security hole here," said Tom Walsh, an...
Remotely Spying on Kids with School Laptops
It's a really creepy story. A school issues laptops to students, and then remotely and surreptitiously turns on the camera. (Here's the lawsuit.) This is an excellent technical investigation of what actually happened. This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the...
NSA Historical Documents
Just declassified: "A Reference Guide to Selected Historical Documents Relating to the National Security Agency/Central Security Service, 1931–1985." Formerly "Top Secret UMBRA." From my quick scan, there are minimal redactions....
The Doghouse: Demiurge Consulting
They claim to be "one of the nation's only and most respected security and intelligence providers" -- I've never heard of them -- but their blog consists entirely of entries copied from my blog since December 24. They don't even cull the ones that are obviously me: posts about interviews I've given, for example. I contacted them last week and...
Mark Twain on Risk Analysis
From 1871: I hunted up statistics, and was amazed to find that after all the glaring newspaper headings concerning railroad disasters, less than three hundred people had really lost their lives by those disasters in the preceding twelve months. The Erie road was set down as the most murderous in the list. It had killed forty-six–or twenty-six, I do not...
TSA Logo Contest Winner
In January I announced a contest to redesign the TSA logo. Last week I announced the five finalists -- chosen by Patrick Smith from "Ask the Pilot" and myself -- and asked you all to vote on the winner. Four hundred and seven votes later, we have a tie. No really; we have a tie. Rhys Gibson and "I love...
Another Debit Card Skimmer
This one is installed inside gas pumps. There's nothing the customer can detect....
Cyber Shockwave Test
There was a big U.S. cyberattack exercise this week. We didn't do so well: In a press release issued today, the Bipartisan Policy Center (BPC) -- which organized "Cyber Shockwave" using a group of former government officials and computer simulations -- concluded the U.S is "unprepared for cyber threats." [...] ...the U.S. defenders had difficulty identifying the source of the...
Al-Mabhouh Assassination
It reads like a very professional operation: Security footage of the killers' movements during the afternoon, released by police in Dubai yesterday, underlines the professionalism of the operation. The group switched hotels several times and wore disguises including false beards and wigs, while surveillance teams rotated in pairs through the hotel lobby, never hanging around for too long and paying...
Opening Locks with Foil Impressioning
Interesting blog post, with video demonstration, about an improved tool to open high security locks with a key that will just "form itself" if you insert it into the lock and wiggle it a little. The basic technique is a few years old, but the improvements discussed here allow the tool to open a wider variety of locks than before....
Bruce Schneier Facebook Page
I finally have control of my Facebook page. There'll be nothing on it that isn't on my blog, but some of you might prefer following my writing from there. (I also have a Twitter account, although I've never posted.)...
Botnets Attacking Each Other
A new Trojan Horse named Spy Eye has code that kills Zeus, a rival botnet....
Detecting Cheating by Analyzing Erased Answers
I had no idea this was being done, but erased answers are now analyzed on standardized tests. Schools with a high number of wrong-to-right changes across multiple tests are presumed to have cheated: teachers changing the answers after the students are done....
James Fallows on the Chinese Cyber Threat
Interesting. I wrote this about Chinese cyberattacks in 2008....
TSA Logo Contest Finalists
Last month I announced a contest to redesign the TSA logo. Here are the finalists. Clicking on them will bring up a larger, and easier to read, version. Travis McHale Will Imholte Rhys Gibson Kurushio I love to fly and it shows Vote in the comments. The winner will receive a copy of each of our books, a fake boarding...
Radio Interview
I was interviewed on the New Horizons radio show in Boise....
Friday Squid Blogging: Squid Record
I don't know which is more exciting: that someone is trying to break the squid record, or that there is a squid record in the first place. An Auckland scientist is attempting to break his own world record for rearing deep sea squid in captivity. Neither, actually. This is what's exciting: The project is a warm-up for Dr Steve O'Shea...
Homebrew Cryptography
Nice article about a would-be spy and his homebrew pencil-and-paper cryptography....
Car-Key Copier
This: The Impressioner consists of a sensor that goes into the lock and sends information back to a computer via USB about the location of the lock's tumblers–a corresponding computer program comes up with the code, depending on the make of car you've entered beforehand. Once you know the code, a key-cutting machine can use it to carve up a...
Man-in-the-Middle Attack Against Chip and PIN
Nice attack against the EMV -- Eurocard Mastercard Visa -- the "chip and PIN" credit card payment system. The attack allows a criminal to use a stolen card without knowing the PIN. The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a...
Interview with a Nigerian Internet Scammer
Really interesting reading. Scam-Detective: How did you find victims for your scams? John: First you need to understand how the gangs work. At the bottom are the "foot soldiers", kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed...
Terrorists Prohibited from Using iTunes
The iTunes Store Terms and Conditions prohibits it: Notice, as I read this clause not only are terrorists -- or at least those on terrorist watch lists -- prohibited from using iTunes to manufacture WMD, they are also prohibited from even downloading and using iTunes. So all the Al-Qaeda operatives holed up in the Northwest Frontier Provinces of Pakistan, dodging...
All Subversive Organizations Now Must Register in South Carolina
This appears not to be a joke: The state's "Subversive Activities Registration Act," passed last year and now officially on the books, states that "every member of a subversive organization, or an organization subject to foreign control, every foreign agent and every person who advocates, teaches, advises or practices the duty, necessity or propriety of controlling, conducting, seizing or overthrowing...
Outguessing the Terrorists
Isn't it a bit embarrassing for an "expert on counter-terrorism" to be quoted as saying this? Bill Tupman, an expert on counter-terrorism from Exeter University, told BBC News: "The problem is trying to predict the mind of the al-Qaeda planner; there are so many things they might do. "And it is also necessary to reassure the public that we are...
The Limits of Visual Inspection
Interesting research: Target prevalence powerfully influences visual search behavior. In most visual search experiments, targets appear on at least 50% of trials. However, when targets are rare (as in medical or airport screening), observers shift response criteria, leading to elevated miss error rates. Observers also speed target-absent responses and may make more motor errors. This could be a speed/accuracy tradeoff...
More Details on the Chinese Attack Against Google
Three weeks ago, Google announced a sophisticated attack against them from China. There have been some interesting technical details since then. And the NSA is helping Google analyze the attack. The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At...
New Attack on Threefish
At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds...
Scaring the Senate Intelligence Committee
This is unconscionable: At Tuesday's hearing, Senator Dianne Feinstein, Democrat of California and chairwoman of the Senate Intelligence Committee, asked Mr. Blair [the Director of National Intelligence] to assess the possibility of an attempted attack in the United States in the next three to six months. He replied, "The priority is certain, I would say" -- a response that was...
World's Largest Data Collector Teams Up With World's Largest Data Collector
Does anyone think this is a good idea? Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users...
Security and Function Creep
Security is rarely static. Technology changes both security systems and attackers. But there's something else that changes security's cost/benefit trade-off: how the underlying systems being secured are used. Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security...
Anonymity and the Internet
Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks,...
More Movie Plot Terrorist Threats
The Foreign Policy website has its own list of movie-plot threats: machine-gun wielding terrorists on paragliders, disease-laden insect swarms, a dirty bomb made from smoke detector parts, planning via online games, and botulinum in the food supply. The site fleshes these threats out a bit, but it's nothing regular readers of this blog can't imagine for themselves. Maybe they should...
Online Credit/Debit Card Security Failure
Ross Anderson reports: Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. In a paper...
Friday Squid Blogging: Harrowgate's 1886 Giant Squid
I have no idea how to explain this....
Tracking your Browser Without Cookies
How unique is your browser? Can you be tracked simply by its characteristics? The EFF is trying to find out. Their site Panopticlick will measure the characteristics of your browser setup and tell you how unique it is. I just ran the test on myself, and my browser is unique amongst the 120,000 browsers tested so far. It's my browser...
World Privacy Day and the Madrid Privacy Declaration
Today is World Privacy Day. (I know; it's odd to me, too.) You can celebrate by signing on to the Madrid Privacy Declaration, either as an individual or as an organization. Me, I'm celebrating -- but I'm not going to tell you how....
Scanning Cargo for Nuclear Material and Conventional Explosives
Still experimental: The team propose using a particle accelerator to alternately smash ionised hydrogen molecules and deuterium ions into targets of carbon and boron respectively. The collisions produce beams of gamma rays of various energies as well as neutrons. These beams are then passed through the cargo. By measuring the way the beams are absorbed, Goldberg and company say they...
More Surveillance in the UK
This seems like a bad idea: Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the "routine" monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance. Once again, laws and technologies deployed against terrorism are used against much more mundane crimes....
Penny Shooter Business Card
Nice. Of course, this means that the TSA will start banning wallets on airplanes....
The Abdulmutallab that Should Have Been Connected
The notion that U.S. intelligence should have "connected the dots," and caught Abdulmutallab, isn't going away. This is a typical example: So you'd need some "articulable facts" which could "reasonably warrant a determination" that the guy may be a terrorist based on his behavior. And one assumes his behavior would have to catch the attention of the authorities, correct? Well...
Me on Chinese Hacking and Enabling Surveillance
CNN.com just published an essay of mine on China's hacking of Google, an update of this essay....
Transport Canada on its New Security Regulations
Okay, it's really the Rick Mercer Report....
German TV on the Failure of Full-Body Scanners
The video is worth watching, even if you don't speak German. The scanner caught a subject's cell phone and Swiss Army knife -- and the microphone he was wearing -- but missed all the components to make a bomb that he hid on his body. Admittedly, he only faced the scanner from the front and not from the side. But...
ATM Skimmer
Neat pictures. I would never have noticed it, which is precisely the point....
Wrasse Punish Cheaters
Interesting: The bluestreak cleaner wrasse (Labroides dimidiatus) operates an underwater health spa for larger fish. It advertises its services with bright colours and distinctive dances. When customers arrive, the cleaner eats parasites and dead tissue lurking in any hard-to-reach places. Males and females will sometimes operate a joint business, working together to clean their clients. The clients, in return, dutifully...
Privacy Violations by Facebook Employees
I don't know if this is real, but it seems perfectly reasonable that all of Facebook is stored in a huge database that someone with the proper permissions can access and modify. And it also makes sense that developers and others would need the ability to assume anyone's identity. Rumpus: You've previously mentioned a master password, which you no longer...
Eavesdropping in the Former Soviet Union
Interesting story: The phone's ringer is a pretty simple thing: there's a coil, a magnet and a hammer controlled by the magnet that hits the gongs when there is AC current in the coil. The ringer system is connected directly to the phone line when the phone is on hook. (Actually through a capacitor that protects the ringer system from...
Security vs. Sustainability in Building Construction
Interesting: Any facility executive involved in the design of a new building would agree that security is one important goal for the new facility. These days, facility executives are likely to say that green design is another priority. Unfortunately, these two goals are often in conflict. Consider the issues that arise when even a parking lot is being designed. From...
Google vs. China
I'm not sure what I can add to this: politically motivated attacks against Gmail from China. I've previously written about hacking from China. Shishir Nagaraja and Ross Anderson wrote a report specifically describing how the Chinese have been hacking groups that are politically opposed to them. I've previously written about censorship, Chinese and otherwise. I've previously written about broad government...
Prison Escape Artist
Clever ruse: When he went to court for hearings, he could see the system was flawed. He would arrive on the twelfth floor in handcuffs and attached at the waist to a dozen other inmates. A correction officer would lead them into the bull pen, an area where inmates wait for their lawyers. From the bull pen, the inmates would...
Fixing Intelligence Failures
President Obama, in his speech last week, rightly focused on fixing the intelligence failures that resulted in Umar Farouk Abdulmutallab being ignored, rather than on technologies targeted at the details of his underwear-bomb plot. But while Obama's instincts are right, reforming intelligence for this new century and its new threats is a more difficult task than he might like. We...
Loretta Napoleoni on the Economics of Terrorism
Interesting TED talk: Loretta Napoleoni details her rare opportunity to talk to the secretive Italian Red Brigades -- an experience that sparked a lifelong interest in terrorism. She gives a behind-the-scenes look at its complex economics, revealing a surprising connection between money laundering and the US Patriot Act....
Ray McGovern on Intelligence Failures
Good commentary from former CIA analyst Ray McGovern: The short answer to the second sentence is: Yes, it is inevitable that "certain plots will succeed." A more helpful answer would address the question as to how we might best minimize their prospects for success. And to do this, sorry to say, there is no getting around the necessity to address...
$3.2 Million Jewelry Store Theft
I've written about this sort of thing before: A robber bored a hole through the wall of jewelry shop and walked off with about 200 luxury watches worth 300 million yen ($3.2 million) in Tokyo's upscale Ginza district, police said Saturday. From Secrets and Lies, p. 318: Threat modeling is, for the most part, ad hoc. You think about the...
Body Cavity Scanners
At least one company is touting its technology: Nesch, a company based in Crown Point, Indiana, may have a solution. It's called diffraction-enhanced X-ray imaging or DEXI, which employs proprietary diffraction enhanced imaging and multiple image radiography. Rather than simply shining X-rays through the subject and looking at the amount that passes through (like a conventional X-ray machine), DEXI analyzes...
Airplane Security Commentary
Excellent commentary from The Register: As the smoke clears following the case of Umar Farouk Abdul Mutallab, the failed Christmas Day "underpants bomber" of Northwest Airlines Flight 253 fame, there are just three simple points for us Westerners to take away. First: It is completely impossible to prevent terrorists from attacking airliners. Second: This does not matter. There is no...
The Power Law of Terrorism
Research result #1: "A Generalized Fission-Fusion Model for the Frequency of Severe Terrorist Attacks," by Aaron Clauset and Frederik W. Wiegel. Plot the number of people killed in terrorists attacks around the world since 1968 against the frequency with which such attacks occur and you'll get a power law distribution, that's a fancy way of saying a straight line when...
The Comparative Risk of Terrorism
Good essay from the Wall Street Journal: It might be unrealistic to expect the average citizen to have a nuanced grasp of statistically based risk analysis, but there is nothing nuanced about two basic facts: (1) America is a country of 310 million people, in which thousands of horrible things happen every single day; and (2) The chances that one...
My Second CNN.com Essay on the Underwear Bomber
This one is about our tendency to overreact to rare risks, and is an update of this 2007 essay. I think we should start calling them the "underpants of mass destruction."...
768-bit Number Factored
News: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve. The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus. This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA...
Cybersecurity Theater at FOSE
FOSE, the big government IT conference, has a "Cybersecurity Theater" this year. I wonder if they'll check the photo ID of everyone who tries to get in. On a similar note, I am pleased that my term "security theater" has finally hit the mainstream. It's everywhere. My favorite variant is "security theater of the absurd." And this great cartoon. And...
FIPS 140-2 Level 2 Certified USB Memory Stick Cracked
Kind of a dumb mistake: The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that...
Connecting the Dots
I wrote about intelligence failures back in 2002....
Post-Underwear-Bomber Airport Security
In the headlong rush to "fix" security after the Underwear Bomber's unsuccessful Christmas Day attack, there's far too little discussion about what worked and what didn't, and what will and will not make us safer in the future. The security checkpoints worked. Because we screen for obvious bombs, Umar Farouk Abdulmutallab -- or, more precisely, whoever built the bomb --...
Gift Cards and Employee Retail Theft
Retail theft by employees has always been a problem, but gift cards make it easier: At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card. [...] Many of the gift card crimes are straightforward, frequently involving young sales clerks and smaller...
Nate Silver on the Risks of Airplane Terrorism
Over at fivethirtyeight.com, Nate Silver crunches the numbers and concludes that, at least as far as terrorism is concerned, air travel is safer than it's ever been: In the 2000s, a total of 469 passengers (including crew and terrorists) were killed worldwide as the result of Violent Passenger Incidents, 265 of which were on 9/11 itself. No fatal incidents have...
Another Contest: Fixing Airport Security
Slate is hosting an airport security suggestions contest: ideas "for making airport security more effective, more efficient, or more pleasant." Deadline is midday Friday. I had already submitted a suggestion before I was asked to be a judge. Since I'm no longer eligible, here's what I sent them: Reduce the TSA's budget, and spend the money on: 1. Intelligence. Security...
David Brooks on Resilience in the Face of Security Imperfection
David Brooks makes some very good points in this New York Times op ed from last week: All this money and technology seems to have reduced the risk of future attack. But, of course, the system is bound to fail sometimes. Reality is unpredictable, and no amount of computer technology is going to change that. Bureaucracies are always blind because...
TSA Logo Contest
Over at "Ask the Pilot," Patrick Smith has a great idea: Calling all artists: One thing TSA needs, I think, is a better logo and a snappy motto. Perhaps there's a graphic designer out there who can help with a new rendition of the agency's circular eagle-and-flag motif. I'm imagining a revised eagle, its talons clutching a box cutter and...
Breaching the Secure Area in Airports
An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting an evacuation of a terminal and flight delays that continued into the next day. This problem isn't common, but it happens regularly. The result is always the same, and it's not obvious that fixing the problem is the right solution....
Me on Airport Security Profiling
Yesterday I participated in a "Room for Debate" discussion on airport security profiling. Nothing I haven't said before....
Matt Blaze on the New "Unpredictable" TSA Screening Measures
Interesting: "Unpredictable" security as applied to air passenger screening means that sometimes (perhaps most of the time), certain checks that might detect terrorist activity are not applied to some or all passengers on any given flight. Passengers can't predict or influence when or whether they will be subjected to any particular screening mechanism. And so, the strategy assumes, the would-be...
Adopting the Israeli Airport Security Model
I've been reading a lot recently -- like this one on the Israeli airport security model, and how we should adopt more of the Israeli security model here in the U.S. This sums up the problem with that idea nicely: On the other hand, no matter how safe or how wonderful the flying experience on El Al, it is TINY...
Vatican Admits Perfect Security is Both Impossible and Undesirable
This is refreshing: Father Lombardi said it was not realistic to think the Vatican could ensure 100% security for the Pope and that security guards appeared to have acted as quickly as possible. "It seems that they intervened at the earliest possible moment in a situation in which zero risk cannot be achieved," he told the Associated Press news agency....
Christmas Bomber: Where Airport Security Worked
With all the talk about the failure of airport security to detect the PETN that the Christmas bomber sewed into his underwear -- and to think I've been using the phrase "underwear bomber" as a joke all these years -- people forget that airport security played an important role in foiling the plot. In order to get through airport security,...
Friday Squid Blogging: Squid Ski Mask
You probably can't walk into a bank wearing this....
Quantum Cryptography Cracked
Impressive: This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem. Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during...
Me and the Christmas Underwear Bomber
I spent a lot of yesterday giving press interviews. Nothing I haven't said before, but it's now national news and everyone wants to hear it. These are the most interesting bits. Rachel Maddow interviewed me last night on her show. Jeffrey Goldberg interviewed me for the Atlantic website. And CNN.com published a rewrite of an older article of mine on...
Change Blindness
Interesting video demonstrating change blindness: the human brain's tendency to ignore major visual changes. The implications for security are pretty serious....
"The Behavioral Economics of Personal Information"
Good survey article by Alessandro Acquisti in IEEE Computer....
Separating Explosives from the Detonator
Chechen terrorists did it in 2004. I said this in an interview with then TSA head Kip Hawley in 2007: I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers. And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last...
Intercepting Predator Video
Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still. The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren't "hacked" -- the insurgents can't control them -- but...
Plant Security Countermeasures
The essay is about veganism and plant eating, but I found the descriptions of plant security countermeasures interesting: Plants can't run away from a threat but they can stand their ground. “They are very good at avoiding getting eaten,” said Linda Walling of the University of California, Riverside. “It's an unusual situation where insects can overcome those defenses.” At the...
Luggage Locator
Wow, is this a bad idea: The Luggage Locator is an innovative product that travellers or anyone can use to locate items. It has been specifically engineered to help people find their luggage quickly and can also be used around the home or office. A battery operated, two unit system, the Luggage Locator consists of a small transmitter about the...
Howard Schmidt to be Named U.S. Cybersecurity Czar
I heard this rumor two days ago, and The New York Times is reporting today. Reporters are calling me for reactions and opinions, but I just don't know. Schmidt is good, but I don't know if anyone can do well in a job with lots of responsibility but no actual authority. But maybe Obama will imbue the position with authority...
Defeating Microsoft BitLocker
Defeating BitLocker, even with a TPM. Related....
Live Face-Off with Marcus Ranum at ISD
Here are the six links to the face-off Marcus Ranum and I did on stage at the Information Security Decisions conference in Chicago....
MagnePrint Technology for Credit/Debit Cards
This seems like a solution in search of a problem: MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable. Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a...
Australia Restores Some Sanity to Airport Screening
Welcome news: Carry-on baggage rules will be relaxed under a shake-up of aviation security announced by the Federal Government today. The changes will see passengers again allowed to carry some sharp implements, such as nail files and clippers, umbrellas, crochet and knitting needles on board aircraft from July next year. Metal cutlery will return to cabin meals and...
The Politics of Power in Cyberspace
Thoughtful blog post by The Atlantic's Marc Ambinder: We allow Google, Amazon.com, credit companies and all manner of private corporations to collect intimate information about our lives, but we reflexively recoil when the government proposes to monitor (and not even collect) a fraction of that information, even with legal safeguards. We carry in our wallets credit cards with RFID chips....
Telcoms Security
A very good four-part series: "Risk and Security in the Telecommunications Industry."...
The U.S. Civil Rights Movement as an Insurgency
This is interesting: Most Americans fail to appreciate that the Civil Rights movement was about the overthrow of an entrenched political order in each of the Southern states, that the segregationists who controlled this order did not hesitate to employ violence (law enforcement, paramilitary, mob) to preserve it, and that for nearly a century the federal government tacitly or overtly...
U.S./Russia Cyber Arms Control Talks
Now this is interesting: The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace. [...] The Russians have held that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited...
Me Speaking on "The Future of Privacy"
Video of the talk I gave to the Open Rights Group last week in London....
Friday Squid Blogging: Cephalopod Christmas Trees
Christmas is coming....
Obama's Cybersecurity Czar
Rumors are that RSA president Art Coviello declined the job. No surprise: it has no actual authority but a lot of responsibility. Security experts have pointed out that previous cybersecurity positions, cybersecurity czars and directors at the Department of Homeland Security, have been unable to make any significant changes to lock down federal systems. Virtually nothing can get done without...
Reacting to Security Vulnerabilities
Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous. If this...
TSA Publishes Standard Operating Procedures
BoingBoing is pretty snarky: The TSA has published a "redacted" version of their s00per s33kr1t screening procedure guidelines (Want to know whether to frisk a CIA operative at the checkpoint? Now you can!). Unfortunately, the security geniuses at the DHS don't know that drawing black blocks over the words you want to eliminate from your PDF doesn't actually make the...
My Reaction to Eric Schmidt
Schmidt said: I think judgment matters. If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are...
Emotional Epidemiology
This, from The New England Journal of Medicine, sounds familiar: This is the story line for most headline-grabbing illnesses – HIV, Ebola virus, SARS, typhoid. These diseases capture our imagination and ignite our fears in ways that more prosaic illnesses do not. These dramatic stakes lend themselves quite naturally to thriller books and movies; Dustin Hoffman hasn't starred in any...
Using Fake Documents to Get a Valid U.S. Passport
I missed this story: Since 2007, the U.S. State Department has been issuing high-tech "e-passports," which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn't particularly difficult for anyone with even basic forgery skills. A GAO investigator managed...
Terrorists Targeting High-Profile Events
In an AP story on increased security at major football (the American variety) events, this sentence struck me: "High-profile events are something that terrorist groups would love to interrupt somehow," said Anthony Mangione, chief of U.S. Immigration and Customs Enforcement's Miami office. This is certainly the conventional wisdom, but is there any actual evidence that it's true? The 9/11 terrorists...
Sprint Provides U.S. Law Enforcement with Cell Phone Customer Location Data
Wired summarizes research by Christopher Soghoian: Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October. The manager also revealed the existence of a previously undisclosed web portal that Sprint provides...
The Security Implications of Windows Volume Shadow Copy
It can be impossible to securely delete a file: What are the security implications of Volume Shadow Copy? Suppose you decide to protect one of your documents from prying eyes. First, you create an encrypted copy using an encryption application. Then, you "wipe" (or "secure-delete") the original document, which consists of overwriting it several times and deleting it. (This is...
Fingerprinting RFID Chips
This research centers on looking at the radio characteristics of individual RFID chips and creating a "fingerprint." It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II. But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance...
Cyberwarfare Policy
National Journal has an excellent article on cyberwar policy. I agree with the author's comments on The Atlantic blog: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first. To understand why, forget about the cyber dimension for a...
The Psychology of Being Scammed
This is a very interesting paper: "Understanding scam victims: seven principles for systems security," by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games. (There's no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at...
Fear and Public Perception
This 1996 interview with psychiatrist Robert DuPont was part of a Frontline program called "Nuclear Reaction." He's talking about the role fear plays in the perception of nuclear power. It's a lot of the sorts of things I say, but particularly interesting is this bit on familiarity and how it reduces fear: You see, we sited these plants away from...
Leaked 9/11 Text Messages
Wikileaks has published pager intercepts from New York on 9/11: WikiLeaks released half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 attacks in New York and Washington. [...] Text pagers are usually carried by persons operating in an official capacity. Messages in the archive range from Pentagon, FBI, FEMA...
Mumbai Terrorist Attacks
Long, detailed, and very good story of the Mumbai terrorist attacks of last year. My own short commentary in the aftermath of the attacks....
Virtual Mafia in Online Worlds
If you allow players in an online world to penalize each other, you open the door to extortion: One of the features that supported user socialization in the game was the ability to declare that another user was a trusted friend. The feature involved a graphical display that showed the faces of users who had declared you trustworthy outlined in...
Users Rationally Rejecting Security Advice
This paper, by Cormac Herley at Microsoft Research, sounds like me: Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers...
Norbt
Norbt (no robot) is a low-security web application to encrypt web pages. You can create and encrypt a webpage. The key is an answer to a question; anyone who knows the answer can see the page. I'm not sure this is very useful....
Decertifying "Terrorist" Pilots
This article reads like something written by the company's PR team. When it comes to sleuthing these days, knowing your way within a database is as valued a skill as the classic, Sherlock Holmes-styled powers of detection. Safe Banking Systems Software proved this very point in a demonstration of its algorithm acumen -- one that resulted in a disclosure that...
Al Qaeda Secret Code Broken
I would sure like to know more about this: Top code-breakers at the Government Communications Headquarters in the United Kingdom have succeeded in breaking the secret language that has allowed imprisoned leaders of al-Qaida to keep in touch with other extremists in U.K. jails as well as 10,000 "sleeper agents" across the islands.... [...] For six months, the code-breakers worked...
Friday Squid Blogging: New Squid Discovered
An expedition to study seamounts in the Indian Ocean has discovered some new species, including some squid....
Interview with Me
Yet another interview with me. This one is audio, and was conducted in Rotterdam in October....
Denial-of-Service Attack Against CALEA
Interesting: The researchers say they've found a vulnerability in U.S. law enforcement wiretaps, if only theoretical, that would allow a surveillance target to thwart the authorities by launching what amounts to a denial-of-service (DoS) attack against the connection between the phone company switches and law enforcement. [...] The University of Pennsylvania researchers found the flaw after examining the telecommunication industry...
A Taxonomy of Social Networking Data
At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data. Someone made the point that there are several different types of data, and it would be useful to separate them. This is my taxonomy of social networking data. Service data. Service data is the data you need to give to a...
Stabbing People with Stuff You Can Get Through Airport Security
"Use of a pig model to demonstrate vulnerability of major neck vessels to inflicted trauma from common household items," from the American Journal of Forensic Medical Pathology. Abstract. Commonly available items including a ball point pen, a plastic knife, a broken wine bottle, and a broken wine glass were used to inflict stab and incised wounds to the necks of...
How Smart are Islamic Terrorists?
Organizational Learning and Islamic Militancy (May 2009) was written by Michael Kenney for the U.S. Department of Justice. It's long: 146 pages. From the executive summary: Organizational Learning and Islamic Militancy contains significant findings for counter-terrorism research and policy. Unlike existing studies, this report suggests that the relevant distinction in knowledge learned by terrorists is not between tacit and explicit...
Quantum Ghost Imaging
This is cool: Ghost imaging is a technique that allows a high-resolution camera to produce an image of an object that the camera itself cannot see. It uses two sensors: one that looks at a light source and another that looks at the object. These sensors point in different directions. For example, the camera can face the sun and the...
Secret Knock Lock
Door lock that opens if you tap a particular rhythm....
A Useful Side-Effect of Misplaced Fear
A study in the British Journal of Criminology makes the point that drink-spiking date-raping is basically an urban legend: Abstract. There is a stark contrast between heightened perceptions of risk associated with drug-facilitated sexual assault (DFSA) and a lack of evidence that this is a widespread threat. Through surveys and interviews with university students in the United Kingdom and United...
Public Reactions to Terrorist Threats
Interesting research: For the last five years we have researched the connection between times of terrorist threats and public opinion. In a series of tightly designed experiments, we expose subsets of research participants to a news story not unlike the type that aired last week. We argue that attitudes, evaluations, and behaviors change in at least three politically-relevant ways when...
Bruce Schneier Action Figure
A month ago, ThatsMyFace.com approached me about making a Bruce Schneier action figure. It's $100. I'd like to be able to say something like "half the proceeds are going to EPIC and EFF," but they're not. That's the price for custom orders. I don't even get a royalty. The company is working on lowering the price, and they've said that...
Blowfish in Fiction
The algorithm is mentioned in Von Neumann's War, by John Ringo and Travis Taylor. P. 495: The guy was using a fairly simple buffer overflow attack but with a very nice little fillip of an encryption packet designed to overcome Blowfish. The point seemed to be to create a zero day exploit, which he didn't have a chance of managing....
Video Interview with Me
Here's an interview with me, conducted at the Information Security Decisions conference in Chicago in October....
Beyond Security Theater
[I was asked to write this essay for the New Internationalist (n. 427, November 2009, pp. 10-13). It's nothing I haven't said before, but I'm pleased with how this essay came together.] Terrorism is rare, far rarer than many people think. It's rare because very few people want to commit acts of terrorism, and executing a terrorist plot is much...
FBI/CIA/NSA Information Sharing Before 9/11
It's conventional wisdom that the legal "wall" between intelligence and law enforcement was one of the reasons we failed to prevent 9/11. The 9/11 Commission evaluated that claim, and published a classified report in 2004. The report was released, with a few redactions, over the summer: "Legal Barriers to Information Sharing: The Erection of a Wall Between Intelligence and Law...
Security in a Reputation Economy
In the past, our relationship with our computers was technical. We cared what CPU they had and what software they ran. We understood our networks and how they worked. We were experts, or we depended on someone else for expertise. And security was part of that expertise. This is changing. We access our email via the web, from any computer...
Hacking the Brazil Power Grid
We've seen lots of rumors about attacks against the power grid, both in the U.S. and elsewhere, of people hacking the power grid. Seems like the source of these rumors has been Brazil: Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three...
Thieves Prefer Stealing Black Luggage
It's obvious why if you think about it: Thieves prefer to steal black luggage because so much of it looks alike. If the thief is caught red-handed by the bag's owner, he only has to say sorry, it looks just like mine. And he's out of there. Scott free. Read the news story that prompted this blog post. I had...
Protecting OSs from RootKits
Interesting research: "Countering Kernel Rootkits with Lightweight Hook Protection," by Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. Abstract: Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits...
Is Antivirus Dead?
Security is never black and white. If someone asks, "for best security, should I do A or B?" the answer almost invariably is both. But security is always a trade-off. Often it's impossible to do both A and B -- there's no time to do both, it's too expensive to do both, or whatever -- and you have to choose....
John Mueller on Zazi
I have refrained from commenting on the case against Najibullah Zazi, simply because it's so often the case that the details reported in the press have very little to do with reality. My suspicion was that, as in so many other cases, he was an idiot who couldn't do any real harm and was turned into a bogeyman for political...
Laissez-Faire Access Control
Recently I wrote about the difficulty of making role-based access control work, and how research at Dartmouth showed that it was better to let people take the access control they need to do their jobs, and audit the results. This interesting paper, "Laissez-Faire File Sharing," tries to formalize this sort of access control. Abstract: When organizations deploy file systems with...
The Doghouse: ADE 651
A divining rod to find explosives in Iraq: ATSC's promotional material claims that its device can find guns, ammunition, drugs, truffles, human bodies and even contraband ivory at distances up to a kilometer, underground, through walls, underwater or even from airplanes three miles high. The device works on “electrostatic magnetic ion attraction,” ATSC says. To detect materials, the operator puts...
Mossad Hacked Syrian Official's Computer
It was unattended in a hotel room at the time: Israel's Mossad espionage agency used Trojan Horse programs to gather intelligence about a nuclear facility in Syria the Israel Defense Forces destroyed in 2007, the German magazine Der Spiegel reported Monday. According to the magazine, Mossad agents in London planted the malware on the computer of a Syrian official who...
The Problems with Unscientific Security
From the Open Access Journal of Forensic Psychology, by a whole list of authors: "A Call for Evidence-Based Security Tools": Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions offered today, however, lack scientific underpinning. We...
Fear and Overreaction
It's hard work being prey. Watch the birds at a feeder. They're constantly on alert, and will fly away from food -- from easy nutrition -- at the slightest movement or sound. Given that I've never, ever seen a bird plucked from a feeder by a predator, it seems like a whole lot of wasted effort against not very big...
Zero-Tolerance Policies
Recent stories have documented the ridiculous effects of zero-tolerance weapons policies in a Delaware school district: a first-grader expelled for taking a camping utensil to school, a 13-year-old expelled after another student dropped a pocketknife in his lap, and a seventh-grader expelled for cutting paper with a utility knife for a class project. Where's the common sense? the editorials cry....
Detecting Terrorists by Smelling Fear
Really: The technology relies on recognising a pheromone - or scent signal - produced in sweat when a person is scared. Researchers hope the 'fear detector' will make it possible to identify individuals at check points who are up to no good. Terrorists with murder in mind, drug smugglers, or criminals on the run are likely to be very fearful...
The FBI and Wiretaps
To aid their Wall Street investigations, the FBI used DCSNet, their massive surveillance system. Prosecutors are using the FBI's massive surveillance system, DCSNet, which stands for Digital Collection System Network. According to Wired magazine, this system connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It can be used to instantly wiretap almost...
Friday Squid Blogging: Humboldt Squid in Canada
They're washing ashore on Vancouver Island. Scientists have begun attaching tracking devices to squid off the coast of Vancouver Island to find out why the marine animals have wandered so far from their traditional territory. They also hope to find out why the squid have been beaching themselves and dying by the hundreds this summer near the town of Tofino...
Attacking U.S. Critical Infrastructure
Squirrel terrorists. We have a cognitive bias to exaggerate risks caused by other humans, and downplay risks caused by animals (and, even more, by natural phenomena)....
Report on Chinese Cyberwarfare Capability
"Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," prepared for the US-China Economic and Security Review Commission, Northrop Grumman Corporation, October 9, 2009. I have not read it yet. Post the interesting bits in comments, if there are any....
DDNI for Collection Press Conference
The U.S. Deputy Director of National Intelligence for Collection gives a press conference on the new Utah data collection facility: video and transcript....
A Critical Essay on the TSA
A critical essay on the TSA from a former assistant police chief: This is where I find myself now obsessing over TSA policy, or its apparent lack. Every one of us goes to work each day harboring prejudice. This is simply human nature. What I have witnessed in law enforcement over the course of the last two decades serves to...
Best Buy Sells Surveillance Tracker
Only $99.99: Keep tabs on your child at all times with this small but sophisticated device that combines GPS and cellular technology to provide you with real-time location updates. The small and lightweight Little Buddy transmitter fits easily into a backpack, lunchbox or other receptacle, making it easy for your child to carry so you can check his or her...
Psychology and Security Resource Page
Ross Anderson has put together a great resource page on security and psychology: At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting...
2006 Wal-Mart Hack
Interesting story of a 2006 Wal-Mart hack from, probably, Minsk....
CIA Invests in Social-Network Datamining
From Wired: In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It's part of a larger movement within the spy services to get better at using "open source intelligence" -- information that's publicly available, but often hidden in the flood of TV...
Friday Squid Blogging: Draw-a-Squid Contest
Draw a squid, win Jeff Vandermeer's Ambergris novels....
"Evil Maid" Attacks on Encrypted Hard Drives
Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this: Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then...
James Bamford on the NSA
James Bamford -- author of The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America writes about the NSA's new data center in Utah as he reviews another book: The Secret Sentry: The Untold History of the National Security Agency: Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report...
Ballmer Blames the Failure of Windows Vista on Security
According to the Telegraph: Mr Ballmer said: "We got some uneven reception when [Vista] first launched in large part because we made some design decisions to improve security at the expense of compatibility. I don't think from a word-of-mouth perspective we ever recovered from that." Commentary: Vista's failure and Ballmer's faulting security is a bit of being careful for what...
Australia Man Receives Reduced Sentence Due to Encryption
From the Courier-Mail: A man who established a sophisticated network of peepholes and cameras to spy on his flatmates has escaped a jail sentence after police were unable to crack an encryption code on his home computer. [...] They found a series of holes drilled in to walls and ceilings throughout the Surfers Paradise apartment with wires leading back to...
TSA Successfully Defends Itself
Story here. Basically, a woman posts a horrible story of how she was mistreated by the TSA, and the TSA responds by releasing the video showing that she was lying. There was a similar story in 2007. Then, I wrote: Why is it that we all -- myself included -- believe these stories? Why are we so quick to assume...
Computer Card Counter Detects Human Card Counters
All it takes is a computer that can track every card: The anti-card-counter system uses cameras to watch players and keep track of the actual "count" of the cards, the same way a player would. It also measures how much each player is betting on each hand, and it syncs up the two data points to look for patterns in...
Six Years of Patch Tuesdays
Nice article summing up six years of Microsoft Patch Tuesdays: The total number of flaws disclosed and patched by the software maker so far this year stands at around 160, more than the 155 or so that Microsoft reported for all of 2008. The number of flaws reported in Microsoft products over the last two years is more than double...
Helpful Hint for Fugitives: Don't Update Your Location on Facebook
"Fugitive caught after updating his status on Facebook." It's easy to say "so dumb," and it would be true, but what's interesting is how people just don't think through the privacy implications of putting their information on the Internet. Facebook is how we interact with friends, and we think of it in the frame of interacting with friends. We don't...
The Commercial Speech Arms Race
A few years ago, a company began to sell a liquid with identification codes suspended in it. The idea was that you would paint it on your stuff as proof of ownership. I commented that I would paint it on someone else's stuff, then call the police. I was reminded of this recently when a group of Israeli scientists demonstrated...
The Bizarre Consequences of "Zero Tolerance" Weapons Policies at Schools
Good article: Zachary's offense? [He's six years old.] Taking a camping utensil that can serve as a knife, fork and spoon to school. He was so excited about recently joining the Cub Scouts that he wanted to use it at lunch. School officials concluded that he had violated their zero-tolerance policy on weapons, and Zachary was suspended and now faces...
The Doghouse: Privacy Inside
I'm just going to quote without comment: About the file: the text message file encrypted with a symmetric key combine 3 modes 1st changing the original text with random (white noise) and PHR (Pure Human Randomness) shuffle command , move and replace instruction combine with the key from mode 1 (white noise) and 2 (PHR) 2nd mode xor PHR...
David Dittrich on Criminal Malware
Good essay: "Malware to crimeware: How far have they gone, and how do we catch up?" ;login:, August 2009: I have survived over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on subtle social engineering tactics, advanced cryptographic techniques to defeat takeover and analysis, and highly targeted attacks...
Wi-fi Blocking Paint
I wrote about this in 2004. This is an improved product: While paints blocking lower frequencies have been available for some time, Mr Ohkoshi's technology is the first to absorb frequencies transmitting at 100GHz (gigahertz). Signals carrying a larger amount of data -- such as wireless internet -- travel at a higher frequency than, for example, FM radio....
Pigs Defeating RFID-Enabled Feeding Systems
Pretty clever (for a pig, that is)....
1,000 Cybersecurity Experts
Yesterday, DHS Secretary Janet Napolitano said that the U.S. needed to hire 1,000 cybersecurity experts over the next three years. Bob Cringely doubts that there even are 1,000 cybersecurity experts out there to hire. I suppose it depends on what she meant by "expert."...
The Futility of Defending the Targets
This is just silly: Beaver Stadium is a terrorist target. It is most likely the No. 1 target in the region. As such, it deserves security measures commensurate with such a designation, but is the stadium getting such security? [...] When the stadium is not in use it does not mean it is not a target. It must be watched...
Detecting Forged Signatures Using Pen Pressure and Angle
Interesting: Songhua Xu presented an interesting idea for measuring pen angle and pressure to present beautiful flower-like visual versions of a handwritten signature. You could argue that signatures are already a visual form, nicely identifiable and universal. However, with the added data about pen pressure and angle, the authors were able to create visual signatures that offer potentially greater security,...
Hotel Safe Scam
This is interesting: Since then, his scams have tended to take place in luxury hotels around the world. Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe. When hotel staff helped him to open the safe, he would pocket the contents and make...
Detecting People Who Want to Do Harm
I'm dubious: At a demonstration of the technology this week, project manager Robert P. Burns said the idea is to track a set of involuntary physiological reactions that might slip by a human observer. These occur when a person harbors malicious intent–but not when someone is late for a flight or annoyed by something else, he said, citing years of...
Computer-Assisted Witness Identification
Witnesses are much more accurate at identifying criminals when computers assist in the identification process, not police officers. A major cause of miscarriages of justice could be avoided if computers, rather than detectives, guided witnesses through the identification of suspects. That's according to Brent Daugherty at the University of North Carolina in Charlotte and colleagues, who say that too often...
Don't Let Hacker Inmates Reprogram Prison Computers
You'd think this would be obvious: Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written. He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then...
Malware that Forges Bank Statements
This is brilliant: The sophisticated hack uses a Trojan horse program installed on the victim's machine that alters html coding before it's displayed in the user's browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances. Another article. If there's a moral here, it's that banks...
UK Defense Security Manual Leaked
Wow. It's over 2,000 pages, so it'll take time to make any sense of. According to Ross Anderson, who's given it a quick look over, "it seems to be the bureaucratic equivalent of spaghetti code: a hodgepodge of things written by people from different backgrounds, and with different degrees of clue, in different decades." The computer security stuff starts at...
Moving Hippos in the Post-9/11 World
It's a security risk: The crate was hoisted onto the flatbed with a 120-ton construction crane. For security reasons, there were no signs on the truck indicating that the cargo was a hippopotamus, the zoo said. The last thing you need is a hijacked hippo. Does this make any sense? Has there ever been a zoo animal hijacking anywhere?...
Actual DHS Travel Record
If you were curious what the DHS knows about you....
"Security Theater in New York City"
For the U.N. General Assembly: For those entranced by security theater, New York City is a sight to behold this week. A visit to one of the two centers of the action -- the Waldorf Astoria, where the presidents of China, Russia, the Prime Ministers of Israel and the Palestinian Authority, and the President of the United States -- are...
Proving a Computer Program's Correctness
This is interesting: Professor Gernot Heiser, the John Lions Chair in Computer Science in the School of Computer Science and Engineering and a senior principal researcher with NICTA, said for the first time a team had been able to prove with mathematical rigour that an operating-system kernel -- the code at the heart of any computer or microprocessor -- was 100 per cent bug-free...
Reproducing Keys from Photographs
Reproducing keys from distant and angled photographs: Abstract: The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private --- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present...
Nice Use of Diversion During a Robbery
During a daring bank robbery in Sweden that involved a helicopter, the criminals disabled a police helicopter by placing a package with the word "bomb" near the helicopter hangar, thus engaging the full caution/evacuation procedure while they escaped. I wrote about this exact sort of thing in Beyond Fear....
Immediacy Affects Risk Assessments
New experiment demonstrates what we already knew: That's because people tend to view their immediate emotions, such as their perceptions of threats or risks, as more intense and important than their previous emotions. In one part of the study focusing on terrorist threats, using materials adapted from the U.S. Department of Homeland Security, Van Boven and his research colleagues presented...
The Doghouse: Crypteto
Crypteto has a 49,152-bit symmetric key: The most important issue of any encryption product is the 'bit key strength'. To date the strongest known algorithm has a 448-bit key. Crypteto now offers a 49,152-bit key. This means that for every extra 1 bit increase that Crypteto has over its competition makes it 100% stronger. The security and privacy this offers...
The Problem of Vague Laws
The average American commits three felonies a day: the title of a new book by Harvey Silverglate. More specifically, the problem is the intersection of vague laws and fast-moving technology: Technology moves so quickly we can barely keep up, and our legal system moves so slowly it can't keep up with itself. By design, the law is built up over...
Predicting Characteristics of People by the Company they Keep
Turns out "gaydar" can be automated: Using data from the social network Facebook, they made a striking discovery: just by looking at a person's online friends, they could predict whether the person was gay. They did this with a software program that looked at the gender and sexuality of a person's friends and, using statistical analysis, made a prediction. The...
Unauthentication
In computer security, a lot of effort is spent on the authentication problem. Whether it's passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated -- and hopefully more secure -- ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank...
Ass Bomber
Nobody tell the TSA, but last month someone tried to assassinate a Saudi prince by exploding a bomb stuffed in his rectum. He pretended to be a repentant militant, when in fact he was a Trojan horse: The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince -- the target of al-Asiri's unsuccessful assassination attempt. Other...
Friday Squid Blogging: 20-Foot Squid Caught in the Gulf of Mexico
First one sighted in the Gulf since 1954: The new specimen, weighing 103 pounds, was found during a preliminary survey of the Gulf during which scientists hope to identify the types of fish and squid that sperm whales feed on. The squid, like other deep catches, was dead when brought to the surface because the animals can't survive the rapid...
Texas Instruments Signing Keys Broken
Texas Instruments' calculators use RSA digital signatures to authenticate any updates to their operating system. Unfortunately, their signing keys are too short: 512-bits. Earlier this month, a collaborative effort factored the moduli and published the private keys. Texas Instruments responded by threatening websites that published the keys with the DMCA, but it's too late. So far, we have the operating-system...
The Onion on Security
"Authorities Called in to Examine Suspicious-Looking Ham."...
Sears Spies on its Customers
It's not just hackers who steal financial and medical information: Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more...
Monopoly Sets for WWII POWs: More Information
I already blogged about this; there's more information in this new article: Included in the items the German army allowed humanitarian groups to distribute in care packages to imprisoned soldiers, the game was too innocent to raise suspicion. But it was the ideal size for a top-secret escape kit that could help spring British POWs from German war camps. The...
Eliminating Externalities in Financial Security
This is a good thing: An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers' user name and password. [...] In February 2007, someone with a different IP address than...
Quantum Computer Factors the Number 15
This is an important development: Shor's algorithm was first demonstrated in a computing system based on nuclear magnetic resonance -- manipulating molecules in a solution with strong magnetic fields. It was later demonstrated with quantum optical methods but with the use of bulk components like mirrors and beam splitters that take up an unwieldy area of several square meters. Last...
Hacking Two-Factor Authentication
Back in 2005, I wrote about the failure of two-factor authentication to mitigate banking fraud: Here are two new active attacks we're starting to see: Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done...
Inferring Friendship from Location Data
Interesting: For nine months, Eagle's team recorded data from the phones of 94 students and staff at MIT. By using blue-tooth technology and phone masts, they could monitor the movements of the participants, as well as their phone calls. Their main goal with this preliminary study was to compare data collected from the phones with subjective self-report data collected through...
Terrorist Havens
Good essay on "terrorist havens" -- like Afghanistan -- and why they're not as big a worry as some maintain: Rationales for maintaining the counterinsurgency in Afghanistan are varied and complex, but they all center on one key tenet: that Afghanistan must not be allowed to again become a haven for terrorist groups, especially al-Qaeda. [...] The debate has largely...
Friday Squid Blogging: Embracing Your Inner Squid
Interview with Jonathan Coulton....
Modifying the Color-Coded Threat Alert System
I wrote about the DHS's color-coded threat alert system in 2003, in Beyond Fear: The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is...
Printing Police Handcuff Keys
Using a 3D printer. Impressive. At the end of the day he talked the officers into trying the key on their handcuffs and ... it did work! At least the Dutch Police now knows there is a plastic key on the market that will open their handcuffs. A plastic key undetectable by metal detectors...
Skein News
Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small "tweaks" to their algorithms. We've tweaked the rotation constants of Skein. This change does not affect Skein's performance in any way. The revised Skein paper contains the new rotation constants,...
Robert Sawyer's Alibis
Back in 2002, science fiction author Robert J. Sawyer wrote an essay about the trade-off between privacy and security, and came out in favor of less privacy. I disagree with most of what he said, and have written pretty much the opposite essay -- and others on the value of privacy and the future of privacy -- several times since...
Friday Squid Blogging: Stinky Squid
It's a mushroom: Pseudocolus fusiformis....
Schneier on "The Future of the Security Industry"
Here's a video of a talk I gave at an OWASP meeting in August....
Eighth Anniversary of 9/11
On September 30, 2001, I published a special issue of Crypto-Gram discussing the terrorist attacks. I wrote about the novelty of the attacks, airplane security, diagnosing intelligence failures, the potential of regulating cryptography -- because it could be used by the terrorists -- and protecting privacy and liberty. Much of what I wrote is still relevant today: Appalled by the...
File Deletion
File deletion is all about control. This used to not be an issue. Your data was on your computer, and you decided when and how to delete a file. You could use the delete function if you didn't care about whether the file could be recovered or not, and a file erase program -- I use BCWipe for Windows --...
Demonstration of a Liquid Explosive
The BBC has a video demonstration of a 16-ounce bottle of liquid blowing a hole in the side of a plane. I know no more details other than what's in the video....
NSA Intercepts Used to Convict Liquid Bombers
Three of the UK liquid bombers were convicted Monday. NSA-intercepted e-mail was introduced as evidence in the trial: The e-mails, several of which have been reprinted by the BBC and other publications, contained coded messages, according to prosecutors. They were intercepted by the NSA in 2006 but were not included in evidence introduced in a first trial against the three...
The Global Illicit Economy
Interesting video: A new class of global actors is playing an increasingly important role in globalization: smugglers, warlords, guerrillas, terrorists, gangs, and bandits of all stripes. Since the end of the Cold War, the global illicit economy has consistently grown at twice the rate of the licit global economy. Increasingly, illicit actors will represent not just an economic but a...
David Kilcullen on Security and Insurgency
Very interesting hour-long interview. Australian-born David Kilcullen was the senior advisor to US General David Petraeus during his time in Iraq, advising on counterinsurgency. The implementation of his strategies is now regarded as a major turning point in the war. Here, in a fascinating discussion with human rights lawyer Julian Burnside at the Melbourne Writers' Festival, he talks about the...
Subpoenas as a Security Threat
Blog post from Ed Felten: Usually when the threat model mentions subpoenas, the bigger threats in reality come from malicious intruders or insiders. The biggest risk in storing my documents on CloudCorp's servers is probably that somebody working at CloudCorp, or a contractor hired by them, will mess up or misbehave. So why talk about subpoenas rather than intruders or...
"The Cult of Schneier"
If there's actually a cult out there, I want to hear about it. In an essay by that name, John Viega writes about the dangers of relying on Applied Cryptography to design cryptosystems: But, after many years of evaluating the security of software systems, I'm incredibly down on using the book that made Bruce famous when designing the cryptographic aspects...
Real-World Access Control
Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant. So a...
The History of One-Time Pads and the Origins of SIGABA
Blog post from Steve Bellovin: It is vital that the keystream values (a) be truly random and (b) never be reused. The Soviets got that wrong in the 1940s; as a result, the U.S. Army's Signal Intelligence Service was able to read their spies' traffic in the Venona program. The randomness requirement means that the values cannot be generated by...
The Exaggerated Fears of Cyber-War
Good article, which basically says that our policies are based more on fear than on reality. On cyber-terrorism: So why is there so much concern about "cyber-terrorism"? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies -- which need to justify their own existence -- and cyber-security companies -- which derive commercial benefits from popular...
Hacking Swine Flu
Interesting: So how many bits are in this instance of H1N1? The raw number of bits, by my count, is 26,022; the actual number of coding bits approximately 25,054 -- I say approximately because the virus does the equivalent of self-modifying code to create two proteins out of a single gene in some places (pretty interesting stuff actually), so it's...
Matthew Weigman
Fascinating story of a 16-year-old blind phone phreaker. One afternoon, not long after Proulx was swatted, Weigman came home to find his mother talking to what sounded like a middle-aged male. The man introduced himself as Special Agent Allyn Lynd of the FBI's cyber squad in Dallas, which investigates hacking and other computer crimes. A West Point grad, Lynd had...
On London's Surveillance Cameras
A recent report has concluded that the London's surveillance cameras have solved one crime per thousand cameras per year. David Davis MP, the former shadow home secretary, said: "It should provoke a long overdue rethink on where the crime prevention budget is being spent." He added: "CCTV leads to massive expense and minimum effectiveness. "It creates a huge intrusion on...
Friday Squid Blogging: Squid Police
I like to think this isn't a typo....
The Security Risks of Accepting Free Laptops
Weird: The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the U.S., including West Virginia Governor Joe Manchin and Wyoming Governor Dave Freudenthal. Some state officials are worried that they may contain malicious software....
Marine Worms with Glowing Bombs
More security stories from the natural world: During chase scenes, movie protagonists often make their getaway by releasing some sort of decoy to cover their escape or distract their pursuer. But this tactic isn't reserved for action heroes -- some deep-sea animals also evade their predators by releasing decoys -- glowing ones. Karen Osborn from the Scripps Institute of Oceanography has discovered seven new...
Banning Beer Glasses in Pubs
Not beer, just the glasses: The Home Office has commissioned a new design, in an attempt to stop glasses being used as weapons. Official figures show 5,500 people are attacked with glasses and bottles every year in England and Wales. The British Beer and Pub Association said it did not want the new plastic glasses to be made compulsory. I...
Stealing 130 Million Credit Card Numbers
Someone has been charged with stealing 130 million credit card numbers. Yes, it's a lot, but that's the sort of quantities credit card numbers come in. They come by the millions, in large database files. Even if you only want ten, you have to steal millions. I'm sure every one of us has a credit card in our wallet whose...
Manipulating Breathalyzers
Interesting video demonstrating how a policeman can manipulate the results of a Breathalyzer....
Small Business Identity Theft and Fraud
The sorts of crimes we've been seeing perpetrated against individuals are starting to be perpetrated against small businesses: In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000. In many cases,...
Actual Security Theater
As part of their training, federal agents engage in mock exercises in public places. Sometimes, innocent civilians get involved. Every day, as Washingtonians go about their overt lives, the FBI, CIA, Capitol Police, Secret Service and U.S. Marshals Service stage covert dramas in and around the capital where they train. Officials say the scenarios help agents and officers integrate the...
Non-Randomness in Coin Flipping
It turns out that flipping a coin has all sorts of non-randomness: Here are the broad strokes of their research: If the coin is tossed and caught, it has about a 51% chance of landing on the same face it was launched. (If it starts out as heads, there's a 51% chance it will end as heads). If the coin...
Modeling Zombie Outbreaks
The math doesn't look good: "When Zombies Attack!: Mathematical Modelling of an Outbreak of Zombie Infection." An outbreak of zombies infecting humans is likely to be disastrous, unless extremely aggressive tactics are employed against the undead. While aggressive quarantine may eradicate the infection, this is unlikely to happen in practice. A cure would only result in some humans surviving the...
Friday Squid Blogging: Jurassic Squid
Neat: Palaeontologists have drawn with ink extracted from a preserved fossilised squid uncovered during a dig in Trowbridge, Wiltshire. The fossil, thought to be 150 million years old, was found when a rock was cracked open, revealing the one-inch-long black ink sac. The calcified ink was ground with a solution of ammonia to turn it into ink. Another article....
Embarrassing Terrorist Failures
From the humor website Cracked: "The 5 Most Embarrassing Failures in the History of Terrorism." Yes, it's funny. But remember that these are the terrorist masterminds that politicians invoke to keep us scared. My 2007 essay, "Portrait of the Modern Terrorist as an Idiot," is also relevant. But less funny....
Hacking the Assa Solo Lock
Marc Weber Tobias again: The new Assa Solo was recently introduced in Europe and we believe is the latest Cliq design. We were provided with samples and were able to show a reporter for Wired's Threat Level how to completely circumvent the electronic credentials in less than thirty seconds, which she easily accomplished. This is the latest and most current...
Developments in Lie Detection
Interesting: Scientists looking for better ways to detect lies have found a promising one: increasing suspects' "cognitive load." For a host of reasons, their theory goes, lying is more mentally taxing than telling the truth. Performing an extra task while lying or telling the truth should therefore affect the liars more. To test this idea, deception researchers led by psychologist...
The Continuing Cheapening of the Word "Terrorism"
"Terroristic threats"? A pickup truck driver is accused of trying to run over a bicyclist and then coming after him brandishing an ax after a road-rage incident in Burnsville last weekend. The driver, Mitchel J. Pieper, 32, of Burnsville, was charged in Dakota County District Court on Tuesday with making terroristic threats, a felony, in connection with the altercation Saturday....
Fabricating DNA Evidence
This isn't good: The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person. [...] The planting...
Movie-Plot Threat Alert: Robot Suicide Bombers
Let's all be afraid: But it adds: "Robots that effectively mimic human appearance and movements may be used as human proxies." It raised the prospects of terrorists using robots to plant and detonate bombs or even replacing human suicide bombers. A Home Office spokeswoman said: "This strategy looks at how technology might develop in future. "Clearly it is important that...
Flash Cookies
Flash has the equivalent of cookies, and they're hard to delete: Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not. What's even sneakier? Several...
EFF on Locational Privacy
Excellent paper: "On Locational Privacy, and How to Avoid Losing it Forever." Some threats to locational privacy are overt: it's evident how cameras backed by face-recognition software could be misused to track people and record their movements. In this document, we're primarily concerned with threats to locational privacy that arise as a hidden side-effect of clearly useful location-based services. We...
Man-in-the-Middle Trucking Attack
Clever: For over three years the pair hacked into a Department of Transportation website called Safersys.org, which maintains a list of licensed interstate-trucking companies and brokers, according to an affidavit (.pdf) filed by a DOT investigator. There, they would temporarily change the contact information for a legitimate trucking company to an address and phone number under their control. The men...
Lockpicking and the Internet
Physical locks aren't very good. They keep the honest out, but any burglar worth his salt can pick the common door lock pretty quickly. It used to be that most people didn't know this. Sure, we all watched television criminals and private detectives pick locks with an ease only found on television and thought it realistic, but somehow we still...
An Ethical Code for Intelligence Officers
August's Communications of the ACM has an interesting article: "An Ethics Code for U.S. Intelligence Officers," by former NSAers Brian Snow and Clint Brooks. The article is behind a paywall, but here's the code: Draft Statement of Ethics for the Intelligence Community Preamble: Intelligence work may present exceptional or unusual ethical dilemmas beyond those of ordinary life. Ethical thinking and...
Self-Enforcing Protocols
There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain (to the police, a judge, or his parents) if he doesn't...
Password Advice
Here's some complicated advice on securing passwords that -- I'll bet -- no one follows. DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod's Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you...
Friday Squid Blogging: Humboldt Squid is "Timid"
Contrary to my previous blog entry on the topic, Humboldt squid are really timid: Humboldt squid feed in surface waters at night, then retreat to great depths during daylight hours. "They spend the day 300 meters deep where oxygen levels are very low," Seibel said. "We wanted to know how they deal with so little oxygen." Seibel said that while...
Risk Intuition
People have a natural intuition about risk, and in many ways it's very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for. This struck me as I listened to yet another conference presenter complaining about security awareness...
How we Reacted to the Unexpected 75 Years Ago
From the International Herald Tribune: 1934 Dynamite Found On Track SPOKANE Discovery of a box of useless dynamite on the railway track two and a half miles southwest of this city led to special precautions being taken to guard the line over which President Roosevelt's train passed this morning [August 4] en route to Washington. Six deputy sheriffs guarded the...
Security vs. Usability
Good essay: "When Security Gets in the Way." The numerous incidents of defeating security measures prompts my cynical slogan: The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and...
Regulating Chemical Plant Security
The New York Times has an editorial on regulating chemical plants: Since Sept. 11, 2001, experts have warned that an attack on a chemical plant could produce hundreds of thousands of deaths and injuries. Public safety and environmental advocates have fought for strong safety rules, but the chemical industry used its clout in Congress in 2006 to ensure that only...
Too Many Security Warnings Results in Complacency
Research that proves what we already knew: Crying Wolf: An Empirical Study of SSL Warning Effectiveness Abstract. Web users are shown an invalid certificate warning when their browser cannot validate the identity of the websites they are visiting. While these warnings often appear in benign situations, they can also signal a man-in-the-middle attack. We conducted a survey of over 400...
Building in Surveillance
China is the world's most successful Internet censor. While the Great Firewall of China isn't perfect, it effectively limits information flowing in and out of the country. But now the Chinese government is taking things one step further. Under a requirement taking effect soon, every computer sold in China will have to contain the Green Dam Youth Escort software package....
Snake Oil Salesman
In cryptography, we've long used the term "snake oil" to refer to crypto systems with good marketing hype and little actual security. It's the phrase I generalized into "security theater." Well, it turns out that there really is a snake oil salesman....
Eve Ensler on Security
Interesting TED talk by Eve Ensler on security. She doesn't use any of the terms, but in the beginning she's echoing a lot of the current thinking about evolutionary psychology and how it relates to security....
Nuclear Self-Terrorization
More fearmongering. The headline is "Terrorists could use internet to launch nuclear attack: report." The subhead: "The risk of cyber-terrorism escalating to a nuclear strike is growing daily, according to a study." In the article: The claims come in a study commissioned by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND), which suggests that under the right circumstances, terrorists...
Another New AES Attack
A new and very impressive attack against AES has just been announced. Over the past couple of months, there have been two (the second blogged about here) new cryptanalysis papers on AES. The attacks presented in the paper are not practical -- they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that...
Risks of Cloud Computing
Excellent essay by Jonathan Zittrain on the risks of cloud computing: The cloud, however, comes with real dangers. Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody...
iPhone Encryption Useless
Interesting, although I want some more technical details. ...the new iPhone 3GS' encryption feature is "broken" when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said. Zdziarski said it's just as easy to access a user's private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first...
New Real Estate Scam
Clever: Nigerian scammers find homes listed for sale on these public search sites, copy the pictures and listings verbatim, and then post the information onto Craigslist under available housing rentals, without the consent or knowledge of Craigslist, who has been notified. After the posting is listed, unsuspecting individuals contact the poster, who is Nigerian, for more information on the "rental."...
Large Signs a Security Risk
A large sign saying "United States" at a border crossing was deemed a security risk: Yet three weeks ago, less than a month after the station opened, workers began prying the big yellow letters off the building's facade on orders from Customs and Border Protection. The plan is to dismantle the rest of the sign this week. "At the end...
Swiss Security Problem: Storing Gold
Seems like the Swiss may be running out of secure gold storage. If this is true, it's a real security issue. You can't just store the stuff behind normal locks. Building secure gold storage takes time and money. I am reminded of a related problem the EU had during the transition to the euro: where to store all the bills...
Tips for Staying Safe Online
This is funny: Tips for Staying Safe Online All citizens can follow a few simple guidelines to keep themselves safe in cyberspace. In doing so, they not only protect their personal information but also contribute to the security of cyberspace. Install anti-virus software, a firewall, and anti-spyware software to your computer, and update as necessary. Create strong passwords on your...
Friday Squid Blogging: Humboldt Squid Invasion
Yikes: Thousands of jumbo flying squid, aggressive 5-foot-long sea monsters with razor-sharp beaks and toothy tentacles, have invaded the shallow waters off San Diego, spooking scuba divers and washing up dead on beaches. They're aggressive: One diver described how one of the rust-coloured creatures ripped the buoyancy aid and light from her chest, and grabbed her with its tentacles. Very...
SHA-3 Second Round Candidates Announced
NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to...
Social Security Numbers are Not Random
Social Security Numbers are not random. In some cases, you can predict them with date and place of birth (http://www.wired.com/wiredscience/2009/07/predictingssn/). Abstract: Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that...
Mapping Drug Use by Testing Sewer Water
I wrote about this in 2007, but there's new research: Scientists from Oregon State University, the University of Washington and McGill University partnered with city workers in 96 communities, including Pendleton, Hermiston and Umatilla, to gather samples on one day, March 4, 2008. The scientists then tested the samples for evidence of methamphetamine, cocaine and ecstasy, or MDMA. Addiction specialists...
Verifiable Dismantling of Nuclear Bombs
Cryptography has zero-knowledge proofs, where Alice can prove to Bob that she knows something without revealing it to Bob. Here's something similar from the real world. It's a research project to allow weapons inspectors from one nation to verify the disarming of another nation's nuclear weapons without learning any weapons secrets in the process, such as the amount of nuclear...
Cybercrime Paper
"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke. Abstract: Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer...
Friday Squid Blogging: Bottled Water Plus Squid
Only in Japan: Bandai toy company from Japan has finally realized that bottles of water just aren't cute. As Japan is the cute capital of the world, this just wouldn't do. To fix the problem, they developed these adorable floating squids that can be added to any bottle of water. Thank god for Japanese innovation. Of course, they're only available...
Pepper Spray–Equipped ATMs
South Africa takes its security seriously. Here's an ATM that automatically squirts pepper spray into the face of "people tampering with the card slots." Sounds cool, but these kinds of things are all about false positives: But the mechanism backfired in one incident last week when pepper spray was inadvertently inhaled by three technicians who required treatment from paramedics. Patrick...
Privacy Salience and Social Networking Sites
Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience," and Leslie John, Alessandro Acquisti, and George Loewenstein -- all at Carnegie Mellon University -- demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behavior -- "Have you ever cheated on...
Laptop Security while Crossing Borders
Last year, I wrote about the increasing propensity for governments, including the U.S. and Great Britain, to search the contents of people's laptops at customs. What we know is still based on anecdote, as no country has clarified the rules about what their customs officers are and are not allowed to do, and what rights people have. Companies and individuals...
Data Leakage Through Power Lines
The NSA has known about this for decades: Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed. By analysing the information leaking onto power circuits, the researchers could see what a target was typing. The attack has been demonstrated to work at a distance of up to 15m, but...
Poor Man's Steganography
Hide files inside pdf documents: "embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader."...
Gaze Tracking Software Protecting Privacy
Interesting use of gaze tracking software to protect privacy: Chameleon uses gaze-tracking software and camera equipment to track an authorized reader's eyes to show only that one person the correct text. After a 15-second calibration period in which the software essentially "learns" the viewer's gaze patterns, anyone looking over that user's shoulder sees dummy text that randomly and constantly changes....
North Korean Cyberattacks
To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. "Cyber Blitz hits U.S., Korea" was the headline in Thursday's Wall Street Journal. North Korea was blamed. Where were you when North Korea attacked America? Did you feel the fury of North Korea's armies? Were you fearful for your country? Or did...
Strong Web Passwords
Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun. ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are...
Friday Squid Blogging: Humboldt Squid Caught Off Seattle
A hundred-pounder. They're still moving North....
Lost Suitcases in Airport Restrooms
Want to cause chaos at an airport? Leave a suitcase in the restroom: Three incoming flights from London were cancelled and about 150 others were delayed for up to three hours, while the army's bomb squad carried out its investigation, before giving the all-clear at about 5pm. Passengers were told to leave the arrivals hall, main check-in area at the...
Making an Operating System Virus Free
Commenting on Google's claim that Chrome was designed to be virus-free, I said: Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise. "It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible --...
NSA Building Massive Data Center in Utah
They're expanding: The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will...
The ATM Vulnerability You Won't Hear About
The talk has been pulled from the BlackHat conference: Barnaby Jack, a researcher with Juniper Networks, was to present a demonstration showing how he could jackpot a popular ATM brand by exploiting a vulnerability in its software. Jack was scheduled to present his talk at the upcoming Black Hat security conference being held in Las Vegas at the end of...
Homomorphic Encryption Breakthrough
Last month, IBM made some pretty brash claims about homomorphic encryption and the future of security. I hate to be the one to throw cold water on the whole thing -- as cool as the new discovery is -- but it's important to separate the theoretical from the practical. Homomorphic cryptosystems are ones where mathematical operations on the ciphertext have...
Spanish Police Foil Remote-Controlled Zeppelin Jailbreak
Sometimes movie plots actually happen: ...three people have been arrested after police discovered their plan to free a drug trafficker from an island prison using a 13-foot airship carrying night goggles, climbing gear and camouflage paint. [...] The arrested men had setup an elaborate surveillance operation of the prison that involved a camouflaged tent, powerful binoculars, telephoto lenses, and motion...
Court Limits on TSA Searches
This is good news: A federal judge in June threw out seizure of three fake passports from a traveler, saying that TSA screeners violated his Fourth Amendment rights against unreasonable search and seizure. Congress authorizes TSA to search travelers for weapons and explosives; beyond that, the agency is overstepping its bounds, U.S. District Court Judge Algenon L. Marbley said. "The...
Why People Don't Understand Risks
Yesterday's Minneapolis Star Tribune had the front-page headline: "Co-sleeping kills about 20 infants each year." (The headline in the web article is different.) The only problem is, in either case, there's no additional information with which to make sense of the statistic. How many infants don't die each year? How many infants die each year in separate beds? Is the...
More Low-Tech Security Solutions
Anti-theft lunch bags, for those who have a problem with their lunches being stolen. Only works until the thief figures it out, though....
Pocketless Trousers to Protect Against Bribery
I wonder if it will work. Nepal's anti-corruption authority has come up with a novel solution to rampant bribe-taking at the country's only international airport -- the pocketless trouser. The authority said it was issuing the new, bribe-proof garment to all airport officials after uncovering widespread corruption at Kathmandu's Tribhuvan International Airport....
Terrorist Risk of Cloud Computing
I don't even know where to begin on this one: As we have seen in the past with other technologies, while cloud resources will likely start out decentralized, as time goes by and economies of scale take hold, they will start to collect into mega-technology hubs. These hubs could, as the end of this cycle, number in the low single...
The Pros and Cons of Password Masking
Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong. I was certainly too glib. Like any security countermeasure, password...
The Insecurity of Secrecy
Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy. Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by...
Information Leakage from Keypads
Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234....
More Security Countermeasures from the Natural World
The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it. She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten...
MD6 Withdrawn from SHA-3 Competition
In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward. Basically, the issue is that in order for MD6 to be...
New Attack on AES
There's a new cryptanalytic attack on AES that is better than brute force: Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher...
Security, Group Size, and the Human Brain
If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with. Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking"...
Cryptography Spam
I think this is a first. Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can...
Growth of the CSE
The Communication Security Establishment (CSE, basically Canada's NSA) is growing so fast they're running out of room and building new office buildings....
Anti-Stab Knife
I've already written about the risks of pointy knives. This no-stabbing knife is the solution, and seems not to be a joke. EDITED TO ADD (7/1): Some people have taken this blog post to imply that I am endorsing these knives. These are obviously not regular readers of mine. (For my part, I'm going to buy a very sharp and...
Protecting Against the Snatched Laptop Data Theft
Almost two years ago, I wrote about my strategy for encrypting my laptop. One of the things I said was: There are still two scenarios you aren't secure against, though. You're not secure against someone snatching your laptop out of your hands as you're typing away at the local coffee shop. And you're not secure against the authorities telling you...
Fake Receipts
For all of you who want to scam your company's expense reimbursement system. I've heard of sites where you give them a range of dates and a city, and they give you a full set of receipts for a trip to that city: airfare, hotel, meals, everything -- but I can't find a website....
The Problem with Password Masking
I agree with this: It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply. Most websites (and many other applications) mask passwords as users type them, and thereby theoretically...
Clear Shuts Down Operation
Clear, the company that sped people through airport security, has ceased operations. My first question: what happened to all that personal information it collected on its members? An answer appeared on its website: Applicant and Member data is currently secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards. Verified Identity Pass, Inc. will continue to secure...
Authenticating Paperwork
It's a sad, horrific story. Homeowner returns to find his house demolished. The demolition company was hired legitimately but there was a mistake and it demolished the wrong house. The demolition company relied on GPS co-ordinates, but requiring street addresses isn't a solution. A typo in the address is just as likely, and it would have demolished the house just...
Workshop on Economics of Information Security
I'm at the 8th Workshop on Economics and Information Security at University College London (field trip to see Jeremy Bentham). Ross Anderson liveblogged the event. I wrote about WEIS 2006 back in 2006....
Fixing Airport Security
It's been months since the Transportation Security Administration has had a permanent director. If, during the job interview (no, I didn't get one), President Obama asked me how I'd fix airport security in one sentence, I would reply: "Get rid of the photo ID check, and return passenger screening to pre-9/11 levels." Okay, that's a joke. While showing ID, taking...
Research on the Security of Online Games
The May/June 2009 issue of IEEE Security and Privacy contains five articles about the security of online games. Unfortunately, the articles are all behind paywalls....
John Walker and the Fleet Broadcasting System
Ph.D. thesis from 2001: An Analysis of the Systemic Security Weaknesses of the U.S. Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, by MAJ Laura J. Heath Abstract: CWO John Walker led one of the most devastating spy rings ever unmasked in the US. Along with his brother, son, and friend, he compromised US Navy cryptographic systems...
The Iranian Firewall
Two blog posts on Iran's attempts to censor the Internet...
Eavesdropping on Dot-Matrix Printers by Listening to Them
Interesting research. First, we develop a novel feature design that borrows from commonly used techniques for feature extraction in speech recognition and music processing. These techniques are geared towards the human ear, which is limited to approx. 20 kHz and whose sensitivity is logarithmic in the frequency; for printers, our experiments show that most interesting features occur above 20 kHz,...
John Mueller on Nuclear Disarmament
The New York Times website has a blog called "Room for Debate," where a bunch of people -- experts in their areas -- write short essays commenting on a news item. (I participated a few weeks ago.) Earlier this month, there was a post on nuclear disarmament, following President Obama's speech in Cairo that mentioned the subject. One of the...
Engineers More Likely to Become Muslim Terrorists
Time to start profiling....
This Week's Movie-Plot Threat: Fungus
I had been wondering whether to post this, since it's not really a security threat -- there's no intelligence by the attacker: Crop scientists fear the Ug99 fungus could wipe out more than 80% of worldwide wheat crops as it spreads from eastern Africa. It has already jumped the Red Sea and traveled as far as Iran. Experts say it...
Fraud on eBay
I expected selling my computer on eBay to be easy. Attempt 1: I listed it. Within hours, someone bought it -- from a hacked account, as eBay notified me, cancelling the sale. Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal...
Imagining Threats
A couple of years ago, the Department of Homeland Security hired a bunch of science fiction writers to come in for a day and think of ways terrorists could attack America. If our inability to prevent 9/11 marked a failure of imagination, as some said at the time, then who better than science fiction writers to inject a little imagination...
Lockpicking
Great article from Wired about the lockpicker Marc Tobias. Related: "Ten Things Everyone Should Know About Lockpicking & Physical Security."...
New Computer Snooping Tool
From the press release: Unlike existing computer forensics solutions, EnCase Portable runs on a USB drive, rather than a laptop, and enables the user to easily and rapidly boot a target computer to the USB drive, and run a pre-configured data search and collection job. The ease-of-use and ultra-portability of EnCase Portable creates exciting new possibilities in data acquisition. Even...
The Psychology of Being Scammed
Fascinating research on the psychology of con games. "The psychology of scams: Provoking and committing errors of judgement" was prepared for the UK Office of Fair Trading by the University of Exeter School of Psychology. From the executive summary, here's some stuff you may know: Appeals to trust and authority: people tend to obey authorities so scammers use, and victims...
Carrot-Bomb Art Project Bombs in Sweden
Not the best idea: The carrot bombs had been placed around the city at the request of a local art gallery, as part of an open-air arts festival. They had only been in place for an hour before police received their first call. "We received a call ... from a person who said they saw two real bombs placed outside...
Ever Better Cryptanalytic Results Against SHA-1
The SHA family (which, I suppose, should really be called the MD4 family) of cryptographic hash functions has been under attack for a long time. In 2005, we saw the first cryptanalysis of SHA-1 that was faster than brute force: collisions in 2^69 hash operations, later improved to 2^63 operations. A great result, but not devastating. But remember the great...
DHS Has a Blog
The U.S. Department of Homeland Security has a blog. I don't know if it will be as interesting or entertaining as the TSA's blog....
Prairie Dogs Hack Baltimore Zoo
Fun story, with a lot of echoes of our own security problems: It took just 10 minutes for a dozen prairie dogs to outwit the creators of the Maryland Zoo's new $500,000 habitat. Aircraft wire, poured concrete and slick plastic walls proved no match for the fast-footed rodents, the stars of a new exhibit that opens today. As officials were...
Did a Public Twitter Post Lead to a Burglary?
No evidence one way or the other: Like a lot of people who use social media, Israel Hyman and his wife Noell went on Twitter to share real-time details of a recent trip. Their posts said they were "preparing to head out of town," that they had "another 10 hours of driving ahead," and that they "made it to Kansas...
The "Hidden Cost" of Privacy
Forbes ran an article talking about the "hidden" cost of privacy. Basically, the point was that privacy regulations are expensive to comply with, and a lot of that expense gets eaten up by the mechanisms of compliance and doesn't go toward improving anyone's actual privacy. This is a valid point, and one that I make in talks about privacy all...
Friday Squid Blogging: Squid Also See Through Non-Eye Organ
Weird: The UW-Madison researchers have been intrigued by the light organ's "counterillumination" ability -- this capacity to give off light to make squids as bright as the ocean surface above them, so that predators below can't see them. "Until now, scientists thought that illuminating tissues in the light organ functioned exclusively for the control of the intensity and direction of...
Second SHB Workshop Liveblogging (9)
The eighth, and final, session of the SHB09 was optimistically titled "How Do We Fix the World?" I moderated, which meant that my liveblogging was more spotty, especially in the discussion section. David Mandel, Defense Research and Development Canada (suggested reading: Applied Behavioral Science in Support of Intelligence Analysis, Radicalization: What does it mean?; The Role of Instigators in Radicalization...
Second SHB Workshop Liveblogging (8)
The penultimate session of the conference was "Privacy," moderated by Tyler Moore. Alessandro Acquisti, Carnegie Mellon University (suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification), presented research on how people value their privacy. He started by listing a variety of cognitive biases that affect privacy decisions: illusion of...
Second SHB Workshop Liveblogging (7)
Session Six -- Terror -- chaired by Stuart Schechter. Bill Burns, Decision Research (suggested reading: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike), studies social reaction to risk. He discussed his theoretical model of how people react to fear events, and data from the 9/11 attacks, the 7/7 bombings in the UK, and the 2008 financial collapse....
Second SHB Workshop Liveblogging (6)
The first session of the morning was "Foundations," which is kind of a catch-all for a variety of things that didn't really fit anywhere else. Rachel Greenstadt moderated. Terence Taylor, International Council for the Life Sciences (suggested video to watch: Darwinian Security; Natural Security), talked about the lessons evolution teaches about living with risk. Successful species didn't survive by eliminating...
Second SHB Workshop Liveblogging (5)
David Livingstone Smith moderated the fourth session, about (more or less) methodology. Angela Sasse, University College London (suggested reading: The Compliance Budget: Managing Security Behaviour in Organisations; Human Vulnerabilities in Security Systems), has been working on usable security for over a dozen years. As part of a project called "Trust Economics," she looked at whether people comply with security policies...
Second SHB Workshop Liveblogging (4)
Session three is titled "Usability." (For the record, the Stata Center is one ugly building.) Andrew Patrick, NRC Canada until he was laid off four days ago (suggested reading: Fingerprint Concerns: Performance, Usability, and Acceptance of Fingerprint Biometric Systems), talked about biometric systems and human behavior. Biometrics are used everywhere: for gym membership, at Disneyworld, at international borders. The government...
Second SHB Workshop Liveblogging (3)
The second session was about fraud. (These session subjects are only general. We tried to stick related people together, but there was the occasional oddball -- and scheduling constraint -- to deal with.) Julie Downs, Carnegie Mellon University (suggested reading: Behavioral Response to Phishing Risk; Parents' vaccination comprehension and decisions; The Psychology of Food Consumption), is a psychologist who studies...
Second SHB Workshop Liveblogging (2)
The first session was about deception. Frank Stajano, Cambridge University (suggested reading: Usability of Security Management: Defining the Permissions of Guests), presented research with someone who films actual scams for "The Real Hustle." His point is that we build security systems based on our "logic," but users don't always follow our logic. It's fraudsters who really understand what people...
Second SHB Workshop Liveblogging (1)
I'm at SHB09, the Second Interdisciplinary Workshop on Security and Human Behavior, at MIT. This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security, organized by Ross Anderson, Alessandro Acquisti, and myself. Here's the schedule. Last year's link will give you a good...
Malware Steals ATM Data
One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it: The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The...
I'm Selling My Laptop
I'm selling my laptop on eBay. It's basically new, although the box has been opened. I wanted to downgrade the OS, but learned that one of the key drivers -- it controls the camera and the hibernate function -- was only available for Vista. So it's up for sale, at a good price....
Industry Differences in Types of Security Breaches
Interhack has been working on a taxonomy of security breaches, and has an interesting conclusion: The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen...
Teaching Children to Spot Terrorists
You can't make this stuff up: More than 2,000 10 and 11-year-olds [in the UK] will see a short film, which urges them to tell the police, their parents or a teacher if they hear anyone expressing extremist views. [...] A lion explains that terrorists can look like anyone, while a cat tells pupils that should get help if they...
Corrupted Word Files for Sale
On one hand, this is clever: We offer a wide array of corrupted Word files that are guaranteed not to open on a Mac or PC. A corrupted file is a file that contains scrambled and unrecoverable data due to hardware or software failure. Files may become corrupted when something goes wrong while a file is being saved e.g. the...
British High Schoolers Write About CCTV in School
If you think that under-20-year-olds don't care about privacy, this is an eloquent op-ed by two students about why CCTV cameras have no place in their UK school: Adults are often quick to define the youth of today as stereotypical troublemakers and violent offenders -- generalisations which are prompted by the media -- when in fact the majority of students...
Fear of Aerial Images
Time for some more fear about terrorists using maps and images on the Internet. But the more striking images come when Portzline clicks on the "bird's-eye" option offered by the map service. The overhead views, which come chiefly from satellites, are replaced with strikingly clear oblique-angle photos, chiefly shot from aircraft. By clicking another button, he can see the same...
Bullet Pen
Earlier this year, I blogged about a self-defense pen that is likely to easily pass through airport security. On the other hand, this normal pen in the shape of a bullet will probably get you in trouble....
Clever Combination Door Lock Design
This combination door lock is very pretty. Of course, four digits is too short an entry code, but I like the overall design and the automatic rescrambling feature....
I'm Being Interviewed in Second Life Today
I'll be interviewed in Second Life on "Virtually Speaking" tonight at 9:00 PM ET....
Secret Government Communications Cables Buried Around Washington, DC
Interesting: This part happens all the time: A construction crew putting up an office building in the heart of Tysons Corner a few years ago hit a fiber optic cable no one knew was there. This part doesn't: Within moments, three black sport-utility vehicles drove up, a half-dozen men in suits jumped out and one said, "You just hit our...
Cloud Computing
This year's overhyped IT concept is cloud computing. Also called software as a service (Saas), cloud computing is when you run software over the internet and access it via a browser. The Salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future. But, hype aside, cloud computing...
Why Is Terrorism so Hard?
I don't know how I missed this great series from Slate in February. It's eight essays exploring why there have been no follow-on terrorist attacks in the U.S. since 9/11 (not counting the anthrax mailings, I guess). Some excerpts: Al-Qaida's successful elimination of the Twin Towers, part of the Pentagon, four jetliners, and nearly 3,000 innocent lives makes the terror...
Arming the Boston Police with Assault Rifles
Whose idea is this? The Boston Police Department is preparing a plan to arm as many as 200 patrol officers with semiautomatic assault rifles, a significant boost in firepower that department leaders believe is necessary to counter terrorist threats, according to law enforcement officials briefed on the plan. The initiative calls for equipping specialized units, such as the bomb squad...
Update on Computer Science Student's Computer Seizure
In April, I blogged about the Boston police seizing a student's computer for, among other things, running Linux. (Anyone who runs Linux instead of Windows is obviously a scary bad hacker.) Last week, the Massachusetts Supreme Court threw out the search warrant: Massachusetts Supreme Judicial Court Associate Justice Margot Botsford on Thursday said that Boston College and Massachusetts State Police...
Research on Movie-Plot Threats
This could be interesting: Emerging Threats and Security Planning: How Should We Decide What Hypothetical Threats to Worry About? Brian A. Jackson, David R. Frelinger Concerns about how terrorists might attack in the future are central to the design of security efforts to protect both individual targets and the nation overall. In thinking about emerging threats, security planners are confronted...
Friday Squid Blogging: Squid Pasta
Step by step instructions on how to make squid pasta....
Obama's Cybersecurity Speech
I am optimistic about President Obama's new cybersecurity policy and the appointment of a new "cybersecurity coordinator," though much depends on the details. What we do know is that the threats are real, from identity theft to Chinese hacking to cyberwar. His principles were all welcome -- securing government networks, coordinating responses, working to secure the infrastructure in private hands...
No Smiling in Driver's License Photographs
In other biometric news, four states have banned smiling in driver's license photographs. The serious poses are urged by DMVs that have installed high-tech software that compares a new license photo with others that have already been shot. When a new photo seems to match an existing one, the software sends alarms that someone may be trying to assume another...
News from the Fingerprint Biometrics World
Wacky: A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints -- which had apparently disappeared because of a drug he was taking. [...] The drug, capecitabine, is commonly used to treat cancers in the head and neck, breast, stomach and colorectum. One side-effect is chronic inflammation...
Faking Background Checks for Security Clearances
What do you do if you have too many background checks to do, and not enough time to do them? You fake them, of course: Eight current and former security clearance investigators say they have been pressured to work faster and take on crushing workloads in recent years, as the government tried to eliminate a backlog that once topped 531,000...
Steganography Using TCP Retransmission
Research: Hiding Information in Retransmissions Wojciech Mazurczyk, Milosz Smolarczyk, Krzysztof Szczypiorski The paper presents a new steganographic method called RSTEG (Retransmission Steganography), which is intended for a broad class of protocols that utilises retransmission mechanisms. The main innovation of RSTEG is to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram...
Automatic Dice Thrower
Impressive: The Dice-O-Matic is 7 feet tall, 18 inches wide and 18 inches deep. It has an aluminum frame covered with Plexiglas panels. A 6x4 inch square Plexiglas tube runs vertically up the middle almost the entire height. Inside this tube a bucket elevator carries dice from a hopper at the bottom, past a camera, and tosses them onto a...
Defending Against Movie-Plot Threats with Movie Characters
Excellent: Seeking to quell fears of terrorists somehow breaking out of America's top-security prisons and wreaking havoc on the defenseless heartland, President Barack Obama moved quickly to announce an Anti-Terrorist Strike Force headed by veteran counterterrorism agent Jack Bauer and mutant superhero Wolverine. Already dubbed a "dream team," their appointment is seen by experts as a crucial step in reducing...
Secret Questions
In 2004, I wrote about the prevalence of secret questions as backup passwords. The problem is that the answers to these "secret questions" are often much easier to guess than random passwords. Mother's maiden name isn't very secret. Name of first pet, name of favorite teacher: there are some common names. Favorite color: I could probably guess that in no...
Friday Squid Blogging: How to Capture a Giant Squid
Three methods: Method 2: Offer Squid a Tasty Treat If your preferred squid looks hungry, try luring it with a delicious oil tanker. During the course of the 1930s, the Norwegian tanker Brunswick was attacked not once, not twice, but three times by giant squid. Metal boats don't sound especially appetizing, but scientists think squid mistake the large, gray objects...
Schneier and Ranum on Face-Off Video
Marcus Ranum and I did two video versions of our Face-Off column: one on cloud computing, and the other on who should be in charge of cyber-security....
The Doghouse: Net1
They have technology: The FTS Patent has been acclaimed by leading cryptographic authorities around the world as the most innovative and secure protocol ever invented to manage offline and online smart card related transactions. Please see the independent report by Bruce Schneider [sic] in his book entitled Applied Cryptography, 2nd Edition published in the late 1990s. I have no idea...
This Week's Terrorism Arrests
Four points. One: There was little danger of an actual terrorist attack: Authorities said the four men have long been under investigation and there was little danger they could actually have carried out their plan, NBC News' Pete Williams reported. [...] In their efforts to acquire weapons, the defendants dealt with an informant acting under law enforcement supervision, authorities said....
IEDs Are Now Weapons of Mass Destruction
In an article on the recent arrests in New York: On Wednesday night, they planted one of the mock improvised explosive devices in a trunk of a car outside the temple and two mock bombs in the back seat of a car outside the Jewish center, the authorities said. Shortly thereafter, police officers swooped in and broke the windows on...
On the Anonymity of Home/Work Location Pairs
Interesting: Philippe Golle and Kurt Partridge of PARC have a cute paper on the anonymity of geo-location data. They analyze data from the U.S. Census and show that for the average person, knowing their approximate home and work locations -- to a block level -- identifies them uniquely. Even if we look at the much coarser granularity of a census...
Me on Full-Body Scanners in Airports
I'm very happy with this quote in a CNN.com story on "whole-body imaging" at airports: Bruce Schneier, an internationally recognized security technologist, said whole-body imaging technology "works pretty well," privacy rights aside. But he thinks the financial investment was a mistake. In a post-9/11 world, he said, he knows his position isn't "politically tenable," but he believes money would be...
Microsoft Bans Memcopy()
This seems smart: Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later this year, Microsoft will add memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function calls banned under its secure...
"Lost" Puzzle in Wired Magazine
For the April 09 issue Wired Magazine, I was asked to create a cryptographic puzzle based on the television show Lost. Specifically, I was given a "clue" to encrypt. Here are details of the puzzle and solving attempts. Near as I can tell, no one has published a solution. Creating something like this is very hard. The puzzle needs to...
Invisible Ink Pen
This is cool. It writes like a normal pen, but if you run a hair dryer over the written words they disappear. And if you put the paper in the freezer the words reappear. Fantastic....
Pirate Terrorists in Chesapeake Bay
This is a great movie-plot threat: Pirates could soon find their way to the waters of the Chesapeake Bay. That's assuming that a liquefied natural gas terminal gets built at Sparrows Point. The folks over at the LNG Opposition Team have long said that building an LNG plant on the shores of the bay would surely invite terrorists to attack....
Kylin: New Chinese Operating System
Interesting: China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies. The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is...
Interview with Me
ThreatPost interviewed me. SlashDot thread on the interview....
No Warrant Required in U.S. for GPS Tracking
At least, according to a U.S. District Court ruling: As the law currently stands, the court said police can mount GPS on cars to track people without violating their constitutional rights -- even if the drivers aren't suspects. Officers do not need to get warrants beforehand because GPS tracking does not involve a search or a seizure, Judge Paul Lundsten...
Detecting Liars by Content
Interesting: Kevin Colwell, a psychologist at Southern Connecticut State University, has advised police departments, Pentagon officials and child protection workers, who need to check the veracity of conflicting accounts from parents and children. He says that people concocting a story prepare a script that is tight and lacking in detail. "It's like when your mom busted you as a kid,...
Attacking the Food Supply
Terrorists attacking our food supply is a nightmare scenario that has been given new life during the recent swine flu outbreak. Although it seems easy to do, understanding why it hasn't happened is important. G.R. Dalziel, at the Nanyang Technological University in Singapore, has written a report chronicling every confirmed case of malicious food contamination in the world since 1950:...
Software Problems with a Breath Alcohol Detector
This is an excellent lesson in the security problems inherent in trusting proprietary software: After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc. Draeger, the manufacturer maintained that the system was...
Using Surveillance Cameras to Detect Cashier Cheating
It's called "sweethearting": when cashiers pass free merchandise to friends. And some stores are using security cameras to detect it: Mathematical algorithms embedded in the stores' new security system pick out sweethearting on their own. There's no need for a security guard watching banks of video monitors or reviewing hours of grainy footage. When the system thinks it's spotted evidence,...
Fourth Movie-Plot Threat Contest Winner
For this contest, the goal was to: ...to find an existing event somewhere in the industrialized world—Third World events are just too easy—and provide a conspiracy theory to explain how the terrorists were really responsible. I thought it was straightforward enough but, honestly, I wasn't very impressed with the submissions. Nothing surprised me with its cleverness. There were scary entries...
Zeus Trojan has Self-Destruct Option
From Brian Krebs at The Washington Post: One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature...
Researchers Hijack a Botnet
A bunch of researchers at the University of California Santa Barbara took control of a botnet for ten days, and learned a lot about how botnets work: The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig...
Marc Rotenberg on Security vs. Privacy
Nice essay: In the modern era, the right of privacy represents a vast array of rights that include clear legal standards, government accountability, judicial oversight, the design of techniques that are minimally intrusive and the respect for the dignity and autonomy of individuals. The choice that we are being asked to make is not simply whether to reduce our expectation...
MI6 and a Lost Memory Stick
Oops: The United Kingdom's MI6 agency acknowledged this week that in 2006 it had to scrap a multi-million-dollar undercover drug operation after an agent left a memory stick filled with top-secret data on a transit coach. The general problem. The general solution....
Virginia Data Ransom
This is bad: On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand: "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to...
Lie Detector Charlatans
This is worth reading: Five years ago I wrote a Language Log post entitled "BS conditional semantics and the Pinocchio effect" about the nonsense spouted by a lie detection company, Nemesysco. I was disturbed by the marketing literature of the company, which suggested a 98% success rate in detecting evil intent of airline passengers, and included crap like this: The...
Secure Version of Windows Created for the U.S. Air Force
I have long argued that the government should use its massive purchasing power to pressure software vendors to improve security. Seems like the U.S. Air Force has done just that: The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of...
Security Considerations in the Design of the Human Penis
Fascinating bit of evolutionary biology: So how did natural selection equip men to solve the adaptive problem of other men impregnating their sexual partners? The answer, according to Gallup, is their penises were sculpted in such a way that the organ would effectively displace the semen of competitors from their partner's vagina, a well-synchronized effect facilitated by the "upsuck" of...
An Expectation of Online Privacy
If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender's ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they...
Mathematical Illiteracy
This may be the stupidest example of risk assessment I've ever seen. It's a video clip from a recent Daily Show, about the dangers of the Large Hadron Collider. The segment starts off slow, but then there's an exchange with high school science teacher Walter L. Wagner, who insists the device has a 50-50 chance of destroying the world: "If...
I've Been Named the 31st Most Influential Person on the Web
At least, in Canada....
Googling Justice Scalia
Nice hack: Last year, when law professor Joel Reidenberg wanted to show his Fordham University class how readily private information is available on the Internet, he assigned a group project. It was collecting personal information from the Web about himself. This year, after U.S. Supreme Court Justice Antonin Scalia made public comments that seemingly may have questioned the need for...
Yet Another New York Times Cyberwar Article
It's the season, I guess: The United States has no clear military policy about how the nation might respond to a cyberattack on its communications, financial or power networks, a panel of scientists and policy advisers warned Wednesday, and the country needs to clarify both its offensive capabilities and how it would respond to such attacks. The report, based on...
Preparing for Cyberwar
Interesting article from The New York Times. Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of...
A Sad Tale of Biometrics Gone Wrong
From The Daily WTF: Johnny was what you might call a "gym rat." In incredible shape from almost-daily gym visits, a tight Lycra tank top, iPod strapped to his sizable bicep, underneath which was a large black tribal tattoo. He scanned his finger on his way out, but the turnstile wouldn't budge. "Uh, just a second," the receptionist furiously typed...
Ireland Does Away with Electronic Voting
They're voting on paper again; smart country. I wrote about electronic voting machines back in 2004....
Lessons from the Columbine School Shooting
Lots of high-tech gear, but that's not what makes schools safe: Some of the noticeable security measures remain, but experts say the country is exploring a new way to protect kids from in-school violence: administrators now want to foster school communities that essentially can protect themselves with or without the high-tech gear. "The first and best line of defense is...
"No-Fly" Also Means "No-Flyover"
I've previously written about the piece of counterterrorism silliness known as the no-fly list: Imagine a list of suspected terrorists so dangerous that we can't ever let them fly, yet so innocent that we can't arrest them -- even under the draconian provisions of the Patriot Act. Turns out these people are so dangerous that they can't be allowed to...
How to Spot a Fake Census Worker
This apparently non-ironic video warns that people might impersonate census workers in an effort to rob you. But while you shouldn't trust the ID of a stranger, you should trust that same stranger to give you a phone number where you can verify that ID. This, of course, makes no sense. Preventing impersonation is hard....
Cell Phones and Hostage Situations
I haven't read this book on the Columbine school shooting and massacre, but the New York Times review had an interesting paragraph about cell phones in a hostage situation: Fuselier is one of the people Cullen spotlights in his retelling in order to clear up the historical record. Some of the confusion generated by Columbine was inevitable: Harris and Klebold...
Unfair and Deceptive Data Trade Practices
Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turned used that information for targeted e-mail marketing campaigns. There's a basic consumer protection principle at work here, and it's the concept of "unfair and...
Friday Squid Blogging: Squid Forensics
Not what you think; it's about forensics of the Squid web/proxy cache. Note the squid stamp, though....
San Francisco Restaurant Reviews for the RSA Conference
The RSA Conference organizers asked me to write a restaurant review column for their show daily -- distributed only electronically. I called my column "The Dining Cryptographer." Here are links to them. I reviewed two restaurants each day: one walking distance from Moscone Center, and one a taxi ride away....
The Terrorism Arrests that Weren't
Remember those terrorism arrests that the UK government conducted, after a secret document was accidentally photographed? No one was charged: The Crown Prosecution Service said there was insufficient evidence to press charges or hold them any longer. The Muslim Council of Britain said the government behaved "very dishonourably" over the treatment of the men and should admit it had made a...
Fake Facts on Twitter
Clever hack: Back during the debate for HR 1, I was amazed at how easily conservatives were willing to accept and repeat lies about spending in the stimulus package, even after those provisions had been debunked as fabrications. The $30 million for the salt marsh mouse is a perfect example, and Kagro X documented well over a dozen congressmen repeating...
Hacking U.S. Military Satellites
The problem is more widespread than you might think: First lofted into orbit in the 1970s, the FLTSATCOM bird was at the time a major advance in military communications. Their 23 channels were used by every branch of the U.S. armed forces and the White House for encrypted data and voice, typically from portable ground units that could be quickly...
Conficker
Conficker's April Fool's joke -- the huge, menacing build-up and then nothing -- is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren't very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis. This worked fine for the simple...
Lessons in Key Management
Encrypting your USB drive is smart. Writing the encryption key on a piece of paper and attaching it to the USB drive is not....
Low-Tech Impersonation
Sometimes the basic tricks work best: Police say a man posing as a waiter collected $186 in cash from diners at two restaurants in New Jersey and walked out with the money in his pocket. Diners described the bogus waiter as a spikey-haired 20-something wearing a dark blue or black button-down shirt, yellow tie and khaki pants. Police say he...
NSA at RSA
I was going to write a commentary on the RSA Conference keynote speech by General Alexander, NSA Director. But he didn't actually say anything. Does anyone have any other opinions?...
Funny "War on Photography" Anecdote
Posting an excerpt would give it away....
DHS Recruitment Drive
Anyone interested? General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could "think like the bad guy." Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense...
Hacking a Time Poll
Not a particularly subtle hack, but clever nonetheless....
Book Review: The Science of Fear
Daniel Gardner's The Science of Fear was published last July, but I've only just gotten around to reading it. That was a big mistake. It's a fantastic book about how humans deal with fear: exactly the kind of thing I have been reading and writing about for the past couple of years. It's the book I wanted to write,...
New Frontiers in Biometrics
Ears? Arm swinging? I guess biometrics is now the "it" thing to study....
Boston Police Consider Using Linux to be Ground for Suspicion
This is pretty awful. More war on the unexpected....
How to Write a Scary Cyberterrorism Story
From Foreign Affairs, of all places: 8. If you are still having trouble working the Chinese or the Russian governments into your story, why not throw in some geopolitical kerfuffle that involves a country located in between? Not only would it implicate both governments, it would also make cyberspace seem relevant to geopolitics. I suggest you settle on Kyrgyzstan, as...
UK Terrorism Arrests
Details of the arrests made in haste after this inadvertent disclosure....
Tweenbots
Tweenbots: Tweenbots are human-dependent robots that navigate the city with the help of pedestrians they encounter. Rolling at a constant speed, in a straight line, Tweenbots have a destination displayed on a flag, and rely on people they meet to read this flag and to aim them in the right direction to reach their goal. Given their extreme vulnerability, the...
How Not to Carry Around Secret Documents
Here's a tip: when walking around in public with secret government documents, put them in an envelope. A huge MI5 and police counterterrorist operation against al-Qaeda suspects had to be brought forward at short notice last night after Scotland Yard's counter-terrorism chief accidentally revealed a briefing document. [...] The operation was nearly blown when Assistant Commissioner Bob Quick walked up...
U.S. Power Grid Hacked, Everyone Panic!
Yesterday I talked to at least a dozen reporters about this breathless Wall Street Journal story: Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be...
P2P Privacy
Interesting research: The team of researchers, which includes graduate students David Choffnes (electrical engineering and computer science) and Dean Malmgren (chemical and biological engineering), and postdoctoral fellow Jordi Duch (chemical and biological engineering), studied connection patterns in the BitTorrent file-sharing network -- one of the largest and most popular P2P systems today. They found that over the course of weeks,...
Police Powers and the UK Government in the 1980s
I found this great paragraph in this article on the future of privacy in the UK: One of the few home secretaries who dominated his department rather than be cowed by it was Lord Whitelaw in the 1980s. He boasted how after any security lapse, the police would come to beg for new and draconian powers. He laughed and sent...
Social Networking Identity Theft Scams
Clever: I'm going to tell you exactly how someone can trick you into thinking they're your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it....
Crypto Puzzle and NSA Problem
From Cryptosmith: The NSA had an incinerator in their old Arlington Hall facility that was designed to reduce top secret crypto materials and such to ash. Someone discovered that it wasn't in fact working. Contract disposal trucks had been disposing of this not-quite-sanitized rubbish, and officers tracked down a huge pile in a field in Ft. Meyer. How did they...
What to Fear
Nice rundown of the statistics. The single greatest killer of Americans is the so-called "lifestyle disease." Somewhere between half a million and a million of us get a short ride in a long hearse every year because of smoking, lousy diets, parking our bodies in front of the TV instead of operating them, and downing yet another six pack and...
Definition of "Weapon of Mass Destruction"
At least, according to U.S. law: 18 U.S.C. 2332a (2) the term "weapon of mass destruction" means— (A) any destructive device as defined in section 921 of this title; (B) any weapon that is designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals, or their precursors; (C) any...
Identifying People using Anonymous Social Networking Data
Interesting: Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov, from the University of Texas at Austin, developed the algorithm which turned the anonymous data back into names and addresses. The data sets are usually stripped of personally identifiable information, such as names, before it is sold to marketing companies or researchers keen to plumb it for useful information. Before now,...
Learning About Giant Squid From Sperm Whale Stomachs
Interesting research: By looking in the stomachs of three sperm whales stranded in the Bay of Biscay, Cherel recovered hundreds of beaks from 19 separate species -- 17 squids including the giant squid, the seven-arm octopus (the largest in the world) and the bizarre vampire squid. Together, these species represent a decent spread of the full diversity of deep-sea cephalopods....
Interview with Me
On the threats of insiders, from Federal News Radio....
Stealing Commodities
Before his arrest, Tom Berge stole lead roof tiles from several buildings in south-east England, including the Honeywood Museum in Carshalton, the Croydon parish church, and the Sutton high school for girls. He then sold those tiles to scrap metal dealers. As a security expert, I find this story interesting for two reasons. First, amongst increasingly ridiculous attempts to ban,...
DNA False Positives
A story about a very expensive series of false positives. The German police spent years and millions of dollars tracking a mysterious killer whose DNA had been found at the scenes of six murders. Finally they realized they were tracking a worker at the factory that assembled the prepackaged swabs used for DNA testing. This story could be used as...
Who Should be in Charge of U.S. Cybersecurity?
U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic. One of the areas of contention...
Thefts at the Museum of Bad Art
I'm not making this up: The loss of two MOBA works to theft has drawn media attention, and enhanced the museum's stature. In 1996, the painting Eileen, by R. Angelo Le, vanished from MOBA. Eileen was acquired from the trash by Wilson, and features a rip in the canvas where someone slashed it with a knife even before the museum...
Fourth Annual Movie-Plot Threat Contest
Let's face it, the War on Terror is a tired brand. There just isn't enough action out there to scare people. If this keeps up, people will forget to be scared. And then both the terrorists and the terror-industrial complex lose. We can't have that. We're going to help revive the fear. There's plenty to be scared about, if only...
Privacy and the Fourth Amendment
In the United States, the concept of "expectation of privacy" matters because it's the constitutional test, based on the Fourth Amendment, that governs when and how the government can invade your privacy. Based on the 1967 Katz v. United States Supreme Court decision, this test actually has two parts. First, the government's action can't contravene an individual's subjective expectation of...
Massive Chinese Espionage Network
The story broke in The New York Times yesterday: In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved. [...] Their sleuthing opened a window into a broader operation that, in less than...
The Zone of Essential Risk
Bob Blakley makes an interesting point. It's in the context of eBay fraud, but it's more general than that. If you conduct infrequent transactions which are also small, you'll never lose much money and it's not worth it to try to protect yourself - you'll sometimes get scammed, but you'll have no trouble affording the losses. If you conduct large...
Friday Squid Blogging: Two Squid Recipes
Braised squid with artichokes, and squid in red wine sauce, both from the New York Times food blog....
Gorilla Detector
From Muppet Labs: How many times have you awakened at night in the dark and said to yourself..."Is there a gorilla in here?" And how many people do you know whose vacations were ruined because they were eaten by undetected gorillas?...
Security Fears Drive Iran to Linux
According to The Age in Australia: "We would have to pay a lot of money," said Sephery-Rad, noting that most of the government's estimated one million PCs and the country's total of six to eight million computers were being run almost exclusively on the Windows platform. "Secondly, Microsoft software has a lot of backdoors and security weaknesses that are always...
A Solar Plasma Movie-Plot Threat
This is impressive: It is midnight on 22 September 2012 and the skies above Manhattan are filled with a flickering curtain of colourful light. Few New Yorkers have seen the aurora this far south but their fascination is short-lived. Within a few seconds, electric bulbs dim and flicker, then become unusually bright for a fleeting moment. Then all the lights...
Surviving a Suicide Bombing
Where you stand matters: The two researchers have developed accurate physics-based models of a suicide bombing attack, including casualty levels and explosive composition. Their work also describes human shields available in the crowd with partial and full coverage in both two- and three-dimensional environments. Their virtual simulation tool assesses the impact of crowd formation patterns and their densities on the...
Sniffing Keyboard Keystrokes with a Laser
Interesting: Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping...
Election Fraud in Kentucky
I think this is the first documented case of election fraud in the U.S. using electronic voting machines (there have been lots of documented cases of errors and voting problems, but this one involves actual maliciousness): Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal...
Fear and the Availability Heuristic
Psychology Today on fear and the availability heuristic: We use the availability heuristic to estimate the frequency of specific events. For example, how often are people killed by mass murderers? Because higher frequency events are more likely to occur at any given moment, we also use the availability heuristic to estimate the probability that events will occur. For example, what...
Research in Explosive Detection
Interesting: Much of this research focuses on "micromechanical" devices -- tiny sensors that have microscopic probes on which airborne chemical vapors deposit. When the right chemicals find the surface of the sensors, they induce tiny mechanical motions, and those motions create electronic signals that can be measured. These devices are relatively inexpensive to make and can sensitively detect explosives, but...
Friday Squid Blogging: Make a Giant Giant Squid Pillow
Photos and instructions....
Holy Hand Grenade of Antioch Bomb Scare
You just can't make this stuff up: Buildings were evacuated, a street was cordoned off and a bomb disposal team called in after workmen spotted a suspicious object. But the dangerous-looking weapon turned out to be the Holy Hand Grenade of Antioch, made famous in the 1975 film Monty Python And The Holy Grail. [...] They evacuated a pub and...
More NSA Video Courses from 1991
Last month, I posted this. There's an update with new information (the FOIA redactions were appealed)....
Why People Steal Rare Books
Interesting analysis: "Book theft is very hard to quantify because very often pages are cut and it's not noticed for years," says Rapley. "Often we come across pages from books [in hauls of recovered property] and we work back from there." The Museum Security Network, a Dutch-based, not-for-profit organisation devoted to co-ordinating efforts to combat this type of theft, estimates...
Blowfish on 24, Again
Three nights ago, my encryption algorithm Blowfish was mentioned on the Fox show 24. The clip is available here, or streaming on Hulu. This is the exchange: Janis Gold: I isolated the data Renee uploaded to Bauer but I can't get past the file header. Ryan Burnett: What does that mean? JG: She encrypted the name and address she used...
Fingerprinting Paper
Interesting paper: Fingerprinting Blank Paper Using Commodity Scanners Will Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, Alex Halderman, and Edward W. Felten Abstract: This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner...
Hiding Behind Terrorism Law
The Bayer company is refusing to talk about a fatal accident at a West Virginia plant, citing a 2002 terrorism law. CSB had intended to hear community concerns, gather more information on the accident, and inform residents of the status of its investigation. However, Bayer attorneys contacted CSB Chairman John Bresland and set up a Feb. 12 conference at the...
1801 Cipher Solved
Interesting piece of cryptographic history: a cipher designed by Robert Patterson and sent to Thomas Jefferson. The full story is behind a paywall....
Leaving Infants in the Car
It happens; sometimes they die. "Death by hyperthermia" is the official designation. When it happens to young children, the facts are often the same: An otherwise loving and attentive parent one day gets busy, or distracted, or upset, or confused by a change in his or her daily routine, and just... forgets a child is in the car. It happens...
Privacy in Google Latitude
Good news: What Loopt — and now Google — are asserting is this: when you tell your friends where you are, you are using a public conveyance to communicate privately. And, just as it would if it wanted to record your phone call or read your e-mail, the government needs to get a wiretap order. That's even tougher to get...
Friday Squid Blogging: Build Your Own Virtual Squid
This site lets you build your own squid and let it loose in a virtual environment. You can even come back later and visit your squid....
The Doghouse: Sentex Keypads
It has a master key: Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code: ***00000099#* The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access...
The Kindness of Strangers
When I was growing up, children were commonly taught: "don't talk to strangers." Strangers might be bad, we were told, so it's prudent to steer clear of them. As it turns out, this is profoundly bad advice. Most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest...
IT Security: Blaming the Victim
Blaming the victim is common in IT: users are to blame because they don't patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think. People regularly don't do things they are supposed to:...
The Story of the World's Largest Diamond Heist
Read the whole thing: He took the elevator, descending two floors underground to a small, claustrophobic room--the vault antechamber. A 3-ton steel vault door dominated the far wall. It alone had six layers of security. There was a combination wheel with numbers from 0 to 99. To enter, four numbers had to be dialed, and the digits could be seen...
Google Map Spam
There are zillions of locksmiths in New York City. Not really; this is the latest attempt by phony locksmiths to steer business to themselves: This is one of the scary parts: they have a near monopoly on the cell phone 411 system. They have filled the databases with so many phony address listings in most major cities that when...
The Techniques for Distributing Child Porn
Fascinating history of an illegal industry: Today's schemes are technologically very demanding and extremely complex. It starts with the renting of computer servers in several countries. First the Carders are active to obtain the credit cards and client identities wrongfully. These data are then passed to the falsifiers who manufacture wonderful official documents so that they can be used to...
Security Theater Scare Mongering
We need more security in hotels and churches: First Baptist Church in Maryville, Illinois, had a security plan in place when a gunman walked into services Sunday morning and killed Pastor Fred Winters, said Tim Lawson, another pastor at the church. Lawson told CNN he was not prepared to disclose details of his church's security plan on Monday. But Maryville...
History and Ethics of Military Robots
This article gives an overview of U.S. military robots, and discusses a bit around the issues regarding their use in war: As military robots gain more and more autonomy, the ethical questions involved will become even more complex. The U.S. military bends over backwards to figure out when it is appropriate to engage the enemy and how to limit civilian...
New eBay Fraud
Here's a clever attack, exploiting relative delays in eBay, PayPal, and UPS shipping: The buyer reported the item as "destroyed" and demanded and got a refund from Paypal. When the buyer shipped it back to Chad and he opened it, he found there was nothing wrong with it -- except that the scammer had removed the memory, processor and hard...
Self-Defense Pen
I'm sure you need some skill to actually use this, and I'm also sure it'll get through airport security checkpoints just fine....
More European Chip and Pin Insecurity
"Optimised to Fail: Card Readers for Online Banking," by Saar Drimer, Steven J. Murdoch, and Ross Anderson. Abstract The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and...
All-or-Nothing Encryption Program
Programs staple and unstaple perform all-or-nothing encryption. Just demonstration code, but interesting all the same....
Commentary on the UK Government National Security Strategy
This is scary: Sir David Omand, the former Whitehall security and intelligence co-ordinator, sets out a blueprint for the way the state will mine data -- including travel information, phone records and emails -- held by public and private bodies and admits: "Finding out other people's secrets is going to involve breaking everyday moral rules." In short: it's immoral, but...
Michael Froomkin on Identity Cards
University of Miami law professor Michael Froomkin writes about ID cards and society in "Identity Cards and Identity Romanticism." This book chapter for "Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society" (New York: Oxford University Press, 2009)—a forthcoming comparative examination of approaches to the regulation of anonymity edited by Ian Kerr—discusses the sources of hostility...
Three Security Anecdotes from the Insect World
Beet armyworm caterpillars react to the sound of a passing wasp by freezing in place, or even dropping off the plant. Unfortunately, armyworm intelligence isn't good enough to tell the difference between enemy aircraft (the wasps that prey on them) and harmless commercial flights (bees); they react the same way to either. So by producing pollen for bees, plants not...
Shower Mirror with Hidden Camera
Use it to catch the lovers of cheating spouses. (The site has a wide variety of hidden cameras in common household objects.)...
Judge Orders Defendant to Decrypt Laptop
This is an interesting case: At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or...
Perverse Security Incentives
An employee of Whole Foods in Ann Arbor, Michigan, was fired in 2007 for apprehending a shoplifter. More specifically, he was fired for touching a customer, even though that customer had a backpack filled with stolen groceries and was running away with them. I regularly see security decisions that, like the Whole Foods incident, seem to make absolutely no sense....
Friday Squid Blogging: Researching Squid Bacteria
New research: Intriguingly, that gene is the one that enables the bacteria to form a biofilm, the tightly woven matrix of "slime" which allows bacterial colonies to behave in many ways like a single organism. "The biofilm might be critical for adhering to the light organ, or telling the host that the correct symbiont has arrived," says Mandel. Biofilms also...
Privacy in the Age of Persistence
Note: This isn't the first time I have written about this topic, and it surely won't be the last. I think I did a particularly good job summarizing the issues this time, which is why I am reprinting it. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked,...
Defeating Caller ID Blocking
TrapCall is a new service that reveals the caller ID on anonymous or blocked calls: TrapCall instructs new customers to reprogram their cellphones to send all rejected, missed and unanswered calls to TrapCall's own toll-free number. If the user sees an incoming call with Caller ID blocked, he just presses the button on the phone that would normally send it...
Electromagnetic Pulse Grenades
There are rumors of a prototype: Even the highly advanced US forces hadn't been generally thought to have developed a successful pulse-bomb yet, with most reports indicating that such a capability remains a few years off (as has been the case for decades). Furthermore, the pulse ordnance has usually been seen as large and heavy, in the same league as...
The Doghouse: Singularics
This is priceless: Our advances in Prime Number Theory have led to a new branch of mathematics called Neutronics. Neutronic functions make possible for the first time the ability to analyze regions of mathematics commonly thought to be undefined, such as the point where one is divided by zero. In short, we have developed a new way to analyze the...
Maine Man Tries to Build a Dirty Bomb
No one cares, probably because he isn't Muslim. White supremacist terrorism just isn't sexy these days....
Melissa Hathaway Interview
President Obama has tasked Melissa Hathaway with conducting a 60-day review of the nation's cybersecurity policies. Who is she? Hathaway has been working as a cybercoordination executive for the Office of the Director of National Intelligence. She chaired a multiagency group called the National Cyber Study Group that was instrumental in developing the Comprehensive National Cyber Security Initiative, which was...
New Conficker Variant
This is one well-designed piece of malware: Conficker B++ is somewhat similar to Conficker B, with 294 of 297 sub-routines the same and 39 additional subroutines. The latest variant, first spotted on 16 February, is even more sneaky than its previous incarnations, SRI explains. Conficker B++ is no longer limited to reinfection by similarly structured Conficker DLLs, but can now...
Is Megan's Law Worth It?
A study from New Jersey shows that Megan's Law—laws designed to identify sex offenders to the communities they live in—is ineffective in reducing sex crimes or deterring victims. The study, funded by the National Institute of Justice, examined the cases of 550 sex offenders who were broken into two groups—those released from prison before the passage of Megan's Law and...
NSA Wants Help Eavesdropping on Skype
At least, according to an anonymous "industry source": The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain's GCHQ has also...
Friday Squid Blogging: Jumbo Squid Teeth
They're strong and lightweight: The teeth get their strength from architecture. A series of tooth pores runs through the protein, and on the outer edge the pores are spaced widely for a hard, sharp edge that digs into the flesh of hapless prey. Toward the base, the pores are closer together, making a softer material that can absorb the prey's...
The "Broken Windows" Theory of Crimefighting
Evidence of its effectiveness: Researchers, working with police, identified 34 crime hot spots. In half of them, authorities set to work—clearing trash from the sidewalks, fixing street lights, and sending loiterers scurrying. Abandoned buildings were secured, businesses forced to meet code, and more arrests made for misdemeanors. Mental health services and homeless aid referrals expanded. In the remaining hot spots,...
Another Password Analysis
Here's an analysis of 30,000 passwords from phpbb.com, similar to my analysis of 34,000 MySpace passwords: The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to...
Balancing Security and Usability in Authentication
Since January, the Conficker.B worm has been spreading like wildfire across the Internet: infecting the French Navy, hospitals in Sheffield, the court system in Houston, and millions of computers worldwide. One of the ways it spreads is by cracking administrator passwords on networks. Which leads to the important question: Why in the world are IT administrators still using easy-to-guess passwords?...
Terrorism Common Sense from MI6
Refreshing commentary from Nigel Inkster, former Assistant Chief and Director of Operations and Intelligence of MI6: "Efforts to establish a global repository of counterterrorist information are unlikely ever to succeed. We need to be wary of rebuilding our world to deal with just one problem, one which might not be by any means the most serious we face." Asked what...
HIPAA Accountability in Stimulus Bill
On page 379 of the current stimulus bill, there's a bit about establishing a website of companies that lost patient information: (4) POSTING ON HHS PUBLIC WEBSITE -- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described...
Computer Virus Epidemiology
"WiFi networks and malware epidemiology," by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani. Abstract In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent attacks. In this article, we consider several scenarios for the deployment of malware that...
Difficult-to-Pronounce Things are Judged to Be More Risky
Do I have any readers left who think humans are rational about risks? Abstract Low processing fluency fosters the impression that a stimulus is unfamiliar, which in turn results in perceptions of higher risk, independent of whether the risk is desirable or undesirable. In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were...
Los Alamos Explains Their Security Problems
They've lost 80 computers: no idea if they're stolen, or just misplaced. Typical story—not even worth commenting on—but this great comment by Los Alamos explains a lot about what was wrong with their security policy: The letter, addressed to Department of Energy security officials, contends that "cyber security issues were not engaged in a timely manner" because the computer losses...
Insiders
Rajendrasinh Makwana was a UNIX contractor for Fannie Mae. On October 24, he was fired. Before he left, he slipped a logic bomb into the organization's network. The bomb would have "detonated" on January 31. It was programmed to disable access to the server on which it was running, block any network monitoring software, systematically and irretrievably erase everything—and then...
Using Fear to Sell Pens, Part Two
This ad, for a Uni-ball pen that's hard to erase, is kind of surreal. They're using fear to sell pens -- again -- but it's the wrong fear. They're confusing check-washing fraud, where someone takes a check and changes the payee and maybe the amount, with identity theft. And how can someone steal money from me by erasing and changing...
The Doghouse: Raidon's Staray-S Encrypted Hard Drives
Turns out the algorithm is linear. When you're buying security products, you have to trust the vendor. That's why I don't buy any of these hardware-encrypted drives. I don't trust the vendors....
Worldwide Browser Patch Rates
Interesting research: Abstract: Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP useragent...
Cheating at Disneyworld
Interesting discussion of different ways to cheat and skip the lines at Disney theme parks. Most of the tricks involve their FastPass system for virtual queuing: Moving toward the truly disingenuous, we've got the "FastPass Switcheroo." To do this, simply get your FastPass like normal for Splash Mountain. You notice that the return time is two hours away, in the...
Billboards that Watch you Back
Creepy: Small cameras can now be embedded in the screen or hidden around it, tracking who looks at the screen and for how long. The makers of the tracking systems say the software can determine the viewer's gender, approximate age range and, in some cases, ethnicity—and can change the ads accordingly. That could mean razor ads for men, cosmetics ads...
Cloning RFID Passports
It's easy to clone RFID passports. (To make it clear, the attacker didn't actually create fake passports; he just stole the data off the RFID chips.) Not that this hasn't been done before. I've long been opposed to RFID chips in passports, and have written op eds about them in the International Herald Tribune and several other papers....
Self-Propelled Semi-Submersibles
They're used to smuggle drugs into the U.S. Since the vessels have a low profile—the hulls only rise about a foot above the waterline—they are hard to see from a distance and produce a small radar signature. U.S. counterdrug officials estimate that SPSS are responsible for 32% of all cocaine movement in the transit zone. But let's not...
Man Arrested by Amtrak Police for Taking Photographs for Amtrak Photography Contest
You can't make this stuff up. Even Stephen Colbert made fun of it. This isn't the first time Amtrak police have been idiots. And in related news, in the U.K. it soon might be illegal to photograph the police....
U.S. is One Small Step Closer to Making No-Fly List Less Harassing
The House approved a bill creating a whitelist of people who are on the blacklist, but shouldn't be. No word yet about what they're going to do about people who are on the whitelist, but shouldn't be. Perhaps they'll create another blacklist. Then we'll all be safe from terrorists, for sure....
Monster.com Data Breach
Monster.com was hacked, and people's personal data was stolen. Normally I wouldn't bother even writing about this—it happens all the time—but an AP reporter called me yesterday to comment. I said: Monster's latest breach "shouldn't have happened," said Bruce Schneier, chief security technology officer for BT Group. "But you can't understand a company's network security by looking at public...
Friday Squid Blogging: Squid Cake
Doesn't really look all that tasty....
xkcd on Cryptanalysis
Good xkcd comic on the difference between theoretical and practical cryptanalysis....
Radio Interview with Me
Last Saturday I was interviewed on Paul Harris's Chicago radio show....
List of NSA Video Courses from 1991
Interesting, at least to me. It helps if you know the various code names and the names of the different equipment....
Hacking an Electronic Road Sign
It's easy: cheap lock, and default password. And fun....
Hard Drive Encryption Specification
There's a new hard drive encryption standard, which will make it easier for manufacturers to build encryption into drives. Honestly, I don't think this is really needed. I use PGP Disk, and I haven't noticed any slowdown due to having encryption done in software. And I worry about yet another standard with its inevitable flaws and security vulnerabilities....
Racial Profiling No Better than Random Screening
Not that this is any news, but there's some new research to back it up: The study was performed by William Press, who does bioinformatics research at the University of Texas, Austin, with a joint appointment at Los Alamos National Labs. His background in statistics is apparent in his ability to handle various mathematical formulae with aplomb, but he's apparently...
Confessions Corrupt Eyewitnesses
People confess to crimes they don't commit. They do it a lot. What's interesting about this research is that confessions—whether false or true—corrupt other eyewitnesses: Abstract A confession is potent evidence, persuasive to judges and juries. Is it possible that a confession can also affect other evidence? The present study tested the hypothesis that a confession will alter eyewitnesses' identification...
Cost of the U.S. No-Fly List
Someone did the analysis: As will be analyzed below, it is estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million (an estimate on the high end). Using those figures as low and high potentials, a reasonable estimate is that the U.S. government has spent over $500 million on...
Making Cameras Go Click
There's a bill in Congress—unlikely to go anywhere—to force digital cameras to go "click." The idea is that this will make surreptitious photography harder: The bill's text says that Congress has found that "children and adolescents have been exploited by photographs taken in dressing rooms and public places with the use of a camera phone." This is so silly it...
Evaluating Risks of Low-Probability High-Cost Events
"Probing the Improbable: Methodological Challenges for Risks with Low Probabilities and High Stakes," by Toby Ord, Rafaela Hillerbrand, Anders Sandberg. Abstract: Some risks have extremely high stakes. For example, a worldwide pandemic or asteroid impact could potentially kill more than a billion people. Comfortingly, scientific calculations often put very low probabilities on the occurrence of such catastrophes. In this paper,...
Airlines Defining Anyone Disruptive as Terrorists
From the Los Angeles Times: Freeman is one of at least 200 people on flights who have been convicted under the amended law. In most of the cases, there was no evidence that the passengers had attempted to hijack the airplane or physically attack any of the flight crew. Many have simply involved raised voices, foul language and drunken behavior....
Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device (SQUID)
New security device: But what if an officer could lay down a road trap in seconds, then activate it from a nearby hiding place? What if—like sea monsters of ancient lore—the trap could reach up from below to ensnare anything from a MINI Cooper to a Ford Expedition? What if this trap were as small as a spare tire, as...
Jeffrey Rosen on the Department of Homeland Security
Excellent article: The same elements of psychology lead people to exaggerate the likelihood of terrorist attacks: Images of terrifying but highly unusual catastrophes on television—such as the World Trade Center collapsing—are far more memorable than images of more mundane and more prevalent threats, like dying in car crashes. Psychologists call this the "availability heuristic," in which people estimate the probability...
Interview with an Adware Developer
Fascinating: I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they're the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you're using IE, then either you don't care or you don't know about all the vulnerabilities that IE has. IE has...
Helping the Terrorists
It regularly comes as a surprise to people that our own infrastructure can be used against us. And in the wake of terrorist attacks or plots, there are fear-induced calls to ban, disrupt or control that infrastructure. According to officials investigating the Mumbai attacks, the terrorists used images from Google Earth to help learn their way around. This isn't the...
The Exclusionary Rule and Security
Earlier this month, the Supreme Court ruled that evidence gathered as a result of errors in a police database is admissible in court. Their narrow decision is wrong, and will only ensure that police databases remain error-filled in the future. The specifics of the case are simple. A computer database said there was a felony arrest warrant pending for Bennie...
A Rational Response to Peanut Allergies and Children
Some parents of children with peanut allergies are not asking their school to ban peanuts. They consider it more important that teachers know which children are likely to have a reaction, and how to deal with it when it happens; i.e., how to use an Epipen. This is a much more resilient response to the threat. It works even when...
Remote Fireworks Launcher
How soon before these people are accused of helping the terrorists? With around a thousand people in the UK injured every year by fireworks, a new electronic remote control 'Firework Launcher' will put safety first and ensure everyone enjoys the Christmas and new year celebrations. This innovative, compact device dramatically reduces the chance of injury by launching fireworks without a flame...
Teaching Risk Analysis in School
Good points: "I regard myself as part of a movement we call risk literacy," Professor Spiegelhalter told The Times. "It should be a basic component of discussion about issues in media, politics and in schools. "We should essentially be teaching the ability to deconstruct the latest media story about a cancer risk or a wonder drug, so people can work...
Risk Mismanagement on Wall Street
Long article from the New York Times Magazine on Wall Street's risk management, and where it went wrong. The most interesting part explains how the incentives for traders encouraged them to take asymmetric risks: trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%. So of course, this is exactly what happened....
BitArmor's No-Breach Guarantee
BitArmor now comes with a security guarantee. They even use me to tout it: "We think this guarantee is going to encourage others to offer similar ones. Bruce Schneier has been calling on the industry to do something like this for a long time," he [BitArmor's CEO] says. Sounds good, until you read the fine print: If your company has...
When Voting Machine Audit Logs Don't Help
Wow: Computer audit logs showing what occurred on a vote tabulation system that lost ballots in the November election are raising more questions not only about how the votes were lost, but also about the general reliability of voting system audit logs to record what occurs during an election and to ensure the integrity of results. The logs, which Threat...
New Police Computer System Impeding Arrests
In Queensland, Australia, policemen are arresting fewer people because their new data-entry system is too annoying: He said police were growing reluctant to make arrests following the latest phased roll-out of QPRIME, or Queensland Police Records Information Management Exchange. "They are reluctant to make arrests and they're showing a lot more discretion in the arrests they make because QPRIME is...
Identity, Authentication, and Authorization
Good essay on why they must remain distinct. I spent a chapter on this in Beyond Fear....
Breach Notification Laws
There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law—"They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing"—is just wrong. Two, it provides statistics to...
The Discovery of TEMPEST
Another recently unclassified NSA document: Jeffrey Friedman, "TEMPEST: A Signal Problem," NSA Cryptologic Spectrum, Summer 1972....
Dognapping
Dognapping -- or, at least, the fear of dognapping -- is on the rise. So people are no longer leaving their dogs tied up outside stores, and are buying leashes that can't be easily cut through....
In-Person Credit Card Scam
Surely this isn't new: Suspects entered the business, selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk which when swiped was rejected by the cash register's computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval...
"The Cost of Fearing Strangers"
Excellent essay from the Freakonomics blog: As we wrote in Freakonomics, most people are pretty terrible at risk assessment. They tend to overstate the risk of dramatic and unlikely events at the expense of more common and boring (if equally devastating) events. A given person might fear a terrorist attack and mad cow disease more than anything in the world,...
Friday Squid Blogging: Your Octopus, Squid and Cephalopod Information Center
Tonmo.com....
Podcast with Me
Cato recorded a podcast with me. Nothing you haven't read before....
Top Eleven Reasons Why Lists of Top Ten Bugs Don't Work
Worth reading....
Michael Chertoff Claims that Hijackings were Routine Prior to 9/11
I missed this interview with DHS Secretary Michael Chertoff from December. It's all worth reading, but I want to point out where he claims that airplane hijackings were routine prior to 9/11: What I can tell you is that in the period prior to September 12, 2001, it was a regular, routine issue to have American aircraft hijacked or blown...
Economic Distress and Fear
This was the Quotation of the Day from January 12: Part of the debtor mentality is a constant, frantically suppressed undercurrent of terror. We have one of the highest debt-to-income ratios in the world, and apparently most of us are two paychecks from the street. Those in power -- governments, employers -- exploit this, to great effect. Frightened people are...
Michael Chertoff Parodied in The Onion
Funny: "While 9/11 has historically always fallen on 9/11, we as Americans need to be prepared for a wide range of dates," Chertoff said during a White House press conference. "There's a chance we could all find ourselves living in a post-6/10 world as early as next July. Unless, that is, we're already living in a pre-2/14 world." "1/1, 1/2,...
Stupid Security Tricks: Key Management
It's smart to encrypt USB memory devices, but it's stupid to attach the encryption key to the device. Health bosses today admitted the memory stick was encrypted, but the password had been attached to the device when it went missing. I'm sure they were so proud that they chose a secure encryption algorithm....
Two Security Camera Studies
From San Francisco: San Francisco's Community Safety Camera Program was launched in late 2005 with the dual goals of fighting crime and providing police investigators with a retroactive investigatory tool. The program placed more than 70 non-monitored cameras in mainly high-crime areas throughout the city. This report released today (January 9, 2009) consists of a multi-disciplinary collaboration examining the program's...
Shaping the Obama Administration's Counterterrorism Strategy
I'm at a two-day conference: Shaping the Obama Administration's Counterterrorism Strategy, sponsored by the Cato Institute in Washington, DC. It's sold out, but you can watch or listen to the event live on the Internet. I'll be on a panel tomorrow at 9:00 AM. I've been told that there's a lively conversation about the conference on Twitter, but -- as...
Bad Password Security at Twitter
Twitter fell to a dictionary attack because the site allowed unlimited failed login attempts: Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts. Coding Horror has more, but -- come on, people -- this is basic stuff....
DHS's Files on Travelers
This is interesting: I had been curious about what's in my travel dossier, so I made a Freedom of Information Act (FOIA) request for a copy. I'm posting here a few sample pages of what officials sent me. My biggest surprise was that the Internet Protocol (I.P.) address of the computer used to buy my tickets via a Web agency...
Movie-Plot Threat: Terrorists Using Insects
Fear sells books: Terrorists could easily contrive an "insect-based" weapon to import an exotic disease, according to an entomologist who's promoting a book on the subject....
Friday Squid Blogging: Bizarre Squid Reproductive Habits
Lots of them: Hoving investigated the reproductive techniques of no fewer than ten different squids and related cuttlefish -- from the twelve-metre long giant squid to a mini-squid of no more than twenty-five millimetres in length. Along the way he made a number of remarkable discoveries. Hoving: "Reproduction is no fun if you're a squid. With one species, the Taningia...
Impersonation
Impersonation isn't new. In 1556, a Frenchman was executed for impersonating Martin Guerre and this week hackers impersonated Barack Obama on Twitter. It's not even unique to humans: mockingbirds, Viceroy butterflies, and the brown octopus all use impersonation as a survival strategy. For people, detecting impersonation is a hard problem for three reasons: we need to verify the identity of...
Allocating Resources: Financial Fraud vs. Terrorism
Interesting trade-off: The FBI has been forced to transfer agents from its counter-terrorism divisions to work on Bernard Madoff's alleged $50 billion fraud scheme as victims of the biggest scam in the world continue to emerge. The Freakonomics blog discusses this: This might lead you to ask an obvious counter-question: Has the anti-terror enforcement since 9/11 in the U.S. helped...
Biometrics
Biometrics may seem new, but they're the oldest form of identification. Tigers recognize each other's scent; penguins recognize calls. Humans recognize each other by sight from across the room, voices on the phone, signatures on contracts and photographs on driver's licenses. Fingerprints have been used to identify people at crime scenes for more than 100 years. What is new about...
Reporting Unruly Football Fans via Text Message
This system is available in most NFL stadiums: Fans still are urged to complain to an usher or call a security hotline in the stadium to report unruly behavior. But text-messaging lines -- typically advertised on stadium scoreboards and on signs where fans gather -- are aimed at allowing tipsters to surreptitiously alert security personnel via cellphone without getting involved...
Censorship on Google Maps
"Blurred Out: 51 Things You Aren't Allowed to See on Google Maps." An interesting list....
Kip Hawley Is Starting to Sound Like Me
Good quote: "In the hurly-burly and the infinite variety of travel, you can end up with nonsensical results in which the T.S.A. person says, 'Well, I'm just following the rules,'" Mr. Hawley said. "But if you have an enemy who is going to study your technology and your process, and if you have something they can figure out a way...
Trends in Counterfeit Currency
It's getting worse: More counterfeiters are using today's ink-jet printers, computers and copiers to make money that's just good enough to pass, he said, even though their product is awful. In the past, he said, the best American counterfeiters were skilled printers who used heavy offset presses to turn out decent 20s, 50s and 100s. Now that kind of work...
Friday Squid Blogging: Climate Change Affects Squids
No surprise, really....
Friday Squid Blogging: Squid Attacks ROV
Video. Looks like a Humboldt squid....
Another Recently Released NSA Document
American Cryptology during the Cold War, 1945-1989, by Thomas R. Johnson: documents 1, 2, 3, 4, 5, and 6. In response to a declassification request by the National Security Archive, the secretive National Security Agency has declassified large portions of a four-part "top-secret Umbra" study, American Cryptology during the Cold War. Despite major redactions, this history discloses much new information...
Schneier on Twitter
This account, "bruceschneier," is not me. This account, "schneier," is me. I have never posted; I don't promise that I ever will....
Forging SSL Certificates
We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates: Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could...
NSA Patent on Network Tampering Detection
The NSA has patented a technique to detect network tampering: The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. Other researchers have looked into this problem in the past...
Matthew Alexander on Torture
Alexander is a former Special Operations interrogator who worked in Iraq in 2006. His op-ed is worth reading: I learned in Iraq that the No. 1 reason foreign fighters flocked there to fight were the abuses carried out at Abu Ghraib and Guantanamo. Our policy of torture was directly and swiftly recruiting fighters for al-Qaeda in Iraq. The large majority...
Shoplifting on the Rise in Bad Economy
From the New York Times: Police departments across the country say that shoplifting arrests are 10 percent to 20 percent higher this year than last. The problem is probably even greater than arrest records indicate since shoplifters are often banned from stores rather than arrested. Much of the increase has come from first-time offenders like Mr. Johnson making rash decisions...
Gunpowder Is Okay to Bring on an Airplane
Putting it in a clear plastic baggie magically makes it safe: Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As...
Friday Squid Blogging: Vandals Wreck Giant Squid Collection
Sad squid news. ...vandals got in by taking advantage of a temporary door, smashed windows and broke display cases containing male and female giant squids each measuring ten metres long as well as skeletons of whales, tortoises, marine birds and fossils. Where was the security?...
Friday Squid Blogging: Bruce Eating Squid
Bruce eating grilled squid in Wuxi, China, earlier this month....
CCTV Cameras Going Unmonitored
This is not surprising at all; when money is scarce, these sorts of things go unfunded. Perhaps the biggest surprise is that people thought the cameras were ever monitored -- generally, they're not....
Securing Cyberspace for the 44th Presidency
"Securing Cyberspace for the 44th Presidency," by the Center for Strategic and International Studies....
U.S. COMSEC History from 1973
Just declassified, this document -- A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973 -- is definitely worth reading. The first sections are highly redacted, but the remainder is fascinating....
Comparing the Security of Electronic Slot Machines and Electronic Voting Machines
From the Washington Post. Other important differences: Slot machines are used every day, 24 hours a day. Electronic voting machines are used, at most, twice a year -- often less frequently. Slot machines involve money. Electronic voting machines involve something much more abstract. Slot machine accuracy is a non-partisan issue. For some reason I can't fathom, electronic voting machine accuracy...
DHS Reality Show
On ABC: Every day the men and women of the Department of Homeland Security patrol more than 100,000 miles of America's borders. This territory includes airports, seaports, land borders, international mail centers, the open seas, mountains, deserts and even cyberspace. Now viewers will get an unprecedented look at the work of these men and women while they use the newest...
Voice Prints
Seems that it's hard: "There is no such thing as a voice print," he said. "It's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does." Many different factors influence how people speak at any particular time and place. "If you're tired or if you have a cold...
Registry of Cell Phone Owners
In Mexico: Also Tuesday, the Senate voted to create a registry of cell phone owners to combat kidnappings and extortions in which gangs often use untraceable mobile phones to make ransom demands. Telecoms would be required to ask purchasers of cell phones or phone memory chips for their names, addresses and fingerprints, and to turn that information over to investigators...
Food in Defense of a Crime
Last year, throwing hot coffee in the face of a store clerk was a new robbery tactic. Now, we have a Pizza Hut delivery man throwing a hot pie in the face of a would-be (armed) mugger....
Schneier on 60 Minutes
I'm on 60 Minutes today. If you're a new reader who has just found me from that show, welcome. Here are links to some of my previous writings about airplane security: Airport Pasta-Sauce Interdiction Considered Harmful The TSA's Useless Photo ID Rules Airline Security a Waste of Cash Airplane Security and Metal Knives I also interviewed Kip Hawley last year....
Security Cartoon: Overly Specific Countermeasures
At President Bush's press conferences....
"Nut Allergy" Fear and Overreaction
Good article: Professor Nicolas Christakis, a professor of medical sociology at Harvard Medical School, told the BMJ there was "a gross over-reaction to the magnitude of the threat" posed by food allergies, and particularly nut allergies. In the US, serious allergic reactions to foods cause just 2,000 of more than 30 million hospitalisations a year and comparatively few deaths --...
Schneier on 60 Minutes
I'll be on 60 Minutes this Sunday. I honestly don't know how it will look; it wasn't my best interview....
Bypassing Airport Checkpoints
From a reader: I always get a giggle from reading about TSA security procedures, because of what I go through during my occasional job at an airport. I repair commercial kitchen cooking equipment -- restaurants etc. On occasion I have to go to restaurants inside a nearby airport terminal to repair equipment, sometimes needing a return trip with parts. So...
James Bamford Interview on the NSA
Worth reading. One excerpt: The problem is that NSA was never designed for what it's doing. It was designed after World War II to prevent another surprise attack from another nation-state, particularly the Soviet Union. And from 1945 or '46 until 1990 or '91, that's what its mission was. That's what every piece of equipment, that's what every person recruited...
Brazilian Logging Firms Hire Hackers to Modify Logging Limits
Interesting: Some Brazilian states used a computerised allocation system to levy how much timber can be logged in each area. However, logging firms attempted to subvert these controls by hiring hackers to break systems and increase the companies' allocations. Greenpeace reckons these types of computer swindles were responsible for the excess export of 1.7 million cubic metres of timber (or...
Ed Felten on TSA Behavioral Screening
Good comment: Now suppose that TSA head Kip Hawley came to you and asked you to submit voluntarily to a pat-down search the next time you travel. And suppose you knew, with complete certainty, that if you agreed to the search, this would magically give the TSA a 0.1% chance of stopping a deadly crime. You'd agree to the search,...
Arming New York City Police with Machine Guns
I have mixed feelings about this: The NYPD wants all 1,000 Police Academy recruits trained to use M4 automatic machine guns - which are now carried only by the 400 cops in its elite Emergency Service Unit - in time for the holiday celebration in Times Square. On the one hand, deploying these weapons seems like a bad idea. On...
Buying Fake Nintendo Consoles Helps Terrorists
Really: Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe. "You might find you plug it in and the adaptor sets on fire or the wires start to melt and stick out," she warned. "When you buy these goods, you're not funding our economy, you're actually funding criminals in these far off places...
Snipers
Really interesting article on snipers: It might be because there's another side to snipers and sniping after all. In particular, even though a sniper will often be personally responsible for huge numbers of deaths -- body counts in the hundreds for an individual shooter are far from unheard of -- as a class snipers kill relatively few people compared to...
How to Steal the Empire State Building
A reporter managed to file legal papers, transferring ownership of the Empire State Building to himself. Yes, it's a stunt: The office of the city register, upon receipt of the phony documents prepared by the newspaper, transferred ownership of the 102-story building from Empire State Land Associates to Nelots Properties, LLC. Nelots is "stolen" spelled backward. To further enhance the...
Killing Robot Being Tested by Lockheed Martin
Wow: The frightening, but fascinatingly cool hovering robot - MKV (Multiple Kill Vehicle), is designed to shoot down enemy ballistic missiles. A video released by the Missile Defense Agency (MDA) shows the MKV being tested at the National Hover Test Facility at Edwards Air Force Base, in California. Inside a large steel cage, Lockheed's MKV lifts off the ground, moves...
Friday Squid Blogging: Petrified Squid
Petrified squid pictures. And a new cartoon....
Influential Security Professionals
I have been named as one of the 25 most influential people in the security industry....
Jim Harper Responds to My Comments on Fingerprinting Foreigners at the Border
Good comments: Anyway, turning someone away from the border is a trivial security against terrorism because terrorists are fungible. Turning away a known terrorist merely inconveniences a terrorist group, which just has to recruit someone different. The 9/11 attacks were conducted for the most part by people who had no known record of terrorism and who arrived on visas granted...
Another Schneier on Security Book Review
Another book review. Remember, you can order your signed copies here. They make great Christmas presents....
More SHA-3 News
NIST has published all 51 first-round candidates. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information. Various people have been trying to benchmark the performance of the candidates, but --...
Remote-Controlled Thermostats
People just don't understand security: Mr. Somsel, in an interview Thursday, said he had done further research and was concerned that the radio signal — or the Internet instructions that would be sent, in an emergency, from utilities' central control stations to the broadcasters sending the FM signal — could be hacked into. That is not possible, said Nicole Tam,...
Audit
As the first digital president, Barack Obama is learning the hard way how difficult it can be to maintain privacy in the information age. Earlier this year, his passport file was snooped by contract workers in the State Department. In October, someone at Immigration and Customs Enforcement leaked information about his aunt's immigration status. And in November, Verizon employees peeked...
Disguised USB Drive
This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or you lose it....
Who Worries About Terrorism?
The paper, "Terrorism-Related Fear and Avoidance Behavior in a Multiethnic Urban Population," is for subscribers only. Abstract Objectives. We sought to determine whether groups traditionally most vulnerable to disasters would be more likely than would be others to perceive population-level risk as high (as measured by the estimated color-coded alert level), would worry more about terrorism, and would avoid activities...
Flying While Armed
Two years ago, all it took to bypass airport security was filling out a form: Grant was flying from Boston to San Diego on Jan. 1, 2007, when he approached an American Airlines ticket counter at Logan International Airport and flashed a badge he carries as a part-time assistant harbor master in Chatham, according to federal prosecutors. Grant, a medical...
Mumbai Terrorists Used Google Earth, Boats, Food
The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people: Google Earth has previously come in for criticism in India, including from the country's former president, A.P.J. Abdul Kalam. Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused...
Tourist Scams
Interesting list of tourist scams: I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and...
Friday Squid Blogging: Colossal Squid Causes Traffic Jam
Remember the colossal squid defrosted live on the Internet? It stopped traffic in Wellington, New Zealand....
Protecting Yourself from Hotel Terrorism
I stand by my quote: Also, my personal security guru, Bruce Schneier, says it's foolish even to worry about hotel safety, because the chances of something happening on any particular night in any particular hotel are vanishingly small. The taxi ride to the hotel is invariably more dangerous than the hotel itself. But if you tend to stay in targeted...
Prisoner Escapes by Mailing Himself Out of Jail
So maybe this isn't an obvious tactic, and maybe large packages coming into a prison are searched more thoroughly than large packages leaving a prison -- but you'd expect prison guards to pay attention to anything large enough for a person to fit into. At the end of his shift, the inmate climbed into a cardboard box and was taken...
Credit Card with One-Time Password Generator
This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn't say if the code is time-based or just sequence-based, but in either case the credit...
Who Falls for those Nigerian 419 Scams Anyway?
This is the story of a woman who sent the scammers $400K: She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for. For more than two years, Spears sent tens and hundreds of thousands of dollars. Everyone she knew, including law enforcement officials, her family and...
TSA Aiding Luggage Thieves
In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph: They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for. Someone should investigate the...
Evolutionary Perspectives of War
This looks like it was a very interesting conference. And here's a random paper on the subject....
Communications During Terrorist Attacks are Not Bad
Twitter was a vital source of information in Mumbai: News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage. The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city....
Lessons from Mumbai
I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of...
Friday Squid Blogging: Cooking a Humboldt Squid
I thought that large squid were too chewy and not very tasty, but this person cooked a 30-pound Humboldt squid....
Terrorism Survival Bundle for Windows Mobile
Seems not to be a joke....
FBI Stoking Fear
Another unsubstantiated terrorist plot: An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system. [...] The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly...
Victoria's Secret Competition Gets Hacked
Colleges aren't assigning enough homework these days. In seriousness, it's hard to prevent ballot stuffing in online polls....
New DHS Head Understands Security
This quote impresses me: Gov. Janet Napolitano, D-Ariz., is smashing the idea of a border wall, stating it would be too expensive, take too long to construct, and be ineffective once completed. "You show me a 50-foot wall and I'll show you a 51-foot ladder at the border. That's the way the border works," Napolitano told the Associated Press. Instead...
Government Can Determine Location of Cell Phones without Telco Help
Interesting: Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that...
Here Comes Everybody Review
In 1937, Ronald Coase answered one of the most perplexing questions in economics: if markets are so great, why do organizations exist? Why don't people just buy and sell their own services in a market instead? Coase, who won the 1991 Nobel Prize in Economics, answered the question by noting a market's transaction costs: buyers and sellers need to find...
The Future of Ephemeral Conversation
When he becomes president, Barack Obama will have to give up his BlackBerry. Aides are concerned that his unofficial conversations would become part of the presidential record, subject to subpoena and eventually made public as part of the country's historical record. This reality of the information age might be particularly stark for the president, but it's no less true for...
BNP Database Leaked
This is a big deal. British National Party (BNP, a far-right nationalist party) membership and contacts list. 12,801 individuals are represented. Contains contact details and notes on selected party members and (possibly) other individuals. The list has been independently verified by Wikileaks staff as predominantly containing current or ex-BNP members, however other individuals who have donated to the BNP or...
Friday Squid Blogging: Preserving Giant Squid
At the Smithsonian: At the centerof the Smithsonian Institution's National Museum of Natural History's gleaming new Sant Ocean Hall lies a preserved giant female squid -- the arresting, spineless star among the vibrant exhibition's animal specimens. Tentacles menacingly outstretched and seemingly frozen in time, the 24-foot squid embodies humans' fascination with the briny deep. But this squid also symbolizes something...
Lego Safe
Nice: You might think that a Lego safe would be easy to open. Maybe just remove a few bricks and you're in. But that's not the case with this thing, the cutting edge of Lego safe technology. The safe weighs 14 pounds and has a motion detecting alarm so it can't be moved without creating a huge ruckus....
Online Age Verification
A discussion of the security trade-off: Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat -- the menace of online sex predators -- with a far more pervasive danger from online marketers like junk food and toy companies that will rush to...
When Sky Marshals Do Bad Things
They're not even close to perfect: Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan. The meta-problem...
Secret German IP Addresses Leaked
From Wikileaks: The PDF document holds a single-page scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true and the document itself has been verified by a demand letter...
RIAA Lawsuits May Be Unconstitutional
Harvard law professor Charles Nesson is arguing, in court, that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is unconstitutional: He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill)...
Skein and SHA-3 News
There are two bugs in the Skein code. They are subtle and esoteric, but they're there. We have revised both the reference and optimized code -- and provided new test vectors -- on the Skein website. A revision of the paper -- Version 1.1 -- has new IVs, new test vectors, and also fixes a few typos in the paper....
Schneier for TSA Administrator
It's been suggested. For the record, I don't want the job. Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine. [...] And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed...
The Neuroscience of Cons
Fascinating: The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS [The Human Oxytocin Mediated Attachment System], the human brain makes us feel good when we help others--this is the basis for attachment to family...