Blogs

An aggregation of our Blog Roll, made up of acmqueue authors.

All Postings, Bruce Schneier:  (3,358 posts)

Source blog: Schneier on Security

Thu, 12 May 2016 10:31:34 UTC

Hacking Gesture-Based Security

Posted By Bruce Schneier

Interesting research: Abdul Serwadda, Vir V. Phoha, Zibo Wang, Rajesh Kumar, and Diksha Shukla, "Robotic Robbery on the Touch Screen," ACM Transactions on Information and System Security, May 2016. Abstract: Despite the tremendous amount of research fronting the use of touch gestures as a mechanism of continuous authentication on smart phones, very little research has been conducted to evaluate how...

Wed, 11 May 2016 19:37:37 UTC

FTC Investigating Android Patching Practices

Posted By Bruce Schneier

It's a known truth that most Android vulnerabilities don't get patched. It's not Google's fault. They release the patches, but the phone carriers don't push them down to their smartphone users. Now the Federal Communications Commission and the Federal Trade Commission are investigating, sending letters to major carriers and device makers. I think this is a good thing. This is...

Wed, 11 May 2016 11:34:50 UTC

New Credit Card Scam

Posted By Bruce Schneier

A criminal ring was arrested in Malaysia for credit card fraud: They would visit the online shopping websites and purchase all their items using phony credit card details while the debugging app was activated. The app would fetch the transaction data from the bank to the online shopping website, and trick the website into believing that the transaction was approved,...

Tue, 10 May 2016 11:15:43 UTC

Children of Spies

Posted By Bruce Schneier

Fascinating story of Tim and Alex Foley, the children of Russian spies Donald Heathfield and Tracey Foley....

Mon, 09 May 2016 18:15:02 UTC

Economist Detained for Doing Math on an Airplane

Posted By Bruce Schneier

An economics professor was detained when he was spotted doing math on an airplane: On Thursday evening, a 40-year-old man -- with dark, curly hair, olive skin and an exotic foreign accent -- boarded a plane. It was a regional jet making a short, uneventful hop from Philadelphia to nearby Syracuse. Or so dozens of unsuspecting passengers thought. The curly-haired...

Mon, 09 May 2016 11:19:22 UTC

NIST Starts Planning for Post-Quantum Cryptography

Posted By Bruce Schneier

Last year, the NSA announced its plans for transitioning to cryptography that is resistant to a quantum computer. Now, it's NIST's turn. Its just-released report talks about the importance of algorithm agility and quantum resistance. Sometime soon, it's going to have a competition for quantum-resistant public-key algorithms: Creating those newer, safer algorithms is the longer-term goal, Moody says. A key...

Fri, 06 May 2016 21:11:56 UTC

Friday Squid Blogging: Firefly Squid in the News

Posted By Bruce Schneier

It's a good time to see firefly squid in Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 May 2016 19:10:23 UTC

Dilbert on Electronic Voting Machines

Posted By Bruce Schneier

Accurate (the cartoon, not the machines)....

Fri, 06 May 2016 11:12:29 UTC

White House Report on Big Data Discrimination

Posted By Bruce Schneier

The White House has released a report on big-data discrimination. From the blog post: Using case studies on credit lending, employment, higher education, and criminal justice, the report we are releasing today illustrates how big data techniques can be used to detect bias and prevent discrimination. It also demonstrates the risks involved, particularly how technologies can deliberately or inadvertently perpetuate,...

Thu, 05 May 2016 11:31:32 UTC

Own a Pair of Clipper Chips

Posted By Bruce Schneier

The AT&T TSD was an early 1990s telephone encryption device. It was digital. Voice quality was okay. And it was the device that contained the infamous Clipper Chip, the U.S. government's first attempt to put a back door into everyone's communications. Marcus Ranum is selling a pair on eBay. He has the decryption wrong, though. The TSD-3600-E is the model...

Wed, 04 May 2016 19:28:45 UTC

$7 Million Social Media Privacy Mistake

Posted By Bruce Schneier

Forbes estimates that football player Laremy Tunsil lost $7 million in salary because of an ill-advised personal video made public....

Wed, 04 May 2016 11:51:25 UTC

Credential Stealing as an Attack Vector

Posted By Bruce Schneier

Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant. This is all important, but what's missing is a recognition that...

Tue, 03 May 2016 18:10:03 UTC

Julian Sanchez on the Feinstein-Burr Bill

Posted By Bruce Schneier

Two excellent posts....

Mon, 02 May 2016 20:45:31 UTC

Fake Security Conferences

Posted By Bruce Schneier

Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story....

Mon, 02 May 2016 14:01:13 UTC

Vulnerabilities in Samsung's SmartThings

Posted By Bruce Schneier

Interesting research: Earlence Fernandes, Jaeyeon Jung, and Atul Prakash, "Security Analysis of Emerging Smart Home Applications": Abstract: Recently, several competing smart home programming frameworks that support third party app development have emerged. These frameworks provide tangible benefits to users, but can also expose users to significant security risks. This paper presents the first in-depth empirical security analysis of one such...

Fri, 29 Apr 2016 21:05:18 UTC

Friday Squid Blogging: Global Squid Shortage

Posted By Bruce Schneier

There's a squid shortage along the Pacific coast of the Americas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Apr 2016 18:02:33 UTC

I'm Writing a Book on Security

Posted By Bruce Schneier

I'm writing a book on security in the highly connected Internet-of-Things World. Tentative title: Click Here to Kill Everything: Peril and Promise in a Hyper-connected World. There are two underlying metaphors in the book. The first is what I have called the World-Sized Web, which is that combination of mobile, cloud, persistence, personalization, agents, cyber-physical systems, and the Internet of...

Fri, 29 Apr 2016 11:28:27 UTC

Documenting the Chilling Effects of NSA Surveillance

Posted By Bruce Schneier

In Data and Goliath, I talk about the self-censorship that comes along with broad surveillance. This interesting research documents this phenomenon in Wikipedia: "Chilling Effects: Online Surveillance and Wikipedia Use," by Jon Penney, Berkeley Technology Law Journal, 2016. Abstract: This article discusses the results of the first empirical study providing evidence of regulatory "chilling effects" of Wikipedia users associated with...

Thu, 28 Apr 2016 13:20:03 UTC

Amazon Unlimited Fraud

Posted By Bruce Schneier

Amazon Unlimited is an all-you-can-read service. You pay one price and can read anything that's in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they...

Wed, 27 Apr 2016 11:46:47 UTC

Two Good Readings on the Encryption "Going Dark" Debate

Posted By Bruce Schneier

Testimonies of Matt Blaze and Danny Weitzner, both on April 19th before the House Energy and Commerce Committee. And the hearing....

Tue, 26 Apr 2016 14:33:29 UTC

People Trust Robots, Even When They Don't Inspire Trust

Posted By Bruce Schneier

Interesting research: In the study, sponsored in part by the Air Force Office of Scientific Research (AFOSR), the researchers recruited a group of 42 volunteers, most of them college students, and asked them to follow a brightly colored robot that had the words "Emergency Guide Robot" on its side. The robot led the study subjects to a conference room, where...

Mon, 25 Apr 2016 17:07:29 UTC

Graffiti by Drone

Posted By Bruce Schneier

Drones can graffiti walls that no person can reach. (Note that wired.com blocks ad blockers. My trick is to copy the page and then paste it into my text editor.)...

Mon, 25 Apr 2016 10:54:26 UTC

BlackBerry's Global Encryption Key

Posted By Bruce Schneier

Last week there was a big news story about the BlackBerry encryption. The news was that all BlackBerry devices share a global encryption key, and that the Canadian RCMP has a copy of it. Stupid design, certainly, but it's not news. As The Register points out, this has been repeatedly reported on since 2010. And note that this only holds...

Fri, 22 Apr 2016 21:24:32 UTC

Friday Squid Blogging: My Little Cephalopod

Posted By Bruce Schneier

I assume this is more amusing to people who know about My Little Pony. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Apr 2016 19:19:13 UTC

Encryption Backdoor Cartoons

Posted By Bruce Schneier

Dilbert has a series: 1, 2, 3, 4, and 5. SMBC. And three more that make it clear this is a security vs. surveillance debate. Also this....

Fri, 22 Apr 2016 11:22:22 UTC

Cheating in Bicycle Races with Tiny Hidden Motors

Posted By Bruce Schneier

If doping weren't enough, cyclists are cheating in races by hiding tiny motors in their bicycles. There are many detection techniques: For its report, Stade 2 positioned a thermal imaging camera along the route of the Strade Bianche, an Italian professional men's race in March held mostly on unpaved roads and featuring many steep climbs. The rear hub of one...

Thu, 21 Apr 2016 11:42:08 UTC

How Hacking Team Got Hacked

Posted By Bruce Schneier

The hacker who hacked Hacking Team posted a lengthy description of how he broke into the company and stole everything. Two articles. ETA: This post originally had a pastebin.com link to the original post, but it seems to have been taken down....

Wed, 20 Apr 2016 11:27:26 UTC

Helen Nissenbaum on Regulating Data Collection and Use

Posted By Bruce Schneier

NYU's Helen Nissenbaum gave an excellent lecture at Brown University last month, where she rebutted those who think that we should not regulate data collection, only data use: something she calls "big data exceptionalism." Basically, this is the idea that collecting the "haystack" isn't the problem; it's what is done with it that is. (I discuss this same topic in...

Tue, 19 Apr 2016 18:39:09 UTC

GCHQ Gets Involved in Mundane Surveillance Matters

Posted By Bruce Schneier

GCHQ detected a potential pre-publication leak of a Harry Potter book, and alerted the publisher. Is this what British national intelligence is supposed to be doing?...

Tue, 19 Apr 2016 10:59:01 UTC

Details about Juniper's Firewall Backdoor

Posted By Bruce Schneier

Last year, we learned about a backdoor in Juniper firewalls, one that seems to have been added into the code base. There's now some good research: "A Systematic Analysis of the Juniper Dual EC Incident," by Stephen Checkoway, Shaanan Cohney, Christina Garman, Matthew Green, Nadia Heninger, Jacob Maskiewicz, Eric Rescorla, Hovav Shacham, and Ralf-Philipp Weinmann: Abstract: In December 2015, Juniper...

Mon, 18 Apr 2016 17:46:00 UTC

Kuwaiti Government will DNA Test Everyone

Posted By Bruce Schneier

There's a new law that will enforce DNA testing for everyone: citizens, expatriates, and visitors. They promise that the program "does not include genealogical implications or affects personal freedoms and privacy." I assume that "visitors" includes tourists, so presumably the entry procedure at passport control will now include a cheek swab. And there is nothing preventing the Kuwaiti government from...

Mon, 18 Apr 2016 11:00:04 UTC

Security Risks of Shortened URLs

Posted By Bruce Schneier

Shortened URLs, produced by services like bit.ly and goo.gl, can be brute-forced. And searching random shortened URLs yields all sorts of secret documents. Plus, many of them can be edited, and can be infected with malware. Academic paper. Blog post with lots of detail....

Fri, 15 Apr 2016 21:25:14 UTC

Friday Squid Blogging: Replicating Reflecting Squid Tissue

Posted By Bruce Schneier

New research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Apr 2016 11:52:21 UTC

IRS Security

Posted By Bruce Schneier

Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What's our money being spent on? Do we have a government worth paying for? I'm not here to answer any of those questions -- I'm here to give you something else to think about. In addition to sending the IRS your...

Thu, 14 Apr 2016 11:44:47 UTC

Cheating in Marathon Running

Posted By Bruce Schneier

Story of Julie Miller, who cheated in multiple triathlon races: The difference between cheating in 1980 and cheating today is that it's much harder to get away with now. What trips up contemporary cheaters, Empfield said, is their false assumption that the only thing they have to worry about is their timing chip, the device they wear that records their...

Wed, 13 Apr 2016 11:51:08 UTC

Smartphone Forensics to Detect Distraction

Posted By Bruce Schneier

The company Cellebrite is developing a portable forensics device that would determine if a smartphone user was using the phone at a particular time. The idea is to test phones of drivers after accidents: Under the first-of-its-kind legislation proposed in New York, drivers involved in accidents would have to submit their phone to roadside testing from a textalyzer to determine...

Tue, 12 Apr 2016 11:39:59 UTC

Hacking Lottery Machines

Posted By Bruce Schneier

Interesting article about how a former security director of the US Multi-State Lottery Association hacked the random-number generator in lottery software so he could predict the winning numbers. For several years, Eddie Tipton, the former security director of the US Multi-State Lottery Association, installed software code that allowed him to predict winning numbers on specific days of the year, investigators...

Mon, 11 Apr 2016 19:06:10 UTC

2016 Protocols Workshop

Posted By Bruce Schneier

Ross Anderson has liveblogged the 24th International Workshop on Security Protocols in Brno, Czech Republic....

Mon, 11 Apr 2016 11:49:54 UTC

Scams from the 1800s

Posted By Bruce Schneier

They feel quaint today: But in the spring of 1859, folks were concerned about another kind of hustle: A man who went by the name of A.V. Lamartine drifted from town to town in the Midwest -- pretending to attempt suicide. He would walk into a hotel -- according to newspaper accounts from Salem, Ore., to Richmond, Va., and other...

Fri, 08 Apr 2016 21:30:27 UTC

Friday Squid Blogging: Cooking with Squid Ink

Posted By Bruce Schneier

Risotto nero and more. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Apr 2016 17:27:58 UTC

Security Lessons from the Game of Werewolf

Posted By Bruce Schneier

I can't believe I haven't posted this before....

Fri, 08 Apr 2016 11:39:51 UTC

Breaking Semantic Image CAPTCHAs

Posted By Bruce Schneier

Interesting research: Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs": Abstract: Since their inception, captchas have been widely used for preventing fraudsters from performing illicit actions. Nevertheless, economic incentives have resulted in an arms race, where fraudsters develop automated solvers and, in turn, captcha services tweak their design to break the...

Thu, 07 Apr 2016 11:39:35 UTC

Bypassing Phone Security through Social Engineering

Posted By Bruce Schneier

This works: Khan was arrested in mid-July 2015. Undercover police officers posing as company managers arrived at his workplace and asked to check his driver and work records, according to the source. When they disputed where he was on a particular day, he got out his iPhone and showed them the record of his work. The undercover officers asked to...

Wed, 06 Apr 2016 17:47:42 UTC

IBM Officially Owns Resilient Systems

Posted By Bruce Schneier

It's officially final; IBM has "completed the acquisition" of Resilient Systems, Inc. We are now "Resilient: an IBM Company." As I expected when I announced this acquisition, I am staying on as the CTO of Resilient and something like Senior Advisor to IBM Security -- we're still working on the exact title. Everything I've seen so far indicates that this...

Wed, 06 Apr 2016 15:27:32 UTC

CONIKS

Posted By Bruce Schneier

CONIKS is a new easy-to-use transparent key-management system: CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to...

Tue, 05 Apr 2016 15:04:13 UTC

WhatsApp is Now End-to-End Encrypted

Posted By Bruce Schneier

WhatsApp is now end-to-end encrypted....

Mon, 04 Apr 2016 19:41:30 UTC

Data and Goliath Sale

Posted By Bruce Schneier

I have a bunch of extra copies of my book Data and Goliath, and I am selling them at a discount. Details here....

Sun, 03 Apr 2016 11:42:35 UTC

Smart Essay on the Limitations of Anti-Terrorism Security

Posted By Bruce Schneier

This is good: Threats constantly change, yet our political discourse suggests that our vulnerabilities are simply for lack of resources, commitment or competence. Sometimes, that is true. But mostly we are vulnerable because we choose to be; because we've accepted, at least implicitly, that some risk is tolerable. A state that could stop every suicide bomber wouldn't be a free...

Fri, 01 Apr 2016 21:26:55 UTC

Friday Squid Blogging: Composite Materials Based on Squid Beaks

Posted By Bruce Schneier

Squid-based research is yielding composites that are both strong and flexible. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Apr 2016 20:16:11 UTC

Reddit's Warrant Canary Just Died

Posted By Bruce Schneier

Reddit has received a National Security Letter. I have long discounted warrant canaries. A gag order is serious, and this sort of high-school trick won't fool judges for a minute. But so far they seem to be working. Now we have another question: now what? We have one piece of information, but not a very useful one. We know that...

Fri, 01 Apr 2016 14:50:51 UTC

Hacking Elections in Latin America

Posted By Bruce Schneier

Long and interesting article about a fixer who hacked multiple elections in Latin America. This isn't election hacking as in manipulating the voting machines or the vote counting, but hacking and social-media dirty tricks leading up to the election....

Thu, 31 Mar 2016 11:10:57 UTC

ISIS Encryption Opsec

Posted By Bruce Schneier

Tidbits from the New York Times: The final phase of Mr. Hame's training took place at an Internet cafe in Raqqa, where an Islamic State computer specialist handed him a USB key. It contained CCleaner, a program used to erase a user's online history on a given computer, as well as TrueCrypt, an encryption program that was widely available at...

Wed, 30 Mar 2016 21:54:40 UTC

Lawful Hacking and Continuing Vulnerabilities

Posted By Bruce Schneier

The FBI's legal battle with Apple is over, but the way it ended may not be good news for anyone. Federal agents had been seeking to compel Apple to break the security of an iPhone 5c that had been used by one of the San Bernardino, Calif., terrorists. Apple had been fighting a court order to cooperate with the FBI,...

Tue, 29 Mar 2016 17:58:10 UTC

Mass Surveillance Silences Minority Opinions

Posted By Bruce Schneier

Research paper: Elizabeth Stoycheff, "Under Surveillance: Examining Facebook's Spiral of Silence Effects in the Wake of NSA Internet Monitoring": Abstract: Since Edward Snowden exposed the National Security Agency's use of controversial online surveillance programs in 2013, there has been widespread speculation about the potentially deleterious effects of online government monitoring. This study explores how perceptions and justification of surveillance practices...

Mon, 28 Mar 2016 18:05:17 UTC

A 1976 Congressional Report on Surveillance

Posted By Bruce Schneier

Here's a 1,300-page Congressional report on "surveillance technology" from 1976....

Mon, 28 Mar 2016 11:46:24 UTC

Power on the Internet

Posted By Bruce Schneier

Interesting paper: Yochai Benkler, "Degrees of Freedom, Dimensions of Power," Daedalus, winter 2016: Abstract: The original Internet design combined technical, organizational, and cultural characteristics that decentralized power along diverse dimensions. Decentralized institutional, technical, and market power maximized freedom to operate and innovate at the expense of control. Market developments have introduced new points of control. Mobile and cloud computing, the...

Fri, 25 Mar 2016 21:28:58 UTC

Friday Squid Blogging: President Squid

Posted By Bruce Schneier

New children's book....

Fri, 25 Mar 2016 17:26:55 UTC

Memphis Airport Inadvertently Gets Security Right

Posted By Bruce Schneier

A local newspaper recently tested airport security at Memphis Airport: Our crew sat for 30 minutes in the passenger drop-off area Tuesday without a word from anyone, and that raised a number of eyebrows. Certainly raised mine. Here's my question: why is that a bad thing? If you're worried about a car bomb, why do you think length of time...

Fri, 25 Mar 2016 11:31:51 UTC

Interesting Lottery Terminal Hack

Posted By Bruce Schneier

It was a manipulation of the terminals. The 5 Card Cash game was suspended in November after Connecticut Lottery and state Department of Consumer Protection officials noticed there were more winning tickets than the game's parameters should have allowed. The game remains suspended. An investigation determined that some lottery retailers were manipulating lottery machines to print more instant winner tickets...

Thu, 24 Mar 2016 17:34:53 UTC

FBI vs. Apple: Who Is Helping the FBI?

Posted By Bruce Schneier

On Monday, the FBI asked the court for a two-week delay in a scheduled hearing on the San Bernardino iPhone case, because some "third party" approached it with a way into the phone. It wanted time to test this access method. Who approached the FBI? We have no idea. I have avoided speculation because the story makes no sense. Why...

Thu, 24 Mar 2016 11:37:45 UTC

Cryptography Is Harder Than It Looks

Posted By Bruce Schneier

Writing a magazine column is always an exercise in time travel. I'm writing these words in early December. You're reading them in February. This means anything that's news as I write this will be old hat in two months, and anything that's news to you hasn't happened yet as I'm writing. This past November, a group of researchers found some...

Wed, 23 Mar 2016 18:03:20 UTC

FBI's Cyber Most Wanted List

Posted By Bruce Schneier

The FBI just added two members of the Syrian Electronic Army to its cyber most-wanted list. I had no idea that the FBI had a cyber most-wanted list....

Wed, 23 Mar 2016 11:20:37 UTC

1981 US Document on Encryption Policy

Posted By Bruce Schneier

This was newly released under FOIA at my request: Victor C. Williams, Jr., Donn B. Parker, and Charles C. Wood, "Impacts of Federal Policy Options for Nonmilitary Cryptography," NTIA-CR-81-10, National Telecommunications and Information Administration, U.S. Department of Commerce, June 1981. It argues that cryptography is an important enabling technology. At this point, it's only of historical value....

Tue, 22 Mar 2016 11:37:57 UTC

Observations on the Surveillance that Resulted in the Capture of Salah Abdeslam

Posted By Bruce Schneier

Interesting analysis from The Grugq: Bottom Line Up Front Intelligence agencies must cooperate more rapidly and proactively to counter ISIS' rapid and haphazard operational tempo. Clandestine operatives must rely on support networks that include overt members of the public. These networks are easily mapped out based on metadata available to nation state level security forces. Fugitives should learn to cook...

Mon, 21 Mar 2016 18:45:47 UTC

iMessage Encryption Flaw Found and Fixed

Posted By Bruce Schneier

Matthew Green and team found and reported a significant iMessage encryption flaw last year. Green suspected there might be a flaw in iMessage last year after he read an Apple security guide describing the encryption process and it struck him as weak. He said he alerted the firm's engineers to his concern. When a few months passed and the flaw...

Mon, 21 Mar 2016 11:53:27 UTC

Brennan Center Report on NSA Overseas Spying and Executive Order 12333

Posted By Bruce Schneier

The Brennan Center has released a report on EO 12333, the executive order that regulates the NSA's overseas surveillance. Much of what the NSA does here is secret and, even though the EO is designed for foreign surveillance, Americans are regularly swept up in the NSA's collection operations: Despite a series of significant disclosures, the scope of these operations, as...

Fri, 18 Mar 2016 21:08:33 UTC

Friday Squid Blogging: Braised Squid With Harissa and Olives

Posted By Bruce Schneier

Recommended recipe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 Mar 2016 19:39:42 UTC

I'm a Wall Street Journal Acrostic Answer

Posted By Bruce Schneier

A quote from Data and Goliath is the answer to a Wall Street Journal acrostic. It's not the same as being a New York Times crossword puzzle answer, but it's close....

Fri, 18 Mar 2016 16:27:02 UTC

Companies Handing Source Code Over to Governments

Posted By Bruce Schneier

ZDNet has an article on US government pressure on software companies to hand over copies of their source code. There are no details because no one is talking on the record, but I also believe that this is happening. When asked, a spokesperson for the Justice Dept. acknowledged that the department has demanded source code and private encryption keys before. These...

Thu, 17 Mar 2016 14:54:35 UTC

New NIST Encryption Guidelines

Posted By Bruce Schneier

NIST has published a draft of their new standard for encryption use: "NIST Special Publication 800-175B, Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms." In it, the Escrowed Encryption Standard from the 1990s, FIPS-185, is no longer certified. And Skipjack, NSA's symmetric algorithm from the same period, will no longer be certified. I see nothing sinister about...

Wed, 16 Mar 2016 11:12:38 UTC

Another FBI Filing on the San Bernardino iPhone Case

Posted By Bruce Schneier

The FBI's reply to Apple is more of a character assassination attempt than a legal argument. It's as if it only cares about public opinion at this point. Although notice the threat in footnote 9 on page 22: For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and...

Tue, 15 Mar 2016 17:37:34 UTC

Financial Cryptography 2016

Posted By Bruce Schneier

Ross Anderson liveblogged this year's Financial Cryptography conference....

Tue, 15 Mar 2016 11:17:33 UTC

Possible Government Demand for WhatsApp Backdoor

Posted By Bruce Schneier

The New York Times is reporting that WhatsApp, and its parent company Facebook, may be headed to court over encrypted chat data that the FBI can't decrypt. This case is fundamentally different from the Apple iPhone case. In that case, the FBI is demanding that Apple create a hacking tool to exploit an already existing vulnerability in the iPhone 5c,...

Mon, 14 Mar 2016 17:59:04 UTC

Punishment and Trust

Posted By Bruce Schneier

Interesting research: "Third-party punishment as a costly signal of trustworthiness," by Jillian J. Jordan, Moshe Hoffman, Paul Bloom, and David G. Rand, Nature: Abstract: Third-party punishment (TPP), in which unaffected observers punish selfishness, promotes cooperation by deterring defection. But why should individuals choose to bear the costs of punishing? We present a game theoretic model of TPP as a costly signal...

Sun, 13 Mar 2016 11:32:00 UTC

Analysis of Yemeni Cell Phone Metadata

Posted By Bruce Schneier

This research shows the power of cell phone metadata. From an article by the author: Yemen has experienced an array of violent incidents and political turmoil in recent years, ranging from al Qaeda militant attacks to drone strikes, Arab Spring protests, and now Saudi Arabian air strikes. Call patterns can capture political or violent activities as they unravel in real...

Fri, 11 Mar 2016 22:21:06 UTC

Friday Squid Blogging: Squid Scientists on Tumblr

Posted By Bruce Schneier

Really great Tumblr feed. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Mar 2016 12:17:47 UTC

Leaked ISIS Documents

Posted By Bruce Schneier

Looks like tens of thousands of ISIS documents have been leaked. Where did they come from? We don't know: Documents listing the names of Islamic State fighters have been touted around the Middle East for months, dangled in front of media outlets for large sums of money. [...] Ramsay said he met the source of the documents in Turkey, an...

Thu, 10 Mar 2016 20:16:44 UTC

Espionage Tactics Against Tibetans

Posted By Bruce Schneier

A Citizen Lab research study of Chinese attack and espionage tactics against Tibetan networks and users. This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We detail how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing that draws on "inside" knowledge of community activities. This...

Thu, 10 Mar 2016 14:26:09 UTC

Hidden Credit Card Skimmers

Posted By Bruce Schneier

New credit card skimmers are hidden inside the card readers, making them impossible to spot. EDITED TO ADD (3/11): Brian Krebs on this from over a year ago....

Wed, 09 Mar 2016 19:43:10 UTC

Plagiarism in Crossword Puzzles

Posted By Bruce Schneier

Yet another fraud discovered through data analysis. EDITED TO ADD (3/11): More....

Wed, 09 Mar 2016 12:11:54 UTC

Hacking Ukraine's Power Grid

Posted By Bruce Schneier

This is an excellent article on the December hack of Ukraine's power grid....

Wed, 24 Feb 2016 18:05:45 UTC

Eavesdropping by the Foscam Security Camera

Posted By Bruce Schneier

Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera: Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek...

Wed, 24 Feb 2016 12:05:53 UTC

Research on Balancing Privacy with Surveillance

Posted By Bruce Schneier

Interesting research: Michael Kearns, Aaron Roth, Zhiwei Steven Wu, and Grigory Yaroslavtsev, "Private algorithms for the protected in social network search," PNAS, Jan 2016: Abstract: Motivated by tensions between data privacy for individual citizens and societal priorities such as counterterrorism and the containment of infectious disease, we introduce a computational model that distinguishes between parties for whom privacy is explicitly...

Tue, 23 Feb 2016 18:18:57 UTC

The Ads vs. Ad Blockers Arms Race

Posted By Bruce Schneier

For the past month or so, Forbes has been blocking browsers with ad blockers. Today, I tried to access a Wired article and the site blocked me for the same reason. I see this as another battle in this continuing arms race, and hope/expect that the ad blockers will update themselves to fool the ad blocker detectors. But in a...

Tue, 23 Feb 2016 11:49:24 UTC

Practical TEMPEST Attack

Posted By Bruce Schneier

Four researchers have demonstrated a TEMPEST attack against a laptop, recovering its keys by listening to its electrical emanations. The cost for the attack hardware was about $3,000. News article: To test the hack, the researchers first sent the target a specific ciphertext -- in other words, an encrypted message. "During the decryption of the chosen ciphertext, we measure the...

Mon, 22 Feb 2016 20:30:07 UTC

Security Vulnerability in glibc DNS

Posted By Bruce Schneier

It's a really bad one....

Mon, 22 Feb 2016 12:58:25 UTC

Decrypting an iPhone for the FBI

Posted By Bruce Schneier

Earlier this week, a federal magistrate ordered Apple to assist the FBI in hacking into the iPhone used by one of the San Bernardino shooters. Apple will fight this order in court. The policy implications are complicated. The FBI wants to set a precedent that tech companies will assist law enforcement in breaking their users' security, and the technology community...

Fri, 19 Feb 2016 22:17:22 UTC

Friday Squid Blogging: Up Close and Personal with a Giant Squid

Posted By Bruce Schneier

Fascinating story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Feb 2016 12:34:21 UTC

Security Implications of Cash

Posted By Bruce Schneier

I saw two related stories today. The first is about high-denomination currency. The EU is considering dropping its 500-euro note, on the grounds that only criminals need to move around that much cash. In response, Switzerland said that it is not dropping its 1,000-Swiss franc note. Of course, the US leads the way in small money here; its biggest banknote...

Thu, 18 Feb 2016 12:02:29 UTC

Underage Hacker Is behind Attacks against US Government

Posted By Bruce Schneier

It's a teenager: British police have arrested a teenager who allegedly was behind a series of audacious -- and, for senior U.S. national security officials, embarrassing -- hacks targeting personal accounts of top brass at the CIA, FBI, Homeland Security Department, the White House and other federal agencies, according to U.S. officials briefed on the investigation. [...] The prominent victims...

Wed, 17 Feb 2016 20:15:45 UTC

Judge Demands that Apple Backdoor an iPhone

Posted By Bruce Schneier

A judge has ordered that Apple bypass iPhone security in order for the FBI to attempt a brute-force password attack on an iPhone 5c used by one of the San Bernardino killers. Apple is refusing. The order is pretty specific technically. This implies to me that what the FBI is asking for is technically possible, and even that Apple assisted...

Wed, 17 Feb 2016 11:18:44 UTC

Enabling Trust by Consensus

Posted By Bruce Schneier

Trust is a complex social phenomenon, captured very poorly by the binary nature of Internet trust systems. This paper proposes a social consensus system of trust: "Do You Believe in Tinker Bell? The Social Externalities of Trust," by Khaled Baqer and Ross Anderson. From the abstract: Inspired by Tinker Bell, we propose a new approach: a trust service whose power...

Tue, 16 Feb 2016 19:45:11 UTC

Using Eagles to Intercept Drones

Posted By Bruce Schneier

Both Dutch and UK police are training eagles to attack drones....

Tue, 16 Feb 2016 12:27:02 UTC

Fear and Anxiety

Posted By Bruce Schneier

More psychological research on our reaction to terrorism and mass violence: The researchers collected posts on Twitter made in response to the 2012 shooting attack at Sandy Hook Elementary School in Newtown, Connecticut. They looked at tweets about the school shooting over a five-and-a-half-month period to see whether people used different language in connection with the event depending on how...

Mon, 15 Feb 2016 12:19:06 UTC

Survey of the Dark Web

Posted By Bruce Schneier

Interesting paper on the dark web: Daniel Moore & Thomas Rid, "Cryptopolitik and the Darknet," Survival, 2016. (Technical annex here -- requires the Tor browser.) They conclude that it's mostly used for illegal activity. No surprise, really, but it's good to have actual research to back it up. Press coverage....

Fri, 12 Feb 2016 22:05:58 UTC

Friday Squid Blogging: Pajama Squid

Posted By Bruce Schneier

The Monterey Bay Aquarium has a pajama squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Feb 2016 18:16:28 UTC

Fitbit Data Reveals Pregnancy

Posted By Bruce Schneier

A man learned his wife was pregnant from her Fitbit data. The details of the story are weird. The man posted the data to Reddit and asked for analysis help. But the point is that the data can reveal pregnancy, and this might not be something a person wants to tell a company who can sell that information for profit....

Fri, 12 Feb 2016 12:19:02 UTC

Determining Physical Location on the Internet

Posted By Bruce Schneier

Interesting research: "CPV: Delay-based Location Verification for the Internet": Abstract: The number of location-aware services over the Internet continues growing. Some of these require the client's geographic location for security-sensitive applications. Examples include location-aware authentication, location-aware access policies, fraud prevention, complying with media licensing, and regulating online gambling/voting. An adversary can evade existing geolocation techniques, e.g., by faking GPS coordinates...

Thu, 11 Feb 2016 17:05:33 UTC

Worldwide Encryption Products Survey

Posted By Bruce Schneier

Today I released my worldwide survey of encryption products. The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to...

Thu, 11 Feb 2016 12:13:58 UTC

Make Privacy a 2016 Election Issue

Posted By Bruce Schneier

EPIC has just launched "Data Protection 2016" to try to make privacy an issue in this year's elections. You can buy swag....

Wed, 10 Feb 2016 19:59:32 UTC

AT&T Does Not Care about Your Privacy

Posted By Bruce Schneier

AT&T's CEO believes that the company should not offer robust security to its customers: But tech company leaders aren't all joining the fight against the deliberate weakening of encryption. AT&T CEO Randall Stephenson said this week that AT&T, Apple, and other tech companies shouldn't have any say in the debate. "I don't think it is Silicon Valley's decision to make...

Wed, 10 Feb 2016 11:29:00 UTC

10,000-Year-Old Warfare

Posted By Bruce Schneier

Evidence of primitive warfare from Kenya's Rift Valley....

Tue, 09 Feb 2016 21:25:27 UTC

The 2016 National Threat Assessment

Posted By Bruce Schneier

It's National Threat Assessment Day. Published annually by the Director of National Intelligence, the "Worldwide Threat Assessment of the US Intelligence Community" is the US intelligence community's one time to publicly talk about the threats in general. The document is the result of weeks of work and input from lots of people. For Clapper, it's his chance to shape the...

Tue, 09 Feb 2016 12:25:51 UTC

Large-Scale FBI Hacking

Posted By Bruce Schneier

As part of a child pornography investigation, the FBI hacked into over 1,300 computers. But after Playpen was seized, it wasn't immediately closed down, unlike previous dark web sites that have been shuttered by law enforcement. Instead, the FBI ran Playpen from its own servers in Newington, Virginia, from February 20 to March 4, reads a complaint filed against a...

Mon, 08 Feb 2016 20:11:54 UTC

Data and Goliath Published in Paperback

Posted By Bruce Schneier

Today, Data and Goliath is being published in paperback. Everyone tells me that the paperback version sells better than the hardcover, even though it's a year later. I can't really imagine that there are tens of thousands of people who wouldn't spend $28 on a hardcover but are happy to spend $18 on the paperback, but we'll see. (Amazon has...

Mon, 08 Feb 2016 12:52:21 UTC

Exploiting Google Maps for Fraud

Posted By Bruce Schneier

The New York Times has a long article on fraudulent locksmiths. The scam is a basic one: quote a low price on the phone, but charge much more once you show up and do the work. But the method by which the scammers get victims is new. They exploit Google's crowdsourced system for identifying businesses on their maps. The scammers...

Fri, 05 Feb 2016 22:55:53 UTC

Friday Squid Blogging: Squid Knitting Pattern

Posted By Bruce Schneier

Surprisingly realistic for a knitted stuffed animal....

Fri, 05 Feb 2016 21:15:21 UTC

NSA Reorganizing

Posted By Bruce Schneier

The NSA is undergoing a major reorganization, combining its attack and defense sides into a single organization: In place of the Signals Intelligence and Information Assurance directorates -- the organizations that historically have spied on foreign targets and defended classified networks against spying, respectively -- the NSA is creating a Directorate of Operations that combines the operational elements of each....

Fri, 05 Feb 2016 12:56:58 UTC

Tracking Anonymous Web Users

Posted By Bruce Schneier

This research shows how to track e-commerce users better across multiple sessions, even when they do not provide unique identifiers such as user IDs or cookies. Abstract: Targeting individual consumers has become a hallmark of direct and digital marketing, particularly as it has become easier to identify customers as they interact repeatedly with a company. However, across a wide variety...

Thu, 04 Feb 2016 12:18:27 UTC

The Internet of Things Will Be the World's Biggest Robot

Posted By Bruce Schneier

The Internet of Things is the name given to the computerization of everything in our lives. Already you can buy Internet-enabled thermostats, light bulbs, refrigerators, and cars. Soon everything will be on the Internet: the things we own, the things we interact with in public, autonomous things that interact with each other. These "things" will have two separate parts. One...

Wed, 03 Feb 2016 12:09:02 UTC

Security vs. Surveillance

Posted By Bruce Schneier

Both the "going dark" metaphor of FBI Director James Comey and the contrasting "golden age of surveillance" metaphor of privacy law professor Peter Swire focus on the value of data to law enforcement. As framed in the media, encryption debates are about whether law enforcement should have surreptitious access to data, or whether companies should be allowed to provide strong...

Tue, 02 Feb 2016 20:20:09 UTC

Paper on the Going Dark Debate

Posted By Bruce Schneier

I am pleased to have been a part of this report, part of the Berkman Center's Berklett Cybersecurity project: Don't Panic: Making Progress on the "Going Dark" Debate From the report: In this report, we question whether the "going dark" metaphor accurately describes the state of affairs. Are we really headed to a future in which our ability to effectively...

Tue, 02 Feb 2016 13:11:56 UTC

More Details on the NSA Switching to Quantum-Resistant Cryptography

Posted By Bruce Schneier

The NSA is publicly moving away from cryptographic algorithms vulnerable to cryptanalysis using a quantum computer. It just published a FAQ about the process: Q: Is there a quantum resistant public-key algorithm that commercial vendors should adopt? A: While a number of interesting quantum resistant public key algorithms have been proposed external to NSA, nothing has been standardized by NIST,...

Mon, 01 Feb 2016 20:27:09 UTC

NSA and GCHQ Hacked Israeli Drone Feeds

Posted By Bruce Schneier

The NSA and GCHQ have successfully hacked Israel's drones, according to the Snowden documents. The story is being reported by the Intercept and Der Spiegel. The Times of Israel has more....

Mon, 01 Feb 2016 12:42:50 UTC

NSA's TAO Head on Internet Offense and Defense

Posted By Bruce Schneier

Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) group -- basically the country's chief hacker -- spoke in public earlier this week. He talked both about how the NSA hacks into networks, and what network defenders can do to protect themselves. Here's a video of the talk, and here are two good summaries. Intrusion Phases Reconnaissance Initial...

Fri, 29 Jan 2016 22:23:16 UTC

Friday Squid Blogging: Polynesian Squid Hook

Posted By Bruce Schneier

From 1909, for squid fishing. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Jan 2016 20:21:36 UTC

Encryption Backdoor Comic

Posted By Bruce Schneier

"Support our Snoops."...

Fri, 29 Jan 2016 13:29:20 UTC

Integrity and Availability Threats

Posted By Bruce Schneier

Cyberthreats are changing. We're worried about hackers crashing airplanes by hacking into computer networks. We're worried about hackers remotely disabling cars. We're worried about manipulated counts from electronic voting booths, remote murder through hacked medical devices and someone hacking an Internet thermostat to turn off the heat and freeze the pipes. The traditional academic way of thinking about information security...

Thu, 28 Jan 2016 12:18:14 UTC

Psychological Model of Selfishness

Posted By Bruce Schneier

This is interesting: Game theory decision-making is based entirely on reason, but humans don't always behave rationally. David Rand, assistant professor of psychology, economics, cognitive science, and management at Yale University, and psychology doctoral student Adam Bear incorporated theories on intuition into their model, allowing agents to make a decision either based on instinct or rational deliberation. In the model,...

Wed, 27 Jan 2016 12:20:47 UTC

Horrible Story of Digital Harassment

Posted By Bruce Schneier

This is just awful. Their troll -- or trolls, as the case may be -- have harassed Paul and Amy in nearly every way imaginable. Bomb threats have been made under their names. Police cars and fire trucks have arrived at their house in the middle of the night to respond to fake hostage calls. Their email and social media...

Tue, 26 Jan 2016 12:33:58 UTC

Data-Driven Policing

Posted By Bruce Schneier

Good article from the Washington Post....

Mon, 25 Jan 2016 12:25:32 UTC

Shodan Lets You Browse Insecure Webcams

Posted By Bruce Schneier

There's a lot out there: The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.... Slashdot thread....

Fri, 22 Jan 2016 22:19:17 UTC

Friday Squid Blogging: North Coast Squid

Posted By Bruce Schneier

North Coast Squid is a local writing journal from Manzanita, Oregon. It's going to publish its fifth edition this year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Jan 2016 20:23:29 UTC

UK Government Promoting Backdoor-Enabled Voice Encryption Protocol

Posted By Bruce Schneier

The UK government is pushing something called the MIKEY-SAKKE protocol to secure voice. Basically, it's an identity-based system that necessarily requires a trusted key-distribution center. So key escrow is inherently built in, and there's no perfect forward secrecy. The only reasonable explanation for designing a protocol with these properties is third-party eavesdropping. Steven Murdoch has explained the details. The upshot:...

Fri, 22 Jan 2016 12:44:09 UTC

Security Trade-offs in the Longbow vs. Crossbow Decision

Posted By Bruce Schneier

Interesting research: Douglas W. Allen and Peter T. Leeson, "Institutionally Constrained Technology Adoption: Resolving the Longbow Puzzle," Journal of Law and Economics, v. 58, Aug 2015. Abstract: For over a century the longbow reigned as undisputed king of medieval European missile weapons. Yet only England used the longbow as a mainstay in its military arsenal; France and Scotland clung to...

Thu, 21 Jan 2016 12:19:41 UTC

El Chapo's Opsec

Posted By Bruce Schneier

I've already written about Sean Penn's opsec while communicating with El Chapo. Here's the technique of mirroring, explained: El Chapo then switched to a complex system of using BBM (Blackberry's Instant Messaging) and Proxies. The way it worked was if you needed to contact The Boss, you would send a BBM text to an intermediary (who would spend his days...

Wed, 20 Jan 2016 11:02:05 UTC

France Rejects Back Doors in Encryption Products

Posted By Bruce Schneier

For the right reasons too: Axelle Lemaire, the Euro nation's digital affairs minister, shot down the amendment during the committee stage of the forthcoming omnibus digital bill, saying it would be counterproductive and would leave personal data unprotected. "Recent events show how the fact of introducing faults deliberately at the request - sometimes even without knowing - the intelligence agencies...

Tue, 19 Jan 2016 20:34:01 UTC

Reverse-Engineering a Zero-Day Exploit from the Hacking Team Data Dump

Posted By Bruce Schneier

Last July, a still-anonymous hacker broke into the network belonging to the cyberweapons arms manufacturer Hacking Team, and dumped an enormous amount of its proprietary documents online. Kaspersky Labs was able to reverse-engineer one of its zero-day exploits from that data....

Mon, 18 Jan 2016 19:36:24 UTC

Counterfeit Theater Tickets in New York

Posted By Bruce Schneier

Counterfeiters are making tickets for the Broadway show "Hamilton." Counterfeiting is much easier when the person you're passing the fakes off to doesn't know what the real thing is supposed to look like....

Mon, 18 Jan 2016 16:50:46 UTC

Match Fixing in Tennis

Posted By Bruce Schneier

The BBC and Buzzfeed are jointly reporting on match fixing in tennis. Their story is based partially on leaked documents and partly on data analysis. BuzzFeed News began its investigation after devising an algorithm to analyse gambling on professional tennis matches over the past seven years. It identified 15 players who regularly lost matches in which heavily lopsided betting appeared...

Sat, 16 Jan 2016 11:26:37 UTC

Should We Allow Bulk Searching of Cloud Archives?

Posted By Bruce Schneier

Jonathan Zittrain proposes a very interesting hypothetical: Suppose a laptop were found at the apartment of one of the perpetrators of last year's Paris attacks. It's searched by the authorities pursuant to a warrant, and they find a file on the laptop that's a set of instructions for carrying out the attacks. The discovery would surely help in the prosecution...

Fri, 15 Jan 2016 12:45:03 UTC

Spamming Someone from PayPal

Posted By Bruce Schneier

Troy Hunt has identified a new spam vector. PayPal allows someone to send someone else a $0 invoice. The spam is in the notes field. But it's a legitimate e-mail from PayPal, so it evades many of the traditional spam filters. Presumably it doesn't cost anything to send a $0 invoice via PayPal. Hopefully, the company will close this loophole...

Thu, 14 Jan 2016 20:13:39 UTC

Fighting DRM in the W3C

Posted By Bruce Schneier

Cory Doctorow has a good post on the EFF website about how they're trying to fight digital rights management software in the World Wide Web Consortium. So we came back with a new proposal: the W3C could have its cake and eat it too. It could adopt a rule that requires members who help make DRM standards to promise not...

Thu, 14 Jan 2016 12:32:21 UTC

Sean Penn's Opsec

Posted By Bruce Schneier

This article talks about the opsec used by Sean Penn surrounding his meeting with El Chapo. Security experts say there aren't enough public details to fully analyze Penn's operational security (opsec). But they described the paragraph above as "incomprehensible" and "gibberish." Let's try to break it down: Penn describes using "TracPhones," by which he likely means TracFones, which are cheap...

Wed, 13 Jan 2016 11:35:45 UTC

The Internet of Things that Talks About You Behind Your Back

Posted By Bruce Schneier

SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that...

Tue, 12 Jan 2016 19:22:35 UTC

Michael Hayden and the Dutch Government Are against Crypto Backdoors

Posted By Bruce Schneier

Last week, former NSA Director Michael Hayden made a very strong argument against deliberately weakening security products by adding backdoors: Americans' safety is best served by the highest level of technology possible, and that the country's intelligence agencies have figured out ways to get around encryption. "Before any civil libertarians want to come up to me afterwards and get my...

Mon, 11 Jan 2016 20:33:13 UTC

Mac OS X, iOS, and Flash Had the Most Discovered Vulnerabilities in 2015

Posted By Bruce Schneier

Interesting analysis: Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple's Mac OS X, with 384 vulnerabilities. The runner-up? Apple's iOS, with 375 vulnerabilities. Rounding out the top five are Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison,...

Mon, 11 Jan 2016 12:45:43 UTC

IT Security and the Normalization of Deviance

Posted By Bruce Schneier

Professional pilot Ron Rapp has written a fascinating article on a 2014 Gulfstream plane that crashed on takeoff. The accident was 100% human error and entirely preventable -- the pilots ignored procedures and checklists and warning signs again and again. Rapp uses it as an example of what systems theorists call the "normalization of deviance," a term coined by sociologist Diane...

Fri, 08 Jan 2016 22:05:43 UTC

Friday Squid Blogging: Squid Ink Pasta

Posted By Bruce Schneier

Squid ink pasta is not hard to make, and is a really good side for a wide variety of fish recipes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Jan 2016 20:15:36 UTC

Podcast Interview with Me

Posted By Bruce Schneier

The Technoskeptic has posted a good interview with me on its website. Normally it charges for its content, but this interview is available for free....

Fri, 08 Jan 2016 18:54:20 UTC

"How Stories Deceive"

Posted By Bruce Schneier

Fascinating New Yorker article about Samantha Azzopardi, serial con artist and deceiver. The article is really about how our brains allow stories to deceive us: Stories bring us together. We can talk about them and bond over them. They are shared knowledge, shared legend, and shared history; often, they shape our shared future. Stories are so natural that we don't...

Fri, 08 Jan 2016 11:21:29 UTC

Replacing Judgment with Algorithms

Posted By Bruce Schneier

China is considering a new "social credit" system, designed to rate everyone's trustworthiness. Many fear that it will become a tool of social control -- but in reality it has a lot in common with the algorithms and systems that score and classify us all every day. Human judgment is being replaced by automatic algorithms, and that brings with it...

Thu, 07 Jan 2016 13:00:35 UTC

Straight Talk about Terrorism

Posted By Bruce Schneier

Nice essay that lists ten "truths" about terrorism: We can't keep the bad guys out. Besides, the threat is already inside. More surveillance won't get rid of terrorism, either. Defeating the Islamic State won't make terrorism go away. Terrorism still remains a relatively minor threat, statistically speaking. But don't relax too much, because things will probably get worse before they...

Wed, 06 Jan 2016 12:14:13 UTC

How the US Is Playing Both Ends on Data Privacy

Posted By Bruce Schneier

There's an excellent article in Foreign Affairs on how the European insistence on data privacy -- most recently illustrated by their invalidation of the "safe harbor" agreement -- is really about the US talking out of both sides of its mouth on the issue: championing privacy in public, but spying on everyone in private. As long as the US keeps...

Tue, 05 Jan 2016 18:44:09 UTC

1981 CIA Report on Deception

Posted By Bruce Schneier

Recently declassified: Deception Maxims: Fact and Folklore, Office of Research and Development, Central Intelligence Agency, June 1981. Research on deception and con games has advanced in the past 25 years, but this is still interesting to read....

Tue, 05 Jan 2016 12:36:19 UTC

NSA Spies on Israeli Prime Minister

Posted By Bruce Schneier

The Wall Street Journal has a story that the NSA spied on Israeli Prime Minister Benjamin Netanyahu and other Israeli government officials, and incidentally collected conversations between US citizens -- including lawmakers -- and those officials. US lawmakers who are usually completely fine with NSA surveillance are aghast at this behavior, as both Glenn Greenwald and Trevor Timm explain. Greenwald:...

Mon, 04 Jan 2016 19:14:44 UTC

Windows 10 Whole-Disk Encryption without Key Escrow

Posted By Bruce Schneier

On the Intercept, Micah Lee has a good article that talks about how Microsoft is collecting the hard-drive encryption keys of Windows 10 users, and how to disable that "feature."...

Mon, 04 Jan 2016 13:41:03 UTC

De-Anonymizing Users from their Coding Styles

Posted By Bruce Schneier

Interesting blog post: We are able to de-anonymize executable binaries of 20 programmers with 96% correct classification accuracy. In the de-anonymization process, the machine learning classifier trains on 8 executable binaries for each programmer to generate numeric representations of their coding styles. Such a high accuracy with this small amount of training data has not been reached in previous attempts....

Fri, 01 Jan 2016 18:29:08 UTC

Friday Squid Blogging: Video of Live Giant Squid

Posted By Bruce Schneier

Giant squid filmed swimming through a harbor in Japan: Reports in Japanese say that the creature was filmed on December 24, seen by an underwater camera swimming near boat moorings. It was reportedly about 13 feet long and 3 feet around. Some on Twitter have suggested that the species may be Architeuthis, a deep-ocean dwelling creature that can grow up...

Thu, 31 Dec 2015 12:12:29 UTC

Cory Doctorow on Software Security and the Internet of Things

Posted By Bruce Schneier

Cory Doctorow has a good essay on software integrity and control problems and the Internet of Things. He's writing about self-driving cars, but the issue is much more general. Basically, we're going to want systems that prevent their owner from making certain changes to them. We know how to do this: digital rights management. We also know that this solution...

Wed, 30 Dec 2015 12:29:01 UTC

Another Scandal Resulting from E-mails Gone Public

Posted By Bruce Schneier

A lot of Pennsylvania government officials are being hurt as a result of e-mails being made public. This is all the result of a political pressure to release the emails, and not an organizational doxing attack, but the effects are the same. Our psychology of e-mail doesn't match the reality. We treat them as ephemeral, even though they're not. And...

Tue, 29 Dec 2015 18:25:53 UTC

PayPal Authentication Still Substandard

Posted By Bruce Schneier

Brian Krebs has the story. Bottom line: PayPal has no excuse for this kind of stuff. I hope the public shaming incents them to offer better authentication for their customers....

Tue, 29 Dec 2015 11:58:00 UTC

DMCA and the Internet of Things

Posted By Bruce Schneier

In theory, the Internet of Things -- the connected network of tiny computers inside home appliances, household objects, even clothing -- promises to make your life easier and your work more efficient. These computers will communicate with each other and the Internet in homes and public spaces, collecting data about their environment and making changes based on the information they...

Mon, 28 Dec 2015 12:54:58 UTC

NSA/GCHQ Exploits Against Juniper Networking Equipment

Posted By Bruce Schneier

The Intercept just published a 2011 GCHQ document outlining their exploit capabilities against Juniper networking equipment, including routers and NetScreen firewalls as part of this article. GCHQ currently has capabilities against: Juniper NetScreen Firewalls models Ns5gt, N25, NS50, NS500, NS204, NS208, NS5200, NS5000, SSG5, SSG20, SSG140, ISG 1000, ISG 2000. Some reverse engineering may be required depending on firmware revisions. Juniper...

Fri, 25 Dec 2015 21:00:45 UTC

Friday Squid Blogging: Squid Christmas

Posted By Bruce Schneier

Squid sighting in this Christmas cartoon. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And Happy Christmas for those who celebrate it....

Thu, 24 Dec 2015 19:24:20 UTC

Burglary Footage Turned into Commercial

Posted By Bruce Schneier

Earlier this month, a Las Vegas taco shop was robbed in the middle of the night. The restaurant took the surveillance-video footage and turned it into a combination commercial for their tacos and request for help identifying the burglars....

Thu, 24 Dec 2015 14:18:29 UTC

Police Dog Sniffs for Hard Drives

Posted By Bruce Schneier

This weird story describes a "porn dog" that is trained to find hidden hard drives. It's used in child porn investigations. I suppose it's reasonable that computer disks have a particular chemical smell, but I wonder what it is....

Wed, 23 Dec 2015 12:48:22 UTC

Using Law Against Technology

Posted By Bruce Schneier

On Thursday, a Brazilian judge ordered the text messaging service WhatsApp shut down for 48 hours. It was a monumental action. WhatsApp is the most popular app in Brazil, used by about 100 million people. The Brazilian telecoms hate the service because it entices people away from more expensive text messaging services, and they have been lobbying for months to...

Tue, 22 Dec 2015 12:34:22 UTC

More Writings on the Second Crypto Wars

Posted By Bruce Schneier

Two things to read: "Wanting It Bad Enough Won't Make It Work: Why Adding Backdoors and Weakening Encryption Threatens the Internet," by Meredith Whittaker and Ben Laurie. "The Second Crypto War is Not about Crypto," by Jaap-Henk Hoepman....

Mon, 21 Dec 2015 19:09:59 UTC

"The Medieval Origins of Mass Surveillance"

Posted By Bruce Schneier

This interesting article by medieval historian Amanda Power traces our culture's relationship with the concept of mass surveillance from the medieval characterization of the Christian god and how piety was policed by the church: What is all this but a fundamental trust in the experience of being watched? One must wonder about the subtle, unspoken fear of the consequences of...

Mon, 21 Dec 2015 12:52:17 UTC

Back Door in Juniper Firewalls

Posted By Bruce Schneier

Juniper has warned about a malicious back door in their firewalls that automatically decrypts VPN traffic. It's been there for years. Hopefully details are forthcoming, but the folks at Hacker News have pointed to this page about Juniper's use of the Dual_EC_DRBG random number generator. For those who don't immediately recognize that name, it's the pseudo-random-number generator that was back-doored...

Fri, 18 Dec 2015 22:11:20 UTC

Friday Squid Blogging: Penguins Fight over Squid

Posted By Bruce Schneier

Watch this video of gentoo penguins fighting over a large squid. This underwater brawl was captured on a video camera taped to the back of the second penguin, revealing this unexpected foraging behaviour for the first time. "This is completely new behaviour, not just for gentoo penguins but for penguins in general," says Jonathan Handley, a doctoral student at Nelson...

Fri, 18 Dec 2015 18:29:27 UTC

GCHQ Holiday Puzzle

Posted By Bruce Schneier

If you like puzzles, GCHQ has one for you. Just don't let it distract you from fighting the UK legislation giving the GCHQ new surveillance powers....

Fri, 18 Dec 2015 12:35:28 UTC

25th Anniversary of the Landmark Unix Security Book

Posted By Bruce Schneier

Gene Spafford writes about the history of Practical Unix Security....

Thu, 17 Dec 2015 18:06:24 UTC

Catalog of Police Surveillance Equipment

Posted By Bruce Schneier

The Intercept has "a secret, internal U.S. government catalogue of dozens of cellphone surveillance devices used by the military and by intelligence agencies." Lot of detailed information about Stingrays and similar equipment....

Thu, 17 Dec 2015 12:46:52 UTC

User Errors Often Compromise Encryption

Posted By Bruce Schneier

This should come as no surprise: users often compromise their own security by making mistakes setting up and using their encryption apps. Paper: "On the Security and Usability of Crypto Phones," by Maliheh Shirvanian and Nitesh Saxena, Proceedings of ACSAC 2015....

Wed, 16 Dec 2015 12:28:30 UTC

DOS Attack Against Los Angeles Schools

Posted By Bruce Schneier

Yesterday, the city of Los Angeles closed all of its schools -- over 1,000 schools -- because of a bomb threat. It was a hoax. LA officials defended the move, with that city's police chief dismissing the criticism as "irresponsible." "It is very easy in hindsight to criticize a decision based on results the decider could never have known," Chief...

Tue, 15 Dec 2015 06:19:24 UTC

Attack Against DNS Root Servers

Posted By Bruce Schneier

Has anyone been following the attack against the DNS root servers two weeks ago? Details. I can't precisely explain why, but this feels like someone testing an attack capability. For defense: it's long past time to implement source address validation in the DNS system....

Mon, 14 Dec 2015 18:17:43 UTC

"Security Theater" Sighting

Posted By Bruce Schneier

In a Schlock Mercenary comic....

Mon, 14 Dec 2015 11:46:45 UTC

Good Swatting Story

Posted By Bruce Schneier

The New York Times Magazine has a good story about swatting, centering around a Canadian teenager who did it over a hundred times....

Fri, 11 Dec 2015 22:02:49 UTC

Friday Squid Blogging: Rare Octopus Squid Video from Hawaii

Posted By Bruce Schneier

Neat: While the Dana octopus squid may lack a squid's trademark trailing tentacles, it makes up for them in spectacular lighting equipment, with two of its muscular arms ending in lidded light organs called "photophores." About the size of lemons, these photophores are the largest known light-producing organs in the animal kingdom, said Mike Vecchione, a zoologist at the NOAA...

Fri, 11 Dec 2015 20:56:01 UTC

Resilient Systems News: End-of-Year Trends Webinar

Posted By Bruce Schneier

I'll be participating in an end-of-year trends and predictions webinar on Thursday, December 17, at 1:00 PM EST. Join me here. In other news, Resilient has joined the IBM Security App Exchange community. And we're still hiring for a bunch of positions....

Fri, 11 Dec 2015 12:48:12 UTC

Hit-and-Run Driver Arrested Because Car Reported Accident

Posted By Bruce Schneier

A Florida woman drove away after an accident, but her car automatically reported it anyway. She was arrested....

Thu, 10 Dec 2015 12:54:19 UTC

How People Learn about Computer Security

Posted By Bruce Schneier

Interesting research: "Identifying patterns in informal sources of security information," by Emilee Rader and Rick Wash, Journal of Cybersecurity, 1 Dec 2015. Abstract: Computer users have access to computer security information from many different sources, but few people receive explicit computer security training. Despite this lack of formal education, users regularly make many important security decisions, such as "Should I...

Wed, 09 Dec 2015 19:48:10 UTC

Terrifying Technologies

Posted By Bruce Schneier

I've written about the difference between risk perception and risk reality. I thought about that when reading this list of Americans' top technology fears:

Cyberterrorism
Corporate tracking of personal information
Government tracking of personal information
Robots replacing workforce
Trusting artificial intelligence to do work
Robots
Artificial intelligence
Technology I don't understand

More at the link....

Tue, 08 Dec 2015 13:25:00 UTC

How Israel Regulates Encryption

Posted By Bruce Schneier

Interesting essay about how Israel regulates encryption: ...the Israeli encryption control mechanisms operate without directly legislating any form of encryption-key depositories, built-in back or front door access points, or other similar requirements. Instead, Israel's system emphasizes smooth initial licensing processes and cultivates government-private sector collaboration. These processes help ensure that Israeli authorities are apprised of the latest encryption and cyber...

Mon, 07 Dec 2015 11:35:33 UTC

Forced Authorization Attacks Against Chip-and-Pin Credit Card Terminals

Posted By Bruce Schneier

Clever: The way forced authorisation fraud works is that the retailer sets up the terminal for a transaction by inserting the customer's card and entering the amount, then hands the terminal over to the customer so they can type in the PIN. But the criminal has used a stolen or counterfeit card, and due to the high value of the...

Fri, 04 Dec 2015 22:22:35 UTC

Friday Squid Blogging: North Korean Squid Fisherman Found Dead in Boats

Posted By Bruce Schneier

I don't know if you've been following the story of the boats full of corpses that have been found in Japanese waters: Over the past two months, at least 12 wooden boats have been found adrift or on the coast, carrying chilling cargo -- the decaying bodies of 22 people, police and Japan's coast guard said. All the bodies were...

Fri, 04 Dec 2015 12:40:36 UTC

BlackBerry Leaves Pakistan Rather Than Provide a Government Backdoor

Posted By Bruce Schneier

BlackBerry has chosen to shut down operations in Pakistan rather than provide the government with backdoor access to encrypted communications. Pakistan is a relatively small market, but still....

Thu, 03 Dec 2015 20:49:42 UTC

The Moral Dimension of Cryptography

Posted By Bruce Schneier

Phil Rogaway has written an excellent paper titled "The Moral Character of Cryptography Work." In it, he exhorts cryptographers to consider the morality of their research, and to build systems that enhance privacy rather than diminish it. It is very much worth reading....

Thu, 03 Dec 2015 13:55:29 UTC

Worldwide Cryptographic Products Survey: Edits and Additions Wanted

Posted By Bruce Schneier

Back in September, I announced my intention to survey the world market of cryptographic products. The goal is to compile a list of both free and commercial encryption products that can be used to protect arbitrary data and messages. That is, I'm not interested in products that are specifically designed for a narrow application, like financial transactions, or products that...

Wed, 02 Dec 2015 12:14:38 UTC

Security vs. Business Flexibility

Posted By Bruce Schneier

This article demonstrates that security is less important than functionality. When asked about their preference if they needed to choose between IT security and business flexibility, 71 percent of respondents said that security should be equally or more important than business flexibility. But show them the money and things change, when the same people were asked if they would take...

Tue, 01 Dec 2015 11:41:31 UTC

Tracking Someone Using LifeLock

Posted By Bruce Schneier

Someone opened a LifeLock account in his ex-wife's name, and used the service to track her bank accounts, credit cards, and other financial activities. The article is mostly about how appalling LifeLock was about this, but I'm more interested in the surveillance possibilities. Certainly the FBI can use LifeLock to surveil people with a warrant. The FBI/NSA can also collect...

Mon, 30 Nov 2015 18:47:30 UTC

A History of Privacy

Posted By Bruce Schneier

This New Yorker article traces the history of privacy from the mid 1800s to today: As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes...

Mon, 30 Nov 2015 12:05:00 UTC

Cryptanalysis of Algebraic Eraser

Posted By Bruce Schneier

Algebraic Eraser is a public-key key-agreement protocol that's patented and being pushed by a company for the Internet of Things, primarily because it is efficient on small low-power devices. There's a new cryptanalytic attack. This is yet another demonstration of why you should not choose proprietary encryption over public algorithms and protocols. The good stuff is not patented. News article....

Fri, 27 Nov 2015 22:19:19 UTC

Friday Squid Blogging: Squid Necklace

Posted By Bruce Schneier

She's calling it an octopus, but it's a squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Nov 2015 20:21:40 UTC

Data and Goliath in German

Posted By Bruce Schneier

The German edition of Data and Goliath has been published....

Fri, 27 Nov 2015 12:45:01 UTC

Defending against Actual IT Threats

Posted By Bruce Schneier

Roger Grimes has written an interesting paper: "Implementing a Data-Driven Computer Security Defense." His thesis is that most organizations don't match their defenses to the actual risks. His paper explains how it got to be this way, and how to fix it....

Wed, 25 Nov 2015 13:06:47 UTC

NSA Lectures on Communications Security from 1973

Posted By Bruce Schneier

Newly declassified: "A History of U.S. Communications Security (Volumes I and II)," the David G. Boak Lectures, National Security Agency (NSA), 1973. (The document was initially declassified in 2008. We just got a whole bunch of additional material declassified. Both versions are in the document, so you can compare and see what was kept secret seven years ago.)...

Tue, 24 Nov 2015 19:37:33 UTC

NSA Collected Americans' E-mails Even After it Stopped Collecting Americans' E-mails

Posted By Bruce Schneier

In 2011, the Bush administration authorized -- almost certainly illegally -- the NSA to conduct bulk electronic surveillance on Americans: phone calls, e-mails, financial information, and so on. We learned a lot about the bulk phone metadata collection program from the documents provided by Edward Snowden, and it was the focus of debate surrounding the USA FREEDOM Act. E-mail metadata...

Tue, 24 Nov 2015 12:32:54 UTC

Policy Repercussions of the Paris Terrorist Attacks

Posted By Bruce Schneier

In 2013, in the early days of the Snowden leaks, Harvard Law School professor and former Assistant Attorney General Jack Goldsmith reflected on the increase in NSA surveillance post 9/11. He wrote: Two important lessons of the last dozen years are (1) the government will increase its powers to meet the national security threat fully (because the People demand it),...

Mon, 23 Nov 2015 18:03:02 UTC

Voter Surveillance

Posted By Bruce Schneier

There hasn't been that much written about surveillance and big data being used to manipulate voters. In Data and Goliath, I wrote: Unique harms can arise from the use of surveillance data in politics. Election politics is very much a type of marketing, and politicians are starting to use personalized marketing's capability to discriminate as a way to track voting...

Fri, 20 Nov 2015 22:30:09 UTC

Friday Squid Blogging: Squid Spawning in South Australian Waters

Posted By Bruce Schneier

Divers are counting them: Squid gather and mate with as many partners as possible, then die, in an annual ritual off Rapid Head on the Fleurieu Peninsula, south of Adelaide. Department of Environment divers will check the waters and gather data on how many eggs are left by the spawning squid. No word on how many are expected. Ten? Ten...

Fri, 20 Nov 2015 13:04:19 UTC

Reputation in the Information Age

Posted By Bruce Schneier

Reputation is a social mechanism by which we come to trust one another, in all aspects of our society. I see it as a security mechanism. The promise and threat of a change in reputation entices us all to be trustworthy, which in turn enables others to trust us. In a very real sense, reputation enables friendships, commerce, and everything...

Thu, 19 Nov 2015 12:16:04 UTC

RFID-Shielded, Ultra-Strong Duffel Bags

Posted By Bruce Schneier

They're for carrying cash through dangerous territory: SDR Traveller caters to people who, for one reason or another, need to haul huge amounts of cash money through dangerous territory. The bags are made from a super strong, super light synthetic material designed for yacht sails, are RFID-shielded, and are rated by how much cash in US$100 bills each can carry.......

Wed, 18 Nov 2015 21:35:10 UTC

Paris Terrorists Use Double ROT-13 Encryption

Posted By Bruce Schneier

That is, no encryption at all. The Intercept has the story: "Yet news emerging from Paris -- as well as evidence from a Belgian ISIS raid in January -- suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted. European media outlets are reporting that the location of...

Wed, 18 Nov 2015 12:59:53 UTC

Ads Surreptitiously Using Sound to Communicate Across Devices

Posted By Bruce Schneier

This is creepy and disturbing: Privacy advocates are warning federal authorities of a new threat that uses inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers. The ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser....

Tue, 17 Nov 2015 18:03:00 UTC

On CISA

Posted By Bruce Schneier

I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They're now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.) Now that it's...

Tue, 17 Nov 2015 12:36:48 UTC

Refuse to Be Terrorized

Posted By Bruce Schneier

Paul Krugman has written a really good update of my 2006 essay. Krugman: So what can we say about how to respond to terrorism? Before the atrocities in Paris, the West's general response involved a mix of policing, precaution, and military action. All involved difficult tradeoffs: surveillance versus privacy, protection versus freedom of movement, denying terrorists safe havens versus the...

Mon, 16 Nov 2015 20:39:07 UTC

Paris Attacks Blamed on Strong Cryptography and Edward Snowden

Posted By Bruce Schneier

Well, that didn't take long: As Paris reels from terrorist attacks that have claimed at least 128 lives, fierce blame for the carnage is being directed toward American whistleblower Edward Snowden and the spread of strong encryption catalyzed by his actions. Now the Paris attacks are being used an excuse to demand back doors. CIA Director John Brennan chimed in,...

Mon, 16 Nov 2015 12:19:43 UTC

Did Carnegie Mellon Attack Tor for the FBI?

Posted By Bruce Schneier

There's pretty strong evidence that the team of researchers from Carnegie Mellon University who canceled their scheduled 2015 Black Hat talk deanonymized Tor users for the FBI. Details are in this Vice story and this Wired story (and these two follow-on Vice stories, https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users). And here's the reaction from the Tor Project. Nicholas Weaver guessed this back in January. The behavior...

Fri, 13 Nov 2015 22:22:09 UTC

Friday Squid Blogging: Squid Fishing Championship

Posted By Bruce Schneier

It's an annual event in Hvar, Croatia....

Fri, 13 Nov 2015 20:25:13 UTC

Amazon Chooses Data and Goliath as a Best Book of 2015

Posted By Bruce Schneier

Amazon chose Data and Goliath as one of its Best Books of 2015, in both the nonfiction and business categories....

Fri, 13 Nov 2015 12:08:51 UTC

Personal Data Sharing by Mobile Apps

Posted By Bruce Schneier

Interesting research: "Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps," by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney. We tested 110 popular, free Android and iOS apps to look for apps that shared personal, behavioral, and location data with third parties. 73% of Android...

Thu, 12 Nov 2015 20:28:51 UTC

Testing the Usability of PGP Encryption Tools

Posted By Bruce Schneier

"Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client," by Scott Ruoti, Jeff Andersen, Daniel Zappala, and Kent Seamons. Abstract: This paper presents the results of a laboratory study involving Mailvelope, a modern PGP client that integrates tightly with existing webmail providers. In our study, we brought in pairs of participants and had them attempt...

Thu, 12 Nov 2015 13:01:40 UTC

Betting Ticket Forged Based on Selfie

Posted By Bruce Schneier

This is an interesting story. Someone posts a photograph of herself holding a winning horse-race betting ticket, and someone else uses the data from the photograph to forge the ticket and claim the winnings. I have been thinking a lot about how technology is messing with our intuitions about risk and security. This is a good example of that....

Wed, 11 Nov 2015 20:22:16 UTC

Bypassing the iPhone Activation Lock

Posted By Bruce Schneier

Clever man-in-the-middle attack....

Wed, 11 Nov 2015 12:44:57 UTC

Ransomware Is Getting Sophisticated

Posted By Bruce Schneier

Some of the tricks that ransomware is using to get victims to pay up....

Tue, 10 Nov 2015 20:17:51 UTC

IT Security Is Still a Great Career Path

Posted By Bruce Schneier

Jobs are plentiful and salaries are booming. I know from personal experience that demand far exceeds supply....

Tue, 10 Nov 2015 12:38:47 UTC

Linus Torvalds on Linux Security

Posted By Bruce Schneier

Interesting interview. Slashdot thread....

Mon, 09 Nov 2015 12:11:18 UTC

Good Article on the Blockchain

Posted By Bruce Schneier

The Economist published a really good article on the blockchain....

Fri, 06 Nov 2015 22:30:03 UTC

Friday Squid Blogging: The Symbiotic Relationship Between Squid and Bacteria

Posted By Bruce Schneier

Margaret McFall-Ngai studies the symbiotic relationship between squid and the bacteria that live inside them. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 05 Nov 2015 20:42:47 UTC

Passwords by Mail

Posted By Bruce Schneier

Julia Angwin's daughter is selling diceware passwords by mail....

Thu, 05 Nov 2015 12:16:31 UTC

The Effects of Surveillance on the Victims

Posted By Bruce Schneier

Last month, the Cato Institute held its Second Annual Cato Surveillance Conference. It was an excellent event, with many interesting talks and panels. But there was one standout: a panel by victims of surveillance. Titled "The Feeling of Being Watched," it consisted of Assia Boundaoui, Faisal Gill, and Jumana Musa. It was very powerful and moving to hear them talk...

Wed, 04 Nov 2015 19:54:59 UTC

Analyzing Reshipping Mule Scams

Posted By Bruce Schneier

Interesting paper: "Drops for Stuff: An Analysis of Reshipping Mule Scams." From a blog post: A cybercriminal (called operator) recruits unsuspecting citizens with the promise of a rewarding work-from-home job. This job involves receiving packages at home and having to re-ship them to a different address, provided by the operator. By accepting the job, people unknowingly become part of a...

Tue, 03 Nov 2015 20:31:19 UTC

$1M Bounty for iPhone Hack

Posted By Bruce Schneier

I don't know whether to believe this story. Supposedly the startup Zerodium paid someone $1M for an iOS 9.1 and 9.2b hack. Bekrar and Zerodium, as well as its predecessor VUPEN, have a different business model. They offer higher rewards than what tech companies usually pay out, and keep the vulnerabilities secret, revealing them only to certain government customers, such...

Tue, 03 Nov 2015 12:20:08 UTC

Australia Is Testing Virtual Passports

Posted By Bruce Schneier

Australia is going to be the first country to have virtual passports. Presumably, the passport data will be in the cloud somewhere, and you'll access it with an app or a URL or maybe just the passport number. On the one hand, all a passport needs to be is a pointer into a government database with all the relevant information...

Mon, 02 Nov 2015 12:47:43 UTC

The Rise of Political Doxing

Posted By Bruce Schneier

Last week, CIA director John O. Brennan became the latest victim of what's become a popular way to embarrass and harass people on the Internet. A hacker allegedly broke into his AOL account and published e-mails and documents found inside, many of them personal and sensitive. It's called doxing -- sometimes doxxing -- from the word "documents." It emerged in...

Fri, 30 Oct 2015 21:08:09 UTC

Friday Squid Blogging: Baby Giant Squid Found

Posted By Bruce Schneier

First ever examples of a baby giant squid have been found. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Oct 2015 19:35:33 UTC

The Onion on the State of IT Security

Posted By Bruce Schneier

"China Unable To Recruit Hackers Fast Enough To Keep Up With Vulnerabilities In U.S. Security Systems." It's only funny because it's true....

Fri, 30 Oct 2015 11:40:44 UTC

Weaknesses in the PLAID Protocol

Posted By Bruce Schneier

In 2009, the Australian government released the Protocol for Lightweight Authentication of Identity (PLAID) protocol. It was recently analyzed (original paper is from 2014, but was just updated), and it's a security disaster. Matt Green wrote a good blog post back in 2014 that explains the problems. Slashdot thread. Reddit thread....

Thu, 29 Oct 2015 18:38:50 UTC

Flash Drive Lock

Posted By Bruce Schneier

This device is clever: it's a three-digit combination lock that prevents a USB drive from being read. It's not going to keep out anyone serious, but is a great solution for the sort of casual security that most people need....

Thu, 29 Oct 2015 11:33:40 UTC

Tracking Connected Vehicles

Posted By Bruce Schneier

Researchers have shown that it is both easy and cheap to surveil connected vehicles. The second link talks about various anonymization techniques, none of which I am optimistic about....

Wed, 28 Oct 2015 19:11:42 UTC

Why Is the NSA Moving Away from Elliptic Curve Cryptography?

Posted By Bruce Schneier

In August, I wrote about the NSA's plans to move to quantum-resistant algorithms for its own cryptographic needs. Cryptographers Neal Koblitz and Alfred Menezes just published a long paper speculating as to the government's real motives for doing this. They range from some new cryptanalysis of ECC to a political need after the DUAL_EC_PRNG disaster -- to the stated reason...

Wed, 28 Oct 2015 11:24:39 UTC

The Doxing Trend

Posted By Bruce Schneier

If the director of the CIA can't keep his e-mail secure, what hope do the rest of us have -- for our e-mail or any of our digital information? None, and that's why the companies that we entrust with our digital lives need to be required to secure it for us, and held accountable when they fail. It's not just...

Tue, 27 Oct 2015 14:52:09 UTC

The Need for Transparency in Surveillance

Posted By Bruce Schneier

In Data and Goliath, I talk about the need for transparency, oversight, and accountability as the mechanism to allow surveillance when it is necessary, while preserving our security against excessive surveillance and surveillance abuse. James Losey has a new paper that discusses the need for transparency in surveillance. His conclusion: Available transparency reports from ICT companies demonstrate the rise in...

Mon, 26 Oct 2015 19:32:43 UTC

Ravens Can Identify Cheaters

Posted By Bruce Schneier

Ravens have been shown to identify and remember cheaters among their unkindness....

Mon, 26 Oct 2015 13:40:05 UTC

Microsoft's Brad Smith on the Collapse of Safe Harbor

Posted By Bruce Schneier

Microsoft's President Brad Smith has a blog post discussing what to do now that the US-EU safe-harbor agreement has collapsed. He outlines four steps: First, we need to ensure across the Atlantic that people's legal rights move with their data. This is a straightforward proposition that would require, for example, that the U.S. government agree that it will only demand...

Fri, 23 Oct 2015 21:29:59 UTC

Friday Squid Blogging: Squid Bed Sheets

Posted By Bruce Schneier

Some nice options....

Fri, 23 Oct 2015 11:58:59 UTC

Forensic Analysis of Smart Card Fraud

Posted By Bruce Schneier

This paper describes what is almost certainly the most sophisticated chip-and-pin credit card fraud to date. News article. BoingBoing post....

Thu, 22 Oct 2015 18:20:25 UTC

Hacking Fitbit

Posted By Bruce Schneier

This is impressive: "An attacker sends an infected packet to a fitness tracker nearby at bluetooth distance then the rest of the attack occurs by itself, without any special need for the attacker being near," Apvrille says. "[When] the victim wishes to synchronise his or her fitness data with FitBit servers to update their profile ... the fitness tracker responds...

Thu, 22 Oct 2015 11:40:28 UTC

Police Want Genetic Data from Corporate Repositories

Posted By Bruce Schneier

Both the FBI and local law enforcement are trying to get the genetic data stored at companies like 23andMe. No surprise, really. As NYU law professor Erin Murphy told the New Orleans Advocate regarding the Usry case, gathering DNA information is "a series of totally reasonable steps by law enforcement." If you're a cop trying to solve a crime, and...

Wed, 21 Oct 2015 17:25:39 UTC

Forgotten Passwords

Posted By Bruce Schneier

Funny monologue....

Wed, 21 Oct 2015 11:22:47 UTC

Security Risks of Unpatched Android Software

Posted By Bruce Schneier

A lot has been written about the security vulnerability resulting from outdated and unpatched Android software. The basic problem is that while Google regularly updates the Android software, phone manufacturers don't regularly push updates out to Android users. New research tries to quantify the risk: We are presenting a paper at SPSM next week that shows that, on average over...

Mon, 19 Oct 2015 14:49:24 UTC

How to Commandeer a Store PA System

Posted By Bruce Schneier

If you call the proper phone extension, you have complete control over the public address system at a Target store....

Fri, 16 Oct 2015 21:20:32 UTC

Friday Squid Blogging: Squid Photos

Posted By Bruce Schneier

"Terrifying" squid photos. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Oct 2015 19:33:19 UTC

Mapping FinFisher Users

Posted By Bruce Schneier

Citizen Lab continues to do excellent work exposing the world's cyber-weapons arms manufacturers. Its latest report attempts to track users of Gamma International's FinFisher: This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher's "anonymizing proxies"...

Fri, 16 Oct 2015 11:19:11 UTC

Breaking Diffie-Hellman with Massive Precomputation (Again)

Posted By Bruce Schneier

The Internet is abuzz with this blog post and paper, speculating that the NSA is breaking the Diffie-Hellman key-exchange protocol in the wild through massive precomputation. I wrote about this at length in May when this paper was first made public. (The reason it's news again is that the paper was just presented at the ACM Computer and Communications Security...

Thu, 15 Oct 2015 11:53:24 UTC

Problems with DNA Evidence

Posted By Bruce Schneier

Turns out it's fallible....

Wed, 14 Oct 2015 19:15:35 UTC

On Cyber Arms Control Treaties

Posted By Bruce Schneier

Good op-ed....

Wed, 14 Oct 2015 14:39:40 UTC

Obama Administration Not Pursuing a Backdoor to Commercial Encryption

Posted By Bruce Schneier

The Obama Administration is not pursuing a law that would force computer and communications manufacturers to add backdoors to their products for law enforcement. Sensibly, they concluded that criminals, terrorists, and foreign spies would use that backdoor as well. Score one for the pro-security side in the Second Crypto War. It's certainly not over. The FBI hasn't given up on...

Tue, 13 Oct 2015 16:46:17 UTC

Jamming Wi-Fi

Posted By Bruce Schneier

It's both easy and cheap. Slashdot thread....

Mon, 12 Oct 2015 13:19:40 UTC

Soviet Spying on US Selectric Typewriters

Posted By Bruce Schneier

In the 1980s, the Soviet Union bugged the IBM Selectric typewriters in the U.S. Embassy in Moscow. This NSA document discusses how the US discovered the bugs and what we did about it. Codename is GUNMAN. Is this the world's first keylogger? Maybe....

Fri, 09 Oct 2015 12:20:08 UTC

NSA Patents

Posted By Bruce Schneier

Details on the patents issued to the NSA....

Thu, 08 Oct 2015 21:26:25 UTC

Friday Squid Blogging: Japanese Squid Recipe

Posted By Bruce Schneier

Delicious recipe of squid with cabbage, bean sprouts, and noodles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. EDITED TO ADD (10/9): Posted a day early by mistake.......

Thu, 08 Oct 2015 19:11:26 UTC

I'm a Guest on "Adam Ruins Everything"

Posted By Bruce Schneier

The show is about security theater. I am a disembodied head on a scooter. Here's a teaser. Here's the full episode (for pay, but cheap). The scooter idea was a hack when I couldn't find the time to fly to LA for live filming. The whole thing was a lot of fun....

Thu, 08 Oct 2015 16:44:29 UTC

SHA-1 Freestart Collision

Posted By Bruce Schneier

There's a new cryptanalysis result against the hash function SHA-1: Abstract: We present in this article a freestart collision example for SHA-1, i.e., a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps, while only 10 days of computation on a 64 GPU cluster were necessary...

Thu, 08 Oct 2015 11:22:45 UTC

Information in Your Boarding Pass's Bar Code

Posted By Bruce Schneier

There's a lot of information, including the ability to get even more information....

Wed, 07 Oct 2015 12:27:48 UTC

European Court of Justice Rules Against Safe Harbor

Posted By Bruce Schneier

The European Court of Justice ruled that sending personal data to the US violates their right to privacy: The ruling, by the European Court of Justice, said the so-called safe harbor agreement was flawed because it allowed American government authorities to gain routine access to Europeans' online information. The court said leaks from Edward J. Snowden, the former contractor for...

Tue, 06 Oct 2015 12:18:27 UTC

Autonomous Vehicles as Bombs

Posted By Bruce Schneier

Good discussion of the issues. Now we need to think about solutions....

Mon, 05 Oct 2015 11:11:12 UTC

Automatic Face Recognition and Surveillance

Posted By Bruce Schneier

ID checks were a common response to the terrorist attacks of 9/11, but they'll soon be obsolete. You won't have to show your ID, because you'll be identified automatically. A security camera will capture your face, and it'll be matched with your name and a whole lot of other information besides. Welcome to the world of automatic facial recognition. Those...

Fri, 02 Oct 2015 21:11:25 UTC

Friday Squid Blogging: Bobtail Squid Keeps Bacteria to Protect Its Eggs

Posted By Bruce Schneier

The Hawaiian Bobtail Squid deposits bacteria on its eggs to keep them safe. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Oct 2015 19:06:53 UTC

Resilient Systems News

Posted By Bruce Schneier

Former Raytheon chief scientist Bill Swanson has joined our board of directors. For those who don't know, Resilient Systems is my company. I'm the CTO, and we sell an incident-response management platform that...well...helps IR teams to manage incidents. It's a single hub that allows a team to collect data about an incident, assign and manage tasks, automate actions, integrate intelligence...

Fri, 02 Oct 2015 11:35:22 UTC

Stealing Fingerprints

Posted By Bruce Schneier

The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we've now learned that the hackers stole fingerprint files for 5.6 million of them. This is fundamentally different from the data thefts we regularly read about in the news, and should give us pause before...

Thu, 01 Oct 2015 17:03:59 UTC

Existential Risk and Technological Advancement

Posted By Bruce Schneier

AI theorist Eliezer Yudkowsky: "Every eighteen months, the minimum IQ necessary to destroy the world drops by one point." Oh, how I wish I said that....

Thu, 01 Oct 2015 12:00:13 UTC

Identifying CIA Officers in the Field

Posted By Bruce Schneier

During the Cold War, the KGB was very adept at identifying undercover CIA officers in foreign countries through what was basically big data analysis. (Yes, this is a needlessly dense and very hard-to-read article. I think it's worth slogging through, though.)...

Wed, 30 Sep 2015 17:02:23 UTC

Spoofing Fitness Trackers

Posted By Bruce Schneier

The website Unfitbits.com has a series of instructional videos on how to spoof fitness trackers, using such things as a metronome, pendulum, or power drill. With insurance companies like John Hancock offering discounts to people who allow them to verify their exercise program by opening up their fitness-tracker data, these are useful hacks. News article....

Wed, 30 Sep 2015 14:13:43 UTC

Volkswagen and Cheating Software

Posted By Bruce Schneier

For the past six years, Volkswagen has been cheating on the emissions testing for its diesel cars. The cars' computers were able to detect when they were being tested, and temporarily alter how their engines worked so they looked much cleaner than they actually were. When they weren't being tested, they belched out 40 times the pollutants. Their CEO has...

Tue, 29 Sep 2015 11:16:14 UTC

How GCHQ Tracks Internet Users

Posted By Bruce Schneier

The Intercept has a new story from the Snowden documents about the UK's GCHQ's surveillance of the Internet: The mass surveillance operation -- code-named KARMA POLICE -- was launched by British spies about seven years ago without any public debate or scrutiny. It was just one part of a giant global Internet spying apparatus built by the United Kingdom's electronic eavesdropping...

Mon, 28 Sep 2015 11:22:19 UTC

Good Article on the Sony Attack

Posted By Bruce Schneier

Fortune has a three-part article on the Sony attack by North Korea. There's not a lot of tech here; it's mostly about Sony's internal politics regarding the movie and IT security before the attack, and some about their reaction afterwards. Despite what I wrote at the time, I now believe that North Korea was responsible for the attack. This is...

Fri, 25 Sep 2015 21:30:16 UTC

Friday Squid Blogging: Disney's Minigame Squid Wars

Posted By Bruce Schneier

It looks like a Nintendo game. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Sep 2015 19:23:08 UTC

Anti-Alien Security

Posted By Bruce Schneier

You can wrap your house in tinfoil, but when you start shining bright lights to defend yourself against alien attack, you've gone too far. In general, society puts limits on what types of security you are allowed to use, especially when that use can affect others. You can't place landmines on your lawn or shoot down drones hovering over your...

Fri, 25 Sep 2015 10:54:39 UTC

People Who Need to Pee Are Better at Lying

Posted By Bruce Schneier

No, really. Abstract: The Inhibitory-Spillover-Effect (ISE) on a deception task was investigated. The ISE occurs when performance in one self-control task facilitates performance in another (simultaneously conducted) self-control task. Deceiving requires increased access to inhibitory control. We hypothesized that inducing liars to control urination urgency (physical inhibition) would facilitate control during deceptive interviews (cognitive inhibition). Participants drank small (low-control) or...

Thu, 24 Sep 2015 16:39:06 UTC

Living in a Code Yellow World

Posted By Bruce Schneier

In the 1980s, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the "combat mind-set." Here is his summary: In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept. In Yellow you bring yourself to the understanding...

Wed, 23 Sep 2015 11:05:49 UTC

Hacking the Game Show "Press Your Luck"

Posted By Bruce Schneier

Fascinating story about a man who figured out how to hack the game show "Press Your Luck" in 1984....

Tue, 22 Sep 2015 18:34:56 UTC

Buying an Online Reputation

Posted By Bruce Schneier

The story of a reporter who set up a fake business and then bought Facebook fans, Twitter followers, and online reviews. It was surprisingly easy and cheap....

Tue, 22 Sep 2015 18:22:17 UTC

Bringing Frozen Liquids through Airport Security

Posted By Bruce Schneier

Gizmodo reports that UK airport security confiscates frozen liquids: "He told me that it wasn't allowed so I asked under what grounds, given it is not a liquid. When he said I couldn't take it I asked if he knew that for sure or just assumed. He grabbed his supervisor and the supervisor told me that 'the government does not...

Mon, 21 Sep 2015 16:45:09 UTC

SYNful Knock Attack Against Cisco Routers

Posted By Bruce Schneier

FireEye is reporting the discovery of persistent malware that compromises Cisco routers: While this attack could be possible on any router technology, in this case, the targeted victims were Cisco routers. The Mandiant team found 14 instances of this router implant, dubbed SYNful Knock, across four countries: Ukraine, Philippines, Mexico, and India. [...] The implant uses techniques that make it...

Mon, 21 Sep 2015 11:34:46 UTC

History of Hacktivism

Posted By Bruce Schneier

Nice article by Dorothy Denning. Hacktivism emerged in the late 1980s at a time when hacking for fun and profit were becoming noticeable threats. Initially it took the form of computer viruses and worms that spread messages of protest. A good example of early hacktivism is "Worms Against Nuclear Killers (WANK)," a computer worm that anti-nuclear activists in Australia unleashed...

Fri, 18 Sep 2015 22:47:58 UTC

Friday Squid Blogging: Giant Squid Sculpture at Burning Man

Posted By Bruce Schneier

It looks impressive, maybe 20-30 feet long: "I think this might be the coolest thing I have ever built," said Barry Crawford about his giant, metal squid that was installed at Burning Man. The sculpture is entirely made of found objects including half of a dropped airplane tank and a metal vegetable strainer. The eyeball opens and closes and the...

Fri, 18 Sep 2015 18:32:40 UTC

Drone Speedboat

Posted By Bruce Schneier

It's a thing....

Fri, 18 Sep 2015 10:20:14 UTC

Smart Watch that Monitors Typing

Posted By Bruce Schneier

Here's a watch that monitors the movements of your hand and can guess what you're typing. Using the watch's built-in motion sensors, more specifically data from the accelerometer and gyroscope, researchers were able to create a 3D map of the user's hand movements while typing on a keyboard. The researchers then created two algorithms, one for detecting what keys were...

Thu, 17 Sep 2015 17:56:02 UTC

Two Security Companies Battling It Out over Disclosures

Posted By Bruce Schneier

Okay, this is weird. FireEye has gone to court to prevent ERNW from disclosing vulnerabilities in FireEye products. FireEye should know better. Here's FireEye's statement, BTW....

Thu, 17 Sep 2015 12:17:56 UTC

Self-Destructing Computer Chip

Posted By Bruce Schneier

The chip is built on glass: Shattering the glass is straightforward. When the proper circuit is toggled, a small resistor within the substrate heats up until the glass shatters. According to Corning, it will continue shattering even after the initial break, rendering the entire chip unusable. The demo chip resistor was triggered by a photo diode that switched the circuit...

Wed, 16 Sep 2015 18:40:57 UTC

Anonymous Browsing at the Library

Posted By Bruce Schneier

A rural New Hampshire library decided to install Tor on their computers and allow anonymous Internet browsing. The Department of Homeland Security pressured them to stop: A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department. DHS spokesman Shawn Neudauer said the agent was...

Wed, 16 Sep 2015 15:09:52 UTC

Child Arrested Because Adults Are Stupid

Posted By Bruce Schneier

A Texas 9th-grader makes an electronic clock and brings it to school. Teachers immediately become stupid and call the police: The bell rang at least twice, he said, while the officers searched his belongings and questioned his intentions. The principal threatened to expel him if he didn't make a written statement, he said. "They were like, 'So you tried to...

Wed, 16 Sep 2015 11:05:34 UTC

Obama and the Security of the Waldorf Astoria Hotel

Posted By Bruce Schneier

President Obama won't stay at the Waldorf Astoria Hotel in New York because of security concerns. The hotel "was bought last year by Chinese investors with deep ties to Beijing's ruling elite..." Why can't they just erect the security tent for him?...

Tue, 15 Sep 2015 11:38:01 UTC

Hacking Team, Computer Vulnerabilities, and the NSA

Posted By Bruce Schneier

When the National Security Administration (NSA) -- or any government agency -- discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others' computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can...

Mon, 14 Sep 2015 20:56:28 UTC

Security Cartoon

Posted By Bruce Schneier

"Security vs. privacy."...

Mon, 14 Sep 2015 11:26:13 UTC

Programming Errors Weaken bcrypt Hashes of Ashley Madison Passwords

Posted By Bruce Schneier

Ashley Madison encrypted users' passwords using the bcrypt function. It's a secure password-encryption function, but two implementation programming mistakes allow millions of passwords to be easily decrypted. Ars Technica explains the problems....

Fri, 11 Sep 2015 21:13:33 UTC

Friday Squid Blogging: The Chemistry of Squid Camouflage

Posted By Bruce Schneier

Interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Sep 2015 19:08:29 UTC

Wanted: Cryptography Products for Worldwide Survey

Posted By Bruce Schneier

In 1999, Lance Hoffman, David Balenson, and others published a survey of non-US cryptographic products. The point of the survey was to illustrate that there was a robust international market in these products, and that US-only export restrictions on strong encryption did nothing to prevent its adoption and everything to disadvantage US corporations. This was an important contribution during the...

Fri, 11 Sep 2015 11:45:48 UTC

Drone Self-Defense and the Law

Posted By Bruce Schneier

Last month, a Kentucky man shot down a drone that was hovering near his backyard. WDRB News reported that the camera drone's owners soon showed up at the home of the shooter, William H. Merideth: "Four guys came over to confront me about it, and I happened to be armed, so that changed their minds," Merideth said. "They asked me,...

Thu, 10 Sep 2015 17:30:55 UTC

Cheating News from the Chess World

Posted By Bruce Schneier

Chess player caught cheating at a tournament: "I kept on looking at him. He was always sitting down, he never got up. It was very strange; we are talking about hours and hours of playing. But most suspicious of all, he always had his arms folded with his thumb under his armpit. He never took it out." Mr Coqueraut said...

Thu, 10 Sep 2015 11:00:50 UTC

FBI and Apple's Encryption

Posted By Bruce Schneier

The New York Times is reporting that Apple encryption is hampering an FBI investigation: In an investigation involving guns and drugs, the Justice Department obtained a court order this summer demanding that Apple turn over, in real time, text messages between suspects using iPhones. Apple's response: Its iMessage system was encrypted and the company could not comply. Government officials had...

Wed, 09 Sep 2015 18:30:48 UTC

Animals vs. Drones

Posted By Bruce Schneier

It's not just humans who dislike the small flying objects. YouTube has videos of drones being stared at quizzically by a moose, harassed by a raven, attacked by a hawk, butted by a ram, knocked out of the sky by a chimpanzee (who planned the whole thing) and a goose, and punched out of the sky by a kangaroo. And...

Wed, 09 Sep 2015 13:42:19 UTC

The Security Risks of Third-Party Data

Posted By Bruce Schneier

Most of us get to be thoroughly relieved that our e-mails weren't in the Ashley Madison database. But don't get too comfortable. Whatever secrets you have, even the ones you don't think of as secret, are more likely than you think to get dumped on the Internet. It's not your fault, and there's largely nothing you can do about it....

Thu, 23 Jul 2015 11:17:43 UTC

Remotely Hacking a Car While It's Driving

Posted By Bruce Schneier

This is a big deal. Hackers can remotely hack the Uconnect system in cars just by knowing the car's IP address. They can disable the brakes, turn on the AC, blast music, and disable the transmission: The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway....

Wed, 22 Jul 2015 12:11:32 UTC

Preventing Book Theft in the Middle Ages

Posted By Bruce Schneier

Interesting article....

Tue, 21 Jul 2015 11:51:47 UTC

Malcolm Gladwell on Competing Security Models

Posted By Bruce Schneier

In this essay/review of a book on UK intelligence officer and Soviet spy Kim Philby, Malcolm Gladwell makes this interesting observation: Here we have two very different security models. The Philby-era model erred on the side of trust. I was asked about him, and I said I knew his people. The "cost" of the high-trust model was Burgess, Maclean, and...

Mon, 20 Jul 2015 20:15:22 UTC

Organizational Doxing of Ashley Madison

Posted By Bruce Schneier

The -- depending on who is doing the reporting -- cheating, affair, adultery, or infidelity site Ashley Madison has been hacked. The hackers are threatening to expose all of the company's documents, including internal e-mails and details of its 37 million customers. Brian Krebs writes about the hackers' demands. According to the hackers, although the "full delete" feature that Ashley...

Mon, 20 Jul 2015 10:25:16 UTC

Google's Unguessable URLs

Posted By Bruce Schneier

Google secures photos using public but unguessable URLs: So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you'd have to work through 10^70 different combinations to get the...

Fri, 17 Jul 2015 21:09:27 UTC

Friday Squid Blogging: Squid Giving Birth

Posted By Bruce Schneier

I may have posted this short video before, but if I did, I can't find it. It's four years old, but still pretty to watch. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Jul 2015 11:35:52 UTC

Using Secure Chat

Posted By Bruce Schneier

Micah Lee has a good tutorial on installing and using secure chat. To recap: We have installed Orbot and connected to the Tor network on Android, and we have installed ChatSecure and created an anonymous secret identity Jabber account. We have added a contact to this account, started an encrypted session, and verified that their OTR fingerprint is correct. And...

Thu, 16 Jul 2015 16:00:43 UTC

ProxyHam Canceled

Posted By Bruce Schneier

The ProxyHam project (and associated Def Con talk) has been canceled under mysterious circumstances. No one seems to know anything, and conspiracy theories abound....

Wed, 15 Jul 2015 07:15:22 UTC

Crypto-Gram Is Moving

Posted By Bruce Schneier

If you subscribe to my monthly e-mail newsletter, Crypto-Gram, you need to read this. Sometime between now and the August issue, the Crypto-Gram mailing list will be moving to a new host. When the move happens, you'll get an e-mail asking you to confirm your subscription. In the e-mail will be a link that you will have to click in...

Tue, 14 Jul 2015 10:53:58 UTC

Human and Technology Failures in Nuclear Facilities

Posted By Bruce Schneier

This is interesting: We can learn a lot about the potential for safety failures at US nuclear plants from the July 29, 2012, incident in which three religious activists broke into the supposedly impregnable Y-12 facility at Oak Ridge, Tennessee, the Fort Knox of uranium. Once there, they spilled blood and spray painted "work for peace not war" on the...

Mon, 13 Jul 2015 20:00:31 UTC

NSA Antennas

Posted By Bruce Schneier

Interesting article on the NSA's use of multi-beam antennas for surveillance. Certainly smart technology; it can eavesdrop on multiple targets per antenna. I'm surprised by how behind the NSA was on this technology. It's from at least 1973, and there was some commercialization as far back as 1981. Why did it take the NSA/GCHQ until 2010 to install this? Here's...

Fri, 10 Jul 2015 21:29:38 UTC

Friday Squid Blogging: My Little Cephalopod

Posted By Bruce Schneier

A cute series of knitted plushies. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Jul 2015 17:44:45 UTC

High-tech Cheating on Exams

Posted By Bruce Schneier

India is cracking down on people who use technology to cheat on exams: Candidates have been told to wear light clothes with half-sleeves, and shirts that do not have big buttons. They cannot wear earrings and carry calculators, pens, handbags and wallets. Shoes have also been discarded in favour of open slippers. In India students cheating in exams have been...

Fri, 10 Jul 2015 09:32:21 UTC

Organizational Doxing

Posted By Bruce Schneier

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It's a huge trove, and already reporters are writing stories about the highly secretive government. What Saudi Arabia is experiencing isn't common but part of a growing trend. Just last week, unknown hackers broke into the network of the...

Thu, 09 Jul 2015 11:31:59 UTC

The Risks of Mandating Back Doors in Encryption Products

Posted By Bruce Schneier

Monday a group of cryptographers and security experts released a major paper outlining the risks of government-mandated back-doors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller,...

Wed, 08 Jul 2015 11:36:38 UTC

Amazon Is Analyzing the Personal Relationships of Its Reviewers

Posted By Bruce Schneier

This is an interesting story of a reviewer who had her review deleted because Amazon believed she knew the author personally. Leaving completely aside the ethics of friends reviewing friends' books, what is Amazon doing conducting this kind of investigative surveillance? Do reviewers know that Amazon is keeping tabs on who their friends are?...

Tue, 07 Jul 2015 22:30:47 UTC

More on Hacking Team

Posted By Bruce Schneier

Read this: Hacking Team asked its customers to shut down operations, but according to one of the leaked files, as part of Hacking Team's "crisis procedure," it could have killed their operations remotely. The company, in fact, has "a backdoor" into every customer's software, giving it ability to suspend it or shut it down -- something that even customers aren't...

Tue, 07 Jul 2015 11:38:00 UTC

More about the NSA's XKEYSCORE

Posted By Bruce Schneier

I've been reading through the 48 classified documents about the NSA's XKEYSCORE system released by the Intercept last week. From the article: The NSA's XKEYSCORE program, first revealed by The Guardian, sweeps up countless people's Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that...

Mon, 06 Jul 2015 17:53:56 UTC

Hacking Team Is Hacked

Posted By Bruce Schneier

Someone hacked the cyberweapons arms manufacturer Hacking Team and posted 400 GB of internal company data. Hacking Team is a pretty sleazy company, selling surveillance software to all sorts of authoritarian governments around the world. Reporters Without Borders calls it one of the enemies of the Internet. Citizen Lab has published many reports about their activities. It's a huge trove...

Mon, 06 Jul 2015 10:13:54 UTC

NSA German Intercepts

Posted By Bruce Schneier

On Friday, WikiLeaks published three summaries of NSA intercepts of German government communications. To me, the most interesting thing is not the intercept analyses, but this spreadsheet of intelligence targets. Here we learn the specific telephone numbers being targeted, who owns those phone numbers, the office within the NSA that processes the raw communications received, why the target is being...

Fri, 03 Jul 2015 21:39:42 UTC

Friday Squid Blogging: Squid Fishing in the Gulf of Thailand

Posted By Bruce Schneier

Long article about a very lucrative squid-fishing industry that involves bribing the Cambodian Navy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Jul 2015 17:13:08 UTC

Rabbit Beating Up Snake

Posted By Bruce Schneier

It's the Internet, which means there must be cute animal videos on this blog. But this one is different. Watch a mother rabbit beat up a snake to protect her children. It's impressive the way she keeps attacking the snake until it is far away from her nest, but I worry that she doesn't know enough to grab the snake...

Fri, 03 Jul 2015 11:38:42 UTC

Clever System of Secure Distributed Computation

Posted By Bruce Schneier

This is really clever: Enigma's technique -- what cryptographers call "secure multiparty computation" -- works by mimicking a few of the features of bitcoin's decentralized network architecture: It encrypts data by splitting it up into pieces and randomly distributing indecipherable chunks of it to hundreds of computers in the Enigma network known as "nodes." Each node performs calculations on its...

Thu, 02 Jul 2015 16:16:57 UTC

Details of the NSA's XKEYSCORE

Posted By Bruce Schneier

The Intercept has published a highly detailed two-part article on how the NSA's XKEYSCORE works, including a huge number of related documents from the Snowden archive. So much to digest. Please post anything interesting you notice in the comments....

Wed, 01 Jul 2015 11:32:06 UTC

Office of Personnel Management Data Hack

Posted By Bruce Schneier

I don't have much to say about the recent hack of the US Office of Personnel Management, which has been attributed to China (and seems to be getting worse all the time). We know that government networks aren't any more secure than corporate networks, and might even be less secure. I agree with Ben Wittes here (although not the imaginary...

Tue, 30 Jun 2015 18:16:08 UTC

Twitter Followers: Please Use the Correct Feed

Posted By Bruce Schneier

The official Twitter feed for my blog is @schneierblog. The account @Bruce_Schneier also mirrors my blog, but it is not mine. I have nothing to do with it, and I don't know who owns it. Normally I wouldn't mind, but the unofficial blog fails intermittently. Also, @Bruce_Schneier follows people who then think I'm following them. I'm not; I never log...

Tue, 30 Jun 2015 11:27:52 UTC

Tracking the Psychological Effects of the 9/11 Attacks

Posted By Bruce Schneier

Interesting research from 2012: "The Dynamics of Evolving Beliefs, Concerns, Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples": Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came from 8,070 participants of 10 ABC and CBS News polls collected...

Mon, 29 Jun 2015 18:38:25 UTC

TEMPEST Attack

Posted By Bruce Schneier

There's a new paper on a low-cost TEMPEST attack against PC cryptography: We demonstrate the extraction of secret decryption keys from laptop computers, by nonintrusively measuring electromagnetic emanations for a few seconds from a distance of 50 cm. The attack can be executed using cheap and readily-available equipment: a consumer-grade radio receiver or a Software Defined Radio USB dongle. The...

Mon, 29 Jun 2015 11:05:05 UTC

Migrating from SHA-1 to SHA-2

Posted By Bruce Schneier

Here's a comprehensive document on migrating from SHA-1 to SHA-2 in Active Directory certificates....

Fri, 26 Jun 2015 21:32:26 UTC

Friday Squid Blogging: Classic Gary Larson Squid Cartoon

Posted By Bruce Schneier

I have always liked this one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Jun 2015 17:12:08 UTC

Other GCHQ News from Snowden

Posted By Bruce Schneier

There are two other Snowden stories this week about GCHQ: one about its hacking practices, and the other about its propaganda and psychology research. The second is particularly disturbing: While some of the unit's activities are focused on the claimed areas, JTRIG also appears to be intimately involved in traditional law enforcement areas and U.K.-specific activity, as previously unpublished documents...

Fri, 26 Jun 2015 11:59:32 UTC

NSA and GCHQ Attacked Antivirus Companies

Posted By Bruce Schneier

On Monday, the Intercept published a new story from the Snowden documents: The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the...

Thu, 25 Jun 2015 17:51:36 UTC

Yet Another Leaker -- with the NSA's French Intercepts

Posted By Bruce Schneier

Wikileaks has published some NSA SIGINT documents describing intercepted French government communications. This seems not to be from the Snowden documents. It could be one of the other NSA leakers, or it could be someone else entirely. As leaks go, this isn't much. As I've said before, spying on foreign leaders is the kind of thing we want the NSA to...

Thu, 25 Jun 2015 11:14:40 UTC

Baseball Hacking: Cardinals vs. Astros

Posted By Bruce Schneier

I think this is the first case of one professional sports team hacking another. No idea if it was an official operation, or a couple of employees doing it on their own initiative....

Wed, 24 Jun 2015 12:42:51 UTC

What is the DoD's Position on Backdoors in Security Systems?

Posted By Bruce Schneier

In May, Admiral James A. Winnefeld, Jr., vice-chairman of the Joint Chiefs of Staff, gave an address at the Joint Service Academies Cyber Security Summit at West Point. After he spoke for twenty minutes on the importance of Internet security and a good national defense, I was able to ask him a question (32:42 mark) about security versus surveillance: Bruce...

Tue, 23 Jun 2015 18:39:18 UTC

Hayden Mocks NSA Reforms

Posted By Bruce Schneier

Former NSA Director Michael Hayden recently mocked the NSA reforms in the recently passed USA Freedom Act: If somebody would come up to me and say, "Look, Hayden, here's the thing: This Snowden thing is going to be a nightmare for you guys for about two years. And when we get all done with it, what you're going to be required...

Tue, 23 Jun 2015 11:02:51 UTC

Why We Encrypt

Posted By Bruce Schneier

Encryption protects our data. It protects our data when it's sitting on our computers and in data centers, and it protects it when it's being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives. This protection is important for everyone. It's easy...

Mon, 22 Jun 2015 18:35:32 UTC

History of the First Crypto War

Posted By Bruce Schneier

As we're all gearing up to fight the Second Crypto War over governments' demands to be able to back-door any cryptographic system, it pays for us to remember the history of the First Crypto War. The Open Technology Institute has written the story of those years in the mid-1990s. The act that truly launched the Crypto Wars was the White...

Mon, 22 Jun 2015 11:13:31 UTC

The Secrecy of the Snowden Documents

Posted By Bruce Schneier

Last weekend, the Sunday Times published a front-page story (full text here), citing anonymous British sources claiming that both China and Russia have copies of the Snowden documents. It's a terrible article, filled with factual inaccuracies and unsubstantiated claims about both Snowden's actions and the damage caused by his disclosure, and others have thoroughly refuted the story. I want to...

Fri, 19 Jun 2015 21:03:49 UTC

Friday Squid Blogging: Squid Salad Servers

Posted By Bruce Schneier

Nice. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 18 Jun 2015 11:29:36 UTC

Counterfeit Social Media Accounts

Posted By Bruce Schneier

Interesting article on the inner workings of a Facebook account farm, with commentary on fake social media accounts in general....

Wed, 17 Jun 2015 19:02:42 UTC

Hacking Drug Pumps

Posted By Bruce Schneier

When you connect hospital drug pumps to the Internet, they're hackable -- only surprising people who aren't paying attention. Rios says when he first told Hospira a year ago that hackers could update the firmware on its pumps, the company "didn't believe it could be done." Hospira insisted there was "separation" between the communications module and the circuit board that...

Wed, 17 Jun 2015 11:44:30 UTC

Research on The Trade-off Between Free Services and Personal Data

Posted By Bruce Schneier

New report: "The Tradeoff Fallacy: How marketers are misrepresenting American consumers and opening them up to exploitation." New Annenberg survey results indicate that marketers are misrepresenting a large majority of Americans by claiming that Americans give out information about themselves as a tradeoff for benefits they receive. To the contrary, the survey reveals most Americans do not believe that 'data...

Tue, 16 Jun 2015 11:59:23 UTC

Peter Swire on the USA FREEDOM Act

Posted By Bruce Schneier

Peter Swire, law professor and one of the members of the President's review group on the NSA, writes about intelligence reform and the USA FREEDOM Act....

Mon, 15 Jun 2015 11:31:49 UTC

Encrypting Windows Hard Drives

Posted By Bruce Schneier

Encrypting your Windows hard drives is trivially easy; choosing which program to use is annoyingly difficult. I still use Windows -- yes, I know, don't even start -- and have intimate experience with this issue. Historically, I used PGP Disk. I used it because I knew and trusted the designers. I even used it after Symantec bought the company. But...

Sat, 13 Jun 2015 17:11:48 UTC

Eighth Movie-Plot Threat Contest Winner

Posted By Bruce Schneier

On April 1, I announced the Eighth Movie-Plot Threat Contest: I want a movie-plot threat that shows the evils of encryption. (For those who don't know, a movie-plot threat is a scary-threat story that would make a great movie, but is much too specific to build security policies around. Contest history here.) We've long heard about the evils of the...

Fri, 12 Jun 2015 21:41:42 UTC

Friday Squid Blogging: Dancing Zombie Squid

Posted By Bruce Schneier

How dead squid is made to dance when soy sauce is poured on it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Jun 2015 18:38:36 UTC

Uh Oh -- Robots Are Getting Good with Samurai Swords

Posted By Bruce Schneier

It's Iaido, not sword fighting, but still. Of course, the two didn't battle each other, but competed in Iaido tests like cutting mats and flowers in various cross-sectional directions. A highlight was when the robot horizontally sliced string beans measuring just 1cm in thickness! At the end, the ultimate test unfolds: the famous 1,000 iaido sword cut challenge. Ultimately, both...

Fri, 12 Jun 2015 16:45:05 UTC

The History of Internet Insecurity

Posted By Bruce Schneier

The Washington Post has a good two part story on the history of insecurity of the Internet....

Fri, 12 Jun 2015 11:18:58 UTC

Duqu 2.0

Posted By Bruce Schneier

Kaspersky Labs has discovered and publicized details of a new nation-state surveillance malware system, called Duqu 2.0. It's being attributed to Israel. There are a lot of details, and I recommend reading them. There was probably a Kerberos zero-day vulnerability involved, allowing the attackers to send updates to Kaspersky's clients. There's code specifically targeting anti-virus software, both Kaspersky and others. The...

Thu, 11 Jun 2015 18:24:29 UTC

Security and Human Behavior (SHB 2015)

Posted By Bruce Schneier

Earlier this week, I was at the eighth Workshop on Security and Human Behavior. This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, biologists, anthropologists, business school professors, neuroscientists, and a smattering of others....

Thu, 11 Jun 2015 11:10:31 UTC

Reassessing Airport Security

Posted By Bruce Schneier

News that the Transportation Security Administration missed a whopping 95% of guns and bombs in recent airport security "red team" tests was justifiably shocking. It's clear that we're not getting value for the $7 billion we're paying the TSA annually. But there's another conclusion, inescapable and disturbing to many, but good news all around: we don't need $7 billion worth...

Wed, 10 Jun 2015 20:27:46 UTC

Should Companies Do Most of Their Computing in the Cloud? (Part 3)

Posted By Bruce Schneier

Cloud computing is the future of computing. Specialization and outsourcing make society more efficient and scalable, and computing isn't any different. But why aren't we there yet? Why don't we, in Simon Crosby's words, "get on with it"? I have discussed some reasons: loss of control, new and unquantifiable security risks, and -- above all -- a lack of trust....

Wed, 10 Jun 2015 16:27:32 UTC

Should Companies Do Most of Their Computing in the Cloud? (Part 2)

Posted By Bruce Schneier

Let me start by describing two approaches to the cloud. Most of the students I meet at Harvard University live their lives in the cloud. Their e-mail, documents, contacts, calendars, photos and everything else are stored on servers belonging to large internet companies in America and elsewhere. They use cloud services for everything. They converse and share on Facebook and...

Wed, 10 Jun 2015 11:43:21 UTC

Should Companies Do Most of Their Computing in the Cloud? (Part 1)

Posted By Bruce Schneier

Yes. No. Yes. Maybe. Yes. Okay, it's complicated. The economics of cloud computing are compelling. For companies, the lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits. Computing is infrastructure, like cleaning, payroll, tax preparation and legal services. All of these are outsourced. And...

Tue, 09 Jun 2015 13:15:19 UTC

The Effects of Near Misses on Risk Decision-Making

Posted By Bruce Schneier

This is interesting research: "How Near-Miss Events Amplify or Attenuate Risky Decision Making," Catherine H. Tinsley, Robin L. Dillon, and Matthew A. Cronin. In the aftermath of many natural and man-made disasters, people often wonder why those affected were underprepared, especially when the disaster was the result of known or regularly occurring hazards (e.g., hurricanes). We study one contributing factor:...

Mon, 08 Jun 2015 17:48:00 UTC

Surveillance Law and Surveillance Studies

Posted By Bruce Schneier

Interesting paper by Julie Cohen: Abstract: The dialogue between law and Surveillance Studies has been complicated by a mutual misrecognition that is both theoretical and temperamental. Legal scholars are inclined to consider surveillance simply as the (potential) subject of regulation, while scholarship in Surveillance Studies often seems not to grapple with the ways in which legal processes and doctrines are...

Mon, 08 Jun 2015 11:09:06 UTC

Tracking People By Smart Phone Accelerometers

Posted By Bruce Schneier

Interesting research: "We Can Track You If You Take the Metro: Tracking Metro Riders Using Accelerometers on Smartphones": Abstract: Motion sensors (e.g., accelerometers) on smartphones have been demonstrated to be a powerful side channel for attackers to spy on users' inputs on touchscreen. In this paper, we reveal another motion accelerometer-based attack which is particularly serious: when a person takes...

Fri, 05 Jun 2015 21:51:12 UTC

Friday Squid Blogging: Giant Squid Lore

Posted By Bruce Schneier

Legends of giant squid go back centuries: In his book "The Search for the Giant Squid" marine biologist Richard Ellis notes that "There is probably no apparition more terrifying than a gigantic, saucer-eyed creature of the depths... Even the man-eating shark pales by comparison to such a horror... An animal that can reach a length of 60 feet is already...

Fri, 05 Jun 2015 19:38:08 UTC

US Identifies and Destroys ISIS Headquarters Because of "Selfie"

Posted By Bruce Schneier

The news media is buzzing about how the US military identified the location of an ISIS HQ because someone there took a photo and posted it. Quoting Air Force General Hawk Carlisle, head of Air Combat Command: "The guys that were working down out of Hurlburt, they're combing through social media and they see some moron standing at this command....

Fri, 05 Jun 2015 12:42:26 UTC

NSA Running a Massive IDS on the Internet Backbone

Posted By Bruce Schneier

The latest story from the Snowden documents, co-published by The New York Times and ProPublica, shows that the NSA is operating a signature-based intrusion detection system on the Internet backbone: In mid-2012, Justice Department lawyers wrote two secret memos permitting the spy agency to begin hunting on Internet cables, without a warrant and on American soil, for data linked to...

Thu, 04 Jun 2015 15:36:49 UTC

Yet Another New Biometric: Brainprints

Posted By Bruce Schneier

New research: In "Brainprint," a newly published study in academic journal Neurocomputing, researchers from Binghamton University observed the brain signals of 45 volunteers as they read a list of 75 acronyms, such as FBI and DVD. They recorded the brain's reaction to each group of letters, focusing on the part of the brain associated with reading and recognizing words, and...

Wed, 03 Jun 2015 21:27:37 UTC

2015 EPIC Champions of Freedom Dinner

Posted By Bruce Schneier

Monday night, EPIC -- that's the Electronic Privacy Information Center -- had its annual Champions of Freedom Dinner. I tell you this for two reasons. One, I received a Lifetime Achievement Award. (I was incredibly honored to receive this, and I thank EPIC profusely.) And two, Apple's CEO Tim Cook received a Champion of Freedom Award. His acceptance speech, delivered...

Wed, 03 Jun 2015 19:15:15 UTC

Smart Billboards Recognize Cops

Posted By Bruce Schneier

There are smart billboards in Russia that change what they display when cops are watching. Of course there are a gazillion ways this kind of thing will go wrong. I'm more interested in the general phenomenon of smart devices identifying us automatically and without our knowledge....

Tue, 02 Jun 2015 19:27:24 UTC

The Onion on NSA Surveillance

Posted By Bruce Schneier

Funny, and true. More seriously....

Tue, 02 Jun 2015 12:37:54 UTC

TSA Not Detecting Weapons at Security Checkpoints

Posted By Bruce Schneier

This isn't good: An internal investigation of the Transportation Security Administration revealed security failures at dozens of the nation's busiest airports, where undercover investigators were able to smuggle mock explosives or banned weapons through checkpoints in 95 percent of trials, ABC News has learned. The series of tests were conducted by Homeland Security Red Teams who pose as passengers, setting...

Mon, 01 Jun 2015 18:10:05 UTC

Fun NSA Surveillance Quizzes

Posted By Bruce Schneier

Okay, maybe not so fun. Quiz 1: "Just How Kafkaesque is the Court that Oversees NSA Spying?" Quiz 2: "Can You Tell the Difference Between Bush and Obama on the Patriot Act?" It's been fourteen hours since a few provisions of the Patriot Act have expired, and the world hasn't come to an end -- at least so far....

Mon, 01 Jun 2015 11:33:27 UTC

US Also Tried Stuxnet Against North Korea

Posted By Bruce Schneier

According to a Reuters article, the US military tried to launch Stuxnet against North Korea in addition to Iran: According to one U.S. intelligence source, Stuxnet's developers produced a related virus that would be activated when it encountered Korean-language settings on an infected machine. But U.S. agents could not access the core machines that ran Pyongyang's nuclear weapons program, said...

Sun, 31 May 2015 21:08:35 UTC

Friday Squid Blogging: Nutty Conspiracy Theory Involving Both the NSA and SQUID

Posted By Bruce Schneier

It's almost as if they wrote it for me. These devices, which are known as superconducting quantum interference devices (SQUIDS for short), can be attached to NSA signals intelligence satellites and used to track the electromagnetic fields which surround each of our bodies. These devices make it possible for agencies like the NSA (National Security Agency) to track any...

Fri, 29 May 2015 12:49:12 UTC

UN Report on the Value of Encryption to Freedom World-Wide

Posted By Bruce Schneier

United Nations' Office of the High Commissioner released a report on the value of encryption and anonymity to the world: Summary: In the present report, submitted in accordance with Human Rights Council resolution 25/2, the Special Rapporteur addresses the use of encryption and anonymity in digital communications. Drawing from research on international and national norms and jurisprudence, and the input...

Thu, 28 May 2015 19:13:12 UTC

Ransomware as a Service

Posted By Bruce Schneier

Tox is an outsourced ransomware platform that everyone can use....

Thu, 28 May 2015 12:19:32 UTC

MOOC on Cybersecurity

Posted By Bruce Schneier

The University of Adelaide is offering a new MOOC on "Cyberwar, Surveillance and Security." Here's a teaser video. I was interviewed for the class, and make a brief appearance in the teaser....

Wed, 27 May 2015 12:50:47 UTC

Terrorist Risks by City, According to Actual Data

Posted By Bruce Schneier

I don't know enough about the methodology to judge it, but it's interesting: In total, 64 cities are categorised as 'extreme risk' in Verisk Maplecroft's new Global Alerts Dashboard (GAD), an online mapping and data portal that logs and analyses every reported terrorism incident down to levels of 100m² worldwide. Based on the intensity and frequency of attacks in the...

Tue, 26 May 2015 21:51:25 UTC

Race Condition Exploit in Starbucks Gift Cards

Posted By Bruce Schneier

A researcher was able to steal money from Starbucks by exploiting a race condition in their gift-card value-transfer protocol. Basically, by initiating two identical web transfers at once, he was able to trick the system into recording them both. Normally, you could take a $5 gift card and move that money to another $5 gift card, leaving you with an...

Tue, 26 May 2015 11:18:21 UTC

Stink Bombs for Riot Control

Posted By Bruce Schneier

They're coming to the US: It's called Skunk, a type of "malodorant," or in plainer language, a foul-smelling liquid. Technically nontoxic but incredibly disgusting, it has been described as a cross between "dead animal and human excrement." Untreated, the smell lingers for weeks. The Israeli Defense Forces developed Skunk in 2008 as a crowd-control weapon for use against Palestinians. Now...

Mon, 25 May 2015 14:20:58 UTC

Story of the ZooKeeper Poison-Packet Bug

Posted By Bruce Schneier

Interesting story of a complex and deeply hidden bug -- with AES as a part of it....

Fri, 22 May 2015 21:39:17 UTC

Friday Squid Blogging: Giant Squid Washes Up in New Zealand

Posted By Bruce Schneier

The latest one. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 May 2015 17:33:36 UTC

USPS Tracking Queries to Its Package Tracking Website

Posted By Bruce Schneier

A man was arrested for drug dealing based on the IP address he used while querying the USPS package tracking website....

Fri, 22 May 2015 10:45:35 UTC

Why the Current Section 215 Reform Debate Doesn't Matter Much

Posted By Bruce Schneier

The ACLU's Chris Soghoian explains (time 25:52-30:55) why the current debate over Section 215 of the Patriot Act is just a minor facet of a large and complex bulk collection program by the FBI and the NSA. There were 180 orders authorized last year by the FISA Court under Section 215 -- 180 orders issued by this court. Only five...

Thu, 21 May 2015 18:05:05 UTC

New Pew Research Report on Americans' Attitudes on Privacy, Security, and Surveillance

Posted By Bruce Schneier

This is interesting: The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, they have a pervasive sense that they are under surveillance when in public and very few feel they have a great deal of control over the data that is collected about them and how it is used....

Thu, 21 May 2015 11:30:31 UTC

The Logjam (and Another) Vulnerability against Diffie-Hellman Key Exchange

Posted By Bruce Schneier

Logjam is a new attack against the Diffie-Hellman key-exchange protocol used in TLS. Basically: The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography. This allows the attacker to read and modify any data passed over the connection. The attack is reminiscent of the FREAK attack, but is due to a flaw in the...

Wed, 20 May 2015 19:15:16 UTC

Research on Patch Deployment

Posted By Bruce Schneier

New research indicates that it's very hard to completely patch systems against vulnerabilities: It turns out that it may not be that easy to patch vulnerabilities completely. Using WINE, we analyzed the patch deployment process for 1,593 vulnerabilities from 10 Windows client applications, on 8.4 million hosts worldwide [Oakland 2015]. We found that a host may be affected by multiple...

Wed, 20 May 2015 13:06:31 UTC

Spy Dust

Posted By Bruce Schneier

Used by the Soviet Union during the Cold War: A defecting agent revealed that powder containing both luminol and a substance called nitrophenyl pentadien (NPPD) had been applied to doorknobs, the floor mats of cars, and other surfaces that Americans living in Moscow had touched. They would then track or smear the substance over every surface they subsequently touched....

Tue, 19 May 2015 13:00:03 UTC

More on Chris Roberts and Avionics Security

Posted By Bruce Schneier

Last month I blogged about security researcher Chris Roberts being detained by the FBI after tweeting about avionics security while on a United flight: But to me, the fascinating part of this story is that a computer was monitoring the Twitter feed and understood the obscure references, alerted a person who figured out who wrote them, researched what flight...

Mon, 18 May 2015 12:14:28 UTC

United Airlines Offers Frequent Flier Miles for Finding Security Vulnerabilities

Posted By Bruce Schneier

Vulnerabilities on the website only, not in airport security or in the avionics....

Fri, 15 May 2015 21:08:31 UTC

Friday Squid Blogging: NASA's Squid Rover

Posted By Bruce Schneier

NASA is funding a study for a squid rover that could explore Europa's oceans. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 May 2015 11:20:06 UTC

Microbe Biometric

Posted By Bruce Schneier

Interesting: Franzosa and colleagues used publicly available microbiome data produced through the Human Microbiome Project (HMP), which surveyed microbes in the stool, saliva, skin, and other body sites from up to 242 individuals over a months-long period. The authors adapted a classical computer science algorithm to combine stable and distinguishing sequence features from individuals' initial microbiome samples into individual-specific "codes."...

Fri, 15 May 2015 04:26:29 UTC

Eighth Movie-Plot Threat Contest Semifinalists

Posted By Bruce Schneier

On April 1, I announced the Eighth Movie Plot Threat Contest: demonstrate the evils of encryption. Not a whole lot of good submissions this year. Possibly this contest has run its course, and there's not a whole lot of interest left. On the other hand, it's heartening to know that there aren't a lot of encryption movie-plot threats out there....

Thu, 14 May 2015 18:30:34 UTC

In Which I Collide with Admiral Rogers

Posted By Bruce Schneier

Universe does not explode. Photo here....

Thu, 14 May 2015 18:12:02 UTC

Admiral Rogers Speaking at the Joint Service Academy Cyber Security Summit

Posted By Bruce Schneier

Admiral Mike Rogers gave the keynote address at the Joint Service Academy Cyber Security Summit today at West Point. He started by explaining the four tenets of security that he thinks about. First: partnerships. This includes government, civilian, everyone. Capabilities, knowledge, and insight of various groups, and aligning them to generate better outcomes to everyone. Ability to generate and share...

Thu, 14 May 2015 11:18:23 UTC

License Plate Scanners Hidden in Fake Cactus

Posted By Bruce Schneier

The city of Paradise Valley, AZ, is hiding license plate scanners in fake cactus plants....

Tue, 12 May 2015 21:13:50 UTC

German Cryptanalysis of the M-209

Posted By Bruce Schneier

This 1947 document describes a German machine to cryptanalyze the American M-209 mechanical encryption machine. I can't figure out anything about how it works....

Tue, 12 May 2015 10:41:48 UTC

Amateurs Produce Amateur Cryptography

Posted By Bruce Schneier

Anyone can design a cipher that he himself cannot break. This is why you should uniformly distrust amateur cryptography, and why you should only use published algorithms that have withstood broad cryptanalysis. All cryptographers know this, but non-cryptographers do not. And this is why we repeatedly see bad amateur cryptography in fielded systems. The latest is the cryptography in the...

Mon, 11 May 2015 11:26:25 UTC

More on the NSA's Capabilities

Posted By Bruce Schneier

Ross Anderson summarizes a meeting in Princeton where Edward Snowden was "present." Third, the leaks give us a clear view of an intelligence analyst's workflow. She will mainly look in Xkeyscore which is the Google of 5eyes comint; it's a federated system hoovering up masses of stuff not just from 5eyes own assets but from other countries where the NSA...

Fri, 08 May 2015 21:04:33 UTC

Friday Squid Blogging: Squid Chair

Posted By Bruce Schneier

Squid chair. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 May 2015 19:22:22 UTC

Cybersecurity Summer Camps

Posted By Bruce Schneier

For high-school kids....

Fri, 08 May 2015 11:13:11 UTC

Stealing a Billion

Posted By Bruce Schneier

It helps if you own the banks: The report said Shor and his associates worked together in 2012 to buy a controlling stake in three Moldovan banks and then gradually increased the banks' liquidity through a series of complex transactions involving loans being passed between the three banks and foreign entities. The three banks then issued multimillion-dollar loans to companies...

Thu, 07 May 2015 17:30:24 UTC

Online Dating Scams

Posted By Bruce Schneier

Interesting research: We identified three types of scams happening on Jiayuan. The first one involves advertising of escort services or illicit goods, and is very similar to traditional spam. The other two are far more interesting and specific to the online dating landscape. One type of scammers are what we call swindlers. For this scheme, the scammer starts a long-distance...

Wed, 06 May 2015 22:12:12 UTC

Another Example of Cell Phone Metadata Forensic Surveillance

Posted By Bruce Schneier

Matthew Cole explains how the Italian police figured out how the CIA kidnapped Abu Omar in Milan. Interesting use of cell phone metadata, showing how valuable it is for intelligence purposes....

Wed, 06 May 2015 12:09:59 UTC

An Example of Cell Phone Metadata Forensic Surveillance

Posted By Bruce Schneier

In this long article on the 2005 assassination of Rafik Hariri in Beirut, there's a detailed section on what the investigators were able to learn from the cell phone metadata: At Eid's request, a judge ordered Lebanon's two cellphone companies, Alfa and MTC Touch, to produce records of calls and text messages in Lebanon in the four months before the...

Tue, 05 May 2015 17:51:16 UTC

The NSA's Voice-to-Text Capabilities

Posted By Bruce Schneier

New article from the Intercept based on the Snowden documents....

Tue, 05 May 2015 11:59:36 UTC

Easily Cracking a Master Combination Lock

Posted By Bruce Schneier

Impressive. Kamkar told Ars his Master Lock exploit started with a well-known vulnerability that allows Master Lock combinations to be cracked in 100 or fewer tries. He then physically broke open a combination lock and noticed the resistance he observed was caused by two lock parts that touched in a way that revealed important clues about the combination. (He likened...

Mon, 04 May 2015 11:17:04 UTC

Detecting QUANTUMINSERT

Posted By Bruce Schneier

Fox-IT has a blog post (and has published Snort rules) on how to detect man-on-the-side Internet attacks like the NSA's QUANTUMINSERT. From a Wired article: But hidden within another document leaked by Snowden was a slide that provided a few hints about detecting Quantum Insert attacks, which prompted the Fox-IT researchers to test a method that ultimately proved to be...

Fri, 01 May 2015 21:16:26 UTC

Friday Squid Blogging: Ceramic Squid Planters

Posted By Bruce Schneier

Nice....

Fri, 01 May 2015 19:43:22 UTC

Digital Privacy Public Service Announcement

Posted By Bruce Schneier

I thought this was very well done....

Fri, 01 May 2015 17:46:24 UTC

Ears as a Biometric

Posted By Bruce Schneier

It's an obvious biometric for cell phones: Bodyprint recognizes users by their ears with 99.8% precision with a false rejection rate of only 1 out of 13. Grip, too. News story....

Thu, 30 Apr 2015 19:22:02 UTC

Measuring the Expertise of Burglars

Posted By Bruce Schneier

New research paper: "New methods for examining expertise in burglars in natural and simulated environments: preliminary findings": Expertise literature in mainstream cognitive psychology is rarely applied to criminal behaviour. Yet, if closely scrutinised, examples of the characteristics of expertise can be identified in many studies examining the cognitive processes of offenders, especially regarding residential burglary. We evaluated two new methodologies...

Thu, 30 Apr 2015 14:11:04 UTC

Protecting Against Google Phishing in Chrome

Posted By Bruce Schneier

Google has a new Chrome extension called "Password Alert": To help keep your account safe, today we're launching Password Alert, a free, open-source Chrome extension that protects your Google and Google Apps for Work Accounts. Once you've installed it, Password Alert will show you a warning if you type your Google password into a site that isn't a Google sign-in...

Wed, 29 Apr 2015 11:12:57 UTC

Remote Proctoring and Surveillance

Posted By Bruce Schneier

Interesting article. There are a lot of surveillance and privacy issues at play here....

Tue, 28 Apr 2015 17:50:31 UTC

Shaking Someone Down for His Password

Posted By Bruce Schneier

A drug dealer claims that the police leaned him over an 18th floor balcony and threatened to kill him if he didn't give up his password. One of the policemen involved corroborates this story. This is what's known as "rubber-hose cryptanalysis," well-described in this xkcd cartoon....

Tue, 28 Apr 2015 11:21:03 UTC

Nice Essay on Security Snake Oil

Posted By Bruce Schneier

This is good: Just as "data" is being sold as "intelligence", a lot of security technologies are being sold as "security solutions" rather than what they for the most part are, namely very narrow focused appliances that as a best case can be part of your broader security effort. Too many of these appliances do unfortunately not easily integrate with...

Mon, 27 Apr 2015 18:38:35 UTC

The History of Lockpicking

Posted By Bruce Schneier

Interesting....

Mon, 27 Apr 2015 11:27:26 UTC

The Further Democratization of Stingray

Posted By Bruce Schneier

Stingray is the code name for an IMSI-catcher, which is basically a fake cell phone tower sold by Harris Corporation to various law enforcement agencies. (It's actually just one of a series of devices with fish names -- Amberjack is another -- but it's the name used in the media.) What it basically does is trick nearby cell phones into...

Fri, 24 Apr 2015 21:43:50 UTC

Friday Squid Blogging: The Unique Reproductive Habits of the Vampire Squid

Posted By Bruce Schneier

Interesting: While most female squid and octopuses have just one reproductive cycle before they die, vampire squid go through dozens of egg-making cycles in their lifetimes, scientists have found. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Apr 2015 19:12:44 UTC

Signed Copies of Data and Goliath

Posted By Bruce Schneier

You can now order signed copies of Data and Goliath from my website....

Fri, 24 Apr 2015 17:42:18 UTC

Federal Trade Commissioner Julie Brill on Obscurity

Posted By Bruce Schneier

I think this is good: Obscurity means that personal information isn't readily available to just anyone. It doesn't mean that information is wiped out or even locked up; rather, it means that some combination of factors makes certain types of information relatively hard to find. Obscurity has always been an important component of privacy. It is a helpful concept because...

Fri, 24 Apr 2015 13:55:14 UTC

The Further Democratization of QUANTUM

Posted By Bruce Schneier

From Data and Goliath: ...when I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection -- basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was...

Thu, 23 Apr 2015 12:19:58 UTC

An Incredibly Insecure Voting Machine

Posted By Bruce Schneier

Wow: The weak passwords -- which are hard-coded and can't be changed -- were only one item on a long list of critical defects uncovered by the review. The Wi-Fi network the machines use is encrypted with wired equivalent privacy, an algorithm so weak that it takes as little as 10 minutes for attackers to break a network's encryption key....

Wed, 22 Apr 2015 13:40:41 UTC

"Hinky" in Action

Posted By Bruce Schneier

In Beyond Fear I wrote about trained officials recognizing "hinky" and how it differs from profiling: Ressam had to clear customs before boarding the ferry. He had fake ID, in the name of Benni Antoine Noris, and the computer cleared him based on this ID. He was allowed to go through after a routine check of his car's trunk, even...

Tue, 21 Apr 2015 18:40:04 UTC

Hacking Airplanes

Posted By Bruce Schneier

Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some "Die Hard" reboot, but it's actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes. It's certainly...

Tue, 21 Apr 2015 10:26:50 UTC

Hacker Detained by FBI After Tweeting About Airplane Software Vulnerabilities.

Posted By Bruce Schneier

This is troubling: Chris Roberts was detained by FBI agents on Wednesday as he was deplaning his United flight, which had just flown from Denver to Syracuse, New York. While on board the flight, he tweeted a joke about taking control of the plane's engine-indicating and crew-alerting system, which provides flight crews with information in real-time about an aircraft's functions,...

Mon, 20 Apr 2015 16:18:02 UTC

Counting the US Intelligence Community Leakers

Posted By Bruce Schneier

It's getting hard to keep track of the US intelligence community leakers without a scorecard. So here's my attempt: Leaker #1: Chelsea Manning. Leaker #2: Edward Snowden. Leaker #3: The person who leaked secret documents to Jake Appelbaum, Laura Poitras, and others in Germany: the Angela Merkel surveillance story, the TAO catalog, the X-KEYSCORE rules. My guess is that this...

Mon, 20 Apr 2015 12:16:57 UTC

New Top Secret Information on the US's Drone Program

Posted By Bruce Schneier

New operational information on the US's drone program, published by the Intercept and Der Spiegel....

Fri, 17 Apr 2015 21:31:51 UTC

Friday Squid Blogging: Squid Hoodie

Posted By Bruce Schneier

This is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Apr 2015 11:54:44 UTC

The No-Fly List and Due Process

Posted By Bruce Schneier

The Congressional Research Service has released a report on the no-fly list and current litigation that it violates due process....

Thu, 16 Apr 2015 11:27:54 UTC

How Many Vulnerabilities Are There in Software?

Posted By Bruce Schneier

Dan Geer proposes some techniques for answering this question....

Wed, 15 Apr 2015 11:58:40 UTC

Metal Detectors at Sports Stadiums

Posted By Bruce Schneier

Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they're nothing of the sort. They're pure security theater: They look good without doing anything to make us safer. We're stuck with them because of a combination of buck passing, CYA thinking, and fear....

Tue, 14 Apr 2015 17:40:18 UTC

John Oliver Interviews Edward Snowden

Posted By Bruce Schneier

Wow, what an amazing segment and interview....

Tue, 14 Apr 2015 11:32:51 UTC

Two Thoughtful Essays on the Future of Privacy

Posted By Bruce Schneier

Paul Krugman argues that we'll give up our privacy because we want to emulate the rich, who are surrounded by servants who know everything about them: Consider the Varian rule, which says that you can forecast the future by looking at what the rich have today -- that is, that what affluent people will want in the future is, in...

Mon, 13 Apr 2015 14:12:29 UTC

China's Great Cannon

Posted By Bruce Schneier

Citizen Lab has issued a report on China's "Great Cannon" attack tool, used in the recent DDoS attack against GitHub. We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the "Great Cannon." The Great Cannon is not simply...

Fri, 10 Apr 2015 15:33:59 UTC

Alternatives to the FBI's Manufacturing of Terrorists

Posted By Bruce Schneier

John Mueller suggests an alternative to the FBI's practice of encouraging terrorists and then arresting them for something they would never have planned on their own: The experience with another case can be taken to suggest that there could be an alternative, and far less costly, approach to dealing with would-be terrorists, one that might generally (but not always)...

Thu, 09 Apr 2015 21:51:38 UTC

Pepper-Spray Drones

Posted By Bruce Schneier

India has purchased pepper-spray drones....

Thu, 09 Apr 2015 11:45:30 UTC

Attacking Researchers Who Expose Voting Vulnerabilities

Posted By Bruce Schneier

Researchers found voting-system flaws in New South Wales, and were attacked by voting officials and the company that made the machines....

Wed, 08 Apr 2015 15:15:40 UTC

Lone-Wolf Terrorism

Posted By Bruce Schneier

The Southern Poverty Law Center warns of the rise of lone-wolf terrorism. From a security perspective, lone wolves are much harder to prevent because there is no conspiracy to detect. The long-term trend away from violence planned and committed by groups and toward lone wolf terrorism is a worrying one. Authorities have had far more success penetrating plots concocted by...

Tue, 07 Apr 2015 14:27:04 UTC

Cell Phone Opsec

Posted By Bruce Schneier

Here's an article on making secret phone calls with cell phones. His step-by-step instructions for making a clandestine phone call are as follows: Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren't changing locations); Leave your daily cell phone behind...

Mon, 06 Apr 2015 11:55:46 UTC

Bluetooth Doorlock

Posted By Bruce Schneier

Neat, but I'll bet it can be hacked....

Fri, 03 Apr 2015 21:17:05 UTC

Friday Squid Blogging: Giant Squid Video

Posted By Bruce Schneier

Giant squid caught on video. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Apr 2015 21:16:24 UTC

Friday Squid Blogging: The Longfin Inshore Squid Regularly Rewrites Its Own DNA

Posted By Bruce Schneier

Wow. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Apr 2015 18:14:24 UTC

TrueCrypt Security Audit Completed

Posted By Bruce Schneier

The security audit of the TrueCrypt code has been completed (see here for the first phase of the audit), and the results are good. Some issues were found, but nothing major. From Matthew Green, who is leading the project: The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC...

Thu, 02 Apr 2015 13:24:24 UTC

Real-Life Remailers in the Warsaw Pact Nations

Posted By Bruce Schneier

Interesting story....

Wed, 01 Apr 2015 18:13:25 UTC

Ugly Mail: Gmail Extension to Expose E-mail Tracking

Posted By Bruce Schneier

Nice idea, but I would like it to work for other browsers and other e-mail programs....

Wed, 01 Apr 2015 11:33:52 UTC

The Eighth Movie-Plot Threat Contest

Posted By Bruce Schneier

It's April 1, and time for another Movie-Plot Threat Contest. This year, the theme is Crypto Wars II. Strong encryption is evil, because it prevents the police from solving crimes. (No, really -- that's the argument.) FBI Director James Comey is going to be hard to beat with his heartfelt litany of movie-plot threats: "We're drifting toward a place where...

Tue, 31 Mar 2015 19:49:31 UTC

Survey of Americans' Privacy Habits Post-Snowden

Posted By Bruce Schneier

Pew Research has a new survey on Americans' privacy habits in a post-Snowden world. The 87% of those who had heard at least something about the programs were asked follow-up questions about their own behaviors and privacy strategies: 34% of those who are aware of the surveillance programs (30% of all adults) have taken at least one step to hide...

Tue, 31 Mar 2015 17:42:02 UTC

Chinese CA Issuing Fraudulent Certificates

Posted By Bruce Schneier

There's a Chinese CA that's issuing fraudulent Google certificates. Yet another example of why the CA model is so broken....

Tue, 31 Mar 2015 12:14:32 UTC

Australia Outlaws Warrant Canaries

Posted By Bruce Schneier

In the US, certain types of warrants can come with gag orders preventing the recipient from disclosing the existence of the warrant to anyone else. A warrant canary is basically a legal hack of that prohibition. Instead of saying "I just received a warrant with a gag order," the potential recipient keeps repeating "I have not received any warrants." If the...

Mon, 30 Mar 2015 11:47:43 UTC

Brute-Forcing iPhone PINs

Posted By Bruce Schneier

This is a clever attack, using a black box that attaches to the iPhone via USB: As you know, an iPhone keeps a count of how many wrong PINs have been entered, in case you have turned on the Erase Data option on the Settings | Touch ID & Passcode screen. That's a highly-recommended option, because it wipes your device...

Fri, 27 Mar 2015 21:03:10 UTC

Friday Squid Blogging: Using Squid Proteins for Commercial Camouflage Products

Posted By Bruce Schneier

More research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Mar 2015 12:01:04 UTC

Yet Another Computer Side Channel

Posted By Bruce Schneier

Researchers have managed to get two computers to communicate using heat and thermal sensors. It's not really viable communication -- the bit rate is eight per hour over fifteen inches -- but it's neat....

Thu, 26 Mar 2015 14:46:15 UTC

New Zealand's XKEYSCORE Use

Posted By Bruce Schneier

The Intercept and the New Zealand Herald have reported that New Zealand spied on communications about the World Trade Organization director-general candidates. I'm not sure why this is news; it seems like a perfectly reasonable national intelligence target. More interesting to me is that the Intercept published the XKEYSCORE rules. It's interesting to see how primitive the keyword targeting is,...

Wed, 25 Mar 2015 11:55:48 UTC

Capabilities of Canada's Communications Security Establishment

Posted By Bruce Schneier

There's a new story about the hacking capabilities of Canada's Communications Security Establishment (CSE), based on the Snowden documents....

Tue, 24 Mar 2015 14:04:42 UTC

Reforming the FISA Court

Posted By Bruce Schneier

The Brennan Center has a long report on what's wrong with the FISA Court and how to fix it. At the time of its creation, many lawmakers saw constitutional problems in a court that operated in total secrecy and outside the normal "adversarial" process.... But the majority of Congress was reassured by similarities between FISA Court proceedings and the hearings...

Mon, 23 Mar 2015 12:07:54 UTC

BIOS Hacking

Posted By Bruce Schneier

We've learned a lot about the NSA's abilities to hack a computer's BIOS so that the hack survives reinstalling the OS. Now we have a research presentation about it. From Wired: The BIOS boots a computer and helps load the operating system. By infecting this core software, which operates below antivirus and other security products and therefore is not usually...

Fri, 20 Mar 2015 21:29:44 UTC

Friday Squid Blogging: Squid Pen

Posted By Bruce Schneier

Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Mar 2015 18:51:04 UTC

New Paper on Digital Intelligence

Posted By Bruce Schneier

David Omand -- GCHQ director from 1996-1997, and the UK's security and intelligence coordinator from 2000-2005 -- has just published a new paper: "Understanding Digital Intelligence and the Norms That Might Govern It." Executive Summary: This paper describes the nature of digital intelligence and provides context for the material published as a result of the actions of National Security Agency...

Fri, 20 Mar 2015 11:56:11 UTC

Cisco Shipping Equipment to Fake Addresses to Foil NSA Interception

Posted By Bruce Schneier

Last May, we learned that the NSA intercepts equipment being shipped around the world and installs eavesdropping implants. There were photos of NSA employees opening up a Cisco box. Cisco's CEO John Chambers personally complained to President Obama about this practice, which is not exactly a selling point for Cisco equipment abroad. Der Spiegel published the more complete document, along...

Thu, 19 Mar 2015 19:35:02 UTC

More Data and Goliath News

Posted By Bruce Schneier

Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list -- covering sales from the second week of March -- is not yet on the Internet. On...

Thu, 19 Mar 2015 13:09:44 UTC

Understanding the Organizational Failures of Terrorist Organizations

Posted By Bruce Schneier

New research: Max Abrahms and Philip B.K. Potter, "Explaining Terrorism: Leadership Deficits and Militant Group Tactics," International Organizations. Abstract: Certain types of militant groups -- those suffering from leadership deficits -- are more likely to attack civilians. Their leadership deficits exacerbate the principal-agent problem between leaders and foot soldiers, who have stronger incentives to harm civilians. We establish the validity...

Wed, 18 Mar 2015 11:48:14 UTC

How We Become Habituated to Security Warnings on Computers

Posted By Bruce Schneier

New research: "How Polymorphic Warnings Reduce Habituation in the Brain -- Insights from an fMRI Study." Abstract: Research on security warnings consistently points to habituation as a key reason why users ignore security warnings. However, because habituation as a mental state is difficult to observe, previous research has examined habituation indirectly by observing its influence on security behaviors. This study...

Tue, 17 Mar 2015 15:07:39 UTC

Details on Hacking Team Software Used by Ethiopian Government

Posted By Bruce Schneier

The Citizen Lab at the University of Toronto published a new report on the use of spyware from the Italian cyberweapons arms manufacturer Hacking Team by the Ethiopian intelligence service. We previously learned that the government used this software to target US-based Ethiopian journalists. News articles. Human Rights Watch press release....

Mon, 16 Mar 2015 12:38:15 UTC

How the CIA Might Target Apple's XCode

Posted By Bruce Schneier

The Intercept recently posted a story on the CIA's attempts to hack the iOS operating system. Most interesting was the speculation that they hacked XCode, which would mean that any apps developed using that tool would be compromised. The security researchers also claimed they had created a modified version of Apple's proprietary software development tool, Xcode, which could sneak surveillance...

Fri, 13 Mar 2015 22:29:08 UTC

Friday Squid Blogging: Squid Stir-Fry

Posted By Bruce Schneier

Spicy squid masala stir-fry. Easy and delicious. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Mar 2015 19:36:19 UTC

Fall Seminar on Catastrophic Risk

Posted By Bruce Schneier

I am planning a study group at Harvard University (in Boston) for the Fall semester, on catastrophic risk. Berkman Study Group -- Catastrophic Risk: Technologies and Policy Technology empowers, for both good and bad. A broad history of "attack" technologies shows trends of empowerment, as individuals wield ever more destructive power. The natural endgame is a nuclear bomb in everybody's...

Fri, 13 Mar 2015 11:05:20 UTC

Threats to Information Integrity

Posted By Bruce Schneier

Every year, the Director of National Intelligence publishes an unclassified "Worldwide Threat Assessment." This year's report was published two weeks ago. "Cyber" is the first threat listed, and includes most of what you'd expect from a report like this. More interesting is this comment about information integrity: Most of the public discussion regarding cyber threats has focused on the confidentiality...

Thu, 12 Mar 2015 19:05:37 UTC

Data and Goliath Makes New York Times Best-Seller List

Posted By Bruce Schneier

The March 22 best-seller list from the New York Times will list me as #6 in the hardcover nonfiction category, and #13 in the combined paper/e-book category. This is amazing, really. The book just barely crossed #400 on Amazon this week, but it seems that other booksellers did more. There are new reviews from the LA Times, Lawfare, EFF, and...

Thu, 12 Mar 2015 11:22:35 UTC

The Changing Economics of Surveillance

Posted By Bruce Schneier

Cory Doctorow examines the changing economics of surveillance and what it means: The Stasi employed one snitch for every 50 or 60 people it watched. We can't be sure of the size of the entire Five Eyes global surveillance workforce, but there are only about 1.4 million Americans with Top Secret clearance, and many of them don't work at or...

Wed, 11 Mar 2015 19:14:04 UTC

Equation Group Update

Posted By Bruce Schneier

More information about the Equation Group, aka the NSA. Kaspersky Labs has published more information about the Equation Group -- that's the NSA -- and its sophisticated malware platform. Ars Technica article....

Wed, 11 Mar 2015 11:16:10 UTC

Hardware Bit-Flipping Attack

Posted By Bruce Schneier

The Project Zero team at Google has posted details of a new attack that targets a computer's DRAM. It's called Rowhammer. Here's a good description: Here's how Rowhammer gets its name: In the Dynamic Random Access Memory (DRAM) used in some laptops, a hacker can run a program designed to repeatedly access a certain row of transistors in the computer's...

Tue, 10 Mar 2015 19:34:21 UTC

Can the NSA Break Microsoft's BitLocker?

Posted By Bruce Schneier

The Intercept has a new story on the CIA's -- yes, the CIA, not the NSA -- efforts to break encryption. These are from the Snowden documents, and talk about a conference called the Trusted Computing Base Jamboree. There are some interesting documents associated with the article, but not a lot of hard information. There's a paragraph about Microsoft's BitLocker,...

Tue, 10 Mar 2015 11:50:24 UTC

Geotagging Twitter Users by Mining Their Social Graphs

Posted By Bruce Schneier

New research: "Geotagging One Hundred Million Twitter Accounts with Total Variation Minimization," by Ryan Compton, David Jurgens, and David Allen. Abstract: Geographically annotated social media is extremely valuable for modern information retrieval. However, when researchers can only access publicly-visible data, one quickly finds that social media users rarely publish location information. In this work, we provide a method which can...

Mon, 09 Mar 2015 18:03:35 UTC

Identifying When Someone is Operating a Computer Remotely

Posted By Bruce Schneier

Here's an interesting technique to detect Remote Access Trojans, or RATs: differences in how local and remote users use the keyboard and mouse: By using biometric analysis tools, we are able to analyze cognitive traits such as hand-eye coordination, usage preferences, as well as device interaction patterns to identify a delay or latency often associated with remote access attacks. Simply...

Mon, 09 Mar 2015 12:09:53 UTC

Attack Attribution and Cyber Conflict

Posted By Bruce Schneier

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit. What's both amazing -- and perhaps a bit frightening -- about that dispute over who hacked Sony is that it happened in the first place. But what it highlights...

Fri, 06 Mar 2015 22:21:07 UTC

Friday Squid Blogging: Biodegradable Thermoplastic Inspired by Squid Teeth

Posted By Bruce Schneier

There's a new 3D-printable biodegradable thermoplastic: Pennsylvania State University researchers have synthesized a biodegradable thermoplastic that can be used for molding, extrusion, 3D printing, as an adhesive, or a coating using structural proteins from the ring teeth on squid tentacles. Another article: The researchers took genes from a squid and put them into E. coli bacteria. "You can insert genes...

Fri, 06 Mar 2015 20:10:52 UTC

Data and Goliath's Big Idea

Posted By Bruce Schneier

Data and Goliath is a book about surveillance, both government and corporate. It's an exploration in three parts: what's happening, why it matters, and what to do about it. This is a big and important issue, and one that I've been working on for decades now. We've been on a headlong path of more and more surveillance, fueled by fear -- of...

Fri, 06 Mar 2015 16:46:11 UTC

FREAK: Security Rollback Attack Against SSL

Posted By Bruce Schneier

This week we learned about an attack called "FREAK" -- "Factoring Attack on RSA-EXPORT Keys" -- that can break the encryption of many websites. Basically, some sites' implementations of secure sockets layer technology, or SSL, contain both strong encryption algorithms and weak encryption algorithms. Connections are supposed to use the strong algorithms, but in many cases an attacker can force...

Fri, 06 Mar 2015 12:28:38 UTC

The TSA's FAST Personality Screening Program Violates the Fourth Amendment

Posted By Bruce Schneier

New law journal article: "A Slow March Towards Thought Crime: How the Department of Homeland Security's FAST Program Violates the Fourth Amendment," by Christopher A. Rogers. From the abstract: FAST is currently designed for deployment at airports, where heightened security threats justify warrantless searches under the administrative search exception to the Fourth Amendment. FAST scans, however, exceed the scope of...

Thu, 05 Mar 2015 12:33:45 UTC

Now Corporate Drones are Spying on Cell Phones

Posted By Bruce Schneier

The marketing firm Adnear is using drones to track cell phone users: The capture does not involve conversations or personally identifiable information, according to director of marketing and research Smriti Kataria. It uses signal strength, cell tower triangulation, and other indicators to determine where the device is, and that information is then used to map the user's travel patterns. "Let's...

Wed, 04 Mar 2015 12:40:12 UTC

Tom Ridge Can Find Terrorists Anywhere

Posted By Bruce Schneier

One of the problems with our current discourse about terrorism and terrorist policies is that the people entrusted with counterterrorism -- those whose job it is to surveil, study, or defend against terrorism -- become so consumed with their role that they literally start seeing terrorists everywhere. So it comes as no surprise that if you ask Tom Ridge, the...

Tue, 03 Mar 2015 19:03:14 UTC

Data and Goliath: Reviews and Excerpts

Posted By Bruce Schneier

On the net right now, there are excerpts from the Introduction on Scientific American, Chapter 5 on the Atlantic, Chapter 6 on the Blaze, Chapter 8 on Ars Technica, Chapter 15 on Slate, and Chapter 16 on Motherboard. That might seem like a lot, but it's only 9,000 of the book's 80,000 words: barely 10%. There are also a few...

Tue, 03 Mar 2015 11:46:43 UTC

Google Backs Away from Default Lollipop Encryption

Posted By Bruce Schneier

Lollipop encryption by default is still in the future. No conspiracy here; it seems like they don't have the appropriate drivers yet. But while relaxing the requirement might make sense technically, it's not a good public relations move. Android compatibility document. Slashdot story...

Mon, 02 Mar 2015 12:49:13 UTC

The Democratization of Cyberattack

Posted By Bruce Schneier

The thing about infrastructure is that everyone uses it. If it's secure, it's secure for everyone. And if it's insecure, it's insecure for everyone. This forces some hard policy choices. When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's...

Fri, 27 Feb 2015 22:00:16 UTC

Friday Squid Blogging: Humboldt Squid Communicate by Flashing Each Other

Posted By Bruce Schneier

Scientists are attaching cameras to Humboldt squid to watch them communicate with each other. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Feb 2015 20:32:59 UTC

Data and Goliath Book Tour

Posted By Bruce Schneier

Over the next two weeks, I am speaking about my new book -- Data and Goliath, if you've missed it -- in New York, Boston, Washington, DC, Seattle, San Francisco, and Minneapolis. Stop by to get your book signed, or just to say hello....

Thu, 26 Feb 2015 12:47:07 UTC

Everyone Wants You To Have Security, But Not from Them

Posted By Bruce Schneier

In December, Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place...

Wed, 25 Feb 2015 19:54:15 UTC

Snowden-Greenwald-Poitras AMA

Posted By Bruce Schneier

Glenn Greenwald, Laura Poitras, and Edward Snowden did an "Ask Me Anything" on Reddit. Point out anything interesting in the comments. And note that Snowden mentioned my new book: One of the arguments in a book I read recently (Bruce Schneier, "Data and Goliath"), is that perfect enforcement of the law sounds like a good thing, but that may not...

Wed, 25 Feb 2015 12:09:12 UTC

"Surreptitiously Weakening Cryptographic Systems"

Posted By Bruce Schneier

New paper: "Surreptitiously Weakening Cryptographic Systems," by Bruce Schneier, Matthew Fredrikson, Tadayoshi Kohno, and Thomas Ristenpart. Abstract: Revelations over the past couple of years highlight the importance of understanding malicious and surreptitious weakening of cryptographic systems. We provide an overview of this domain, using a number of historical examples to drive development of a weaknesses taxonomy. This allows comparing different...

Tue, 24 Feb 2015 19:17:04 UTC

Twitpic

Posted By Bruce Schneier

On Monday, I asked Adm. Rogers a question. EDITED TO ADD: The question....

Tue, 24 Feb 2015 12:33:04 UTC

AT&T Charging Customers to Not Spy on Them

Posted By Bruce Schneier

AT&T is charging a premium for gigabit Internet service without surveillance: The tracking and ad targeting associated with the gigabit service cannot be avoided using browser privacy settings: as AT&T explained, the program "works independently of your browser's privacy settings regarding cookies, do-not-track and private browsing." In other words, AT&T is performing deep packet inspection, a controversial practice through which...

Mon, 23 Feb 2015 16:30:57 UTC

Cell Phones Leak Location Information through Power Usage

Posted By Bruce Schneier

New research on tracking the location of smart phone users by monitoring power consumption: PowerSpy takes advantage of the fact that a phone's cellular transmissions use more power to reach a given cell tower the farther it travels from that tower, or when obstacles like buildings or mountains block its signal. That correlation between battery use and variables like environmental...

Fri, 20 Feb 2015 22:06:33 UTC

Friday Squid Blogging: Squid Can Recode Their Genetic Makeup

Posted By Bruce Schneier

This is freaky: A new study showcases the first example of an animal editing its own genetic makeup on-the-fly to modify most of its proteins, enabling adjustments to its immediate surroundings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Feb 2015 21:43:26 UTC

Man-in-the-Middle Attacks on Lenovo Computers

Posted By Bruce Schneier

It's not just national intelligence agencies that break your https security through man-in-the-middle attacks. Corporations do it, too. For the past few months, Lenovo PCs have shipped with an adware app called Superfish that man-in-the-middles TLS connections. Here's how it works, and here's how to get rid of it. And you should get rid of it, not merely because it's...

Fri, 20 Feb 2015 13:51:29 UTC

NSA/GCHQ Hacks SIM Card Database and Steals Billions of Keys

Posted By Bruce Schneier

The Intercept has an extraordinary story: the NSA and/or GCHQ hacked into the Dutch SIM card manufacturer Gemalto, stealing the encryption keys for billions of cell phones. People are still trying to figure out exactly what this means, but it seems to mean that the intelligence agencies have access to both voice and data from all phones using those cards....

Thu, 19 Feb 2015 19:02:56 UTC

Database of Ten Million Passwords

Posted By Bruce Schneier

Earlier this month, Mark Burnett released a database of ten million usernames and passwords. He collected this data from already-public dumps from hackers who had stolen the information; hopefully everyone affected has changed their passwords by now. News articles....

Thu, 19 Feb 2015 12:15:08 UTC

The Obsolescence of Submarines

Posted By Bruce Schneier

Interesting article on the submarine arms race between remaining hidden and detection. It seems that it is much more expensive for a submarine to hide than it is to detect it. And this changing balance will affect the long-term viability of submarines....

Wed, 18 Feb 2015 12:42:35 UTC

IRS Encourages Poor Cryptography

Posted By Bruce Schneier

I'm not sure what to make of this, or even what it means. The IRS has a standard called IDES: International Data Exchange Service: "The International Data Exchange Service (IDES) is an electronic delivery point where Financial Institutions (FI) and Host Country Tax Authorities (HCTA) can transmit and exchange FATCA data with the United States." It's like IRS data submission,...

Tue, 17 Feb 2015 18:19:41 UTC

The Equation Group's Sophisticated Hacking and Exploitation Tools

Posted By Bruce Schneier

This week, Kaspersky Labs published detailed information on what it calls the Equation Group -- almost certainly the NSA -- and its abilities to embed spyware deep inside computers, gaining pretty much total control of those computers while maintaining persistence in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone...

Tue, 17 Feb 2015 12:53:02 UTC

Co3 Systems Changes Its Name to Resilient Systems

Posted By Bruce Schneier

Today my company, Co3 Systems, is changing its name to Resilient Systems. The new name better reflects who we are and what we do. Plus, the old name was kind of dumb. I have long liked the term "resilience." If you look around, you'll see it a lot. It's used in human psychology, in organizational theory, in disaster recovery, in...

Fri, 09 Jan 2015 22:01:59 UTC

Friday Squid Blogging: Dumpling Squid and Sex

Posted By Bruce Schneier

This just in: the threat of being eaten doesn't deter dumpling squid from having sex. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 09 Jan 2015 19:35:02 UTC

Smart Pipe

Posted By Bruce Schneier

Pretty impressive surveillance-economy satire....

Fri, 09 Jan 2015 12:24:15 UTC

Further Evidence Pointing to North Korea as Sony Hacker

Posted By Bruce Schneier

The FBI has provided more evidence: Speaking at a Fordham Law School cybersecurity conference Wednesday, Comey said that he has "very high confidence" in the FBI's attribution of the attack to North Korea. And he named several of the sources of his evidence, including a "behavioral analysis unit" of FBI experts trained to psychologically analyze foes based on their writings...

Thu, 08 Jan 2015 21:11:36 UTC

Hacking Attack Causes Physical Damage at German Steel Mill

Posted By Bruce Schneier

This sort of thing is still very rare, but I fear it will become more common: ...hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in "massive" -- though unspecified -- damage....

Thu, 08 Jan 2015 12:34:55 UTC

Attack Attribution in Cyberspace

Posted By Bruce Schneier

When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense. Many of us in the computer-security field are skeptical of the US government's claim that it...

Wed, 07 Jan 2015 17:16:34 UTC

Attributing the Sony Attack

Posted By Bruce Schneier

No one has admitted taking down North Korea's Internet. It could have been an act of retaliation by the US government, but it could just as well have been an ordinary DDoS attack. The follow-on attack against Sony PlayStation definitely seems to be the work of hackers unaffiliated with a government. Not knowing who did what isn't new. It's called...

Tue, 06 Jan 2015 20:44:37 UTC

Fidgeting as Lie Detection

Posted By Bruce Schneier

Sophie Van Der Zee and colleagues have a new paper on using body movement as a lie detector: Abstract: We present a new robust signal for detecting deception: full body motion. Previous work on detecting deception from body movement has relied either on human judges or on specific gestures (such as fidgeting or gaze aversion) that are coded or rated...

Tue, 06 Jan 2015 12:50:53 UTC

Attributing Cyberattacks

Posted By Bruce Schneier

New paper: "Attributing Cyber Attacks," by Thomas Rid and Ben Buchanan: Abstract: Who did it? Attribution is fundamental. Human lives and the security of the state may depend on ascribing agency to an agent. In the context of computer network intrusions, attribution is commonly seen as one of the most intractable technical problems, as either solvable or not solvable, and...

Mon, 05 Jan 2015 13:10:09 UTC

Loitering as a Security System

Posted By Bruce Schneier

In Kyoto, taxi drivers are encouraged to loiter around convenience stores late at night. Their presence reduces crime. In Kyoto about half of the convenience stores had signed on for the Midnight Defender Strategy. These 500 or so shops hung posters with slogans such as "vigilance strengthening" written on them in their windows. These signs are indicators to taxi drivers...

Sat, 03 Jan 2015 13:08:16 UTC

How Browsers Store Passwords

Posted By Bruce Schneier

Good information on how Internet Explorer, Chrome, and Firefox store user passwords....

Fri, 02 Jan 2015 22:50:08 UTC

Friday Squid Blogging: Easy Squid Recipes

Posted By Bruce Schneier

Stewed squid with tomatoes, sauteed squid with parsley and garlic, and braised squid with garlic and herbs. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Jan 2015 13:21:49 UTC

Doxing as an Attack

Posted By Bruce Schneier

Those of you unfamiliar with hacker culture might need an explanation of "doxing." The word refers to the practice of publishing personal information about people without their consent. Usually it's things like an address and phone number, but it can also be credit card details, medical information, private e-mails -- pretty much anything an assailant can get his hands on....

Wed, 31 Dec 2014 13:52:08 UTC

More Data on Attributing the Sony Attack

Posted By Bruce Schneier

An analysis of the timestamps on some of the leaked documents shows that they were downloaded at USB 2.0 speeds -- which implies an insider. Our Gotnews.com investigation into the data that has been released by the "hackers" shows that someone at Sony was copying 182GB at minimum the night of the 21st -- the very same day that Sony...

Mon, 29 Dec 2014 12:22:39 UTC

Leaked CIA Documents

Posted By Bruce Schneier

I haven't seen much press mention about the leaked CIA documents that have appeared on Wikileaks this month. There are three: The CIA review of high-value target assassination programs, classified SECRET, from 2009. The CIA's advice for agents going through airport security and surviving secondary screening, classified SECRET, from 2011. The CIA's advice for agents travelling into the Schengen Area,...

Sun, 28 Dec 2014 23:06:22 UTC

New Documents on NSA's Cryptanalysis Capabilities

Posted By Bruce Schneier

Spiegel published a long article today on the NSA's analysis capabilities against encrypted systems, with a lot of new documents from the Snowden archive. I'm not going to have time to look at this for a few days. Describe anything interesting you find -- with links to the documents -- in the comments....

Fri, 26 Dec 2014 22:32:11 UTC

Friday Squid Blogging: Mummers Play Featuring Giant Squid

Posted By Bruce Schneier

"St. George, the Dragon, and the Squid: A Preservation Mumming," by the American Folklife Center. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Dec 2014 12:29:41 UTC

Merry Christmas from the NSA

Posted By Bruce Schneier

On Christmas eve the NSA released a bunch of audit reports on illegal spying using EO 12333 from 2001 to 2013. Bloomberg article. The heavily-redacted reports include examples of data on Americans being e-mailed to unauthorized recipients, stored in unsecured computers and retained after it was supposed to be destroyed, according to the documents. They were posted on the NSA's...

Thu, 25 Dec 2014 12:21:46 UTC

"Santa Claus and the Surveillance State"

Posted By Bruce Schneier

He sees you when you're sleeping. He knows when you're awake. He's everywhere. And that's the whole point of the Elf on the Shelf, the bright-eyed, Kewpie-esque doll that millions of parents display around their homes in December as a reminder to children to behave. The elf, the story goes, is an agent reporting back to Santa Claus, and he's...

Wed, 24 Dec 2014 12:27:05 UTC

Did North Korea Really Attack Sony?

Posted By Bruce Schneier

I am deeply skeptical of the FBI's announcement on Friday that North Korea was behind last month's Sony hack. The agency's evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the US government would make the accusation this formally if officials didn't believe it. Clues in the hackers' attack code seem...

Tue, 23 Dec 2014 20:19:04 UTC

Manipulating Juries with PowerPoint

Posted By Bruce Schneier

Interesting article on the subconscious visual tricks used to manipulate juries and affect verdicts. In December 2012 the Washington Supreme Court threw out Glasmann's convictions based on the "highly inflammatory" slides. As a general rule, courts don't want prosecutors expressing their personal opinion to a jury; they're supposed to couch their arguments in terms of what the evidence shows. Plastering...

Tue, 23 Dec 2014 16:09:28 UTC

North Korea DDoSed Off the Internet

Posted By Bruce Schneier

North Korea has been knocked off the Internet by a distributed denial-of-service (DDoS) attack. Maybe the US did it, and maybe not. This whole incident is a perfect illustration of how technology is equalizing capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a...

Tue, 23 Dec 2014 13:02:09 UTC

2008 Cyberattack Against Turkish Oil Pipeline

Posted By Bruce Schneier

Interesting article talks about the 2008 cyberattack against a Turkish oil pipeline: For western intelligence agencies, the blowout was a watershed event. Hackers had shut down alarms, cut off communications and super-pressurized the crude oil in the line, according to four people familiar with the incident who asked not to be identified because details of the investigation are confidential. The...

Mon, 22 Dec 2014 12:08:57 UTC

Reacting to the Sony Hack

Posted By Bruce Schneier

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I've heard calls for us to strike back, with actual missiles...

Fri, 19 Dec 2014 22:04:40 UTC

Friday Squid Blogging: Squid Beard

Posted By Bruce Schneier

Impressive. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Dec 2014 18:44:19 UTC

Lessons from the Sony Hack

Posted By Bruce Schneier

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment's computer systems and began revealing many of the Hollywood studio's best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama's presumed movie-watching preferences) to the personnel data of employees, including salaries and...

Fri, 19 Dec 2014 12:41:24 UTC

SS7 Vulnerabilities

Posted By Bruce Schneier

There are security vulnerabilities in the phone-call routing protocol called SS7. The flaws discovered by the German researchers are actually functions built into SS7 for other purposes -- such as keeping calls connected as users speed down highways, switching from cell tower to cell tower -- that hackers can repurpose for surveillance because of the lax security on the network....

Thu, 18 Dec 2014 16:07:07 UTC

ISIS Cyberattacks

Posted By Bruce Schneier

Citizen Lab has a new report on a probable ISIS-launched cyberattack: This report describes a malware attack with circumstantial links to the Islamic State in Iraq and Syria. In the interest of highlighting a developing threat, this post analyzes the attack and provides a list of Indicators of Compromise. A Syrian citizen media group critical of Islamic State of Iraq...

Thu, 18 Dec 2014 12:57:49 UTC

The Limits of Police Subterfuge

Posted By Bruce Schneier

"The next time you call for assistance because the Internet service in your home is not working, the 'technician' who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and -- when he shows up at your door, impersonating a technician -- let...

Wed, 17 Dec 2014 12:44:57 UTC

How the FBI Unmasked Tor Users

Posted By Bruce Schneier

Kevin Poulsen has a good article up on Wired about how the FBI used a Metasploit variant to identify Tor users....

Tue, 16 Dec 2014 17:34:04 UTC

Fake Cell Towers Found in Norway

Posted By Bruce Schneier

In yet another example of what happens when you build an insecure communications infrastructure, fake cell phone towers have been found in Oslo. No one knows who has been using them to eavesdrop. This is happening in the US, too. Remember the rule: we're all using the same infrastructure, so we can either keep it insecure so we -- and...

Mon, 15 Dec 2014 19:13:46 UTC

Understanding Zero-Knowledge Proofs

Posted By Bruce Schneier

Matthew Green has a good primer....

Mon, 15 Dec 2014 12:07:59 UTC

Over 700 Million People Taking Steps to Avoid NSA Surveillance

Posted By Bruce Schneier

There's a new international survey on Internet security and trust, of "23,376 Internet users in 24 countries," including "Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States." Amongst the findings, 60% of Internet users have heard of Edward...

Fri, 12 Dec 2014 22:32:17 UTC

Friday Squid Blogging: Recreational Squid Fishing in Washington State

Posted By Bruce Schneier

There is year-round recreational squid fishing from the Strait of Juan de Fuca to south Puget Sound. A nighttime sport that requires simple, inexpensive fishing tackle, squid fishing -- or jigging -- typically takes place on the many piers and docks throughout the Puget Sound region. As usual, you can also use this squid post to talk about the security stories in the news...

Fri, 12 Dec 2014 20:05:56 UTC

Incident Response Webinar on Thursday

Posted By Bruce Schneier

On 12/18 I'll be part of a Co3 webinar where we examine incident-response trends of 2014 and look ahead to 2015. I tend not to do these, but this is an exception. Please sign up if you're interested....

Fri, 12 Dec 2014 15:26:41 UTC

Who Might Control Your Telephone Metadata

Posted By Bruce Schneier

Remember last winter when President Obama called for an end to the NSA's telephone metadata collection program? He didn't actually call for an end to it; he just wanted it moved from an NSA database to some commercial database. (I still think this is a bad idea, and that having the companies store it is worse than having the...

Thu, 11 Dec 2014 20:37:49 UTC

Comments on the Sony Hack

Posted By Bruce Schneier

I don't have a lot to say about the Sony hack, which seems to still be ongoing. I want to highlight a few points, though. At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either.) That we live in the world where we aren't...

Thu, 11 Dec 2014 12:31:23 UTC

Not Enough CISOs to Go Around

Posted By Bruce Schneier

This article is reporting that the demand for Chief Information Security Officers far exceeds supply: Sony and every other company that realizes the need for a strong, senior-level security officer are scrambling to find talent, said Kris Lovejoy, general manager of IBM's security service and former IBM chief security officer. CISOs are "almost impossible to find these days," she said....

Wed, 10 Dec 2014 17:40:52 UTC

Effects of Terrorism Fears

Posted By Bruce Schneier

Interesting article: "How terrorism fears are transforming America's public space." I am reminded of my essay from four years ago: "Close the Washington Monument."...

Tue, 09 Dec 2014 12:33:00 UTC

NSA Hacking of Cell Phone Networks

Posted By Bruce Schneier

The Intercept has published an article -- based on the Snowden documents -- about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a...

Mon, 08 Dec 2014 17:09:12 UTC

Rapiscan Full-Body Scanner for Sale

Posted By Bruce Schneier

Government surplus. Only $8,000 on eBay. Note that this device has been analyzed before....

Mon, 08 Dec 2014 13:19:50 UTC

Corporate Abuse of our Data

Posted By Bruce Schneier

Last week, we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It's more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there's substantial evidence that it was built and operated by the United States. This isn't...

Fri, 05 Dec 2014 22:10:35 UTC

Friday Squid Blogging: Squid Poaching off the Coast of Japan

Posted By Bruce Schneier

There has been an increase in squid poaching by North Korea out of Japanese territorial waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Dec 2014 22:09:17 UTC

Surveillance Cartoon

Posted By Bruce Schneier

Funny....

Fri, 05 Dec 2014 12:45:27 UTC

Corporations Misusing Our Data

Posted By Bruce Schneier

In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on. We realize that this data is at risk from hackers. But there's another risk as well: the employees of the companies who are holding our data for us. In the early years of Facebook, employees had...

Thu, 04 Dec 2014 21:40:56 UTC

Olfactory Surveillance

Posted By Bruce Schneier

The Denver police are using olfactometers to measure the concentration of cannabis in the air. I haven't found any technical information about these devices, their sensitivity, range, etc....

Thu, 04 Dec 2014 15:33:13 UTC

Quantum Attack on Public-Key Algorithm

Posted By Bruce Schneier

This talk (and paper) describe a lattice-based public-key algorithm called Soliloquy developed by GCHQ, and a quantum-computer attack on it. News article....

Tue, 02 Dec 2014 21:15:21 UTC

The Future of Auditory Surveillance

Posted By Bruce Schneier

Interesting essay on the future of speech recognition, microphone miniaturization, and the future ubiquity of auditory surveillance....

Mon, 01 Dec 2014 12:41:25 UTC

Putting NSA/GCHQ Spying Together

Posted By Bruce Schneier

This is a really good analysis of how the NSA/GCHQ spying programs actually work. It's nice that we finally have enough documents public that we can start putting together the complete pictures....

Fri, 28 Nov 2014 22:04:57 UTC

Friday Squid Blogging: Squid Bikes

Posted By Bruce Schneier

Squid Bikes is a California brand. Article from Velo News. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Nov 2014 12:26:55 UTC

Economic Failures of HTTPS Encryption

Posted By Bruce Schneier

Interesting paper: "Security Collapse of the HTTPS Market." From the conclusion: Recent breaches at CAs have exposed several systemic vulnerabilities and market failures inherent in the current HTTPS authentication model: the security of the entire ecosystem suffers if any of the hundreds of CAs is compromised (weakest link); browsers are unable to revoke trust in major CAs ("too big to...

Thu, 27 Nov 2014 14:32:40 UTC

"Cooperating with the Future"

Posted By Bruce Schneier

This is an interesting paper -- the full version is behind a paywall -- about how we as humans can motivate people to cooperate with future generations. Abstract: Overexploitation of renewable resources today has a high cost on the welfare of future generations. Unlike in other public goods games, however, future generations cannot reciprocate actions made today. What mechanisms can...

Wed, 26 Nov 2014 19:29:21 UTC

New Snowden Documents Show GCHQ Paying Cable & Wireless for Access

Posted By Bruce Schneier

A new story based on the Snowden documents and published in the German newspaper Süddeutsche Zeitung shows how the GCHQ worked with Cable & Wireless -- acquired by Vodafone in 2012 -- to eavesdrop on Internet and telecommunications traffic. New documents on the page, and here. Ars Technica article. Slashdot thread....

Wed, 26 Nov 2014 12:50:06 UTC

FBI Agents Pose as Repairmen to Bypass Warrant Process

Posted By Bruce Schneier

This is a creepy story. The FBI wanted access to a hotel guest's room without a warrant. So agents broke his Internet connection, and then posed as Internet technicians to gain access to his hotel room without a warrant. From the motion to suppress: The next time you call for assistance because the internet service in your home is not...

Tue, 25 Nov 2014 12:57:03 UTC

Regin: Another Military-Grade Malware

Posted By Bruce Schneier

Regin is another military-grade surveillance malware (tech details from Symantec and Kaspersky). It seems to have been in operation between 2008 and 2011. The Intercept has linked it to NSA/GCHQ operations, although I am still skeptical of the NSA/GCHQ hacking Belgian cryptographer Jean-Jacques Quisquater....

Mon, 24 Nov 2014 20:21:52 UTC

The Security Underpinnings of Cryptography

Posted By Bruce Schneier

Nice article on some of the security assumptions we rely on in cryptographic algorithms....

Mon, 24 Nov 2014 12:54:36 UTC

New Kryptos Clue

Posted By Bruce Schneier

Jim Sanborn has given the world another clue to the fourth cyphertext in his Kryptos sculpture at the CIA headquarters. Older posts on Kryptos....

Fri, 21 Nov 2014 22:09:49 UTC

Friday Squid Blogging: Cephalopod Cognition

Posted By Bruce Schneier

Tales of cephalopod behavior, including octopuses, squid, cuttlefish and nautiluses. Cephalopod Cognition, published by Cambridge University Press, is currently available in hardcover, and the paperback edition will be available next week....

Thu, 20 Nov 2014 20:42:24 UTC

Pre-Snowden Debate About NSA Call-Records Collection Program

Posted By Bruce Schneier

Reuters is reporting that in 2009, several senior NSA officials objected to the NSA call-records collection program. The now-retired NSA official, a longtime code-breaker who rose to top management, had just learned in 2009 about the top secret program that was created shortly after the Sept. 11, 2001, attacks. He says he argued to then-NSA Director Keith Alexander that storing...

Thu, 20 Nov 2014 15:51:13 UTC

Citadel Malware Steals Password Manager Master Passwords

Posted By Bruce Schneier

Citadel is the first piece of malware I know of that specifically steals master passwords from password managers. Note that my own Password Safe is a target....

Tue, 18 Nov 2014 18:38:11 UTC

A New Free CA

Posted By Bruce Schneier

Announcing Let's Encrypt, a new free certificate authority. This is a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan. This is an absolutely fantastic idea. The anchor for any TLS-protected communication is a public-key certificate which demonstrates that the server you're actually talking to is the server you intended to talk to. For many server operators,...

Tue, 18 Nov 2014 18:35:00 UTC

Whatsapp Is Now End-to-End Encrypted

Posted By Bruce Schneier

Whatsapp is now offering end-to-end message encryption: Whatsapp will integrate the open-source software Textsecure, created by privacy-focused non-profit Open Whisper Systems, which scrambles messages with a cryptographic key that only the user can access and never leaves his or her device. I don't know the details, but the article talks about perfect forward secrecy. Moxie Marlinspike is involved, which gives...

Tue, 18 Nov 2014 16:50:48 UTC

Snarky 1992 NSA Report on Academic Cryptography

Posted By Bruce Schneier

The NSA recently declassified a report on the Eurocrypt '92 conference. Honestly, I share some of the writer's opinions on the more theoretical stuff. I know it's important, but it's not something I care all that much about....

Tue, 18 Nov 2014 03:19:18 UTC

The NSA's Efforts to Ban Cryptographic Research in the 1970s

Posted By Bruce Schneier

New article on the NSA's efforts to control academic cryptographic research in the 1970s. It includes new interviews with public-key cryptography inventor Martin Hellman and then NSA-director Bobby Inman....

Fri, 14 Nov 2014 22:37:29 UTC

Friday Squid Blogging: The Story of Inventing the SQUID

Posted By Bruce Schneier

The interesting story of how engineers at Ford Motor Co. invented the superconducting quantum interference device, or SQUID. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Nov 2014 15:18:34 UTC

The Return of Crypto Export Controls?

Posted By Bruce Schneier

Last month, for the first time since US export restrictions on cryptography were relaxed two decades ago, the US government has fined a company for exporting crypto software without a license. News article. No one knows what this means....

Thu, 13 Nov 2014 20:07:54 UTC

Pew Research Survey on Privacy Perceptions

Posted By Bruce Schneier

Pew Research has released a new survey on Americans' perceptions of privacy. The results are pretty much in line with all the other surveys on privacy I've read. As Cory Doctorow likes to say, we've reached "peak indifference to surveillance."...

Thu, 13 Nov 2014 13:10:01 UTC

ISPs Blocking TLS Encryption

Posted By Bruce Schneier

It's not happening often, but it seems that some ISPs are blocking STARTTLS messages and causing web encryption to fail. EFF has the story....

Tue, 11 Nov 2014 20:13:27 UTC

Narrowly Constructing National Surveillance Law

Posted By Bruce Schneier

Orin Kerr has a new article that argues for narrowly constructing national security law: This Essay argues that Congress should adopt a rule of narrow construction of the national security surveillance statutes. Under this interpretive rule, which the Essay calls a "rule of lenity," ambiguity in the powers granted to the executive branch in the sections of the United States...

Tue, 11 Nov 2014 12:37:27 UTC

Hacking Internet Voting from Wireless Routers

Posted By Bruce Schneier

Good paper, and layman's explanation. Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes....

Mon, 10 Nov 2014 20:34:14 UTC

Sophisticated Targeted Attack Via Hotel Networks

Posted By Bruce Schneier

Kaspersky Labs is reporting (detailed report here, technical details here) on a sophisticated hacker group that is targeting specific individuals around the world. "Darkhotel" is the name the group and its techniques have been given. This APT precisely drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and...

Mon, 10 Nov 2014 12:51:26 UTC

The Future of Incident Response

Posted By Bruce Schneier

Security is a combination of protection, detection, and response. It's taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of...

Fri, 07 Nov 2014 22:11:45 UTC

Friday Squid Blogging: Dried Squid Sold in Korean Baseball Stadiums

Posted By Bruce Schneier

I'm not sure why this is news, except that it makes for a startling headline. (Is the New York Times now into clickbait?) It's not as if people are throwing squid onto the field, as Detroit hockey fans do with octopus. As usual, you can also use this squid post to talk about the security stories in the news that...

Fri, 07 Nov 2014 19:06:50 UTC

Co3 Systems Is Hiring

Posted By Bruce Schneier

My company, Co3 Systems, is hiring both technical and nontechnical positions. If you live in the Boston area, click through and take a look....

Fri, 07 Nov 2014 15:59:57 UTC

Testing for Explosives in the Chicago Subway

Posted By Bruce Schneier

Chicago is doing random explosives screenings at random L stops in the Chicago area. Compliance is voluntary: Police made no arrests but one rider refused to submit to the screening and left the station without incident, Maloney said. [...] Passengers can decline the screening, but will not be allowed to board a train at that station. Riders can leave that...

Thu, 06 Nov 2014 20:54:50 UTC

Why Hyping Cyber Threats is Counterproductive

Posted By Bruce Schneier

Robert Lee and Thomas Rid have a new paper: "OMG Cyber! Thirteen Reasons Why Hype Makes for Bad Policy."...

Thu, 06 Nov 2014 12:46:32 UTC

How the Internet Affects National Sovereignty

Posted By Bruce Schneier

Interesting paper by Melissa Hathaway: "Connected Choices: How the Internet Is Challenging Sovereign Decisions." Abstract: Modern societies are in the middle of a strategic, multidimensional competition for money, power, and control over all aspects of the Internet and the Internet economy. This article discusses the increasing pace of discord and the competing interests that are unfolding in the current debate...

Tue, 04 Nov 2014 12:21:03 UTC

Verizon Tracking Mobile Internet Use

Posted By Bruce Schneier

Verizon is tracking the Internet use of its phones by surreptitiously modifying URLs. This is a good description of how it works....

Fri, 17 Oct 2014 22:17:51 UTC

Friday Squid Blogging: 1,057 Squid T-Shirts

Posted By Bruce Schneier

That's a lot. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. And commenting was broken for a couple of days. It's fixed now, I hope....

Fri, 17 Oct 2014 11:35:45 UTC

Hacking a Video Poker Machine

Posted By Bruce Schneier

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine....

Thu, 16 Oct 2014 11:22:09 UTC

NSA Classification ECI = Exceptionally Controlled Information

Posted By Bruce Schneier

ECI is a classification above Top Secret. It's for things that are so sensitive they're basically not written down, like the names of companies whose cryptography has been deliberately weakened by the NSA, or the names of agents who have infiltrated foreign IT companies. As part of the Intercept story on the NSA's using agents to infiltrate foreign companies and...

Wed, 15 Oct 2014 12:06:52 UTC

DEA Sets Up Fake Facebook Page in Woman's Name

Posted By Bruce Schneier

This is a creepy story. A woman has her phone seized by the Drug Enforcement Agency and gives them permission to look at her phone. Without her knowledge or consent, they steal photos off of the phone (the article says they were "racy") and use it to set up a fake Facebook page in her name. The woman sued the...

Wed, 15 Oct 2014 11:29:19 UTC

FOXACID Operations Manual

Posted By Bruce Schneier

A few days ago, I saw this tweet: "Just a reminder that it is now *a full year* since Schneier cited it, and the FOXACID ops manual remains unpublished." It's true. The citation is this: According to a top-secret operational procedures manual provided by Edward Snowden, an exploit named Validator might be the default, but the NSA has a variety...

Tue, 14 Oct 2014 10:59:32 UTC

Surveillance in Schools

Posted By Bruce Schneier

This essay, "Grooming students for a lifetime of surveillance," talks about the general trends in student surveillance. Related: essay on the need for student privacy in online learning....

Mon, 13 Oct 2014 11:55:37 UTC

How James Bamford Came to Write The Puzzle Palace

Posted By Bruce Schneier

Interesting essay about James Bamford and his efforts to publish The Puzzle Palace over the NSA's objections. Required reading for those who think the NSA's excesses are somehow new....

Sat, 11 Oct 2014 19:54:11 UTC

NSA Has Undercover Operatives in Foreign Companies

Posted By Bruce Schneier

The latest Intercept article on the Snowden NSA documents talks about their undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned. It's also hard to tell if the NSA has undercover operatives working in companies in those countries, or has undercover contractors visiting those companies. The document is dated...

Fri, 10 Oct 2014 21:13:32 UTC

Friday Squid Blogging: Flash-Fried Squid Recipe

Posted By Bruce Schneier

Recipe from Tom Douglas. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Oct 2014 17:31:14 UTC

Online Activism and the Computer Fraud and Abuse Act

Posted By Bruce Schneier

Good essay by Molly Sauter: basically, there is no legal avenue for activism and protest on the Internet. Also note Sauter's new book, The Coming Swarm....

Fri, 10 Oct 2014 08:07:14 UTC

Dynamic Encryption for Voice

Posted By Bruce Schneier

This article reads like snake oil. But the company was founded by Lars Knudsen, so it can't possibly be. I'm curious....

Thu, 09 Oct 2014 12:12:09 UTC

USB Cufflinks

Posted By Bruce Schneier

Just the thing for smuggling data out of secure locations....

Wed, 08 Oct 2014 20:38:26 UTC

BadUSB Code Has Been Published

Posted By Bruce Schneier

In July, I wrote about an unpatchable USB vulnerability called BadUSB. Code for the vulnerability has been published....

Tue, 07 Oct 2014 11:36:14 UTC

Data and Goliath Is Finished

Posted By Bruce Schneier

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is finished. I submitted it to my publisher, Norton, this morning. In a few weeks, I'll get the copyedited manuscript back, and a few weeks after that, it'll go into production. Stacks of printed books will come out the other end in February, and the book...

Mon, 06 Oct 2014 11:50:25 UTC

iPhone Encryption and the Return of the Crypto Wars

Posted By Bruce Schneier

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it. From now on, all the phone's data is protected. It can no longer be accessed by...

Fri, 03 Oct 2014 23:19:55 UTC

Friday Squid Blogging: Squid Burger

Posted By Bruce Schneier

McDonald's has a Halloween-themed burger with a squid-ink bun. Only in Japan. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Oct 2014 11:59:40 UTC

William Binney Explains NSA Surveillance Using Snowden's Documents

Posted By Bruce Schneier

Former NSA employee -- not technical director, as the link says -- explains how NSA bulk surveillance works, using some of the Snowden documents. Very interesting....

Thu, 02 Oct 2014 11:58:52 UTC

The NSA's Private Cloud

Posted By Bruce Schneier

The NSA is building a private cloud with its own security features: As a result, the agency can now track every instance of every individual accessing what is in some cases a single word or name in a file. This includes when it arrived, who can access it, who did access it, downloaded it, copied it, printed it, forwarded it,...

Wed, 01 Oct 2014 19:25:16 UTC

Firechat

Posted By Bruce Schneier

Firechat is a secure wireless peer-to-peer chat app: Firechat is theoretically resistant to the kind of centralized surveillance that the Chinese government (as well as western states, especially the US and the UK) is infamous for. Phones connect directly to one another, establish encrypted connections, and transact without sending messages to servers where they can be sniffed and possibly decoded....

Wed, 01 Oct 2014 12:19:51 UTC

Security Theater in China

Posted By Bruce Schneier

The Chinese government checked ten thousand pigeons for "dangerous materials." Because fear....

Mon, 29 Sep 2014 11:02:29 UTC

NSA Patents Available for License

Posted By Bruce Schneier

There's a new article on NSA's Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn't find anything interesting in the catalog. Does anyone see something I missed? My guess is that the good stuff remains classified, and isn't "transferred" to anyone. Slashdot thread....

Fri, 26 Sep 2014 21:28:15 UTC

Friday Squid Blogging: Squid Fishing Moves North in California

Posted By Bruce Schneier

Warmer waters are moving squid fishing up the California coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Sep 2014 17:44:11 UTC

Medical Records Theft and Fraud

Posted By Bruce Schneier

There's a Reuters article on new types of fraud using stolen medical records. I don't know how much of this is real and how much is hype, but I'm certain that criminals are looking for new ways to monetize stolen data....

Thu, 25 Sep 2014 19:17:44 UTC

Security Trade-offs of Cloud Backup

Posted By Bruce Schneier

This is a good essay on the security trade-offs with cloud backup: iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off: Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service. Your data is more at risk...

Thu, 25 Sep 2014 15:31:42 UTC

Nasty Vulnerability found in Bash

Posted By Bruce Schneier

It's a big and nasty one. Invariably we're going to see articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in open-source software. If anyone has any actual data other than two instances and the natural human tendency to generalize, I'd like to see it....

Wed, 24 Sep 2014 19:21:26 UTC

Julian Sanchez on the NSA and Surveillance Reform

Posted By Bruce Schneier

Julian Sanchez of the Cato Institute has a lengthy audio interview on NSA surveillance and reform. Worth listening to....

Wed, 24 Sep 2014 12:12:41 UTC

Detecting Robot-Handwriting

Posted By Bruce Schneier

Interesting article on the arms race between creating robot "handwriting" that looks human, and detecting text that has been written by a robot. Robots will continue to get better, and will eventually fool all of us....

Tue, 23 Sep 2014 18:09:26 UTC

Lesson in Successful Disaster Planning

Posted By Bruce Schneier

I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they just flipped a switch on all their Y2K preparations, and it worked....

Tue, 23 Sep 2014 13:22:53 UTC

Kill Switches for Weapons

Posted By Bruce Schneier

Jonathan Zittrain argues that our military weapons should be built with a kill switch, so they become useless when they fall into enemy hands....

Mon, 22 Sep 2014 11:03:39 UTC

Security for Vehicle-to-Vehicle Communications

Posted By Bruce Schneier

The National Highway Traffic Safety Administration (NHTSA) has released a report titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application." It's very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can't be spoofed, and privacy to ensure that the communications can't be used...

Fri, 19 Sep 2014 21:29:07 UTC

Friday Squid Blogging: Colossal Squid Dissected in New Zealand

Posted By Bruce Schneier

Months after it was found in August, scientists have dissected a colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Sep 2014 17:54:59 UTC

iOS 8 Security

Posted By Bruce Schneier

Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant. Of course they still have access to everything in iCloud, but it's a start....

Fri, 19 Sep 2014 11:11:31 UTC

Fake Cell Phone Towers Across the US

Posted By Bruce Schneier

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation's Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone...

Thu, 18 Sep 2014 19:09:48 UTC

Terrible Article on Vernam Ciphers

Posted By Bruce Schneier

If there's anything that confuses wannabe cryptographers, it's one-time pads....

Thu, 18 Sep 2014 12:13:50 UTC

The Full Story of Yahoo's Fight Against PRISM

Posted By Bruce Schneier

In 2008 Yahoo fought the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist. I am continually amazed at the extent of the government coercion....

Wed, 17 Sep 2014 19:30:45 UTC

Identifying Dread Pirate Roberts

Posted By Bruce Schneier

According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users' true location....

Wed, 17 Sep 2014 12:15:19 UTC

Tracking People From their Cellphones with an SS7 Vulnerability

Posted By Bruce Schneier

What's interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What's interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability....

Mon, 15 Sep 2014 19:25:35 UTC

Two New Snowden Stories

Posted By Bruce Schneier

New Zealand is spying on its citizens. Edward Snowden weighs in personally. The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom....

Mon, 15 Sep 2014 14:26:00 UTC

Security of the SHA Family of Hash Functions

Posted By Bruce Schneier

Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later....

Fri, 12 Sep 2014 21:26:13 UTC

Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico

Posted By Bruce Schneier

A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Sep 2014 11:41:03 UTC

The Concerted Effort to Remove Data Collection Restrictions

Posted By Bruce Schneier

Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update). Recently, there has been concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft's Craig Mundie argues this. So does the PCAST report. And the World Economic...

Thu, 11 Sep 2014 11:15:57 UTC

Tabnapping: A New Phishing Attack

Posted By Bruce Schneier

Aza Raskin describes a new phishing attack: taking over a background tab on a browser to trick people into entering in their login credentials. Clever....

Wed, 10 Sep 2014 19:08:13 UTC

WikiLeaks Spy Files

Posted By Bruce Schneier

WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It's worth wandering around through all this material....

Wed, 10 Sep 2014 11:35:38 UTC

Safeplug Security Analysis

Posted By Bruce Schneier

Good security analysis of Safeplug, which is basically Tor in a box. Short answer: not yet....

Tue, 09 Sep 2014 19:07:27 UTC

Wi-Fi Jammer

Posted By Bruce Schneier

A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection: Oliver notes on the product's website that its so-called "All Out Mode" -- which prevents surveillance devices from connecting to any Wi-Fi network in the area -- is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public...

Mon, 08 Sep 2014 12:21:19 UTC

iPhone Payment Security

Posted By Bruce Schneier

Apple is including some sort of automatic credit card payment system with the iPhone 6. It's using some security feature of the phone and system to negotiate a cheaper transaction fee. Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there's less risk of fraud. The article says that Apple has negotiated...

Fri, 05 Sep 2014 21:06:55 UTC

Friday Squid Blogging: Book by One Squid-Obsessed Person About Another

Posted By Bruce Schneier

Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Sep 2014 10:18:41 UTC

Security of Password Managers

Posted By Bruce Schneier

At USENIX Security this year, there were two papers studying the security of password managers: David Silver, Suman Jana, and Dan Boneh, "Password Managers: Attacks and Defenses." Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers." It's interesting work, especially because it looks at security problems in something that...

Wed, 03 Sep 2014 11:53:54 UTC

JackPair Encrypted Phone Add-On

Posted By Bruce Schneier

JackPair is a clever device that encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I'd use it....

Tue, 02 Sep 2014 16:08:43 UTC

Electromagnetic Weapons

Posted By Bruce Schneier

Long article in IEEE Spectrum....

Mon, 01 Sep 2014 14:30:17 UTC

Pencil-and-Paper Codes Used by Central American Criminal Gangs

Posted By Bruce Schneier

No mention of how good the codes are. My guess is not very....

Fri, 29 Aug 2014 21:45:03 UTC

Squid Skin Inspires Eye-Like Photodetector

Posted By Bruce Schneier

Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do....

Fri, 29 Aug 2014 17:31:42 UTC

Cell Phone Kill Switches Mandatory in California

Posted By Bruce Schneier

California passed a kill-switch law, meaning that all cell phones sold in California must have the capability to be remotely turned off. It was sold as an antitheft measure. If the phone company could remotely render a cell phone inoperative, there would be less incentive to steal one. I worry more about the side effects: once the feature is in...

Fri, 29 Aug 2014 11:08:51 UTC

ISIS Threatens US with Terrorism

Posted By Bruce Schneier

They're openly mocking our profiling. But in several telephone conversations with a Reuters reporter over the past few months, Islamic State fighters had indicated that their leader, Iraqi Abu Bakr al-Baghdadi, had several surprises in store for the West. They hinted that attacks on American interests or even U.S. soil were possible through sleeper cells in Europe and the United...

Thu, 28 Aug 2014 11:14:24 UTC

Hacking Traffic Lights

Posted By Bruce Schneier

New paper: "Green Lights Forever: Analyzing the Security of Traffic Infrastructure," Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J. Alex Halderman. Abstract: The safety critical nature of traffic infrastructure requires that it be secure against computer-based attacks, but this is not always the case. We investigate a networked traffic signal system currently deployed in the United States and...

Wed, 04 Jun 2014 20:17:23 UTC

Edward Snowden Wins EPIC "Champion of Freedom" Award

Posted By Bruce Schneier

On Monday I had the honor of presenting Edward Snowden with a "Champion of Freedom" award at the EPIC dinner. Snowden couldn't be there in person -- his father and stepmother were there in his place -- but he recorded this message. Left to right: Mark Rotenberg, Jesselyn Radack (Snowden's attorney), Lonnie Snowden, and Bruce Schneier...

Wed, 04 Jun 2014 11:23:17 UTC

The Human Side of Heartbleed

Posted By Bruce Schneier

The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere. It was a software insecurity,...

Mon, 02 Jun 2014 11:37:07 UTC

Chinese Hacking of the US

Posted By Bruce Schneier

Chinese hacking of American computer networks is old news. For years we've known about their attacks against U.S. government and corporate targets. We've seen detailed reports of how they hacked The New York Times. Google has detected them going after Gmail accounts of dissidents. They've built sophisticated worldwide eavesdropping networks. These hacks target both military secrets and corporate intellectual property....

Fri, 30 May 2014 21:10:05 UTC

Friday Squid Blogging: Squid-Shaped Pancakes

Posted By Bruce Schneier

Here are pictures of squid-shaped pancakes. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 29 May 2014 19:12:25 UTC

Vulnerabilities Found in Law Enforcement Surveillance System

Posted By Bruce Schneier

SEC Consult has published an advisory warning people not to use a government eavesdropping product called Recording eXpress, sold by the Israeli company Nice Systems. Basically, attackers can completely compromise the system. There are good stories on this by Brian Krebs and Dan Goodin....

Thu, 29 May 2014 13:02:59 UTC

TrueCrypt WTF

Posted By Bruce Schneier

I have no idea what's going on with TrueCrypt. A good summary of the story is at ArsTechnica, and SlashDot, Hacker News, and Reddit all have long comment threads. See also Brian Krebs and Cory Doctorow. Speculations include a massive hack of the TrueCrypt developers, some Lavabit-like forced shutdown, and an internal power struggle within TrueCrypt. I suppose we'll have to wait...

Wed, 28 May 2014 20:49:30 UTC

Eben Moglen on Snowden and Surveillance

Posted By Bruce Schneier

This is well worth reading. It's based on a series of talks he gave last fall....

Tue, 27 May 2014 15:13:29 UTC

The Economics of Bulk Surveillance

Posted By Bruce Schneier

Ross Anderson has an important new paper on the economics that drive government-on-population bulk surveillance: My first big point is that all the three factors which lead to monopoly -- network effects, low marginal costs and technical lock-in -- are present and growing in the national-intelligence nexus itself. The Snowden papers show that neutrals like Sweden and India are heavily...

Fri, 23 May 2014 21:00:58 UTC

Friday Squid Blogging: Squid Ink Cocktail

Posted By Bruce Schneier

Del Campo, a restaurant in Washington DC, has a Bloody Mary made with squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 May 2014 11:42:33 UTC

Alan Watts on the Harms of Surveillance

Posted By Bruce Schneier

Biologist Alan Watts makes some good points: Mammals don't respond well to surveillance. We consider it a threat. It makes us paranoid, and aggressive and vengeful. [...] "Natural selection favors the paranoid," Watts said. Those who run away. In the earliest days of man on the savannah, when we roamed among the predatory, wild animals, someone realized pretty quickly that...

Thu, 22 May 2014 11:15:07 UTC

Disclosing vs Hoarding Vulnerabilities

Posted By Bruce Schneier

There's a debate going on about whether the U.S. government -- specifically, the NSA and United States Cyber Command -- should stockpile Internet vulnerabilities or disclose and fix them. It's a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace. A software vulnerability is a programming mistake that allows an adversary access into...

Wed, 21 May 2014 20:29:37 UTC

The NSA is Not Made of Magic

Posted By Bruce Schneier

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It's this: the NSA is not made of magic. Its tools are no different from what we have in our world, it's just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the...

Wed, 21 May 2014 14:51:39 UTC

Government Policy on Cell Phone Interception Technology

Posted By Bruce Schneier

New paper: "Your Secret Stingray's No Secret Anymore: The Vanishing Government Monopoly Over Cell Phone Surveillance and its Impact on National Security and Consumer Privacy," by Christopher Soghoian and Stephanie K. Pell: Abstract: In the early 1990s, off-the-shelf radio scanners allowed any snoop or criminal to eavesdrop on the calls of nearby cell phone users. These radio scanners could intercept...

Tue, 20 May 2014 19:01:09 UTC

Preplay Attack on Chip and PIN

Posted By Bruce Schneier

Interesting research paper on a bank card chip-and-PIN vulnerability. From the blog post: Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card. When a Chip and PIN transaction is performed, the terminal requests that the card produces an authentication code for the...

Tue, 20 May 2014 11:13:45 UTC

Advances in Solving the Discrete Log Problem

Posted By Bruce Schneier

At Eurocrypt this year, researchers presented a paper that completely breaks the discrete log problem in any field with a small characteristic. It's nice work, and builds on a bunch of advances in this direction over the last several years. Despite headlines to the contrary, this does not have any cryptanalytic application -- unless they can generalize the result, which...

Mon, 19 May 2014 18:44:07 UTC

Pervasive Monitoring as Network Attack

Posted By Bruce Schneier

New IETF RFC: "RFC 7258: Pervasive Monitoring Is an Attack" that designers must mitigate. Slashdot thread....

Mon, 19 May 2014 12:07:28 UTC

Abusing Power to Shut Down a Twitter Parody Account

Posted By Bruce Schneier

This is a pretty horrible story of a small-town mayor abusing his authority -- warrants where there is no crime, police raids, incidental marijuana bust -- to identify and shut down a Twitter parody account. The ACLU is taking the case....

Fri, 16 May 2014 21:07:43 UTC

Friday Squid Blogging: Fossil Squid

Posted By Bruce Schneier

Rare fossilized cephalopods. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 May 2014 17:34:12 UTC

How to Stop an Insider from Stealing All Your Secrets

Posted By Bruce Schneier

This article from Communications of the ACM outlines some of the security measures the NSA could, and should, have had in place to stop someone like Snowden. Mostly obvious stuff, although I'm not sure it would have been effective against such a skilled and tenacious leaker. What's missing is the one thing that would have worked: have fewer secrets....

Fri, 16 May 2014 11:43:38 UTC

Forged SSL Certificates Pervasive on the Internet

Posted By Bruce Schneier

About 0.2% of all SSL certificates are forged. This is the first time I've ever seen a number based on real data. News article: Of 3.45 million real-world connections made to Facebook servers using the transport layer security (TLS) or secure sockets layer protocols, 6,845, or about 0.2 percent of them, were established using forged certificates. Actual paper....

Thu, 15 May 2014 18:18:28 UTC

Is Antivirus Dead?

Posted By Bruce Schneier

Symantec declared anti-virus dead, and Brian Krebs writes a good response. He's right: antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the "background radiation" of the Internet....

Thu, 15 May 2014 11:08:05 UTC

Seventh Movie-Plot Threat Contest Semifinalists

Posted By Bruce Schneier

On April 1, I announced the Seventh Movie Plot Threat Contest: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling the strings...

Wed, 14 May 2014 17:08:05 UTC

Espionage vs. Surveillance

Posted By Bruce Schneier

According to NSA documents published in Glenn Greenwald's new book No Place to Hide, we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam. This will certainly strain international relations,...

Wed, 14 May 2014 11:30:22 UTC

New Al Qaeda Encryption Software

Posted By Bruce Schneier

The Web intelligence company Recorded Future is reporting -- picked up by the Wall Street Journal -- that al Qaeda is using new encryption software in the wake of the Snowden stories. I've been fielding press queries, asking me how this will adversely affect US intelligence efforts. I think the reverse is true. I think this will help US intelligence...

Tue, 13 May 2014 17:45:56 UTC

Computer Forensics in Fiction

Posted By Bruce Schneier

New television show -- CSI: Cyber. I hope they have some good technical advisers, but I doubt they do....

Tue, 13 May 2014 11:38:56 UTC

New NSA Snowden Documents

Posted By Bruce Schneier

Glenn Greenwald's book, No Place to Hide, has been published today. There are about 100 pages of NSA documents on the book's website. I haven't gone through them yet. At a quick glance, only a few of them have been published before. Here are two book reviews....

Mon, 12 May 2014 21:04:10 UTC

Steganography in Tweets

Posted By Bruce Schneier

Clever, but make sure to heed the caveats in the final two paragraphs....

Mon, 12 May 2014 11:26:04 UTC

Internet Subversion

Posted By Bruce Schneier

In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back. Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human,...

Fri, 09 May 2014 21:11:34 UTC

Friday Squid Blogging: The Evolutionary Purpose of Pain

Posted By Bruce Schneier

A new study shows that Doryteuthis pealei in pain -- or whatever passes for pain in that species -- has heightened sensory sensitivity and heightened reactions. News articles. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 08 May 2014 12:32:35 UTC

Retelling of Stories Increases Bias

Posted By Bruce Schneier

Interesting experiment shows that the retelling of stories increases conflict and bias. For their study, which featured 196 undergraduates, the researchers created a narrative about a dispute between two groups of young people. It described four specific points of tension, but left purposely ambiguous the issue of which party was the aggressor, and "depicted the groups as equally blameworthy." Half...

Wed, 07 May 2014 11:19:47 UTC

Correspondence Between the NSA and Google Leaked

Posted By Bruce Schneier

Al Jazeera is reporting on leaked emails (not leaked by Snowden, but by someone else) detailing close ties between the NSA and Google. There are no smoking guns in the correspondence -- and the Al Jazeera article makes more of the e-mails than I think is there -- but it does show a closer relationship than either side has admitted...

Tue, 06 May 2014 15:30:30 UTC

Fearing Google

Posted By Bruce Schneier

Mathias Dopfner writes an open letter explaining why he fears Google: We know of no alternative which could offer even partially comparable technological prerequisites for the automated marketing of advertising. And we cannot afford to give up this source of revenue because we desperately need the money for technological investments in the future. Which is why other publishers are increasingly...

Mon, 05 May 2014 11:55:02 UTC

The Economics of Video Game Cheating

Posted By Bruce Schneier

Interesting article on the business of selling enhancements that allow you to cheat in online video games....

Fri, 02 May 2014 21:10:24 UTC

Friday Squid Blogging: How Flying Squid Fly

Posted By Bruce Schneier

Someone has finally proven how: How do these squid go from swimming to flying? Four phases of flight are described in the research: launching, jetting, gliding and diving. While swimming, the squid open up their mantle and draw in water. Then these squid launch themselves into the air with a high-powered blast of the water from their bodies. Once launched...

Fri, 02 May 2014 19:00:16 UTC

Unusual Electronic Voting Machine Threat Model

Posted By Bruce Schneier

Rats have destroyed dozens of electronic voting machines by eating the cables. It would have been a better story if the rats had zeroed out the machines after the votes had been cast but before they were counted, but it seems that they just ate the machines while they were in storage. The EVMs had been stored in a pre-designated...

Fri, 02 May 2014 11:26:38 UTC

Analysis of the FBI's Failure to Stop the Boston Marathon Bombings

Posted By Bruce Schneier

Detailed response and analysis of the inspectors general report on the Boston Marathon bombings: Two opposite mistakes in an after-the-fact review of a terrorist incident are equally damaging. One is to fail to recognize the powerful difference between foresight and hindsight in evaluating how an investigative or intelligence agency should have behaved. After the fact, we know on whom we...

Fri, 02 May 2014 11:14:53 UTC

Putin Requires Russian Bloggers to Register with the Government

Posted By Bruce Schneier

This is not good news. Widely known as the "bloggers law," the new Russian measure specifies that any site with more than 3,000 visitors daily will be considered a media outlet akin to a newspaper and be responsible for the accuracy of the information published. Besides registering, bloggers can no longer remain anonymous online, and organizations that provide platforms for...

Thu, 01 May 2014 19:01:27 UTC

Really Weird Keith Alexander Interview

Posted By Bruce Schneier

Comedian John Oliver interviewed now-retired NSA director General Keith Alexander. It's truly weird....

Thu, 01 May 2014 11:52:28 UTC

The Federal Reserve System's Cyberdefense Force

Posted By Bruce Schneier

Interesting article on the cybersecurity branch of the Federal Reserve System....

Wed, 30 Apr 2014 18:05:52 UTC

Tracking People from Smartphone Accelerometers

Posted By Bruce Schneier

It's been long known that individual analog devices have their own fingerprints. Decades ago, individual radio transmitters were identifiable and trackable. Now, researchers have found that accelerometers in smartphones are unique enough to be identifiable. The researchers focused specifically on the accelerometer, a sensor that tracks three-dimensional movements of the phone -- essential for countless applications, including pedometers, sleep monitoring,...

Wed, 30 Apr 2014 13:58:27 UTC

The Quantified Toilet Hoax

Posted By Bruce Schneier

Good essay on the Quantified Toilet hoax, and the difference between public surveillance and private self-surveillance....

Tue, 29 Apr 2014 11:47:54 UTC

Details of Apple's Fingerprint Recognition

Posted By Bruce Schneier

This is interesting: Touch ID takes an 88x88 500ppi scan of your finger and temporarily sends that data to a secure cache located near the RAM. After the data is vectorized and forwarded to the secure enclave located on the top left of the A7 near the M7 processor, it is immediately discarded after processing. The fingerprint scanner uses subdermal...

Mon, 28 Apr 2014 11:45:04 UTC

A New Pencil-and-Paper Encryption Algorithm

Posted By Bruce Schneier

Handycipher is a new pencil-and-paper symmetric encryption algorithm. I'd bet a gazillion dollars that it's not secure, although I haven't done the cryptanalysis myself....

Fri, 25 Apr 2014 21:17:35 UTC

Friday Squid Blogging: New Squid Exhibit at the Monterey Bay Aquarium

Posted By Bruce Schneier

It's called "Tentacles." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 24 Apr 2014 11:45:05 UTC

Is Google Too Big to Trust?

Posted By Bruce Schneier

Interesting essay about how Google's lack of transparency is hurting their trust: The reality is that Google's business is and has always been about mining as much data as possible to be able to present information to users. After all, it can't display what it doesn't know. Google Search has always been an ad-supported service, so it needs a way...

Wed, 23 Apr 2014 19:33:24 UTC

Conversnitch

Posted By Bruce Schneier

Surveillance is getting cheaper and easier: Two artists have revealed Conversnitch, a device they built for less than $100 that resembles a lightbulb or lamp and surreptitiously listens in on nearby conversations and posts snippets of transcribed audio to Twitter. Kyle McDonald and Brian House say they hope to raise questions about the nature of public and private spaces in...

Wed, 23 Apr 2014 12:53:07 UTC

The Security of Various Programming Languages

Posted By Bruce Schneier

Interesting research on the security of code written in different programming languages. We don't know whether the security is a result of inherent properties of the language, or the relative skill of the typical programmers of that language. The report....

Tue, 22 Apr 2014 12:52:48 UTC

Dan Geer on Heartbleed and Software Monocultures

Posted By Bruce Schneier

Good essay: To repeat, Heartbleed is a common mode failure. We would not know about it were it not open source (Good). That it is open source has been shown to be no talisman against error (Sad). Because errors are statistical while exploitation is not, either errors must be stamped out (which can only result in dampening the rate of...

Mon, 21 Apr 2014 10:55:55 UTC

Info on Russian Bulk Surveillance

Posted By Bruce Schneier

Good information: Russian law gives Russia's security service, the FSB, the authority to use SORM (System for Operative Investigative Activities) to collect, analyze and store all data that is transmitted or received on Russian networks, including calls, email, website visits and credit card transactions. SORM has been in use since 1990 and collects both metadata and content. SORM-1 collects mobile and...

Fri, 18 Apr 2014 21:16:41 UTC

Friday Squid Blogging: Squid Jigging

Posted By Bruce Schneier

Good news from Malaysia: The Terengganu International Squid Jigging Festival (TISJF) will be continued and become an annual event as one of the state's main tourism products, said Menteri Besar Datuk Seri Ahmad Said. He said TISJF will become a signature event intended to enhance the branding of Terengganu as a leading tourism destination in the region. "Beside introducing squid...

Fri, 18 Apr 2014 19:21:06 UTC

Metaphors of Surveillance

Posted By Bruce Schneier

There's a new study looking at the metaphors we use to describe surveillance. Over 62 days between December and February, we combed through 133 articles by 105 different authors and over 60 news outlets. We found that 91 percent of the articles contained metaphors about surveillance. There is rich thematic diversity in the types of metaphors that are used, but...

Fri, 18 Apr 2014 12:29:13 UTC

Reverse Heartbleed

Posted By Bruce Schneier

Heartbleed can affect clients as well as servers....

Fri, 18 Apr 2014 11:26:32 UTC

Overreacting to Risk

Posted By Bruce Schneier

This is a crazy overreaction: A 19-year-old man was caught on camera urinating in a reservoir that holds Portland's drinking water Wednesday, according to city officials. Now the city must drain 38 million gallons of water from Reservoir 5 at Mount Tabor Park in southeast Portland. I understand the natural human disgust reaction, but do these people actually think that...

Thu, 17 Apr 2014 18:38:41 UTC

Tails

Posted By Bruce Schneier

Nice article on the Tails stateless operating system. I use it. Initially I would boot my regular computer with Tails on a USB stick, but I went out and bought a remaindered computer from Best Buy for $250 and now use that....

Wed, 16 Apr 2014 14:32:27 UTC

Book Title

Posted By Bruce Schneier

I previously posted that I am writing a book on security and power. Here are some title suggestions: "Permanent Record: The Hidden Battles to Capture Your Data and Control Your World"; "Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World"; "They Already Know: The Hidden Battles to Capture Your Data and Control Your World"; "We...

Tue, 15 Apr 2014 11:56:11 UTC

Auditing TrueCrypt

Posted By Bruce Schneier

Recently, Matthew Green has been leading an independent project to audit TrueCrypt. Phase I, a source code audit by iSEC Partners, is complete. Next up is Phase II, formal cryptanalysis. Quick summary: I'm still using it....

Mon, 14 Apr 2014 21:12:54 UTC

Schneier Talks and Interviews

Posted By Bruce Schneier

Here are three articles about me from the last month. Also these three A/V links....

Mon, 14 Apr 2014 19:11:30 UTC

Schneier Speaking Schedule: April/May

Posted By Bruce Schneier

Here's my upcoming speaking schedule for April and May: Stanford Law School on April 15. Brown University in Providence, RI -- two times -- on April 24. The Global Summit for Leaders in Information Technology in Washington, DC, on May 7. The Institute of World Politics on May 8. The University of Zurich on May 21. IT Security Inside in...

Mon, 14 Apr 2014 14:19:59 UTC

GoGo Wireless Adds Surveillance Capabilities for Government

Posted By Bruce Schneier

The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government....

Fri, 11 Apr 2014 21:07:36 UTC

Friday Squid Blogging: Bronze Giant Squid Sculpture

Posted By Bruce Schneier

A little too big for my house....

Fri, 11 Apr 2014 18:10:35 UTC

More on Heartbleed

Posted By Bruce Schneier

This is an update to my earlier post. Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack. Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not...

Fri, 11 Apr 2014 11:41:41 UTC

Police Disabling Their own Voice Recorders

Posted By Bruce Schneier

This is not a surprise: The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year. The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer's belt-worn transmitter....

Wed, 09 Apr 2014 10:03:09 UTC

Heartbleed

Posted By Bruce Schneier

Heartbleed is a catastrophic bug in OpenSSL: "The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows...
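The bug behind this post and the "Reverse Heartbleed" post above (the heartbeat handler runs on both ends of a TLS connection, so a malicious server can read a vulnerable client's memory just as a malicious client reads a server's) in miniature. This is an added example, not OpenSSL's code or part of the original post: a heartbeat handler that trusts the attacker-supplied payload_length field beside one that checks it against the length of the record that actually arrived, which is the check OpenSSL 1.0.1g added. The "process memory" and the secret next to the record are constructed for the demonstration.

```c
/* Heartbleed in miniature: constructed example, not OpenSSL's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Build a heartbeat response from the record at rec[0..rec_len).
 * Record layout (RFC 6520): type(1) | payload_length(2) | payload | padding.
 * Returns the reply length, or -1 if the record is rejected.
 * check_length == 0 reproduces the vulnerable behaviour. */
static long heartbeat_reply(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap,
                            int check_length)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The missing check: the declared payload plus padding must fit
     * inside the record that was actually received. */
    if (check_length && (size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t reply_len = 1 + 2 + payload_len + HB_PADDING;
    if (reply_len > out_cap)
        return -1;   /* keeps this demo inside its own buffers */

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Without the check above this copies payload_len bytes starting at the
     * payload: whatever happens to sit after the record in memory leaks. */
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return (long)reply_len;
}

/* Simulated process memory (constructed): a 4-byte heartbeat that claims a
 * 40-byte (0x0028) payload, followed by data belonging to another session. */
static const unsigned char kMemory[128] =
    "\x01\x00\x28" "ping"
    "password=hunter2;session=abc123";
static const size_t kRecordLen = 3 + 4;   /* what really arrived */

static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* 1 if the unchecked handler's reply contains the neighbouring secret. */
int heartbleed_leaks(void)
{
    unsigned char reply[128];
    long n = heartbeat_reply(kMemory, kRecordLen, reply, sizeof reply, 0);
    if (n < 0)
        return 0;
    return contains(reply, (size_t)n, "hunter2");
}

/* The checked handler's verdict on the same over-length record: -1. */
long heartbeat_checked_rejects(void)
{
    unsigned char reply[128];
    return heartbeat_reply(kMemory, kRecordLen, reply, sizeof reply, 1);
}

/* A well-formed 4-byte heartbeat with its 16 bytes of padding is still
 * answered by the checked handler; the reply is 23 bytes long. */
long heartbeat_checked_accepts_valid(void)
{
    unsigned char rec[3 + 4 + HB_PADDING] = "\x01\x00\x04" "ping";
    unsigned char reply[128];
    return heartbeat_reply(rec, sizeof rec, reply, sizeof reply, 1);
}

int main(void)
{
    printf("unchecked handler leaks the secret: %s\n", heartbleed_leaks() ? "yes" : "no");
    printf("checked handler on the same record: %ld\n", heartbeat_checked_rejects());
    printf("checked handler on a valid record:  %ld\n", heartbeat_checked_accepts_valid());
    return 0;
}
```

The point to take from the example is that the length an attacker puts in the record is data, not a bound; the only trustworthy bound is how many bytes the transport actually delivered. The same handler and the same missing check sit in a TLS client, which is why "reverse" Heartbleed is not a separate bug.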

Tue, 08 Apr 2014 11:16:31 UTC

"Unbreakable" Encryption Almost Certainly Isn't

Posted By Bruce Schneier

This headline is provocative: "Human biology inspires 'unbreakable' encryption." The article is similarly nonsensical: Researchers at Lancaster University, UK have taken a hint from the way the human lungs and heart constantly communicate with each other, to devise an innovative, highly flexible encryption algorithm that they claim can't be broken using the traditional methods of cyberattack. Information can be encrypted...

Mon, 07 Apr 2014 14:34:03 UTC

The Youngest Security Researcher

Posted By Bruce Schneier

Five-year-old finds login vulnerability in Microsoft Xbox....

Fri, 04 Apr 2014 21:35:42 UTC

Friday Squid Blogging: Squid + Security in a Cartoon

Posted By Bruce Schneier

Funny....

Fri, 04 Apr 2014 13:25:01 UTC

Mass Surveillance by Eavesdropping on Web Cookies

Posted By Bruce Schneier

Interesting research: Abstract: We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user's IP address varies. Using simulated browsing...

Wed, 02 Apr 2014 10:07:04 UTC

Ephemeral Apps

Posted By Bruce Schneier

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there's no record. This notion is especially popular with young people,...

Tue, 01 Apr 2014 11:11:54 UTC

Seventh Movie-Plot Threat Contest

Posted By Bruce Schneier

As you might expect, this year's contest has the NSA as the villain: The NSA has won, but how did it do it? How did it use its ability to conduct ubiquitous surveillance, its massive data centers, and its advanced data analytics capabilities to come out on top? Did it take over the world overtly, or is it just pulling...

Mon, 31 Mar 2014 14:18:32 UTC

The Continuing Public/Private Surveillance Partnership

Posted By Bruce Schneier

If you've been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance. Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means...

Fri, 28 Mar 2014 21:08:32 UTC

Friday Squid Blogging: Encounter Between a Submersible Robot and a Giant Squid

Posted By Bruce Schneier

Wow....

Fri, 28 Mar 2014 11:22:44 UTC

Creating Forensic Sketches from DNA

Posted By Bruce Schneier

This seems really science fictional: It's already possible to make some inferences about the appearance of crime suspects from their DNA alone, including their racial ancestry and some shades of hair colour. And in 2012, a team led by Manfred Kayser of Erasmus University Medical Center in Rotterdam, the Netherlands, identified five genetic variants with detectable effects on facial shape....

Thu, 27 Mar 2014 11:52:28 UTC

Smarter People are More Trusting

Posted By Bruce Schneier

Interesting research. Both vocabulary and question comprehension were positively correlated with generalized trust. Those with the highest vocab scores were 34 percent more likely to trust others than those with the lowest scores, and someone who had a good perceived understanding of the survey questions was 11 percent more likely to trust others than someone with a perceived poor understanding....

Wed, 26 Mar 2014 18:10:28 UTC

Geolocating Twitter Users

Posted By Bruce Schneier

Interesting research into figuring out where Twitter users are located, based on similar tweets from other users: While geotags are the most definitive location information a tweet can have, tweets can also have plenty more salient information: hashtags, FourSquare check-ins, or text references to certain cities or states, to name a few. The authors of the paper created their algorithm...

Wed, 26 Mar 2014 11:16:38 UTC

Chilean Drug Trafficker Pencil-and-Paper Code

Posted By Bruce Schneier

Interesting....

Tue, 25 Mar 2014 10:58:15 UTC

Password Hashing Competition

Posted By Bruce Schneier

There's a private competition to identify new password hashing schemes. Submissions are due at the end of the month....

Mon, 24 Mar 2014 17:51:46 UTC

NSA Hacks Huawei

Posted By Bruce Schneier

Both Der Spiegel and the New York Times are reporting that the NSA has hacked Huawei pretty extensively, getting copies of the company's products' source code and most of the e-mail from the company. Aside from being a pretty interesting story about the operational capabilities of the NSA, it exposes some pretty blatant US government hypocrisy on this issue. As...

Mon, 24 Mar 2014 11:58:53 UTC

An Open Letter to IBM's Open Letter

Posted By Bruce Schneier

Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers. At the outset, we think it is important for IBM to clearly state some simple facts: IBM has...

Fri, 21 Mar 2014 21:31:09 UTC

Giant Squid as an Omen

Posted By Bruce Schneier

An omen of what? An increase in the number of giant squid being caught along the Sea of Japan coast is leading puzzled fishermen to fear their presence may be some kind of 'omen' -- although experts think the invertebrate are simply a bit cold....

Fri, 21 Mar 2014 17:19:47 UTC

New Book on Data and Power

Posted By Bruce Schneier

I'm writing a new book, with the tentative title of Data and Power. While it's obvious that the proliferation of data affects power, it's less clear how it does so. Corporations are collecting vast dossiers on our activities on- and off-line -- initially to personalize marketing efforts, but increasingly to control their customer relationships. Governments are using surveillance, censorship, and...

Fri, 21 Mar 2014 12:42:54 UTC

Liveblogging the Financial Cryptography Conference

Posted By Bruce Schneier

Ross Anderson liveblogged Financial Cryptography 2014. Interesting stuff....

Fri, 28 Feb 2014 22:38:25 UTC

Friday Squid Blogging: Bobtail Squid Photos

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Feb 2014 20:16:24 UTC

NEBULA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NEBULA (S//SI//FVEY) Multi-Protocol macro-class Network-In-a-Box (NIB) system. Leverages the existing Typhon GUI and supports GSM, UMTS, CDMA2000 applications. LTE capability currently under development. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: Dual Carrier System EGSM 900MHz UMTS 2100MHz CDMA2000 1900MHz Macro-class Base station 32+Km Range Optional Battery...

Fri, 28 Feb 2014 12:25:43 UTC

Decoding the Voynich Manuscript

Posted By Bruce Schneier

The Voynich Manuscript has been partially decoded. This seems not to be a hoax. And the manuscript seems not to be a hoax, either. Here's the paper....

Thu, 27 Feb 2014 20:08:44 UTC

GENESIS: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GENESIS (S//SI//REL) Commercial GSM handset that has been modified to include a Software Defined Radio (SDR) and additional system memory. The internal SDR allows a witting user to covertly perform network surveys, record RF spectrum, or perform handset location in hostile environments. (S//SI//REL) The GENESIS systems are designed...

Thu, 27 Feb 2014 12:03:56 UTC

Was the iOS SSL Flaw Deliberate?

Posted By Bruce Schneier

Last October, I speculated on the best ways to go about designing and implementing a software backdoor. I suggested three characteristics of a good backdoor: low chance of discovery, high deniability if discovered, and minimal conspiracy to implement. The critical iOS vulnerability that Apple patched last week is an excellent example. Look at the code. What caused the vulnerability is...
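The shape of that bug, as an added example rather than Apple's code: a chain of checked calls where one duplicated, unindented `goto fail;` is always taken, and because `err` is still 0 from the previous successful call the function reports success without ever running the final verification. The hash and verify calls are stubs, and the error code value is assumed for the stub.

```c
/* The "goto fail" pattern: constructed illustration, not Apple's code. */
#include <stdio.h>

typedef int OSStatus;          /* 0 means success, as in Secure Transport */
#define kErrBadSignature (-9809) /* assumed failure code for the stubbed verifier */

static int g_signature_valid;  /* what the stubbed verifier will decide */

/* Stubs standing in for the hash-update and final-verify steps. */
static OSStatus hash_update(const char *what) { (void)what; return 0; }
static OSStatus hash_final_and_verify(void)
{
    return g_signature_valid ? 0 : kErrBadSignature;
}

/* Vulnerable: the second `goto fail;` is unconditional. */
static OSStatus verify_signature_buggy(void)
{
    OSStatus err;
    if ((err = hash_update("client random")) != 0)
        goto fail;
    if ((err = hash_update("server random")) != 0)
        goto fail;
        goto fail;   /* duplicated line: always taken, with err == 0 */
    if ((err = hash_final_and_verify()) != 0)   /* never reached */
        goto fail;
fail:
    return err;
}

/* Fixed: every check owns a braced block, so a stray goto cannot attach
 * itself to the previous `if`, and the verification always runs. */
static OSStatus verify_signature_fixed(void)
{
    OSStatus err;
    if ((err = hash_update("client random")) != 0) {
        goto fail;
    }
    if ((err = hash_update("server random")) != 0) {
        goto fail;
    }
    if ((err = hash_final_and_verify()) != 0) {
        goto fail;
    }
fail:
    return err;
}

/* What each version reports when the signature is bad or good. */
OSStatus buggy_result_for_bad_signature(void)
{
    g_signature_valid = 0;
    return verify_signature_buggy();     /* 0: accepted, the bug */
}
OSStatus fixed_result_for_bad_signature(void)
{
    g_signature_valid = 0;
    return verify_signature_fixed();     /* kErrBadSignature */
}
OSStatus fixed_result_for_good_signature(void)
{
    g_signature_valid = 1;
    return verify_signature_fixed();     /* 0 */
}

int main(void)
{
    printf("buggy, bad signature: %d\n", buggy_result_for_bad_signature());
    printf("fixed, bad signature: %d\n", fixed_result_for_bad_signature());
    printf("fixed, good signature: %d\n", fixed_result_for_good_signature());
    return 0;
}
```

Note how well the defect fits the three characteristics listed above: a one-line duplicate looks like a merge or editing slip (deniability), it needs one person to introduce (minimal conspiracy), and it is invisible to tests that only exercise good signatures (low chance of discovery). Mandatory braces, a compiler warning for unreachable code (clang's -Wunreachable-code flags the dead check), and a negative test with a bad signature each catch it.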

Wed, 26 Feb 2014 20:38:21 UTC

ENTOURAGE: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: ENTOURAGE (S//SI//REL) Direction Finding application operating on the HOLLOWPOINT platform. The system is capable of providing line of bearing for GSM/UMTS/CDMA2000/FRS signals. A band-specific antenna and laptop controller is needed to compliment the HOLLOWPOINT system and completes the ground based system. (S//SI) The ENTOURAGE application leverages the 4...

Wed, 26 Feb 2014 12:55:46 UTC

DDoSing a Cell Phone Network

Posted By Bruce Schneier

Interesting research: Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel...

Tue, 25 Feb 2014 20:11:40 UTC

EBSR: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: EBSR (S//SI//REL) Multi-purpose, Pico class, tri-band active GSM base station with internal 802.11/GPS/handset capability. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: LxT Model: 900/1800/1900MHz LxU Model: 850/1800/1900MHz Pico-class (1Watt) Base station Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS, & 802.11 Voice & High-speed...

Tue, 25 Feb 2014 12:43:23 UTC

Breaking Up the NSA

Posted By Bruce Schneier

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission -- protecting the security of U.S. communications and eavesdropping on the communications of our enemies -- has become unbalanced in the post-Cold War, all-terrorism-all-the-time era. Putting the U.S. Cyber Command, the military's cyberwar wing, in the same location and...

Mon, 24 Feb 2014 20:44:34 UTC

CYCLONE Hx9: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CYCLONE Hx9 (S//SI//FVEY) EGSM (900MGz) macro-class Network-In-a-Box (NIB) system. Uses the existing Typhon GUI and supports the full Typhon feature base and applications. (S//SI//REL) Operational Restrictions exist for equipment deployment. (S//SI//REL) Features: EGSM 900MHz Macro-class (+43dBm) 32+Km Range Optional Battery Kits Highly Mobile and Deployable Integrated GPS, MS,...

Mon, 24 Feb 2014 12:35:46 UTC

New Results in Software Obfuscation

Posted By Bruce Schneier

Amit Sahai and others have some new results in software obfuscation. The papers are here. An over-the-top Wired.com story on the research is here. And Matthew Green has a great blog post explaining what's real and what's hype....

Fri, 21 Feb 2014 22:33:17 UTC

Friday Squid Blogging: Squid vs. Owlfish

Posted By Bruce Schneier

This video is pretty fantastic: The narrator does a great job at explaining what's going on here, blow by gross blow, but here are the highlights: Black-eyed squid snares owlfish with its two tentacles, which are tipped with hooks and suckers, and reels it in. Black-eyed squid gnaws away at the owlfish's spinal cord using its very sharp beak. Owlfish...

Fri, 21 Feb 2014 20:41:27 UTC

CROSSBEAM: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CROSSBEAM (TS//SI//REL) CROSSBEAM is a GSM module that mates a modified commercial cellular product with a WAGONBED controller board. (TS//SI//REL) CROSSBEAM is a reusable CHIMNEYPOOL-compliant GSM communications module capable of collecting and compressing voice data. CROSSBEAM can receive GSM voice, record voice data, and transmit the received information...

Fri, 21 Feb 2014 20:06:00 UTC

Co3 Systems at the RSA Conference

Posted By Bruce Schneier

Co3 Systems is going to be at the RSA Conference. We don't have our own booth on the show floor, but there are four ways you can find us. Monday, we're at the Innovation Sandbox: 1:00-5:00 in Moscone North. At the conference, we're in the RSA Security booth. Go to the SecOps section of the booth and ask about us....

Fri, 21 Feb 2014 14:34:52 UTC

Building an Online Lie Detector

Posted By Bruce Schneier

There's an interesting project to detect false rumors on the Internet. The EU-funded project aims to classify online rumours into four types: speculation -- such as whether interest rates might rise; controversy -- as over the MMR vaccine; misinformation, where something untrue is spread unwittingly; and disinformation, where it's done with malicious intent. The system will also automatically categorise sources...

Thu, 20 Feb 2014 22:09:56 UTC

Brian Krebs

Posted By Bruce Schneier

Nice profile of Brian Krebs, cybersecurity journalist: Russian criminals routinely feed Mr. Krebs information about their rivals that they obtained through hacks. After one such episode, he began receiving daily calls from a major Russian cybercriminal seeking his files back. Mr. Krebs is writing a book about the ordeal, called "Spam Nation," to be published by Sourcebooks this year. In...

Thu, 20 Feb 2014 20:11:11 UTC

CANDYGRAM: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: CANDYGRAM (S//SI//REL) Mimics GSM cell tower of a target network. Capable of operations at 900, 1800, or 1900 MHz. Whenever a target handset enters the CANDYGRAM base station's area of influence, the system sends out an SMS through the external network to registered watch phones. (S//SI//REL) Typical use...

Thu, 20 Feb 2014 15:19:17 UTC

RCS Spyware and Citizen Lab

Posted By Bruce Schneier

Remote-Controlled System (RCS) is a piece of spyware sold exclusively to governments by a Milan company called Hacking Team. Recently, Citizen Lab found this spyware being used by the Ethiopian government against journalists, including American journalists. More recently, Citizen Lab mapped the software and who's using it: Hacking Team advertises that their RCS spyware is "untraceable" to a specific government...

Wed, 19 Feb 2014 20:18:58 UTC

TOTEGHOSTLY 2.0: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTEGHOSTLY 2.0 (TS//SI//REL) TOTEGHOSTLY 2.0 is STRAITBIZARRE based implant for the Windows Mobile embedded operating system and uses the CHIMNEYPOOL framework. TOTEGHOSTLY 2.0 is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) TOTEGHOSTLY 2.0 is a software implant for the Windows Mobile...

Wed, 19 Feb 2014 12:47:42 UTC

Debating Snowden's Actions

Posted By Bruce Schneier

It's the season. Here are two....

Tue, 18 Feb 2014 20:17:26 UTC

TOTECHASER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TOTECHASER (TS//SI//REL) TOTECHASER is a Windows CE implant targeting the Thuraya 2520 handset. The Thuraya is a dual mode phone that can operate either in SAT or GSM modes. The phone also supports a GPRS data connection for Web browsing, e-mail, and MMS messages. The initial software implant...

Tue, 18 Feb 2014 14:30:30 UTC

What Information Are Stun Guns Recording?

Posted By Bruce Schneier

In a story about a stolen Stradivarius violin, there's this: Information from a stun gun company, an anonymous tip and hours of surveillance paved the way for authorities to find a stolen 300-year-old Stradivarius violin in the attic of a Milwaukee home, police said Thursday. [...] Taser International, the maker of the stun gun used in the attack, "provided invaluable...

Mon, 17 Feb 2014 20:20:04 UTC

PICASSO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PICASSO (S//SI//REL) Modified GSM (target) handset that collects user data, location information and room audio. Command and data exfil is done from a laptop and regular phone via SMS (Short Messaging Service), without alerting the target. (S//SI) Target Data via SMS: Incoming call numbers Outgoing call numbers Recently...

Mon, 17 Feb 2014 18:13:49 UTC

US Infosec Researchers Against NSA Surveillance

Posted By Bruce Schneier

I signed an open letter from US researchers in cryptography and information security on NSA surveillance. It has received a lot of media coverage....

Mon, 17 Feb 2014 11:23:20 UTC

Who Should Store NSA Surveillance Data

Posted By Bruce Schneier

One of the recommendations by the president's Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you're counting—is that the government should not collect and store telephone metadata. Instead, a private company -- either the phone companies themselves or some other third party -- should store the metadata and provide it to the government...

Fri, 14 Feb 2014 22:02:09 UTC

Friday Squid Blogging: Giant Squid TED Talk

Posted By Bruce Schneier

Interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Feb 2014 21:19:37 UTC

MONKEYCALENDAR: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MONKEYCALENDAR (TS//SI//REL) MONKEYCALENDAR is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls geolocation information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM cards (Phase 2+) have...

Fri, 14 Feb 2014 20:50:28 UTC

My Talk on the NSA

Posted By Bruce Schneier

Earlier this month, I gave a talk about the NSA at MIT. The video is available. ETA: The video doesn't display on some Firefox browsers. If you have trouble, try a different browser....

Fri, 14 Feb 2014 12:50:29 UTC

The Insecurity of Secret IT Systems

Posted By Bruce Schneier

We now know a lot about the security of the Rapiscan 522 B x-ray system used to scan carry-on baggage in airports worldwide. Billy Rios, director of threat intelligence at Qualys, got himself one and analyzed it. And he presented his results at the Kaspersky Security Analyst Summit this week. It's worse than you might have expected: It runs on...

Thu, 13 Feb 2014 20:05:20 UTC

GOPHERSET: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GOPHERSET (TS//SI//REL) GOPHERSET is a software implant for GSM (Global System for Mobile communication) subscriber identity module (SIM) cards. This implant pulls Phonebook, SMS, and call log information from a target handset and exfiltrates it to a user-defined phone number via short message service (SMS). (TS//SI//REL) Modern SIM...

Thu, 13 Feb 2014 12:03:23 UTC

Finding People's Location Based on Their Activities in Cyberspace

Posted By Bruce Schneier

Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar's news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone. Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional...

Wed, 12 Feb 2014 20:06:33 UTC

DROPOUTJEEP: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: DROPOUTJEEP (TS//SI//REL) DROPOUTJEEP is a STRAITBIZARRE based software implant for the Apple iPhone operating system and uses the CHIMNEYPOOL framework. DROPOUTJEEP is compliant with the FREEFLOW project, therefore it is supported in the TURBULENCE architecture. (TS//SI//REL) DROPOUTJEEP is a software implant for the Apple iPhone that utilizes modular...

Tue, 11 Feb 2014 20:55:55 UTC

SURLYSPAWN: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SURLYSPAWN (TS//SI//REL TO USA,FVEY) Data RF retro-reflector. Provides return modulated with target data (keyboard, low data rate digital device) when illuminated with radar. (U) Capabilities(TS//SI//REL TO USA,FVEY) SURLYSPAWN has the capability to gather keystrokes without requiring any software running on the targeted system. It also only requires that...

Tue, 11 Feb 2014 13:15:04 UTC

DRM and the Law

Posted By Bruce Schneier

Cory Doctorow gives a good history of the intersection of Digital Rights Management (DRM) software and the law, describes how DRM software is antithetical to end-user security, and speculates how we might convince the law to recognize that. Every security system relies on reports of newly discovered vulnerabilities as a means of continuously improving. The forces that work against security...

Tue, 11 Feb 2014 12:57:22 UTC

"The Mask" Espionage Malware

Posted By Bruce Schneier

We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs: The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world -- from the Middle East and Europe to Africa and the Americas. The...

Mon, 10 Feb 2014 20:58:24 UTC

WISTFULTOLL: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: WISTFULTOLL (TS//SI//REL) WISTFULTOLL is a UNITEDRAKE and STRAITBIZZARE plug-in used for harvesting and returning forensic information from a target using Windows Management Instrumentation (WMI) calls and Registry extractions. (TS//SI//REL) This plug-in supports systems running Microsoft Windows 2000, 2003, and XP. (TS//SI//REL) Through remote access or interdiction, WISTFULLTOLL is...

Mon, 10 Feb 2014 12:57:22 UTC

NSA/GCHQ Accused of Hacking Belgian Cryptographer

Posted By Bruce Schneier

There has been a lot of news about Belgian cryptographer Jean-Jacques Quisquater having his computer hacked, and whether the NSA or GCHQ is to blame. It's a lot of assumptions and hyperbole, mostly related to the GCHQ attack against the Belgian telecom operator Belgacom. I'm skeptical. Not about the attack, but about the NSA's or GCHQ's involvement. I don't think...

Fri, 07 Feb 2014 22:54:10 UTC

Friday Squid Blogging: Radioactive Giant Squid Washes Ashore in California

Posted By Bruce Schneier

Uh oh. And the real story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Feb 2014 20:53:50 UTC

TRINITY: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: TRINITY (TS//SI//REL) TRINITY is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) TRINITY uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...

Fri, 07 Feb 2014 20:23:19 UTC

Another Fake NSA Codename Generator

Posted By Bruce Schneier

Generate your own fake TAO implant. This is even more fun than the fake NSA program generator. Sadly, the NSA will probably use these to help develop their R&D roadmap....

Thu, 06 Feb 2014 20:07:54 UTC

SWAP: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SWAP (TS//SI//REL) SWAP provides software application persistence by exploiting the motherboard BIOS and the hard drive's Host Protected Area to gain periodic execution before the Operating System loads. (TS//SI//REL) This technique supports single or multi-processor systems running Windows, Linux, FreeBSD, or Solaris with the following file systems: FAT32,...

Thu, 06 Feb 2014 12:05:58 UTC

Dispute Resolution Systems for Security Protocols

Posted By Bruce Schneier

Interesting paper by Steven J. Murdoch and Ross Anderson in this year's Financial Cryptography conference: "Security Protocols and Evidence: Where Many Payment Systems Fail." Abstract: As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol -- the dominant card...

Wed, 05 Feb 2014 20:04:12 UTC

SOMBERKNAVE: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SOMBERKNAVE (TS//SI//REL) SOMBERKNAVE is Windows XP wireless software implant that provides covert internet connectivity for isolated targets. (TS//SI//REL) SOMBEKNAVE is a software implant that surreptitiously routes TCP traffic from a designated process to a secondary network via an unused embedded 802.11 network device. If an Internet-connected wireless Access...

Wed, 05 Feb 2014 12:02:38 UTC

1971 Social Engineering Attack

Posted By Bruce Schneier

From Betty Medsger's book on the 1971 FBI burglary (page 22): As burglars, they used some unusual techniques, ones Davidon enjoyed recalling years later, such as what some of them did in 1970 at a draft board office in Delaware. During their casing, they had noticed that the interior door that opened to the draft board office was always locked....

Tue, 04 Feb 2014 20:09:42 UTC

MAESTRO-II: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: MAESTRO-II (TS//SI//REL) MAESTRO-II is a miniaturized digital core packaged in a Multi-Chip Module (MCM) to be used in implants with size constraining concealments. (TS//SI//REL) MAESTRO-II uses the TAO standard implant architecture. The architecture provides a robust, reconfigurable, standard digital platform resulting in a dramatic performance improvement over the...

Tue, 04 Feb 2014 12:45:34 UTC

Hacking Airline Lounges for Free Meals

Posted By Bruce Schneier

I think this is a great hack: A man bought a first-class ticket and used it to have free meals and drinks at the airport's VIP lounge almost every day for nearly a year, Kwong Wah Yit Poh reported. The itinerary for the ticket was found to have been changed more than 300 times within a year, and the owner...

Mon, 03 Feb 2014 20:09:22 UTC

JUNIORMINT: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: JUNIORMINT (TS//SI//REL) JUNIORMINT is a digital core packaged in both a mini Printed Circuit Board (PCB), to be used in typical concealments, and a miniaturized Flip Chip Module (FCM), to be used in implants with size constraining concealments. (TS//SI//REL) JUNIORMINT uses the TAO standard implant architecture. The architecture...

Mon, 03 Feb 2014 11:09:27 UTC

CSEC Surveillance Analysis of IP and User Data

Posted By Bruce Schneier

The most recent story from the Snowden documents is from Canada: it claims the CSEC (Communications Security Establishment Canada) used airport Wi-Fi information to track travelers. That's not really true. What the top-secret presentation shows is a proof-of-concept project to identify different IP networks, using a database of user IDs found on those networks over time, and then potentially using...

Fri, 31 Jan 2014 22:41:41 UTC

Friday Squid Blogging: Squid T-Shirt

Posted By Bruce Schneier

A T-shirt with a drawing of a squid reading. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 Jan 2014 20:17:41 UTC

IRATEMONK: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: IRATEMONK (TS//SI//REL) IRATEMONK provides software application persistence on desktop and laptop computers by implanting in the hard drive firmware to gain execution through Master Boot Record (MBR) substitution. (TS//SI//REL) This technique supports systems without RAID hardware that boot from a variety of Western Digital, Seagate, Maxtor, and Samsung...

Fri, 31 Jan 2014 12:16:44 UTC

Another Credit-Card-as-Authentication Hack

Posted By Bruce Schneier

This is a pretty impressive social engineering story: an attacker compromised someone's GoDaddy domain registration in order to change his e-mail address and steal his Twitter handle. It's a complicated attack. My claim was refused because I am not the "current registrant." GoDaddy asked the attacker if it was ok to change account information, while they didn't bother asking me...

Fri, 31 Jan 2014 02:38:00 UTC

HOWLERMONKEY: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: HOWLERMONKEY (TS//SI//REL) HOWLERMONKEY is a custom Short to Medium range implant RF Transceiver. It is used in conjunction with a digital core to provide a complete implant. (TS//SI//REL) HOWLERMONKEY is a COTS-based transceiver designed to be compatible with CONJECTURE/SPECULATION networks and STRIKEZONE devices running a HOWLERMONKEY personality. PCB...

Thu, 30 Jan 2014 18:08:19 UTC

Side-Channel Attacks on Frog Calls

Posted By Bruce Schneier

The male túngara frog Physalaemus pustulosus uses calls to attract females. But croaking also causes ripples in the water, which are eavesdropped on -- both by rival male frogs and frog-eating bats....

Thu, 30 Jan 2014 12:52:28 UTC

Catalog of Snowden Revelations

Posted By Bruce Schneier

This looks to be very good. Add that to these three indexes of NSA source material, and these two summaries. This excellent parody website has a good collection of all the leaks, too....

Wed, 29 Jan 2014 20:28:56 UTC

GINSU: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: GINSU (TS//SI//REL) GINSU provides software application persistence for the CNE implant, KONGUR, on target systems with the PCI bus hardware implant, BULLDOZER. (TS//SI//REL) This technique supports any desktop PC system that contains at least one PCI connector (for BULLDOZER installation) and Microsoft Windows 9x, 2000, 20003, XP, or...

Wed, 29 Jan 2014 18:26:19 UTC

Trying to Value Online Privacy

Posted By Bruce Schneier

Interesting paper: "The value of Online Privacy," by Scott Savage and Donald M. Waldman. Abstract: We estimate the value of online privacy with a differentiated products model of the demand for Smartphone apps. We study the apps market because it is typically necessary for the consumer to relinquish some personal information through "privacy permissions" to obtain the app and its...

Wed, 29 Jan 2014 12:24:23 UTC

The Politics of Fear

Posted By Bruce Schneier

This is very good: ...one might suppose that modern democratic states, with the lessons of history at hand, would seek to minimize fear -- or at least minimize its effect on deliberative decision-making in both foreign and domestic policy. But today the opposite is frequently true. Even democracies founded in the principles of liberty and the common good often take...

Tue, 28 Jan 2014 20:13:13 UTC

TAWDRYYARD: NSA Exploit of the Day

Posted By Bruce Schneier

Back in December, Der Spiegel published a lot of information about the NSA's Tailored Access Operations (TAO) group, including a 2008 catalog of hardware and software "implants." Because there were so many items in the catalog, the individual items didn't get a lot of discussion. By highlighting an individual implant every day, my goal is to fix that. Today's item:...

Tue, 28 Jan 2014 18:39:12 UTC

US Privacy and Civil Liberties Oversight Board (PCLOB) Condemns NSA Mass Surveillance

Posted By Bruce Schneier

Now we know why the president gave his speech on NSA surveillance last week; he wanted to get ahead of the Privacy and Civil Liberties Oversight Board. Last week, it issued a report saying that NSA mass surveillance of Americans is illegal and should end. Both EPIC and EFF have written about this. What frustrates me about all of this...

Tue, 28 Jan 2014 12:47:48 UTC

EU Might Raise Fines for Data Breaches

Posted By Bruce Schneier

This makes a lot of sense. Viviane Reding dismissed recent fines for Google as "pocket money" and said the firm would have had to pay $1bn under her plans for privacy failings. Ms Reding said such punishments were necessary to ensure firms took the use of personal data seriously. And she questioned how Google was able to take so long...

Tue, 28 Jan 2014 02:06:31 UTC

SPARROW II: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: SPARROW II (TS//SI//REL) An embedded computer system running BLINDDATE tools. Sparrow II is a fully functional WLAN collection system with integrated Mini PCI slots for added functionality such as GPS and multiple Wireless Network Interface Cards. (U//FOUO) System Specs Processor: IBM Power PC 405GPR Memory: 64MB (SDRAM), 16MB...

Mon, 27 Jan 2014 12:32:08 UTC

New Security Risks for Windows XP Systems

Posted By Bruce Schneier

Microsoft is trying to stop supporting Windows XP. The problem is that a majority of ATMs still use that OS. And once Microsoft stops issuing security updates to XP, those machines will become increasingly vulnerable. Although I have to ask the question: how many of those ATMs have been keeping up with their patches so far? We have far to...

Fri, 24 Jan 2014 22:15:05 UTC

Friday Squid Blogging: Giant Squid Caught by Japanese Fisherman

Posted By Bruce Schneier

It's big: 13 feet long. The fisherman was stunned to discover the giant squid trapped in his net, having been caught at a depth of around 70m, about two-thirds of a mile from the coast. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Jan 2014 20:09:51 UTC

PHOTOANGLO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: PHOTOANGLO (TS//SI//REL TO USA,FVEY) PHOTOANGLO is a joint NSA/GCHQ project to develop a new radar system to take the place of the CTX4000. (U) Capabilities (TS//SI//REL TO USA,FVEY) The planned capabilities for this system are: Frequency range: 1 - 2 GHz, which will be later extended to 1 -...

Fri, 24 Jan 2014 18:43:47 UTC

Applied Cryptography Available Online

Posted By Bruce Schneier

I'm sure this is a pirated copy. Looking at it, it's amazing how long ago twenty years was....

Fri, 24 Jan 2014 12:51:15 UTC

Income Inequality as a Security Issue

Posted By Bruce Schneier

This is an interesting way of characterizing income inequality as a security issue: ...growing inequality menaces vigorous societies. It is a proxy for how effectively an elite has constructed institutions that extract value from the rest of society. Professor Sam Bowles, also part of the INET network, goes further. He argues that inequality pulls production away from value creation to...

Thu, 23 Jan 2014 20:39:35 UTC

NIGHTWATCH: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTWATCH (TS//SI//REL TO USA,FVEY) NIGHTWATCH is a portable computer with specialized, internal hardware designed to process progressive-scan (non-interlaced) VAGRANT signals. (U) Capability Summary (TS//SI//REL TO USA,FVEY) The current implementation of NIGHTWATCH consists of a general-purpose PC inside of a shielded case. The PC has PCI digitizing and clock...

Thu, 23 Jan 2014 13:03:05 UTC

Consumer Manipulation

Posted By Bruce Schneier

Tim Harford talks about consumer manipulation: Consider, first, confusion by design: Las Vegas casinos are mazes, carefully crafted to draw players to the slot machines and to keep them there. Casino designers warn against the "yellow brick road" effect of having a clear route through the casino. (One side effect: it takes paramedics a long time to find gamblers in...

Wed, 22 Jan 2014 20:15:32 UTC

NIGHTSTAND: NSA Exploit of the Day

Posted By Bruce Schneier

Today's device from the NSA's Tailored Access Operations (TAO) group implant catalog: NIGHTSTAND (TS//SI//REL) An active 802.11 wireless exploitation and injection tool for payload/exploit delivery into otherwise denied target space. NIGHTSTAND is typically used in operations where wired access to the target is not possible. (TS//SI//REL) NIGHTSTAND - Close Access Operations: Battlefield Tested; Windows Exploitation; Standalone...

Wed, 22 Jan 2014 18:19:17 UTC

Refrigerator Sending Spam Messages?

Posted By Bruce Schneier

Coming barely weeks after my essay on the security risks from embedded systems, the Proofpoint report of a spam-sending refrigerator was just too good to be true. I was skeptical, so I didn't blog it. Now Ars Technica has a good analysis of the report, and is also skeptical. In any case: it could happen, and sooner or later it...

Wed, 22 Jan 2014 12:41:07 UTC

Questioning the Efficacy of NSA's Bulk-Collection Programs

Posted By Bruce Schneier

Two reports have recently been published questioning the efficacy of the NSA's bulk-collection programs. The first one is from the left-leaning New America Foundation (report here, and one-page tabular summary here). However, our review of the government's claims about the role that NSA bulk surveillance of phone and email communications records has had in keeping the United States safe from...

Tue, 21 Jan 2014 20:11:39 UTC

LOUDAUTO: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: LOUDAUTO (TS//SI//REL TO USA,FVEY) Audio-based RF retro-reflector. Provides room audio from targeted space using radar and basic post-processing. (U) Capabilities (TS//SI//REL TO USA,FVEY) LOUDAUTO's current design maximizes the gain of the microphone. This makes it extremely useful for picking up room audio. It can pick up speech at...

Tue, 21 Jan 2014 12:33:41 UTC

Adware Vendors Buy and Abuse Chrome Extensions

Posted By Bruce Schneier

This is not a good development: To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is...

Mon, 20 Jan 2014 20:20:46 UTC

CTX4000: NSA Exploit of the Day

Posted By Bruce Schneier

Today's device -- this one isn't an implant -- from the NSA's Tailored Access Operations (TAO) group implant catalog: CTX4000 (TS//SI//REL TO USA,FVEY) The CTX4000 is a portable continuous wave (CW) radar unit. It can be used to illuminate a target system to recover different off net information. Primary uses include VAGRANT and DROPMIRE collection. (TS//SI//REL TO USA,FVEY) The CTX4000...

Mon, 20 Jan 2014 12:18:58 UTC

DDOS Attacks Using NTP

Posted By Bruce Schneier

This is new: The NTP method first began to appear late last year. To bring down a server such as one running "League of Legends," the attackers trick NTP servers into thinking they've been queried by the "League of Legends" server. The NTP servers, thinking they're responding to a legitimate query, message the "League of Legends" server, overloading it with...

Fri, 17 Jan 2014 22:44:12 UTC

Friday Squid Blogging: Camouflage in Squid Eyes

Posted By Bruce Schneier

Interesting research: Cephalopods possess a sophisticated array of mechanisms to achieve camouflage in dynamic underwater environments. While active mechanisms such as chromatophore patterning and body posturing are well known, passive mechanisms such as manipulating light with highly evolved reflectors may also play an important role. To explore the contribution of passive mechanisms to cephalopod camouflage, we investigated the optical and...

Fri, 17 Jan 2014 20:57:43 UTC

PowerLocker uses Blowfish

Posted By Bruce Schneier

There's a new piece of ransomware out there, PowerLocker (also called PrisonLocker), that uses Blowfish: PowerLocker could prove an even more potent threat because it would be sold in underground forums as a DIY malware kit to anyone who can afford the $100 for a license, Friday's post warned. CryptoLocker, by contrast, was custom built for use by a single...

Fri, 17 Jan 2014 20:06:48 UTC

STUCCOMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: STUCCOMONTANA (TS//SI//REL) STUCCOMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Fri, 17 Jan 2014 18:53:57 UTC

NSA-O-Matic

Posted By Bruce Schneier

Generate your own fake NSA programs....

Fri, 17 Jan 2014 11:32:20 UTC

NSA Collects Hundreds of Millions of Text Messages Daily

Posted By Bruce Schneier

No surprise here. Although we have some new codenames: DISHFIRE: The NSA's program to collect text messages and text-message metadata. PREFER: The NSA's program to perform automatic analysis on the text-message data and metadata. The documents talk about not just collecting chatty text messages, but VCards, SIM card changes, missed calls, roaming information indicating border crossings, travel itineraries, and financial transactions....

Thu, 16 Jan 2014 20:00:21 UTC

SIERRAMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SIERRAMONTANA (TS//SI//REL) SIERRAMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Thu, 16 Jan 2014 18:27:40 UTC

Today I Briefed Congress on the NSA

Posted By Bruce Schneier

This morning I spent an hour in a closed room with six Members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Scott, Rep. Goodlatte, Rep. Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn't forthcoming about their activities, and they wanted...

Thu, 16 Jan 2014 18:03:27 UTC

Edward Elgar's Ciphers

Posted By Bruce Schneier

Elgar's cryptography puzzles from the late 1890s....

Thu, 16 Jan 2014 13:29:59 UTC

Cell Phone Tracking by Non-State Actors

Posted By Bruce Schneier

This is interesting: Adding credence to the theory that Brooklyn landlord Menachem Stark was kidnapped and murdered by professionals, a law enforcement source tells the Post that the NYPD found a cell phone attached to the bottom of his car, which could have been used to track his movements. This is interesting. Presumably the criminals installed one of those "track...

Wed, 15 Jan 2014 20:56:44 UTC

SCHOOLMONTANA: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: SCHOOLMONTANA (TS//SI//REL) SCHOOLMONTANA provides persistence for DNT implants. The DNT implant will survive an upgrade or replacement of the operating system -- including physically replacing the router's compact flash card. (TS//SI//REL) Currently, the intended DNT Implant to persist is VALIDATOR, which must be run as a user process...

Wed, 15 Jan 2014 12:23:38 UTC

The Changing Cost of Surveillance

Posted By Bruce Schneier

From Ashkan Soltani's blog post: The Yale Law Journal Online (YLJO) just published an article that I co-authored with Kevin Bankston (first workshopped at the Privacy Law Scholars Conference last year) entitled "Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones." In it, we discuss the drastic reduction in the cost of tracking an...

Tue, 14 Jan 2014 20:10:22 UTC

HEADWATER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HEADWATER (TS//SI//REL) HEADWATER is a Persistent Backdoor (PBD) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection. (TS//SI//REL) HEADWATER PBD implant will be transferred remotely over the Internet to the selected target router by...

Tue, 14 Jan 2014 13:15:55 UTC

Debunking the "NSA Mass Surveillance Could Have Stopped 9/11" Myth

Posted By Bruce Schneier

It's something that we're hearing a lot, both from NSA Director General Keith Alexander and others: the NSA's mass surveillance programs could have stopped 9/11. It's not true, and recently two people have published good essays debunking this claim. The first is from Lawrence Wright, who wrote the best book (The Looming Tower) on the lead-up to 9/11: Judge Pauley...

Mon, 13 Jan 2014 20:45:09 UTC

SOUFFLETROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

One of the top secret NSA documents published by Der Spiegel is a 50-page catalog of "implants" from the NSA's Tailored Access Group. Because the individual implants are so varied and we saw so many at once, most of them were never discussed in the security community. (Also, the pages were PDFs, which makes them harder to index and search.)...

Mon, 13 Jan 2014 12:28:55 UTC

How the NSA Threatens National Security

Posted By Bruce Schneier

Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President's Review Group has just released its report and recommendations. With all this going on, it's easy to become inured to the breadth and depth of the NSA's activities. But through the...

Fri, 10 Jan 2014 22:27:21 UTC

Friday Squid Blogging: Squid New Year

Posted By Bruce Schneier

Happy squid new year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Jan 2014 12:45:35 UTC

1971 FBI Burglary

Posted By Bruce Schneier

Interesting story: ...burglars took a lock pick and a crowbar and broke into a Federal Bureau of Investigation office in a suburb of Philadelphia, making off with nearly every document inside. They were never caught, and the stolen documents that they mailed anonymously to newspaper reporters were the first trickle of what would become a flood of revelations about extensive...

Thu, 09 Jan 2014 19:02:25 UTC

JETPLOW: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: JETPLOW (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls. It persists DNT's BANANAGLEE software implant. JETPLOW also has a persistent back-door capability. (TS//SI//REL) JETPLOW is a firmware persistence implant for Cisco PIX Series and ASA (Adaptive Security Appliance) firewalls....

Thu, 09 Jan 2014 12:33:29 UTC

Security Risks of Embedded Systems

Posted By Bruce Schneier

We're at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself -- as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there's no good way to patch them. It's not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching...

Wed, 08 Jan 2014 19:48:29 UTC

HALLUXWATER: NSA Exploit of the Day

Posted By Bruce Schneier

Today's implant from the NSA's Tailored Access Operations (TAO) group implant catalog: HALLUXWATER (TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine. Once installed,...

Wed, 08 Jan 2014 14:07:03 UTC

The Failure of Privacy Notices and Consumer Choice

Posted By Bruce Schneier

Paper from First Monday: "Transaction costs, privacy, and trust: The laudable goals and ultimate failure of notice and choice to respect privacy." Abstract: The goal of this paper is to outline the laudable goals and ultimate failure of notice and choice to respect privacy online and suggest an alternative framework to manage and research privacy. This paper suggests that the...

Tue, 07 Jan 2014 22:53:26 UTC

Twitter Users: Please Make Sure You're Following the Right Feed

Posted By Bruce Schneier

I have an official Twitter feed of my blog; it's @schneierblog. There's also an unofficial feed at @Bruce_Schneier. I have nothing to do with that one. I wouldn't mind the unofficial feed -- if people are reading my blog, who cares -- except that it isn't working right, and hasn't been for some time. It publishes some posts weeks late...

Tue, 07 Jan 2014 19:16:12 UTC

GOURMETTROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

Continuing our walk through the NSA's Tailored Access Operations (TAO) group implant catalog: GOURMETTROUGH (TS//SI//REL) GOURMETTROUGH is a user configurable implant for certain Juniper firewalls. It persists DNT's BANANAGLEE implant across reboots and OS upgrades. For some platforms, it supports a minimal implant with beaconing for OS's unsupported by BANANAGLEE. (TS//SI//REL) For supported platforms, DNT may configure without ANT involvement....

Tue, 07 Jan 2014 14:22:45 UTC

Matt Blaze on TAO's Methods

Posted By Bruce Schneier

Matt Blaze makes a point that I have been saying for a while now: Don't get me wrong, as a security specialist, the NSA's Tailored Access Operations (TAO) scare the daylights out of me. I would never want these capabilities used against me or any other innocent person. But these tools, as frightening and abusable as they are, represent far less...

Mon, 06 Jan 2014 19:28:37 UTC

FEEDTROUGH: NSA Exploit of the Day

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog: FEEDTROUGH (TS//SI//REL) FEEDTROUGH is a persistence technique for two software implants, DNT's BANANAGLEE and CES's ZESTYLEAK used against Juniper Netscreen firewalls. (TS//SI//REL) FEEDTROUGH can be used to persist two implants, ZESTYLEAK and/or BANANAGLEE across reboots and software upgrades on known and covered OS's for the following Netscreen firewalls,...

Mon, 06 Jan 2014 12:18:30 UTC

I've Joined Co3 Systems

Posted By Bruce Schneier

For decades, I've said that good security is a combination of protection, detection, and response. In 1999, when I formed Counterpane Internet Security, I focused the company on what was then the nascent area of detection. Since then, there have been many products and services that focus on detection, and it's a huge part of the information security industry. Now,...

Fri, 03 Jan 2014 22:09:38 UTC

Friday Squid Blogging: Squid-Shaped Dog Toy

Posted By Bruce Schneier

Just the thing....

Fri, 03 Jan 2014 20:23:43 UTC

NSA Documents from the Spiegel Story

Posted By Bruce Schneier

There are more source documents from the recent Spiegel story on the NSA than I realized. Here is what I think is the complete list: "Tailored Access Operations" presentation, 14 pages. Lots of information about QUANTUM. "NSA QUANTUM Tasking Techniques for the R&T Analyst" presentation, 28 pages. Includes details about MARINA. "Getting Close to the Adversary: Forward-based Defense with QFIRE"...

Fri, 03 Jan 2014 18:20:47 UTC

NSA Exploit of the Day: IRONCHEF

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is IRONCHEF: IRONCHEF (TS//SI//REL) IRONCHEF provides access persistence to target systems by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to communicate with a hardware implant that provides two-way RF communication. (TS//SI//REL) This technique supports the HP Proliant 380DL G6 server, onto which a hardware implant...

Fri, 03 Jan 2014 12:10:49 UTC

Cost/Benefit Analysis of NSA's 215 Metadata Collection Program

Posted By Bruce Schneier

It has amazed me that the NSA doesn't seem to do any cost/benefit analyses on any of its surveillance programs. This seems particularly important for bulk surveillance programs, as they have significant costs aside from the obvious monetary costs. In this paper, John Mueller and Mark G. Stewart have done the analysis on one of these programs. Worth reading....

Thu, 02 Jan 2014 21:25:27 UTC

NSA Exploit of the Day: DEITYBOUNCE

Posted By Bruce Schneier

Today's item from the NSA's Tailored Access Operations (TAO) group implant catalog is DEITYBOUNCE: DEITYBOUNCE (TS//SI//REL) DEITYBOUNCE provides software application persistence on Dell PowerEdge servers by exploiting the motherboard BIOS and utilizing System Management Mode (SMM) to gain periodic execution while the Operating System loads. (TS//SI//REL) This technique supports multi-processor systems with RAID hardware and Microsoft Windows 2000, 2003, and...

Thu, 02 Jan 2014 12:40:02 UTC

"Military Style" Raid on California Power Station

Posted By Bruce Schneier

I don't know what to think about this: Around 1:00 AM on April 16, at least one individual (possibly two) entered two different manholes at the PG&E Metcalf power substation, southeast of San Jose, and cut fiber cables in the area around the substation. That knocked out some local 911 services, landline service to the substation, and cell phone service...

Tue, 31 Dec 2013 13:31:26 UTC

More about the NSA's Tailored Access Operations Unit

Posted By Bruce Schneier

Der Spiegel has a good article on the NSA's Tailored Access Operations unit: basically, its hackers. The article also has more details on how QUANTUM -- particularly, QUANTUMINSERT -- works. Another article discusses the various tools TAO has at its disposal. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its...

Mon, 30 Dec 2013 15:55:49 UTC

Joseph Stiglitz on Trust

Posted By Bruce Schneier

Joseph Stiglitz has an excellent essay on the value of trust, and the lack of it in today's society. Trust is what makes contracts, plans and everyday transactions possible; it facilitates the democratic process, from voting to law creation, and is necessary for social stability. It is essential for our lives. It is trust, more than money, that makes the...

Fri, 27 Dec 2013 22:14:27 UTC

Friday Squid Blogging: Kim Jong Un Tours Frozen Squid Factory

Posted By Bruce Schneier

Frozen squid makes him happy. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 26 Dec 2013 12:44:29 UTC

Operation Vula

Posted By Bruce Schneier

"Talking to Vula" is the story of a 1980s secret communications channel between black South African leaders and others living in exile in the UK. The system used encrypted text encoded into DTMF "touch tones" and transmitted from pay phones. Our next project was one that led to the breakthrough we had been waiting for. We had received a request,...

Wed, 25 Dec 2013 12:44:11 UTC

Christmas Comic

Posted By Bruce Schneier

Amusing....

Tue, 24 Dec 2013 12:54:43 UTC

Report on Syrian Malware

Posted By Bruce Schneier

Fascinating report from Citizen Lab on the use of malware in the current Syrian conflict (EFF summary and Wired article)....

Mon, 23 Dec 2013 12:26:23 UTC

NSA Spying: Who Do You Believe?

Posted By Bruce Schneier

On Friday, Reuters reported that RSA entered a secret contract to make DUAL_EC_PRNG the default random number generator in the BSAFE toolkit. DUAL_EC_PRNG is now known to be back-doored by the NSA. Yesterday, RSA denied it: Recent press coverage has asserted that RSA entered into a secret contract with the NSA to incorporate a known flawed random number generator into...

Fri, 20 Dec 2013 22:21:51 UTC

Friday Squid Blogging: "What Does the Squid Say?"

Posted By Bruce Schneier

Minecraft parody. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Dec 2013 20:31:43 UTC

Yes, I'm Leaving BT

Posted By Bruce Schneier

The Register reported that I am leaving BT at the end of the year. It quoted BT as saying: We hired Bruce because of his thought leadership in security and as part of our acquisition of Counterpane. We have agreed to part ways as we felt our relationship had run its course and come to a natural end. It has...

Fri, 20 Dec 2013 12:30:18 UTC

Eben Moglen and I Talk about the NSA

Posted By Bruce Schneier

Last week, Eben Moglen and I had a conversation about NSA surveillance. Audio and video are online....

Thu, 19 Dec 2013 12:29:58 UTC

Acoustic Cryptanalysis

Posted By Bruce Schneier

This is neat: Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be...

Wed, 18 Dec 2013 15:59:13 UTC

Tor User Identified by FBI

Posted By Bruce Schneier

Eldo Kim sent an e-mail bomb threat to Harvard so he could skip a final exam. (It's just a coincidence that I was on the Harvard campus that day.) Even though he used an anonymous account and Tor, the FBI identified him. Reading the criminal complaint, it seems that the FBI got itself a list of Harvard users that accessed...

Tue, 17 Dec 2013 13:10:05 UTC

Security Vulnerabilities of Legacy Code

Posted By Bruce Schneier

An interesting research paper documents a "honeymoon effect" when it comes to software and vulnerabilities: attackers are more likely to find vulnerabilities in older and more familiar code. It's a few years old, but I haven't seen it before now. The paper is by Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith: "Familiarity Breeds Contempt: The Honeymoon Effect and...

Mon, 16 Dec 2013 12:09:00 UTC

Attacking Online Poker Players

Posted By Bruce Schneier

This story is about how at least two professional online poker players had their hotel rooms broken into and their computers infected with malware. I agree with the conclusion: So, what's the moral of the story? If you have a laptop that is used to move large amounts of money, take good care of it. Lock the keyboard when you...

Fri, 13 Dec 2013 22:05:30 UTC

Friday Squid Blogging: Squid Bow Tie

Posted By Bruce Schneier

Snappy-looking bow tie. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Dec 2013 19:24:57 UTC

President Obama and the Intelligence Community

Posted By Bruce Schneier

Really good article from the New Yorker....

Fri, 13 Dec 2013 17:20:14 UTC

World War II Anecdote about Trust and Security

Posted By Bruce Schneier

This is an interesting story from World War II about trust: Jones notes that the Germans doubted their system because they knew the British could radio false orders to the German bombers with no trouble. As Jones recalls, "In fact we did not do this, but it seemed such an easy countermeasure that the German crews thought that we might,...

Thu, 12 Dec 2013 18:55:48 UTC

How the NSA Tracks Mobile Phone Data

Posted By Bruce Schneier

Last week the Washington Post reported on how the NSA tracks mobile phones world-wide, and this week they followed up with source documents and more detail. Barton Gellman and Ashkan Soltani are doing some fantastic reporting on the Snowden NSA documents. I hope to be able to do the same again, once Pierre Omidyar's media venture gets up and running....

Thu, 12 Dec 2013 12:21:27 UTC

NSA Tracks People Using Google Cookies

Posted By Bruce Schneier

The Washington Post has a detailed article on how the NSA uses cookie data to track individuals. The EFF also has a good post on this. I have been writing and saying that government surveillance largely piggy backs on corporate capabilities, and this is an example of that. The NSA doesn't need the cooperation of any Internet company to use...

Tue, 10 Dec 2013 15:08:34 UTC

NSA Spying on Online Gaming Worlds

Posted By Bruce Schneier

The NSA is spying on chats in World of Warcraft and other games. There's lots of information -- and a good source document. While it's fun to joke about the NSA and elves and dwarves from World of Warcraft, this kind of surveillance makes perfect sense. If, as Dan Geer has pointed out, your assigned mission is to ensure that...

Mon, 09 Dec 2013 17:33:41 UTC

Bitcoin Explanation

Posted By Bruce Schneier

This is the best explanation of the Bitcoin protocol that I have read....

Fri, 06 Dec 2013 22:33:23 UTC

Friday Squid Blogging: Hoax Squid-Like Creature

Posted By Bruce Schneier

The weird squid-like creature floating around Bristol Harbour is a hoax. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Dec 2013 20:47:02 UTC

New Book: Carry On

Posted By Bruce Schneier

I have a new book. It's Carry On: Sound Advice from Schneier on Security, and it's my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.) There's nothing in this book that hasn't been published before, and...

Fri, 06 Dec 2013 20:16:03 UTC

Bruce Schneier Facts T-Shirts

Posted By Bruce Schneier

0-Day Clothing has taken 25 Bruce Schneier Facts and turned them into T-shirts just in time for Christmas....

Fri, 06 Dec 2013 12:19:52 UTC

Telepathwords: A New Password Strength Estimator

Posted By Bruce Schneier

Telepathwords is a pretty clever research project that tries to evaluate password strength. It's different from normal strength meters, and I think better. Telepathwords tries to predict the next character of your passwords by using knowledge of: common passwords, such as those made public as a result of security breaches common phrases, such as those that appear frequently on web...
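An added illustration of the idea in the post, written for this page and not taken from the Telepathwords project: a small next-character predictor built from a constructed password and phrase corpus, used to count how many characters of a candidate password an attacker's model would have guessed. The corpus, the top-3 guess budget and the scoring rule are assumptions, not Telepathwords' own model.

```python
"""Next-character prediction as a password strength estimate, in the spirit
of what the Telepathwords post describes.  Added illustration, not
Telepathwords' own code or model; the corpus and scoring rule are assumptions."""
from collections import Counter, defaultdict

# Constructed stand-in for the breach-derived password list and common-phrase
# list the post mentions (a real deployment would load millions of entries).
CORPUS = [
    "password", "password1", "123456", "qwerty", "letmein", "iloveyou",
    "welcome", "monkey", "dragon", "sunshine", "princess", "football",
    "abc123", "trustno1", "ilovemydog", "thequickbrownfox",
]


class NextCharModel:
    """Predicts the next character from the characters typed so far.

    Lookup order: exact prefix seen in the corpus, else a bigram fallback on
    the last character, else nothing.  `k` is how many guesses the
    'attacker' gets per position (assumed: 3)."""

    def __init__(self, corpus, k=3):
        self.k = k
        self.prefix = defaultdict(Counter)   # full prefix -> next-char counts
        self.bigram = defaultdict(Counter)   # last char  -> next-char counts
        self.start = Counter()               # first-character frequencies
        for word in corpus:
            self.start[word[0]] += 1
            for i in range(1, len(word)):
                self.prefix[word[:i]][word[i]] += 1
                self.bigram[word[i - 1]][word[i]] += 1

    def predict(self, typed):
        """Top-k guesses for the character that follows `typed`."""
        if not typed:
            table = self.start
        elif typed in self.prefix:
            table = self.prefix[typed]
        else:
            table = self.bigram.get(typed[-1], Counter())
        return [c for c, _ in table.most_common(self.k)]


def score(password, model):
    """Walk the password one character at a time; a character the model
    predicted counts as guessable.  Returns (guessable, unguessable, flags),
    where flags[i] is True if character i was predicted."""
    flags = [ch in model.predict(password[:i]) for i, ch in enumerate(password)]
    guessable = sum(flags)
    return guessable, len(password) - guessable, flags


def report(password, model):
    """Human-readable summary: the unpredicted characters (^) are the ones
    that actually contribute strength."""
    g, u, flags = score(password, model)
    marks = "".join("." if f else "^" for f in flags)
    return f"{password}\n{marks}  predicted={g} unpredicted={u}"


if __name__ == "__main__":
    m = NextCharModel(CORPUS)
    for pw in ("password", "passw0rd!", "x7Kq#Lm2"):
        print(report(pw, m))
```

With this toy corpus "password" is predicted character for character, so it contributes no strength at all, while a random string is unpredicted at every position; the point of the approach is that the meter measures what an informed attacker could not guess rather than counting character classes.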

Thu, 05 Dec 2013 19:16:13 UTC

Heartwave Biometric

Posted By Bruce Schneier

Here's a new biometric I know nothing about: The wristband relies on authenticating identity by matching the overall shape of the user's heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods -- like fingerprint scanning and iris-/facial-recognition tech -- the system doesn't require the user to authenticate every time they want to unlock something. Because it's a wearable...

Thu, 05 Dec 2013 12:58:15 UTC

The Problem with EULAs

Posted By Bruce Schneier

Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course. And to make it legal, it's part of the end-user license agreement (EULA): COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and...

Wed, 04 Dec 2013 12:28:05 UTC

Evading Airport Security

Posted By Bruce Schneier

The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It's clever stuff. It's not new, though. People have been explaining how to evade airport security for years. Back in 2006, I -- and others -- explained how to print your own boarding pass and evade the photo-ID check, a trick...

Tue, 03 Dec 2013 12:14:05 UTC

Keeping Track of All the Snowden Documents

Posted By Bruce Schneier

As more and more media outlets from all over the world continue to report on the Snowden documents, it's harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying. None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the...

Mon, 02 Dec 2013 18:48:37 UTC

The TQP Patent

Posted By Bruce Schneier

One of the things I do is expert witness work in patent litigations. Often, it's defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent...

Mon, 02 Dec 2013 12:05:31 UTC

How Antivirus Companies Handle State-Sponsored Malware

Posted By Bruce Schneier

Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus...

Fri, 29 Nov 2013 22:15:54 UTC

Friday Squid Blogging: Squid Worm Discovered

Posted By Bruce Schneier

This squid-like worm -- Teuthidodrilus samae -- is new to science. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Nov 2013 12:18:38 UTC

More on Stuxnet

Posted By Bruce Schneier

Ralph Langner has written the definitive analysis of Stuxnet: short, popular version, and long, technical version. Stuxnet is not really one weapon, but two. The vast majority of the attention has been paid to Stuxnet's smaller and simpler attack routine -- the one that changes the speeds of the rotors in a centrifuge, which is used to enrich uranium. But...

Wed, 27 Nov 2013 12:28:42 UTC

Tor Appliance

Posted By Bruce Schneier

Safeplug is an easy-to-use Tor appliance. I like that it can also act as a Tor exit node....

Tue, 26 Nov 2013 12:29:05 UTC

The FBI Might Do More Domestic Surveillance than the NSA

Posted By Bruce Schneier

This is a long article about the FBI's Data Intercept Technology Unit (DITU), which is basically its own internal NSA. It carries out its own signals intelligence operations and is trying to collect huge amounts of email and Internet data from U.S. companies -- an operation that the NSA once conducted, was reprimanded for, and says it abandoned. [...] The...

Mon, 25 Nov 2013 19:51:03 UTC

US Working to Kill UN Resolutions to Limit International Surveillance

Posted By Bruce Schneier

This story should get more publicity than it has....

Mon, 25 Nov 2013 12:53:29 UTC

Surveillance as a Business Model

Posted By Bruce Schneier

Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached—without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on...

Fri, 22 Nov 2013 22:53:42 UTC

Friday Squid Blogging: Magnapinna Squid Photo

Posted By Bruce Schneier

Neat photo. Video, too. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Nov 2013 20:56:26 UTC

Reddit "Ask Me Anything"

Posted By Bruce Schneier

I just did an AMA on Reddit....

Thu, 21 Nov 2013 19:42:38 UTC

Rerouting Internet Traffic by Attacking BGP

Posted By Bruce Schneier

Renesys is reporting that Internet traffic is being manipulatively rerouted, presumably for eavesdropping purposes. The attacks exploit flaws in the Border Gateway Protocol (BGP). Ars Technica has a good article explaining the details. The odds that the NSA is not doing this sort of thing are basically zero, but I'm sure that their activities are going to be harder to...
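An added example, not from the post or from Renesys, of the baseline check an operator would run to catch the rerouting described above: an announcement whose origin AS, or whose transit path, departs from what a prefix normally looks like, plus the more-specific-prefix variant. The prefixes (RFC 5737 test networks) and AS numbers are constructed and are not the networks in the report.

```python
"""Baseline checks for BGP rerouting: bogus origin, an unexpected AS inserted
into the path (the man-in-the-middle pattern: origin looks right, path does
not), and a more-specific prefix that wins by longest match.  Added example;
prefixes and ASNs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple   # leftmost = AS nearest the observer, rightmost = origin


# Constructed baseline built from "normal" history: for each prefix, the origin
# AS and the set of ASes that have legitimately appeared in its paths.
BASELINE = {
    "203.0.113.0/24":  {"origin": 64500, "transit": {64500, 64501, 64502}},
    "198.51.100.0/24": {"origin": 64510, "transit": {64510, 64511, 64502}},
}


def check(ann, baseline=BASELINE):
    """Return a list of (severity, reason) findings for one announcement.
    An empty list means the announcement matches the baseline."""
    findings = []
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]

    base = baseline.get(ann.prefix)
    if base is not None:
        # Origin hijack: someone else claims to originate the exact prefix.
        if origin != base["origin"]:
            findings.append(("high", f"origin AS {origin} != expected {base['origin']}"))
        # Path detour: the route transits ASes never seen for this prefix.
        foreign = [a for a in ann.as_path if a not in base["transit"]]
        if foreign:
            findings.append(("medium", f"unexpected ASes in path: {foreign}"))

    # Sub-prefix hijack: a more-specific of a known prefix beats it on longest match.
    for known, entry in baseline.items():
        known_net = ipaddress.ip_network(known)
        if net != known_net and net.subnet_of(known_net):
            findings.append(("high",
                             f"{ann.prefix} is a more-specific of {known} "
                             f"(expected origin {entry['origin']}, announced origin {origin})"))

    # Same AS twice, non-contiguously: that is not prepending, so the path was altered.
    last_seen = {}
    for i, asn in enumerate(ann.as_path):
        if asn in last_seen and i - last_seen[asn] > 1:
            findings.append(("low", f"AS {asn} appears twice non-contiguously"))
            break
        last_seen[asn] = i
    return findings


def scan(announcements, baseline=BASELINE):
    """Run check() over a batch; return only the announcements with findings."""
    return {a: f for a in announcements if (f := check(a, baseline))}


if __name__ == "__main__":
    batch = [
        Announcement("203.0.113.0/24", (64502, 64501, 64500)),    # normal
        Announcement("203.0.113.0/24", (64502, 64666, 64500)),    # detour via 64666
        Announcement("203.0.113.128/25", (64502, 64666)),         # more-specific
        Announcement("198.51.100.0/24", (64502, 64511, 64510)),   # normal
    ]
    for ann, findings in scan(batch).items():
        print(ann.prefix, ann.as_path)
        for sev, reason in findings:
            print(f"  [{sev}] {reason}")
```

The detour case is the one that matters for eavesdropping: the origin is unchanged, reachability is unchanged, and only the path reveals that traffic is taking a trip through an AS that has no business carrying it. A real deployment feeds this from route-collector data rather than a hand-built baseline.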

Wed, 20 Nov 2013 12:47:56 UTC

How to Avoid Getting Arrested

Posted By Bruce Schneier

The tips are more psychological than security....

Tue, 19 Nov 2013 12:32:54 UTC

Fokirtor

Posted By Bruce Schneier

Fokirtor is a Linux Trojan that exfiltrates traffic by inserting it into SSH connections. It looks very well-designed and -constructed....

Mon, 18 Nov 2013 13:35:01 UTC

Explaining and Speculating About QUANTUM

Posted By Bruce Schneier

Nicholas Weaver has a great essay explaining how the NSA's QUANTUM packet injection system works, what we know it does, what else it can possibly do, and how to defend against it. Remember that while QUANTUM is an NSA program, other countries engage in these sorts of attacks as well. By securing the Internet against QUANTUM, we protect ourselves against...

Fri, 15 Nov 2013 22:05:30 UTC

Friday Squid Blogging: Squid Fishermen Seen from Space

Posted By Bruce Schneier

Cool photo. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Nov 2013 20:34:21 UTC

Various Schneier Audio and Video Talks and Interviews

Posted By Bruce Schneier

News articles about me (or with good quotes by me). My talk at the IETF Vancouver meeting on NSA and surveillance. I'm the first speaker after the administrivia. Press articles about me and the IETF meeting. Other video interviews with me....

Fri, 15 Nov 2013 12:28:45 UTC

Security Tents

Posted By Bruce Schneier

The US government sets up secure tents for the president and other officials to deal with classified material while traveling abroad. Even when Obama travels to allied nations, aides quickly set up the security tent -- which has opaque sides and noise-making devices inside -- in a room near his hotel suite. When the president needs to read a classified...

Thu, 14 Nov 2013 12:21:57 UTC

A Fraying of the Public/Private Surveillance Partnership

Posted By Bruce Schneier

The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users' and customers' data. Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA asked you for copies of...

Wed, 13 Nov 2013 20:17:52 UTC

Microsoft Retiring SHA-1 in 2016

Posted By Bruce Schneier

I think this is a good move on Microsoft's part: Microsoft is recommending that customers and CA's stop using SHA-1 for cryptographic applications, including use in SSL/TLS and code signing. Microsoft Security Advisory 2880823 has been released along with the policy announcement that Microsoft will stop recognizing the validity of SHA-1 based certificates after 2016. More news. SHA-1 isn't broken...

Wed, 13 Nov 2013 12:46:32 UTC

Another QUANTUMINSERT Attack Example

Posted By Bruce Schneier

Der Spiegel is reporting that the GCHQ used QUANTUMINSERT to direct users to fake LinkedIn and Slashdot pages run by -- this code name is not in the article -- FOXACID servers. There's not a lot technically new in the article, but we do get some information about popularity and jargon. According to other secret documents, Quantum is an extremely...

Tue, 12 Nov 2013 19:04:12 UTC

Cryptographic Blunders Revealed by Adobe's Password Leak

Posted By Bruce Schneier

Adobe lost 150 million customer passwords. Even worse, they had a pretty dumb cryptographic hash system protecting those passwords....

Tue, 12 Nov 2013 12:35:43 UTC

Bizarre Online Gambling Movie-Plot Threat

Posted By Bruce Schneier

This article argues that online gambling is a strategic national threat because terrorists could use it to launder money. The Harper demonstration showed the technology and techniques that terror and crime organizations could use to operate untraceable money laundering built on a highly liquid legalized online poker industry -- just the environment that will result from the spread of poker...

Mon, 11 Nov 2013 12:21:29 UTC

Dan Geer Explains the Government Surveillance Mentality

Posted By Bruce Schneier

This talk by Dan Geer explains the NSA mindset of "collect everything": I previously worked for a data protection company. Our product was, and I believe still is, the most thorough on the market. By "thorough" I mean the dictionary definition, "careful about doing something in an accurate and exact way." To this end, installing our product instrumented every system...

Fri, 08 Nov 2013 22:10:50 UTC

Friday Squid Blogging: Tree Yarn-Bombed

Posted By Bruce Schneier

This tree in San Mateo, CA (http://www.thisiscolossal.com/2013/10/a-yarn-bombed-tree-squid/) has been turned into a giant blue squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Nov 2013 19:06:24 UTC

Another Snowden Lesson: People Are the Weak Security Link

Posted By Bruce Schneier

There's a story that Edward Snowden successfully socially engineered other NSA employees into giving him their passwords....

Fri, 08 Nov 2013 12:58:58 UTC

Why the Government Should Help Leakers

Posted By Bruce Schneier

In the Information Age, it's easier than ever to steal and publish data. Corporations and governments have to adjust to their secrets being exposed, regularly. When massive amounts of government documents are leaked, journalists sift through them to determine which pieces of information are newsworthy, and confer with government agencies over what needs to be redacted. Managing this reality is...

Thu, 07 Nov 2013 13:06:53 UTC

Risk-Based Authentication

Posted By Bruce Schneier

I like this idea of giving each individual login attempt a risk score, based on the characteristics of the attempt: The risk score estimates the risk associated with a log-in attempt based on a user's typical log-in and usage profile, taking into account their device and geographic location, the system they're trying to access, the time of day they typically...
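An added example of the scoring the post describes, written for this page and not taken from the article or any vendor's product: each login attempt is compared with the user's usual devices, countries, hours and target systems, plus a travel-speed check against the last accepted login, and the sum of weighted deviations drives an allow / step-up / deny decision. The weights, thresholds and the 1000 km/h travel limit are assumptions.

```python
"""Risk score for a login attempt against the user's typical profile (device,
location, system, time of day), as the post describes.  Added example with
assumed weights and thresholds; not from the article's product."""
import math
from dataclasses import dataclass


@dataclass
class Profile:
    user: str
    known_devices: set
    usual_countries: set
    usual_hours: range            # local hours the user normally logs in
    usual_systems: set
    last_login: tuple = None      # (lat, lon, unix_time) of the last accepted login


@dataclass
class Attempt:
    device: str
    country: str
    hour: int
    system: str
    lat: float
    lon: float
    time: int                     # unix seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance, used for the 'impossible travel' check."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Assumed weights: a new device or country matters more than an odd hour.
WEIGHTS = {"new_device": 30, "new_country": 25, "odd_hour": 10,
           "unusual_system": 20, "impossible_travel": 50}
MAX_PLAUSIBLE_KMH = 1000   # assumed: faster than this and the user did not move


def risk_score(profile, attempt):
    """Return (score, reasons); each reason is a key in WEIGHTS."""
    reasons = []
    if attempt.device not in profile.known_devices:
        reasons.append("new_device")
    if attempt.country not in profile.usual_countries:
        reasons.append("new_country")
    if attempt.hour not in profile.usual_hours:
        reasons.append("odd_hour")
    if attempt.system not in profile.usual_systems:
        reasons.append("unusual_system")
    if profile.last_login:
        lat, lon, t = profile.last_login
        hours = max((attempt.time - t) / 3600, 1e-6)   # avoid divide-by-zero
        km = haversine_km(lat, lon, attempt.lat, attempt.lon)
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Assumed thresholds: low risk passes, medium asks for a second factor."""
    if score < 20:
        return "allow"
    if score < 60:
        return "step_up"
    return "deny"


if __name__ == "__main__":
    alice = Profile("alice", {"laptop-1"}, {"US"}, range(7, 20), {"mail"},
                    last_login=(40.7, -74.0, 1_700_000_000))
    for a in (Attempt("laptop-1", "US", 9, "mail", 40.7, -74.0, 1_700_003_600),
              Attempt("laptop-1", "CA", 9, "mail", 43.65, -79.38, 1_700_086_400),
              Attempt("unknown", "RU", 3, "hr-db", 55.75, 37.6, 1_700_003_600)):
        s, why = risk_score(alice, a)
        print(decide(s), s, why)
```

The useful property is that no single signal has to be decisive: a familiar device from a new country gets a second-factor prompt rather than a block, while a new device, a new country, an odd hour and a trip that would require a 7,000 km/h aircraft add up to a denial.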

Wed, 06 Nov 2013 19:53:31 UTC

Deception in Fruit Flies

Posted By Bruce Schneier

The wings of the Goniurellia tridens fruit fly have images of an ant on them, to deceive predators: "When threatened, the fly flashes its wings to give the appearance of ants walking back and forth. The predator gets confused and the fly zips off." Click on the link to see the photo....

Wed, 06 Nov 2013 12:35:02 UTC

Elliptic Curve Crypto Primer

Posted By Bruce Schneier

This is well-written and very good....

Tue, 05 Nov 2013 12:53:34 UTC

The Story of the Bomb Squad at the Boston Marathon

Posted By Bruce Schneier

This is interesting reading, but I'm left wanting more. What are the lessons here? How can we do this better next time? Clearly we won't be able to anticipate bombings; even Israel can't do that. We have to get better at responding. Several years after 9/11, I conducted training with a military bomb unit charged with guarding Washington, DC. Our...

Mon, 04 Nov 2013 19:39:56 UTC

More NSA Revelations

Posted By Bruce Schneier

This New York Times story on the NSA is very good, and contains lots of little tidbits of new information gleaned from the Snowden documents. The agency's Dishfire database -- nothing happens without a code word at the N.S.A. -- stores years of text messages from around the world, just in case. Its Tracfin collection accumulates gigabytes of credit card...

Mon, 04 Nov 2013 12:15:24 UTC

badBIOS

Posted By Bruce Schneier

Good story of badBIOS, a really nasty piece of malware. The weirdest part is how it uses ultrasonic sound to jump air gaps. Ruiu said he arrived at the theory about badBIOS's high-frequency networking capability after observing encrypted data packets being sent to and from an infected machine that had no obvious network connection with -- but was in close...

Fri, 01 Nov 2013 21:40:24 UTC

Friday Squid Blogging: 8-Foot Giant Squid Pillow

Posted By Bruce Schneier

Make your own 8-foot giant squid pillow. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Nov 2013 19:26:53 UTC

A Template for Reporting Government Surveillance News Stories

Posted By Bruce Schneier

This is from 2006 -- I blogged it here -- but it's even more true today. Under a top secret program initiated by the Bush Administration after the Sept. 11 attacks, the [name of agency (FBI, CIA, NSA, etc.)] have been gathering a vast database of [type of records] involving United States citizens. "This program is a vital tool in...

Fri, 01 Nov 2013 19:03:32 UTC

Reading Group at Harvard Law School

Posted By Bruce Schneier

In Spring Semester, I'm running a reading group -- which seems to be a formal variant of a study group -- at Harvard Law School on "Security, Power, and the Internet." I would like a good mix of people, so non law students and non Harvard students are both welcome to sign up....

Fri, 01 Nov 2013 11:32:29 UTC

Close-In Surveillance Using Your Phone's Wi-Fi

Posted By Bruce Schneier

This article talks about applications in retail, but the possibilities are endless. Every smartphone these days comes equipped with a WiFi card. When the card is on and looking for networks to join, it's detectable by local routers. In your home, the router connects to your device, and then voilà, you have the Internet on your phone. But in...

Thu, 31 Oct 2013 15:29:21 UTC

NSA Eavesdropping on Google and Yahoo Networks

Posted By Bruce Schneier

The Washington Post reported that the NSA is eavesdropping on the Google and Yahoo private networks -- the code name for the program is MUSCULAR. I may write more about this later, but I have some initial comments: It's a measure of how far off the rails the NSA has gone that it's taking its Cold War-era eavesdropping tactics --...

Wed, 30 Oct 2013 11:50:10 UTC

The Battle for Power on the Internet

Posted By Bruce Schneier

We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently,...

Tue, 29 Oct 2013 18:46:58 UTC

What the NSA Can and Cannot Do

Posted By Bruce Schneier

Good summary from the London Review of Books....

Tue, 29 Oct 2013 10:54:52 UTC

Arguing for NSA-Level Internet Surveillance

Posted By Bruce Schneier

Jack Goldsmith argues that we need the NSA to surveil the Internet not for terrorism reasons, but for cyberespionage and cybercrime reasons. Daniel Gallington argues -- the headline has nothing to do with the content -- that the balance between surveillance and privacy is about right....

Mon, 28 Oct 2013 11:39:30 UTC

Understanding the Threats in Cyberspace

Posted By Bruce Schneier

The primary difficulty of cyber security isn't technology -- it's policy. The Internet mirrors real-world society, which makes security policy online as complicated as it is in the real world. Protecting critical infrastructure against cyber-attack is just one of cyberspace's many security challenges, so it's important to understand them all before any one of them can be solved. The list...

Sat, 26 Oct 2013 22:43:43 UTC

US Government Monitoring Public Internet in Real Time

Posted By Bruce Schneier

Here's a demonstration of the US government's capabilities to monitor the public Internet. Former CIA and NSA Director Michael Hayden was on the Acela train between New York and Washington DC, taking press interviews on the phone. Someone nearby overheard the conversation, and started tweeting about it. Within 15 or so minutes, someone somewhere noticed the tweets, and informed someone...

Sat, 26 Oct 2013 02:08:54 UTC

Friday Squid Blogging: Dynamic Biophotonics in Squid

Posted By Bruce Schneier

Female squid exhibit sexually dimorphic tunable leucophores and iridocytes. Just so you know. Here's the story in more accessible language. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Oct 2013 14:26:30 UTC

Book Review: Cyber War Will Not Take Place

Posted By Bruce Schneier

Thomas Rid, Cyber War Will Not Take Place, Oxford University Press, 2013. Cyber war is possibly the most dangerous buzzword of the Internet era. The fear-inducing rhetoric surrounding it is being used to justify major changes in the way the Internet is organized, governed, and constructed. And in Cyber War Will Not Take Place, Thomas Rid convincingly argues that cyber...

Fri, 25 Oct 2013 11:30:01 UTC

Cognitive Biases About Violence as a Negotiating Tactic

Posted By Bruce Schneier

Interesting paper: Max Abrahms, "The Credibility Paradox: Violence as a Double-Edged Sword in International Politics," International Studies Quarterly, 2013: Abstract: Implicit in the rationalist literature on bargaining over the last half-century is the political utility of violence. Given our anarchical international system populated with egoistic actors, violence is thought to promote concessions by lending credibility to their threats. From the...

Thu, 24 Oct 2013 13:45:11 UTC

DARPA Contest for Fully-Automated Network Defense

Posted By Bruce Schneier

DARPA is looking for a fully-automated network defense system: What if computers had a "check engine" light that could indicate new, novel security problems? What if computers could go one step further and heal security problems before they happen? To find out, the Defense Advanced Research Projects Agency (DARPA) intends to hold the Cyber Grand Challenge (CGC) -- the first-ever...

Wed, 23 Oct 2013 15:03:13 UTC

Code Names for NSA Exploit Tools

Posted By Bruce Schneier

This is from a Snowden document released by Le Monde: General Term Descriptions: HIGHLANDS: Collection from Implants VAGRANT: Collection of Computer Screens MAGNETIC: Sensor Collection of Magnetic Emanations MINERALIZE: Collection from LAN Implant OCEAN: Optical Collection System for Raster-Based Computer Screens LIFESAFER: Imaging of the Hard Drive GENIE: Multi-stage operation: jumping the airgap etc. BLACKHEART: Collection from an FBI Implant...

Wed, 23 Oct 2013 10:35:39 UTC

Dry Ice Bombs at LAX

Posted By Bruce Schneier

The news story about the guy who left dry ice bombs in restricted areas of LAX is really weird. I can't get worked up over it, though. Dry ice bombs are a harmless prank. I set off a bunch of them when I was in college, although I used liquid nitrogen, because I was impatient -- and they're harmless. I...

Tue, 22 Oct 2013 16:32:49 UTC

Can I Be Trusted?

Posted By Bruce Schneier

SlashDot asks the question: I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that...

Tue, 22 Oct 2013 11:15:41 UTC

Defending Against Crypto Backdoors

Posted By Bruce Schneier

We already know the NSA wants to eavesdrop on the Internet. It has secret agreements with telcos to get direct access to bulk Internet traffic. It has massive systems like TUMULT, TURMOIL, and TURBULENCE to sift through it all. And it can identify ciphertext -- encrypted information -- and figure out which programs could have created it. But what the...

Mon, 21 Oct 2013 11:05:05 UTC

The Trajectories of Government and Corporate Surveillance

Posted By Bruce Schneier

Historically, surveillance was difficult and expensive. Over the decades, as technology advanced, surveillance became easier and easier. Today, we find ourselves in a world of ubiquitous surveillance, where everything is collected, saved, searched, correlated and analyzed. But while technology allowed for an increase in both corporate and government surveillance, the private and public sectors took very different paths to get...

Fri, 18 Oct 2013 21:10:58 UTC

Friday Squid Blogging: Fiona Apple Wears a Squid as a Hat in New Video

Posted By Bruce Schneier

Even I think this is weird....

Fri, 18 Oct 2013 17:03:20 UTC

D-Link Router Backdoor

Posted By Bruce Schneier

Several versions of D-Link router firmware contain a backdoor. Just set the browser's user agent string to "xmlset_roodkcableoj28840ybtide," and you're in. (Hint, remove the number and read it backwards.) It was probably put there for debugging purposes, but has all sorts of applications for surveillance. Good article on the subject....
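An added example, not from the post or the linked article, of what a defender does with a backdoor like this once it is public: decode the hint the post gives, then hunt through web-server access logs for the backdoor User-Agent. The log lines, IP addresses and paths below are constructed; only the User-Agent string itself comes from the post.

```python
"""Hunt for use of the D-Link backdoor User-Agent in access logs.  Added
example; the log lines, addresses and paths are constructed.  Only the
User-Agent value is the one reported in the post."""
import re

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_hint(ua):
    """The post's hint: remove the digits and read the rest backwards."""
    return re.sub(r"\d", "", ua)[::-1]


# Combined Log Format: ip - - [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: one normal browser, two backdoor requests from the same
# host (the second with the UA upper-cased), and a curl probe.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Oct/2013:10:02:10 +0000] "GET /admin/ HTTP/1.1" 200 1400 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [18/Oct/2013:10:02:11 +0000] "POST /admin/ HTTP/1.1" 302 0 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"
192.0.2.9 - - [18/Oct/2013:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 3000 "-" "curl/7.32.0"
"""


def find_backdoor_hits(log_text):
    """Return (ip, method, path, status) for every request carrying the
    backdoor User-Agent; the comparison is case-insensitive so a trivially
    altered UA is still caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; a real tool would count these
        if BACKDOOR_UA in m.group("ua").lower():
            hits.append((m.group("ip"), m.group("method"),
                         m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    print("decoded hint:", decode_hint(BACKDOOR_UA))
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print("backdoor use:", *hit)
```

A router that does not log to a central collector gives you nothing to search, which is the practical lesson: the fix is a firmware update, but knowing whether the backdoor was already used requires logs that most home and small-office routers never kept.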

Fri, 18 Oct 2013 11:37:09 UTC

Identifying Cell Phones Through Sensor Imperfections

Posted By Bruce Schneier

There seems to be a bunch of research into uniquely identifying cell phones through unique analog characteristics of the various embedded sensors. These sorts of things could replace cookies as surveillance tools. Slashdot and MetaFilter threads....

Thu, 17 Oct 2013 17:50:15 UTC

"A Court Order Is an Insider Attack"

Posted By Bruce Schneier

Ed Felten makes a strong argument that a court order is exactly the same thing as an insider attack: To see why, consider two companies, which we'll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party -- in this case, the government. Meanwhile, over at Guavabit,...

Thu, 17 Oct 2013 12:15:08 UTC

SecureDrop

Posted By Bruce Schneier

SecureDrop is an open-source whistleblower support system, originally written by Aaron Swartz and now run by the Freedom of the Press Foundation. The first instance of this system was named StrongBox and is being run by the New Yorker. To further add to the naming confusion, Aaron Swartz called the system DeadDrop when he wrote the code. I participated in...

Wed, 16 Oct 2013 12:33:42 UTC

iPhone Sensor Surveillance

Posted By Bruce Schneier

The new iPhone has a motion sensor chip, and that opens up new opportunities for surveillance: The M7 coprocessors introduce functionality that some may instinctively identify as "creepy." Even Apple's own description hints at eerie omniscience: "M7 knows when you're walking, running, or even driving..." While it's quietly implemented within iOS, it's not secret for third party apps (which require...

Tue, 15 Oct 2013 18:37:26 UTC

NSA Harvesting Contact Lists

Posted By Bruce Schneier

A new Snowden document shows that the NSA is harvesting contact lists -- e-mail address books, IM buddy lists, etc. -- from Google, Yahoo, Microsoft, Facebook, and others. Unlike PRISM, this unnamed program collects the data from the Internet. This is similar to how the NSA identifies Tor users. They get direct access to the Internet backbone, either through...

Tue, 15 Oct 2013 17:37:02 UTC

New Secure Smart Phone App

Posted By Bruce Schneier

It's hard not to poke fun at this press release for Safeslinger, a new cell phone security app from Carnegie Mellon. "SafeSlinger provides you with the confidence that the person you are communicating with is actually the person they have represented themselves to be," said Michael W. Farb, a research programmer at Carnegie Mellon CyLab. "The most important feature is...

Tue, 15 Oct 2013 11:27:14 UTC

Massive MIMO Cryptosystem

Posted By Bruce Schneier

New paper: "Physical-Layer Cryptography Through Massive MIMO." Abstract: We propose the new technique of physical-layer cryptography based on using a massive MIMO channel as a key between the sender and desired receiver, which need not be secret. The goal is for low-complexity encoding and decoding by the desired transmitter-receiver pair, whereas decoding by an eavesdropper is hard in terms of...

Mon, 14 Oct 2013 18:06:19 UTC

Insecurities in the Linux /dev/random

Posted By Bruce Schneier

New paper: "Security Analysis of Pseudo-Random Number Generators with Input: /dev/random is not Robust," by Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault, Damien Vergnaud, and Daniel Wichs. Abstract: A pseudo-random number generator (PRNG) is a deterministic algorithm that produces numbers whose distribution is indistinguishable from uniform. A formal security model for PRNGs with input was proposed in 2005 by Barak and...

Mon, 14 Oct 2013 11:37:44 UTC

Fingerprinting Burner Phones

Posted By Bruce Schneier

In one of the documents recently released by the NSA as a result of an EFF lawsuit, there's discussion of a specific capability of a call records database to identify disposable "burner" phones. Let's consider, then, the very specific data this query tool was designed to return: The times and dates of the first and last call events, but apparently...

Fri, 11 Oct 2013 21:09:00 UTC

Friday Squid Blogging: 30-Foot Giant Squid Washes Ashore

Posted By Bruce Schneier

A 30-foot-long giant squid has washed ashore in Cantabria, Spain. It died at sea, with a broken tentacle. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Oct 2013 19:53:05 UTC

Stuff I Say

Posted By Bruce Schneier

It's a Tumblr feed. Right now there are only six posts, all a year old. Presumably that will change soon. To clarify: I have nothing to do with the feed, and anyone can post stuff to it....

Fri, 11 Oct 2013 17:33:27 UTC

New Low in Election Fraud

Posted By Bruce Schneier

Azerbaijan achieves a new low in voter fraud. The government accidentally publishes the results of the election before the polls open. The mistake came when an electoral commission accidentally published results showing a victory for Ilham Aliyev, the country's long-standing President, a day before voting. Meydan TV, an online channel critical of the government, released a screenshot from a mobile...

Fri, 11 Oct 2013 11:45:00 UTC

Air Gaps

Posted By Bruce Schneier

Since I started working with Snowden's documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible. I also recommended using an air gap, which physically isolates a computer or local network of computers from the...

Thu, 10 Oct 2013 16:52:47 UTC

Build Your Own Enigma

Posted By Bruce Schneier

Neat....

Thu, 10 Oct 2013 11:03:46 UTC

Breaking Taiwan's Digital ID

Posted By Bruce Schneier

There's a serious random-number generation flaw in the cryptographic systems used to protect the Taiwanese digital ID. Article and paper....

Wed, 09 Oct 2013 18:08:09 UTC

A New Postal Privacy Product

Posted By Bruce Schneier

The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless. Here are a bunch of documents. I honestly have no idea what's going on. It seems...

Wed, 09 Oct 2013 11:28:27 UTC

The NSA's New Risk Analysis

Posted By Bruce Schneier

As I recently reported in the Guardian, the NSA has secret servers on the Internet that hack into other computers, codename FOXACID. These servers provide an excellent demonstration of how the NSA approaches risk management, and exposes flaws in how the agency thinks about the secrecy of its own programs. Here are the FOXACID basics: By the time the NSA...

Tue, 08 Oct 2013 18:05:16 UTC

Me on Surveillance

Posted By Bruce Schneier

This is a video of me talking about surveillance and privacy, both relating to the NSA and more generally....

Tue, 08 Oct 2013 11:44:23 UTC

Why It's Important to Publish the NSA Programs

Posted By Bruce Schneier

The Guardian recently reported on how the NSA targets Tor users, along with details of how it uses centrally placed servers on the Internet to attack individual computers. This builds on a Brazilian news story from mid-September that, in part, shows that the NSA is impersonating Google servers to users; a German story on how the NSA is hacking...

Mon, 07 Oct 2013 18:35:41 UTC

Silk Road Author Arrested Due to Bad Operational Security

Posted By Bruce Schneier

Details of how the FBI found the administrator of Silk Road, a popular black market e-commerce site. Despite the elaborate technical underpinnings, however, the complaint portrays Ulbricht as a drug lord who made rookie mistakes. In an October 11, 2011 posting to a Bitcoin Talk forum, for instance, a user called "altoid" advertised he was looking for an "IT pro...

Mon, 07 Oct 2013 11:24:38 UTC

How the NSA Attacks Tor/Firefox Users With QUANTUM and FOXACID

Posted By Bruce Schneier

The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world. According to a...

Fri, 04 Oct 2013 21:17:25 UTC

Friday Squid Blogging: Squid Exhibit at the Monterey Bay Aquarium

Posted By Bruce Schneier

Opens spring 2014. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Oct 2013 19:09:47 UTC

"Trust the Math"

Posted By Bruce Schneier

I like this piece of art. Someone should do T-shirts....

Fri, 04 Oct 2013 11:59:15 UTC

Developments in Microphone Technology

Posted By Bruce Schneier

What's interesting is that this matchstick-sized microphone can be attached to drones. Conventional microphones work when sound waves make a diaphragm move, creating an electrical signal. Microflown's sensor has no moving parts. It consists of two parallel platinum strips, each just 200 nanometres deep, that are heated to 200° C. Air molecules flowing across the strips cause temperature differences between...

Thu, 03 Oct 2013 17:55:15 UTC

Is Cybersecurity a Profession?

Posted By Bruce Schneier

A National Academy of Sciences panel says no: Sticking to the quality control aspect of the report, professionalization, it says, has the potential to attract workers and establish long-term paths to improving the work force overall, but measures such as standardized education or requirements for certification, have their disadvantages too. For example, formal education or certification could be helpful to...

Thu, 03 Oct 2013 11:43:05 UTC

On Anonymous

Posted By Bruce Schneier

Gabriella Coleman has published an interesting analysis of the hacker group Anonymous: Abstract: Since 2010, digital direct action, including leaks, hacking and mass protest, has become a regular feature of political life on the Internet. The source, strengths and weakness of this activity are considered in this paper through an in-depth analysis of Anonymous, the protest ensemble that has been...

Wed, 02 Oct 2013 18:28:58 UTC

On Secrecy

Posted By Bruce Schneier

"When everything is classified, then nothing is classified." I should suppose that moral, political, and practical considerations would dictate that a very first principle of that wisdom would be an insistence upon avoiding secrecy for its own sake. For when everything is classified, then nothing is classified, and the system becomes one to be disregarded by the cynical or the...

Wed, 02 Oct 2013 11:46:26 UTC

My TEDx Talk

Posted By Bruce Schneier

I spoke at TEDxCambridge last month on security and power. Here's the video....

Tue, 01 Oct 2013 18:08:15 UTC

NSA Storing Internet Data, Social Networking Data, on Pretty Much Everybody

Posted By Bruce Schneier

Two new stories based on the Snowden documents. This is getting silly. General Alexander just lied about this to Congress last week. The old NSA tactic of hiding behind a shell game of different code names is failing. It used to be they could get away with saying "Project X doesn't do that," knowing full well that Projects Y and...

Tue, 01 Oct 2013 15:50:19 UTC

Will Keccak = SHA-3?

Posted By Bruce Schneier

Last year, NIST selected Keccak as the winner of the SHA-3 hash function competition. Yes, I would have rather my own Skein had won, but it was a good choice. But last August, John Kelsey announced some changes to Keccak in a talk (slides 44-48 are relevant). Basically, the security levels were reduced and some internal changes to the algorithm...

Tue, 01 Oct 2013 14:09:00 UTC

WhoIs Privacy and Proxy Service Abuse

Posted By Bruce Schneier

ICANN has a draft study that looks at abuse of the Whois database. This study, conducted by the National Physical Laboratory (NPL) in the United Kingdom, analyzes gTLD domain names to measure whether the percentage of privacy/proxy use among domains engaged in illegal or harmful Internet activities is significantly greater than among domain names used for lawful Internet activities. Furthermore,...

Sat, 28 Sep 2013 11:10:09 UTC

Senator Feinstein Admits the NSA Taps the Internet Backbone

Posted By Bruce Schneier

We know from the Snowden documents (and other sources) that the NSA taps the Internet backbone through secret agreements with major U.S. telcos, but the U.S. government still hasn't admitted it. In late August, the Obama administration declassified a ruling from the Foreign Intelligence Surveillance Court. Footnote 3 reads: The term 'upstream collection' refers to NSA's interception of Internet communications as they...

Fri, 27 Sep 2013 21:53:26 UTC

Friday Squid Blogging: A Squid that Fishes

Posted By Bruce Schneier

The Grimalditeuthis bonplandi is the only known squid to use its tentacles to fish: Its tentacles are thin and fragile, and almost always break off when it's captured. For ages, people thought it lacked tentacles altogether until a full specimen was found in the stomach of a fish. Weirder still, its clubs have neither suckers nor hooks. Instead, they are...

Fri, 27 Sep 2013 19:47:26 UTC

Another Schneier Interview

Posted By Bruce Schneier

I was interviewed for Technology Review on the NSA and the Snowden documents....

Fri, 27 Sep 2013 11:21:59 UTC

3D-Printed Robot to Break Android PINs

Posted By Bruce Schneier

Neat project. The reason it works is that the Android system doesn't start putting in very long delays between PIN attempts after a whole bunch of unsuccessful attempts. The iPhone does....
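The post's point is that the attack works because the lockout never escalates. The simulation below is an editor's added example, not code from the post or from the robot project: it compares a non-escalating pause policy with an escalating one and reports how long a mechanical PIN-entry robot would need to exhaust the space. The delay schedules, the 10,000-PIN space and the one-attempt-per-second robot speed are assumptions chosen for illustration, not figures from the post or from either vendor.

```python
from typing import Callable, Optional

PIN_SPACE = 10_000            # assumed: 4-digit numeric PINs
ROBOT_SECONDS_PER_TRY = 1.0   # assumed: mechanical entry speed of the robot

# A lockout policy maps "failures so far" to the seconds the device makes you
# wait before the next attempt; None means the device refuses further attempts.
Policy = Callable[[int], Optional[float]]


def fixed_pause_policy(failures: int) -> Optional[float]:
    """Assumed non-escalating policy: a 30 s pause after every 5th failure,
    forever. This is the shape of policy the post says a robot can wear down."""
    if failures > 0 and failures % 5 == 0:
        return 30.0
    return 0.0


def escalating_policy(failures: int) -> Optional[float]:
    """Assumed escalating policy (illustrative numbers only): lockouts grow
    with each failure past the fifth, and the device stops accepting input
    after the tenth failure."""
    schedule = {5: 60.0, 6: 300.0, 7: 900.0, 8: 3600.0, 9: 3600.0}
    if failures < 5:
        return 0.0
    if failures in schedule:
        return schedule[failures]
    return None  # ten or more failures: device disabled / wiped


def worst_case_seconds(policy: Policy, space: int = PIN_SPACE,
                       per_try: float = ROBOT_SECONDS_PER_TRY) -> Optional[float]:
    """Seconds for the robot to try every PIN when the correct one is last.
    Returns None if the policy locks the device before the space is covered."""
    total = 0.0
    for failures in range(space):        # this is attempt number failures + 1
        wait = policy(failures)
        if wait is None:
            return None
        total += wait + per_try
    return total


def attempts_before_lockout(policy: Policy, space: int = PIN_SPACE) -> int:
    """How many guesses the policy allows before refusing; equals the space
    size when the policy never refuses."""
    for failures in range(space):
        if policy(failures) is None:
            return failures
    return space


if __name__ == "__main__":
    for name, policy in (("fixed pause", fixed_pause_policy),
                         ("escalating", escalating_policy)):
        secs = worst_case_seconds(policy)
        tries = attempts_before_lockout(policy)
        if secs is None:
            print(f"{name}: locked out after {tries} guesses "
                  f"({tries / PIN_SPACE:.2%} of the PIN space)")
        else:
            print(f"{name}: full space in {secs / 3600:.1f} hours, "
                  f"never locks out")
```

With these assumed numbers the non-escalating policy lets the robot cover all 10,000 PINs in about 19 hours, while the escalating policy caps the attacker at ten guesses, a tenth of a percent of the space, regardless of how patient the robot is.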

Thu, 26 Sep 2013 11:58:35 UTC

Paradoxes of Big Data

Posted By Bruce Schneier

Interesting paper: "Three Paradoxes of Big Data," by Neil M. Richards and Jonathan H. King, Stanford Law Review Online, 2013. Abstract: Big data is all the rage. Its proponents tout the use of sophisticated analytics to mine large data sets for insight as the solution to many of our society's problems. These big data evangelists insist that data-driven decisionmaking can...

Wed, 25 Sep 2013 12:17:01 UTC

Good Summary of Potential NSA Involvement in a NIST RNG Standard

Posted By Bruce Schneier

Kim Zetter has written the definitive story -- at least so far -- of the possible backdoor in the Dual_EC_DRBG random number generator that's part of the NIST SP800-90 standard....

Tue, 24 Sep 2013 14:20:01 UTC

Apple's iPhone Fingerprint Reader Successfully Hacked

Posted By Bruce Schneier

Nice hack from the Chaos Computer Club: The method follows the steps outlined in this how-to with materials that can be found in almost every household: First, the fingerprint of the enrolled user is photographed with 2400 dpi resolution. The resulting image is then cleaned up, inverted and laser printed with 1200 dpi onto transparent sheet with a thick toner...

Mon, 23 Sep 2013 18:14:17 UTC

NSA Job Opening

Posted By Bruce Schneier

The NSA is looking for a Civil Liberties & Privacy Officer. It appears to be an internal posting. The NSA Civil Liberties & Privacy Officer (CLPO) is conceived as a completely new role, combining the separate responsibilities of NSA's existing Civil Liberties and Privacy (CL/P) protection programs under a single official. The CLPO will serve as the primary advisor to...

Mon, 23 Sep 2013 11:21:37 UTC

Metadata Equals Surveillance

Posted By Bruce Schneier

Back in June, when the contents of Edward Snowden's cache of NSA documents were just starting to be revealed and we learned about the NSA collecting phone metadata of every American, many people -- including President Obama -- discounted the seriousness of the NSA's actions by saying that it's just metadata. Lots and lots of people effectively demolished that trivialization,...

Fri, 20 Sep 2013 21:25:59 UTC

Friday Squid Blogging: How Bacteria Terraform a Squid

Posted By Bruce Schneier

Fascinating: The bacterium Vibrio fischeri is a squid terraformer. Although it can live independently in seawater, it also colonises the body of the adorable Hawaiian bobtail squid. The squid nourishes the bacteria with nutrients and the bacteria, in turn, act as an invisibility cloak. They produce a dim light that matches the moonlight shining down from above, masking the squid's...

Fri, 20 Sep 2013 17:01:34 UTC

Legally Justifying NSA Surveillance of Americans

Posted By Bruce Schneier

Kit Walsh has an interesting blog post where he looks at how existing law can be used to justify the surveillance of Americans. Just to challenge ourselves, we'll ignore the several statutory provisions and other doctrines that allow for spying without court oversight, such as urgent collection, gathering information not considered protected by the Fourth Amendment, the wartime spying provision,...

Fri, 20 Sep 2013 12:05:01 UTC

Google Knows Every Wi-Fi Password in the World

Posted By Bruce Schneier

This article points out that as people are logging into Wi-Fi networks from their Android phones, and backing up those passwords along with everything else into Google's cloud, that Google is amassing an enormous database of the world's Wi-Fi passwords. And while it's not every Wi-Fi password in the world, it's almost certainly a large percentage of them. Leaving aside...

Wed, 18 Sep 2013 12:06:23 UTC

Yochai Benkler on the NSA

Posted By Bruce Schneier

Excellent essay: We have learned that in pursuit of its bureaucratic mission to obtain signals intelligence in a pervasively networked world, the NSA has mounted a systematic campaign against the foundations of American power: constitutional checks and balances, technological leadership, and market entrepreneurship. The NSA scandal is no longer about privacy, or a particular violation of constitutional or legislative obligations....

Tue, 17 Sep 2013 11:15:46 UTC

The Limitations of Intelligence

Posted By Bruce Schneier

We recently learned that US intelligence agencies had at least three days' warning that Syrian President Bashar al-Assad was preparing to launch a chemical attack on his own people, but weren't able to stop it. At least that's what an intelligence briefing from the White House reveals. With the combined abilities of our national intelligence apparatus -- the CIA, NSA,...

Mon, 16 Sep 2013 18:25:41 UTC

Surreptitiously Tampering with Computer Chips

Posted By Bruce Schneier

This is really interesting research: "Stealthy Dopant-Level Hardware Trojans." Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage will not be noticed on any visual reverse-engineering of the chip -- remove all the layers, generate the netlist-style reverse engineering, and so on. And it...

Mon, 16 Sep 2013 17:59:49 UTC

Tom Tomorrow from 1994

Posted By Bruce Schneier

This was published during the battle about the Clipper Chip, and is remarkably prescient....

Mon, 16 Sep 2013 11:55:42 UTC

Reforming the NSA

Posted By Bruce Schneier

Leaks from the whistleblower Edward Snowden have catapulted the NSA into newspaper headlines and demonstrated that it has become one of the most powerful government agencies in the country. From the secret court rulings that allow it to collect data on all Americans to its systematic subversion of the entire Internet as a surveillance platform, the NSA has amassed an enormous...

Sun, 15 Sep 2013 16:53:06 UTC

Take Back the Internet

Posted By Bruce Schneier

Government and industry have betrayed the Internet, and us. By subverting the Internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our Internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our...

Sun, 15 Sep 2013 13:11:49 UTC

How to Remain Secure Against the NSA

Posted By Bruce Schneier

Now that we have enough details about how the NSA eavesdrops on the Internet, including today's disclosures of the NSA's deliberate weakening of cryptographic systems, we can finally start to figure out how to protect ourselves. For the past two weeks, I have been working with the Guardian on NSA stories, and have read hundreds of top-secret NSA documents provided...

Fri, 13 Sep 2013 21:07:37 UTC

Friday Squid Blogging: Squid Fishing in the Cook Islands

Posted By Bruce Schneier

Diamondback squid could be a source of food. No word on taste. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Sep 2013 16:02:51 UTC

Radio Interviews with Me

Posted By Bruce Schneier

Four interviews with me on the NSA....

Fri, 13 Sep 2013 11:23:53 UTC

New NSA Leak Shows MITM Attacks Against Major Internet Services

Posted By Bruce Schneier

The Brazilian television show "Fantastico" has exposed an NSA training presentation that discusses how the agency runs man-in-the-middle attacks on the Internet. The point of the story was that the NSA engages in economic espionage against Petrobras, the Brazilian giant oil company, but I'm more interested in the tactical details. The video on the webpage is long, and includes what...

Thu, 12 Sep 2013 18:34:12 UTC

Did I Actually Say That?

Posted By Bruce Schneier

I'm quoted (also here) as using this analogy to explain how IT companies will be damaged by the news that they've been collaborating with the NSA: "How would it be if your doctor put rat poison in your medicine? Highly damaging," said Bruce Schneier, a US computer security expert. Not the most eloquent I've been recently. Clearly I need to...

Thu, 12 Sep 2013 11:05:14 UTC

Ed Felten on the NSA Disclosures

Posted By Bruce Schneier

Ed Felten has an excellent essay on the damage caused by the NSA secretly breaking the security of Internet systems: In security, the worst case -- the thing you most want to avoid -- is thinking you are secure when you're not. And that's exactly what the NSA seems to be trying to perpetuate. Suppose you're driving a car that...

Wed, 11 Sep 2013 16:53:04 UTC

Matthew Green Speculates on How the NSA Defeats Encryption

Posted By Bruce Schneier

This blog post is well worth reading, and not just because Johns Hopkins University asked him to remove it, and then backed down a few hours later....

Wed, 11 Sep 2013 11:43:37 UTC

iPhone Fingerprint Authentication

Posted By Bruce Schneier

When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could...

Tue, 10 Sep 2013 11:55:08 UTC

The TSA Is Legally Allowed to Lie to Us

Posted By Bruce Schneier

The TSA does not have to tell the truth: Can the TSA (or local governments as directed by the TSA) lie in response to a FOIA request? Sure, no problem! Even the NSA responds that they "can't confirm or deny the existence" of classified things for which admitting or denying existence would (allegedly, of course) damage national security. But the...

Mon, 09 Sep 2013 18:30:59 UTC

Government Secrecy and the Generation Gap

Posted By Bruce Schneier

Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence. Most of these people do not have access to as much information as Edward Snowden, the former National Security Agency contractor turned...

Mon, 09 Sep 2013 11:20:25 UTC

Excess Automobile Deaths as a Result of 9/11

Posted By Bruce Schneier

People commented about a point I made in a recent essay: In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes. Yes, that's wrong. Where I said "months," I should have said "years." I got the...

Sat, 07 Sep 2013 12:55:54 UTC

My New PGP/GPG and OTR Keys

Posted By Bruce Schneier

You can find my new PGP public key and my OTR key fingerprint here....

Fri, 06 Sep 2013 21:50:00 UTC

Friday Squid Blogging: Giant Squid Found Off the Coast of Spain

Posted By Bruce Schneier

The incomplete specimen weighs over 160 lbs. And here's a map of squid spottings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Sep 2013 19:09:17 UTC

Another Interview

Posted By Bruce Schneier

I was interviewed by MinnPost....

Fri, 06 Sep 2013 16:08:06 UTC

Conspiracy Theories and the NSA

Posted By Bruce Schneier

I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public...

Fri, 06 Sep 2013 11:30:18 UTC

The NSA's Cryptographic Capabilities

Posted By Bruce Schneier

The latest Snowden document is the US intelligence "black budget." There's a lot of information in the few pages the Washington Post decided to publish, including an introduction by Director of National Intelligence James Clapper. In it, he drops a tantalizing hint: "Also, we are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." Honestly, I'm...

Thu, 05 Sep 2013 19:46:54 UTC

The NSA Is Breaking Most Encryption on the Internet

Posted By Bruce Schneier

The new Snowden revelations are explosive. Basically, the NSA is able to decrypt most of the Internet. They're doing it primarily by cheating, not by mathematics. It's joint reporting between the Guardian, the New York Times, and ProPublica. I have been working with Glenn Greenwald on the Snowden documents, and I have seen a lot of them. These are my...

Thu, 05 Sep 2013 18:57:05 UTC

The Effect of Money on Trust

Posted By Bruce Schneier

Money reduces trust in small groups, but increases it in larger groups. Basically, the introduction of money allows society to scale. The team devised an experiment where subjects in small and large groups had the option to give gifts in exchange for tokens. They found that there was a social cost to introducing this incentive. When all tokens were "spent",...

Thu, 05 Sep 2013 17:13:09 UTC

Journal of Homeland Security and Emergency Management

Posted By Bruce Schneier

I keep getting alerts of new issues, but there are rarely articles I find interesting....

Thu, 05 Sep 2013 13:32:30 UTC

Human/Machine Trust Failures

Posted By Bruce Schneier

I jacked a visitor's badge from the Eisenhower Executive Office Building in Washington, DC, last month. The badges are electronic; they're enabled when you check in at building security. You're supposed to wear it on a chain around your neck at all times and drop it through a slot when you leave. I kept the badge. I used my body...

Wed, 04 Sep 2013 17:08:48 UTC

SHA-3 Status

Posted By Bruce Schneier

NIST's John Kelsey gave an excellent talk on the history, status, and future of the SHA-3 hashing standard. The slides are online....

Wed, 04 Sep 2013 12:02:41 UTC

Business Opportunities in Cloud Security

Posted By Bruce Schneier

Bessemer Venture Partners partner David Cowan has an interesting article on the opportunities for cloud security companies. Richard Stiennon, an industry analyst, has a similar article. And Zscaler comments on a 451 Research report on the cloud security business....

Tue, 03 Sep 2013 18:45:12 UTC

Syrian Electronic Army Cyberattacks

Posted By Bruce Schneier

The Syrian Electronic Army attacked again this week, compromising the websites of the New York Times, Twitter, the Huffington Post, and others. Political hacking isn't new. Hackers were breaking into systems for political reasons long before commerce and criminals discovered the Internet. Over the years, we've seen U.K. vs. Ireland, Israel vs. Arab states, Russia vs. its former Soviet republics,...

Tue, 03 Sep 2013 11:41:42 UTC

Our Newfound Fear of Risk

Posted By Bruce Schneier

We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well. They often don't provide the security they advertise, and -- paradoxically...

Mon, 02 Sep 2013 11:40:38 UTC

1983 Article on the NSA

Posted By Bruce Schneier

The moral is that NSA surveillance overreach has been going on for a long, long time....

Fri, 30 Aug 2013 21:40:28 UTC

Friday Squid Blogging: Bobtail Squid Photo

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Aug 2013 18:54:06 UTC

Opsec Details of Snowden Meeting with Greenwald and Poitras

Posted By Bruce Schneier

I don't like stories about the personalities in the Snowden affair, because it detracts from the NSA and the policy issues. But I'm a sucker for operational security, and just have to post this detail from their first meeting in Hong Kong: Snowden had instructed them that once they were in Hong Kong, they were to go at an appointed...

Fri, 30 Aug 2013 11:12:23 UTC

More on the NSA Commandeering the Internet

Posted By Bruce Schneier

If there's any confirmation that the U.S. government has commandeered the Internet for worldwide surveillance, it is what happened with Lavabit earlier this month. Lavabit is -- well, was -- an e-mail service that offered more privacy than the typical large-Internet-corporation services that most of us use. It was a small company, owned and operated by Ladar Levison, and it...

Thu, 29 Aug 2013 18:13:22 UTC

How Many Leakers Came Before Snowden?

Posted By Bruce Schneier

Assume it's really true that the NSA has no idea what documents Snowden took, and that they wouldn't even know he'd taken anything if he hadn't gone public. The fact that abuses of their systems by NSA officers were largely discovered through self-reporting substantiates that belief. Given that, why should anyone believe that Snowden is the first person to walk...

Thu, 29 Aug 2013 17:28:05 UTC

The Federal Trade Commission and Privacy

Posted By Bruce Schneier

New paper on the FTC and its actions to protect privacy: Abstract: One of the great ironies about information privacy law is that the primary regulation of privacy in the United States has barely been studied in a scholarly way. Since the late 1990s, the Federal Trade Commission (FTC) has been enforcing companies' privacy policies through its authority to police...

Wed, 28 Aug 2013 20:13:31 UTC

Feds Target Polygraph-Beating Company

Posted By Bruce Schneier

A company that teaches people how to beat lie detectors is under investigation....

Wed, 28 Aug 2013 12:07:34 UTC

Evading Internet Censorship

Posted By Bruce Schneier

This research project by Brandon Wiley -- the tool is called "Dust" -- looks really interesting. Here's the description of his Defcon talk: Abstract: The greatest danger to free speech on the Internet today is filtering of traffic using protocol fingerprinting. Protocols such as SSL, Tor, BitTorrent, and VPNs are being summarily blocked, regardless of their legal and ethical uses....

Tue, 27 Aug 2013 18:19:13 UTC

More on NSA Data Collection

Posted By Bruce Schneier

There's an article from Wednesday's Wall Street Journal that gives more details about the NSA's data collection efforts. The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between...

Tue, 27 Aug 2013 11:39:27 UTC

Detaining David Miranda

Posted By Bruce Schneier

Last Sunday, David Miranda was detained while changing planes at London Heathrow Airport by British authorities for nine hours under a controversial British law -- the maximum time allowable without making an arrest. There has been much made of the fact that he's the partner of Glenn Greenwald, the Guardian reporter whom Edward Snowden trusted with many of his NSA...

Mon, 26 Aug 2013 18:19:59 UTC

Protecting Against Leakers

Posted By Bruce Schneier

Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization. The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people...

Mon, 26 Aug 2013 12:02:53 UTC

"The Next Generation Communications Privacy Act"

Posted By Bruce Schneier

Orin Kerr envisions what the ECPA should look like today: Abstract: In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to regulate government access to Internet communications and records. ECPA is widely seen as outdated, and ECPA reform is now on the Congressional agenda. At the same time, existing reform proposals retain the structure of the 1986 Act and...

Fri, 23 Aug 2013 21:00:09 UTC

Friday Squid Blogging: New Research in How Squids Change Color

Posted By Bruce Schneier

Interesting: Structural colors rely exclusively on the density and shape of the material rather than its chemical properties. The latest research from the UCSB team shows that specialized cells in the squid skin called iridocytes contain deep pleats or invaginations of the cell membrane extending deep into the body of the cell. This creates layers or lamellae that operate as...

Fri, 23 Aug 2013 18:23:00 UTC

How Security Becomes Banal

Posted By Bruce Schneier

Interesting paper: "The Banality of Security: The Curious Case of Surveillance Cameras," by Benjamin Goold, Ian Loader, and Angélica Thumala (full paper is behind a paywall). Abstract: Why do certain security goods become banal (while others do not)? Under what conditions does banality occur and with what effects? In this paper, we answer these questions by examining the story of...

Fri, 23 Aug 2013 11:00:11 UTC

Hacking Consumer Devices

Posted By Bruce Schneier

Last weekend, a Texas couple apparently discovered that the electronic baby monitor in their children's bedroom had been hacked. According to a local TV station, the couple said they heard an unfamiliar voice coming from the room, went to investigate and found that someone had taken control of the camera monitor remotely and was shouting profanity-laden abuse. The child's father...

Thu, 22 Aug 2013 11:54:17 UTC

Susan Landau Article on the Snowden Documents

Posted By Bruce Schneier

Really good article by Susan Landau on the Snowden documents and what they mean....

Wed, 21 Aug 2013 12:01:45 UTC

Measuring Entropy and its Applications to Encryption

Posted By Bruce Schneier

There have been a bunch of articles about an information theory paper with vaguely sensational headlines like "Encryption is less secure than we thought" and "Research shakes crypto foundations." It's actually not that bad. Basically, the researchers argue that the traditional measurement of Shannon entropy isn't the right model to use for cryptography, and that minimum entropy is. This difference may...

Tue, 20 Aug 2013 12:10:15 UTC

Teens and Privacy

Posted By Bruce Schneier

Not much surprising in this new survey. Many teens ages 12-17 report that they usually figure out how to manage content sharing and privacy settings on their own. Focus group interviews with teens suggest that for their day-to-day privacy management, teens are guided through their choices in the app or platform when they sign up, or find answers through their...

Mon, 19 Aug 2013 11:47:58 UTC

The Cryptopocalypse

Posted By Bruce Schneier

There was a presentation at Black Hat last month warning us of a "factoring cryptopocalypse": a moment when factoring numbers and solving the discrete log problem become easy, and both RSA and DH break. This presentation was provocative, and has generated a lot of commentary, but I don't see any reason to worry. Yes, breaking modern public-key cryptosystems has gotten...

Fri, 16 Aug 2013 21:13:06 UTC

Friday Squid Blogging: Squid Ink as Food Coloring

Posted By Bruce Schneier

Alton Brown suggests it for ice cream. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Aug 2013 19:12:35 UTC

Wired Names "Schneier on Security" to Best Blog List

Posted By Bruce Schneier

I made the list of Wired's best "Government and Security" blogs....

Fri, 16 Aug 2013 12:31:09 UTC

Management Issues in Terrorist Organizations

Posted By Bruce Schneier

Terrorist organizations have the same management problems as other organizations, and new ones besides: Terrorist leaders also face a stubborn human resources problem: Their talent pool is inherently unstable. Terrorists are obliged to seek out recruits who are predisposed to violence -- that is to say, young men with a chip on their shoulder. Unsurprisingly, these recruits are not usually...

Thu, 15 Aug 2013 11:10:55 UTC

The NSA is Commandeering the Internet

Posted By Bruce Schneier

It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose. Others cooperate, either out of patriotism or because they believe it's easier that way....

Wed, 14 Aug 2013 18:12:35 UTC

Time Magazine Names "Schneier on Security" to Best Blog List

Posted By Bruce Schneier

My blog has made the Time magazine "The 25 Best Bloggers 2013 Edition" list. I can't believe this was published ten days ago, and I'm only just finding out about it. Aren't all you people supposed to be sending me links of things I might be interested in?...

Wed, 14 Aug 2013 17:06:10 UTC

Stories from MI5

Posted By Bruce Schneier

This essay is filled with historical MI5 stories -- often bizarre, sometimes amusing. My favorite: It was recently revealed that back in the 1970s -- at the height of the obsession with traitors -- MI5 trained a specially bred group of Gerbils to detect spies. Gerbils have a very acute sense of smell and they were used in interrogations to tell...

Wed, 14 Aug 2013 12:43:21 UTC

Circumventing Communications Blackouts

Posted By Bruce Schneier

Rangzen looks like a really interesting ad hoc mesh networking system to circumvent government-imposed communications blackouts. I am particularly interested in how it uses reputation to determine who can be trusted, while maintaining some level of anonymity. Academic paper: Abstract: A challenging problem in dissent networking is that of circumventing large-scale communication blackouts imposed by oppressive governments. Although prior work...

Tue, 13 Aug 2013 18:31:36 UTC

Book Review: Rise of the Warrior Cop

Posted By Bruce Schneier

Rise of the Warrior Cop: The Militarization of America's Police Forces, by Radley Balko, PublicAffairs, 2013, 400 pages. War as a rhetorical concept is firmly embedded in American culture. Over the past several decades, federal and local law enforcement has been enlisted in a war on crime, a war on drugs and a war on terror. These wars are...

Tue, 13 Aug 2013 11:45:54 UTC

The 2013 Cryptologic History Symposium

Posted By Bruce Schneier

The 2013 Cryptologic History Symposium, sponsored by the NSA, will be held at Johns Hopkins University this October....

Mon, 12 Aug 2013 19:33:02 UTC

NSA Increasing Security by Firing 90% of Its Sysadmins

Posted By Bruce Schneier

General Keith Alexander thinks he can improve security by automating sysadmin duties such that 90% of them can be fired: Using technology to automate much of the work now done by employees and contractors would make the NSA's networks "more defensible and more secure," as well as faster, he said at the conference, in which he did not mention Snowden...

Mon, 12 Aug 2013 11:29:54 UTC

Security at Sports Stadiums

Posted By Bruce Schneier

Lots of sports stadiums have instituted Draconian new rules. Here are the rules for St. Louis Rams games: Fans will be able to carry the following style and size bag, package, or container at stadium plaza areas, stadium gates, or when approaching queue lines of fans awaiting entry into the stadium: Bags that are clear plastic, vinyl or PVC and...

Fri, 09 Aug 2013 21:16:32 UTC

Friday Squid Blog: Rickshaw Cart Woodblock Print

Posted By Bruce Schneier

With a squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 09 Aug 2013 16:45:34 UTC

Lavabit E-Mail Service Shut Down

Posted By Bruce Schneier

Lavabit, the more-secure e-mail service that Edward Snowden -- among others -- used, has abruptly shut down. From the message on their homepage: I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I...

Fri, 09 Aug 2013 11:04:14 UTC

Latest Movie-Plot Threat: Explosive-Dipped Clothing

Posted By Bruce Schneier

It's being reported, although there's no indication of where this rumor is coming from or what it's based on. ...the new tactic allows terrorists to dip ordinary clothing into the liquid to make the clothes themselves into explosives once dry. "It's ingenious," one of the officials said. Another senior official said that the tactic would not be detected by current...

Thu, 08 Aug 2013 17:20:13 UTC

Twitter's Two-Factor Authentication System

Posted By Bruce Schneier

Twitter just rolled out a pretty nice two-factor authentication system using your smart phone as the second factor: The new two-factor system works like this. A user enrolls using the mobile app, which generates a 2048-bit RSA keypair. The private key lives on the phone itself, and the public key is uploaded to Twitter's server. When Twitter receives a new...

Thu, 08 Aug 2013 11:14:49 UTC

Kip Hawley on Fixing the TSA

Posted By Bruce Schneier

The further Kip Hawley has gotten from running the TSA, the more sense he has started to make. This is pretty good....

Wed, 07 Aug 2013 11:29:18 UTC

Restoring Trust in Government and the Internet

Posted By Bruce Schneier

In July 2012, responding to allegations that the video-chat service Skype -- owned by Microsoft -- was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company's blog to deny it. Turns out that wasn't quite true. Or at least he -- or the company's lawyers --...

Tue, 06 Aug 2013 18:42:19 UTC

Has Tor Been Compromised?

Posted By Bruce Schneier

There's speculation that the FBI is responsible for an exploit that compromised the Tor anonymity service. Note that Tor nodes installed or updated after June 26 are secure....

Tue, 06 Aug 2013 11:16:44 UTC

NSA Surveillance and Mission Creep

Posted By Bruce Schneier

Last month, I wrote about the potential for mass surveillance mission creep: the tendency for the vast NSA surveillance apparatus to be used for other, lesser, crimes. My essay was theoretical, but it turns out to be already happening. Other agencies are already asking to use the NSA data: Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and...

Mon, 05 Aug 2013 11:02:44 UTC

The Public/Private Surveillance Partnership

Posted By Bruce Schneier

Imagine the government passed a law requiring all citizens to carry a tracking device. Such a law would immediately be found unconstitutional. Yet we all carry mobile phones. If the National Security Agency required us to notify it whenever we made a new friend, the nation would rebel. Yet we notify Facebook. If the Federal Bureau of Investigation demanded copies...

Fri, 02 Aug 2013 22:59:20 UTC

Friday Squid Blogging: Squid Watch

Posted By Bruce Schneier

I like watches with no numbers. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Aug 2013 20:20:03 UTC

XKeyscore

Posted By Bruce Schneier

The Guardian discusses a new secret NSA program: XKeyscore. It's the desktop system that allows NSA agents to spy on anyone over the Internet in real time. It searches existing NSA databases -- presumably including PRISM -- and can create fingerprints to search for all future data collections from systems like TRAFFIC THIEF. This seems to be what Edward Snowden...

Fri, 02 Aug 2013 19:28:29 UTC

Cryptography Engineering Book Review

Posted By Bruce Schneier

Good review of the strengths and weaknesses of Cryptography Engineering and Applied Cryptography. Best -- at least to me -- is the list of things missing, which we'll have to address if we do another edition....

Fri, 02 Aug 2013 13:03:11 UTC

False Positives and Ubiquitous Surveillance

Posted By Bruce Schneier

Searching on Google for a pressure cooker and backpacks got one family investigated by the police. More stories and comments. This seems not to be the NSA eavesdropping on everyone's Internet traffic, as was first assumed. It was one of those "see something say something" amateur tips: Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based...

Thu, 01 Aug 2013 20:54:50 UTC

Economist Cyberwar Debate

Posted By Bruce Schneier

Richard Bejtlich and Thomas Rid (author of the excellent book Cyber War Will Not Take Place) debate the cyberwar threat on the Economist website....

Thu, 01 Aug 2013 11:37:46 UTC

Scientists Banned from Revealing Details of Car-Security Hack

Posted By Bruce Schneier

The UK has banned researchers from revealing details of security vulnerabilities in car locks. In 2008, Philips brought a similar suit against researchers who broke the Mifare chip. That time, they lost. This time, Volkswagen sued and won. This is bad news for security researchers. (Remember back in 2001 when security researcher Ed Felten sued the RIAA in the US...

Wed, 31 Jul 2013 11:25:29 UTC

Brian Krebs Harassed

Posted By Bruce Schneier

This is what happens when you're a security writer and you piss off the wrong people: they conspire to have heroin mailed to you, and then to tip off the police. And that's after they've called in a fake hostage situation....

Tue, 30 Jul 2013 18:44:06 UTC

Neighborhood Security: Feeling vs. Reality

Posted By Bruce Schneier

Research on why some neighborhoods feel safer: Salesses and collaborators Katja Schechtner and César A. Hidalgo built an online comparison tool using Google Street View images to identify these often unseen triggers of our perception of place. Have enough people compare paired images of streets in New York or Boston, for instance, for the scenes that look more "safe" or...

Tue, 30 Jul 2013 12:33:54 UTC

Really Clever Bank Card Fraud

Posted By Bruce Schneier

This is a really clever social engineering attack against a bank-card holder: It all started, according to the police, on the Saturday night where one of this gang will have watched me take money from the cash point. That's the details of my last transaction taken care of. Sinister enough, the thought of being spied on while you're trying to...

Mon, 29 Jul 2013 11:28:17 UTC

Obama's Continuing War Against Leakers

Posted By Bruce Schneier

The Obama Administration has a comprehensive "insider threat" program to detect leakers from within government. This is pre-Snowden. Not surprisingly, the combination of profiling and "see something, say something" is unlikely to work. In an initiative aimed at rooting out future leakers and other security violators, President Barack Obama has ordered federal employees to report suspicious actions of their colleagues...

Fri, 26 Jul 2013 21:27:18 UTC

Friday Squid Blogging: Squid Song

Posted By Bruce Schneier

It's "Sparky the Giant Squid." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Jul 2013 18:19:18 UTC

NSA Cracked the Kryptos Sculpture Years Before the CIA Did

Posted By Bruce Schneier

We interrupt this blog for some important inter-agency rivalry. The fourth part is still uncracked, though. Older links....

Fri, 26 Jul 2013 11:25:05 UTC

Secret Information Is More Trusted

Posted By Bruce Schneier

This is an interesting, if slightly disturbing, result: In one experiment, we had subjects read two government policy papers from 1995, one from the State Department and the other from the National Security Council, concerning United States intervention to stop the sale of fighter jets between foreign countries. The documents, both of which were real papers released through the Freedom...

Thu, 25 Jul 2013 17:27:34 UTC

Details on NSA/FBI Eavesdropping

Posted By Bruce Schneier

We're starting to see Internet companies talk about the mechanics of how the US government spies on their users. Here, a Utah ISP owner describes his experiences with NSA eavesdropping: We had to facilitate them to set up a duplicate port to tap in to monitor that customer's traffic. It was a 2U (two-unit) PC that we ran a mirrored...

Thu, 25 Jul 2013 11:46:10 UTC

Poached Eggs

Posted By Bruce Schneier

The story of people who poach and collect rare eggs, and the people who hunt them down. Securing wildlife against poachers is a difficult problem, especially when the defenders are poor countries with not a lot of resources....

Wed, 24 Jul 2013 19:52:02 UTC

Michael Hayden on the Effects of Snowden's Whistleblowing

Posted By Bruce Schneier

Former NSA director Michael Hayden lists three effects of the Snowden documents: "...the undeniable operational effect of informing adversaries of American intelligence's tactics, techniques and procedures." "...the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law." "...the erosion of confidence in the ability of the United States to do anything discreetly or keep...

Wed, 24 Jul 2013 11:18:36 UTC

NSA Implements Two-Man Control for Sysadmins

Posted By Bruce Schneier

In an effort to lock the barn door after the horse has escaped, the NSA is implementing two-man control for sysadmins: NSA chief Keith Alexander said his agency had implemented a "two-man rule," under which any system administrator like Snowden could only access or move key information with another administrator present. With some 15,000 sites to fix, Alexander said, it...

Tue, 23 Jul 2013 18:00:11 UTC

How the FISA Court Undermines Trust

Posted By Bruce Schneier

This is a succinct explanation of how the secrecy of the FISA court undermines trust. Surveillance types make a distinction between secrecy of laws, secrecy of procedures and secrecy of operations. The expectation is that the laws that empower or limit the government's surveillance powers are always public. The programs built atop those laws are often secret. And the individual...

Tue, 23 Jul 2013 11:21:50 UTC

Marc Rotenberg on the NSA Supreme Court Suit

Posted By Bruce Schneier

Marc Rotenberg of EPIC explains why he is suing the NSA in the Supreme Court. And USA Today has a back and forth on the topic....

Mon, 22 Jul 2013 18:04:08 UTC

Prosecuting Snowden

Posted By Bruce Schneier

I generally don't like stories about Snowden as a person, because they distract from the real story of the NSA surveillance programs, but this article on the costs and benefits of the US government prosecuting Edward Snowden is worth reading....

Mon, 22 Jul 2013 11:36:09 UTC

Violence as a Source of Trust in Criminal Societies

Posted By Bruce Schneier

This is interesting: If I know that you have committed a violent act, and you know that I have committed a violent act, we each have information on each other that we might threaten to use if relations go sour (Schelling notes that one of the most valuable rights in business relations is the right to be sued -- this...

Fri, 19 Jul 2013 21:12:31 UTC

Friday Squid Blogging: Paul Burke Giant Squid Sculpture

Posted By Bruce Schneier

The wood sculpture is part of an art exhibit at the VanDusen Botanical Garden in Vancouver....

Fri, 19 Jul 2013 19:45:23 UTC

TSA Considering Implementing Randomized Security

Posted By Bruce Schneier

For a change, here's a good idea by the TSA: TSA has just issued a Request for Information (RFI) to prospective vendors who could develop and supply such randomizers, which TSA expects to deploy at CAT X through CAT IV airports throughout the United States. "The Randomizers would be used to route passengers randomly to different checkpoint lines," says the...

Fri, 19 Jul 2013 14:40:22 UTC

Counterterrorism Mission Creep

Posted By Bruce Schneier

One of the assurances I keep hearing about the U.S. government's spying on American citizens is that it's only used in cases of terrorism. Terrorism is, of course, an extraordinary crime, and its horrific nature is supposed to justify permitting all sorts of excesses to prevent it. But there's a problem with this line of reasoning: mission creep. The definitions...

Thu, 18 Jul 2013 20:58:37 UTC

PRISM Q&A

Posted By Bruce Schneier

Mikko Hypponen and I answered questions about PRISM on the TED website....

Thu, 18 Jul 2013 13:37:39 UTC

Snowden's Dead Man's Switch

Posted By Bruce Schneier

Edward Snowden has set up a dead man's switch. He's distributed encrypted copies of his document trove to various people, and has set up some sort of automatic system to distribute the key, should something happen to him. Dead man's switches have a long history, both for safety (the machinery automatically stops if the operator's hand goes slack) and security...

Wed, 17 Jul 2013 19:45:20 UTC

DHS Puts its Head in the Sand

Posted By Bruce Schneier

On the subject of the recent Washington Post Snowden document, the DHS sent this e-mail out to at least some of its employees: From: xxxxx Sent: Thursday, July 11, 2013 10:28 AM To: xxxxx Cc: xxx Security Reps; xxx SSO; xxxx;xxxx Subject: //// SECURITY ADVISORY//// NEW WASHINGTON POST WEBPAGE ARTICLE -- DO NOT CLICK ON THIS LINK I have been...

Wed, 17 Jul 2013 17:03:02 UTC

Tapping Undersea Cables

Posted By Bruce Schneier

Good article on the longstanding practice of secretly tapping undersea cables. This is news right now because of a new Snowden document....

Tue, 16 Jul 2013 17:35:56 UTC

The Value of Breaking the Law

Posted By Bruce Schneier

Interesting essay on the impossibility of being entirely lawful all the time, the balance that results from the difficulty of law enforcement, and the societal value of being able to break the law. What's often overlooked, however, is that these legal victories would probably not have been possible without the ability to break the law. The state of Minnesota, for...

Tue, 16 Jul 2013 12:11:32 UTC

A Problem with the US Privacy and Civil Liberties Oversight Board

Posted By Bruce Schneier

I haven't heard much about the Privacy and Civil Liberties Oversight Board. They recently held hearings regarding the Snowden documents. This particular comment stood out: Rachel Brand, another seemingly unsympathetic board member, concluded: "There is nothing that is more harmful to civil liberties than terrorism. This discussion here has been quite sterile because we have not been talking about terrorism."...

Mon, 15 Jul 2013 12:03:16 UTC

Walls Around Nations

Posted By Bruce Schneier

A political history of walls: Roman walls such as Hadrian's Wall, the Great Wall of China, the Berlin Wall, and the wall between Mexico and the U.S. Moral: they solve the wrong problem....

Sat, 13 Jul 2013 23:30:27 UTC

My Fellowship at the Berkman Center

Posted By Bruce Schneier

I have been awarded a fellowship at the Berkman Center for Internet and Society at Harvard University, for the 2013-2014 academic year. I'm excited about this; Berkman and Harvard is where a lot of the cool kids hang out, and I'm looking forward to working with them this coming year. In particular, I have three goals for the year: I...

Fri, 12 Jul 2013 21:49:11 UTC

Friday Squid Blogging: Squid-Bacteria Symbiotic Relationships

Posted By Bruce Schneier

This is really interesting research. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Jul 2013 11:37:24 UTC

F2P Monetization Tricks

Posted By Bruce Schneier

This is a really interesting article about something I never even thought about before: how games ("F2P" means "free to play") trick players into paying for stuff. For example: This is my favorite coercive monetization technique, because it is just so powerful. The technique involves giving the player some really huge reward, that makes them really happy, and then threatening...

Thu, 11 Jul 2013 11:36:30 UTC

More NSA Code Names

Posted By Bruce Schneier

We don't know what they mean, but there are a bunch of NSA code names on LinkedIn profiles. ANCHORY, AMHS, NUCLEON, TRAFFICTHIEF, ARCMAP, SIGNAV, COASTLINE, DISHFIRE, FASTSCOPE, OCTAVE/CONTRAOCTAVE, PINWALE, UTT, WEBCANDID, MICHIGAN, PLUS, ASSOCIATION, MAINWAY, FASCIA, OCTSKYWARD, INTELINK, METRICS, BANYAN, MARINA...

Wed, 10 Jul 2013 18:19:52 UTC

The NSA's Project SHAMROCK

Posted By Bruce Schneier

Nice history of Project SHAMROCK, the NSA's illegal domestic surveillance program from the 1970s. It targeted telegrams....

Wed, 10 Jul 2013 10:55:10 UTC

Musing on Secret Languages

Posted By Bruce Schneier

This is really interesting. It starts by talking about a "cant" dictionary of 16th-century thieves' argot, and ends up talking about secret languages in general. Incomprehension breeds fear. A secret language can be a threat: signifier has no need of signified in order to pack a punch. Hearing a conversation in a language we don't speak, we wonder whether we're...

Tue, 09 Jul 2013 17:17:12 UTC

The Effectiveness of Privacy Audits

Posted By Bruce Schneier

This study concludes that there is a benefit to forcing companies to undergo privacy audits: "The results show that there are empirical regularities consistent with the privacy disclosures in the audited financial statements having some effect. Companies disclosing privacy risks are less likely to incur a breach of privacy related to unintentional disclosure of privacy information; while companies suffering a...

Tue, 09 Jul 2013 11:24:03 UTC

Another Perspective on the Value of Privacy

Posted By Bruce Schneier

A philosophical perspective: But while Descartes's overall view has been rightly rejected, there is something profoundly right about the connection between privacy and the self, something that recent events should cause us to appreciate. What is right about it, in my view, is that to be an autonomous person is to be capable of having privileged access (in the two...

Mon, 08 Jul 2013 16:50:44 UTC

Big Data Surveillance Results in Bad Policy

Posted By Bruce Schneier

Evgeny Morozov makes a point about surveillance and big data: it just looks for useful correlations without worrying about causes, and leads people to implement "fixes" based simply on those correlations -- rather than understanding and correcting the underlying causes. As the media academic Mark Andrejevic points out in Infoglut, his new book on the political implications of information...

Mon, 08 Jul 2013 11:43:43 UTC

Protecting E-Mail from Eavesdropping

Posted By Bruce Schneier

In the wake of the Snowden NSA documents, reporters have been asking me whether encryption can solve the problem. Leaving aside the fact that much of what the NSA is collecting can't be encrypted by the user -- telephone metadata, e-mail headers, phone calling records, e-mail you're reading from a phone or tablet or cloud provider, anything you post on...

Fri, 05 Jul 2013 21:01:02 UTC

Friday Squid Blogging: Giant Origami Squid

Posted By Bruce Schneier

Giant origami squid photo found -- without explanation -- on Reddit. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Jul 2013 18:33:21 UTC

How Apple Continues to Make Security Invisible

Posted By Bruce Schneier

Interesting article: Apple is famously focused on design and human experience as their top guiding principles. When it comes to security, that focus created a conundrum. Security is all about placing obstacles in the way of attackers, but (despite the claims of security vendors) those same obstacles can get in the way of users, too. [...] For many years, Apple...

Fri, 05 Jul 2013 17:08:44 UTC

Sixth Movie-Plot Threat Contest Winner

Posted By Bruce Schneier

On April 1, I announced the Sixth Mostly-Annual Movie-Plot Threat Contest: For this year's contest, I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off...

Fri, 05 Jul 2013 12:04:39 UTC

Is Cryptography Engineering or Science?

Posted By Bruce Schneier

Responding to a tweet by Thomas Ptacek saying, "If you're not learning crypto by coding attacks, you might not actually be learning crypto," Colin Percival published a well-thought-out rebuttal, saying in part: If we were still in the 1990s, I would agree with Thomas. 1990s cryptography was full of holes, and the best you could hope for was to know...

Thu, 04 Jul 2013 12:07:42 UTC

The Office of the Director of National Intelligence Defends NSA Surveillance Programs

Posted By Bruce Schneier

Here's a transcript of a panel discussion about NSA surveillance. There's a lot worth reading here, but I want to quote Bob Litt's opening remarks. He's the General Counsel for ODNI, and he has a lot to say about the programs revealed so far in the Snowden documents. I'm reminded a little bit of a quote that, like many quotes,...

Wed, 03 Jul 2013 17:30:40 UTC

Privacy Protests

Posted By Bruce Schneier

Interesting law journal article: "Privacy Protests: Surveillance Evasion and Fourth Amendment Suspicion," by Elizabeth E. Joh. Abstract: The police tend to think that those who evade surveillance are criminals. Yet the evasion may only be a protest against the surveillance itself. Faced with the growing surveillance capacities of the government, some people object. They buy "burners" (prepaid phones) or "freedom...

Wed, 03 Jul 2013 11:02:57 UTC

US Department of Defense Censors Snowden Story

Posted By Bruce Schneier

The US Department of Defense is blocking sites that are reporting about the Snowden documents. I presume they're not censoring sites that are smearing him personally. Note that the DoD is only blocking those sites on its own network, not on the Internet at large. The blocking is being done by automatic filters, presumably the same ones used to block...

Tue, 02 Jul 2013 17:08:09 UTC

Security Analysis of Children

Posted By Bruce Schneier

This is a really good paper describing the unique threat model of children in the home, and the sorts of security philosophies that are effective in dealing with them. Stuart Schechter, "The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!" Definitely worth reading. Abstract: Children represent a unique challenge to the security and privacy...

Tue, 02 Jul 2013 11:49:40 UTC

NSA E-Mail Eavesdropping

Posted By Bruce Schneier

More Snowden documents analyzed by the Guardian -- two articles -- discuss how the NSA collected e-mails and data on Internet activity of both Americans and foreigners. The program might have ended in 2011, or it might have continued under a different name. This is the program that resulted in that bizarre tale of Bush officials confronting then-Attorney General John...

Mon, 01 Jul 2013 19:06:36 UTC

I've Joined the EFF Board

Posted By Bruce Schneier

I'm now on the board of directors of the EFF....

Mon, 01 Jul 2013 17:16:50 UTC

How the NSA Eavesdrops on Americans

Posted By Bruce Schneier

Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA's data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures. The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis -- and possibly...

Mon, 01 Jul 2013 11:24:54 UTC

SIMON and SPECK: New NSA Encryption Algorithms

Posted By Bruce Schneier

The NSA has published some new symmetric algorithms: Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a...

Fri, 28 Jun 2013 21:07:47 UTC

Friday Squid Blogging: Man Pulled Under by Squids

Posted By Bruce Schneier

Video story on Animal Planet. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Jun 2013 19:44:48 UTC

Me on EconTalk

Posted By Bruce Schneier

Another audio interview; this one is mostly about security and power....

Fri, 28 Jun 2013 19:42:25 UTC

My Talk at Google

Posted By Bruce Schneier

Last week, I gave a talk at Google. It's another talk about power and security, my continually evolving topic-of-the-moment that could very well become my next book. This installment is different than the previous talks and interviews, but not different enough that you should feel the need to watch it if you've seen the others. There are things I got...

Fri, 28 Jun 2013 18:37:18 UTC

Preventing Cell Phone Theft through Benefit Denial

Posted By Bruce Schneier

Adding a remote kill switch to cell phones would deter theft. Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works -- that 1) it's not possible for thieves to resurrect phones in order to resell them, and 2) that it's...

Fri, 28 Jun 2013 10:31:29 UTC

Malware that Foils Two-Factor Authentication

Posted By Bruce Schneier

This is an interesting article about a new breed of malware that also hijacks the victim's phone text messaging system, to intercept one-time passwords sent via that channel....

Thu, 27 Jun 2013 16:49:00 UTC

Pre-9/11 NSA Thinking

Posted By Bruce Schneier

This quote is from the Spring 1997 issue of CRYPTOLOG, the internal NSA newsletter. The writer is William J. Black, Jr., the Director's Special Assistant for Information Warfare. Specifically, the focus is on the potential abuse of the Government's applications of this new information technology that will result in an invasion of personal privacy. For us, this is difficult to...

Thu, 27 Jun 2013 11:34:02 UTC

Lessons from Biological Security

Posted By Bruce Schneier

Nice essay: The biological world is also open source in the sense that threats are always present, largely unpredictable, and always changing. Because of this, defensive measures that are perfectly designed for a particular threat leave you vulnerable to other ones. Imagine if our immune system were designed to deal only with a single strain of flu. In fact, our...

Wed, 26 Jun 2013 17:35:22 UTC

Secrecy and Privacy

Posted By Bruce Schneier

Interesting article on the history of, and the relationship between, secrecy and privacy: As a matter of historical analysis, the relationship between secrecy and privacy can be stated in an axiom: the defense of privacy follows, and never precedes, the emergence of new technologies for the exposure of secrets. In other words, the case for privacy always comes too late....

Wed, 26 Jun 2013 12:02:56 UTC

Cracking the Kryptos Sculpture

Posted By Bruce Schneier

Great story....

Tue, 25 Jun 2013 11:24:04 UTC

MAD in Cyberspace

Posted By Bruce Schneier

Ron Beckstrom gives a talk (video and transcript) about "Mutually Assured Destruction," "Mutually Assured Disruption," and "Mutually Assured Dependence."...

Mon, 24 Jun 2013 18:38:30 UTC

Spear Phishing Attack Against the Financial Times

Posted By Bruce Schneier

Interesting story with a lot of details....

Mon, 24 Jun 2013 10:31:09 UTC

The Future of Satellite Surveillance

Posted By Bruce Schneier

Pretty scary -- and cool. Remember, it's not any one thing that's worrisome; it's everything together....

Fri, 21 Jun 2013 21:28:54 UTC

Friday Squid Blogging: How the Acidification of the Oceans Affects Squid

Posted By Bruce Schneier

It's not good. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Jun 2013 19:32:30 UTC

Me on the Lou Dobbs Show

Posted By Bruce Schneier

I was on the Lou Dobbs Show earlier this week....

Fri, 21 Jun 2013 16:43:45 UTC

US Offensive Cyberwar Policy

Posted By Bruce Schneier

Today, the United States is conducting offensive cyberwar actions around the world. More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pretargeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice. This is much worse than what...

Fri, 21 Jun 2013 11:25:36 UTC

The Japanese Response to Terrorism

Posted By Bruce Schneier

Lessons from Japan's response to Aum Shinrikyo: Yet what's as remarkable as Aum's potential for mayhem is how little of it, on balance, they actually caused. Don't misunderstand me: Aum's crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable, and the human cost, devastating....

Thu, 20 Jun 2013 19:42:51 UTC

New Details on Skype Eavesdropping

Posted By Bruce Schneier

This article, on the cozy relationship between the commercial personal-data industry and the intelligence industry, has new information on the security of Skype. Skype, the Internet-based calling service, began its own secret program, Project Chess, to explore the legal and technical issues in making Skype calls readily available to intelligence agencies and law enforcement officials, according to people briefed on...

Thu, 20 Jun 2013 17:19:30 UTC

Love Letter to an NSA Agent

Posted By Bruce Schneier

A fine piece: "A Love Letter to the NSA Agent who is Monitoring my Online Activity." A similar sentiment is expressed in this video....

Thu, 20 Jun 2013 11:04:23 UTC

The US Uses Vulnerability Data for Offensive Purposes

Posted By Bruce Schneier

Companies allow US intelligence to exploit vulnerabilities before they patch them: Microsoft Corp. (MSFT), the world's largest software company, provides intelligence agencies with information about bugs in its popular software before it publicly releases a fix, according to two people familiar with the process. That information can be used to protect government computers and to access the computers of terrorists...

Wed, 19 Jun 2013 19:18:05 UTC

Petition the NSA to Subject its Surveillance Program to Public Comment

Posted By Bruce Schneier

I have signed a petition calling on the NSA to "suspend its domestic surveillance program pending public comment." This is what's going on: In a request today to National Security Agency director Keith Alexander and Defense Secretary Chuck Hagel, the group argues that the NSA's recently revealed domestic surveillance program is "unlawful" because the agency neglected to request public comments...

Wed, 19 Jun 2013 16:19:12 UTC

Finding Sociopaths on Facebook

Posted By Bruce Schneier

On his blog, Scott Adams suggests that it might be possible to identify sociopaths based on their interactions on social media. My hypothesis is that science will someday be able to identify sociopaths and terrorists by their patterns of Facebook and Internet use. I'll bet normal people interact with Facebook in ways that sociopaths and terrorists couldn't duplicate. Anyone can...

Wed, 19 Jun 2013 11:24:04 UTC

Cost/Benefit Questions NSA Surveillance

Posted By Bruce Schneier

John Mueller and Mark Stewart ask the important questions about the NSA surveillance programs: why were they secret, what have they accomplished, and what do they cost? This essay attempts to figure out if they accomplished anything, and this essay attempts to figure out if they can be effective at all....

Tue, 18 Jun 2013 21:00:47 UTC

Details of NSA Data Requests from US Corporations

Posted By Bruce Schneier

Facebook (here), Apple (here), and Yahoo (here) have all released details of US government requests for data. They each say that they've turned over user data for about 10,000 people, although the time frames are different. The exact number isn't important; what's important is that it's much lower than the millions implied by the PRISM document. Now the big question:...

Tue, 18 Jun 2013 16:02:52 UTC

NSA Secrecy and Personal Privacy

Posted By Bruce Schneier

In an excellent essay about privacy and secrecy, law professor Daniel Solove makes an important point. There are two types of NSA secrecy being discussed. It's easy to confuse them, but they're very different. Of course, if the government is trying to gather data about a particular suspect, keeping the specifics of surveillance efforts secret will decrease the likelihood of...

Tue, 18 Jun 2013 11:57:57 UTC

Evidence that the NSA Is Storing Voice Content, Not Just Metadata

Posted By Bruce Schneier

Interesting speculation that the NSA is storing everyone's phone calls, and not just metadata. Definitely worth reading. I expressed skepticism about this just a month ago. My assumption had always been that everyone's compressed voice calls is just too much data to move around and store. Now, I don't know. There's a bit of a conspiracy-theory air to all of...

Mon, 17 Jun 2013 17:47:38 UTC

Project C-43: A Final Piece of Public-Key Cryptography History

Posted By Bruce Schneier

This finally explains what John Ellis was talking about in "The Possibility of Non-Secret Encryption" when he dropped a tantalizing hint about wartime work at Bell Labs....

Mon, 17 Jun 2013 11:13:27 UTC

Blowback from the NSA Surveillance

Posted By Bruce Schneier

There's one piece of blowback that isn't being discussed -- aside from the fact that Snowden killed the chances of a liberal arts major getting a job at the DoD for a decade -- and that's how the massive NSA surveillance of the Internet affects the US's role in Internet governance. Ron Deibert makes this point: But there are unintended...

Fri, 14 Jun 2013 21:53:53 UTC

Friday Squid Blogging: Sperm Consumption in the Southern Bottletail Squid

Posted By Bruce Schneier

It's a novel behavior. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Jun 2013 17:20:07 UTC

Sixth Annual Movie-Plot Threat Contest Semifinalists

Posted By Bruce Schneier

On April 1, I announced the Sixth Annual Movie Plot Threat Contest: I want a cyberwar movie-plot threat. (For those who don't know, a movie-plot threat is a scare story that would make a great movie plot, but is much too specific to build security policy around.) Not the Chinese attacking our power grid or shutting off 911 emergency services...

Fri, 14 Jun 2013 12:15:16 UTC

Ricin as a Terrorist Tool

Posted By Bruce Schneier

This paper (full paper behind paywall) -- from Environment International (2009) -- does a good job of separating fact from fiction: Abstract: In recent years there has been an increased concern regarding the potential use of chemical and biological weapons for mass urban terror. In particular, there are concerns that ricin could be employed as such an agent. This has...

Thu, 13 Jun 2013 21:06:11 UTC

Trading Privacy for Convenience

Posted By Bruce Schneier

Ray Wang makes an important point about trust and our data: This is the paradox. The companies contending to win our trust to manage our digital identities all seem to have complementary (or competing) business models that breach that trust by selling our data. ...and by turning it over to the government. The current surveillance state is a result of...

Thu, 13 Jun 2013 16:34:42 UTC

More on Feudal Security

Posted By Bruce Schneier

Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones. Both Twitter and LinkedIn have recently suffered security breaches that affected the data of hundreds of...

Thu, 13 Jun 2013 11:09:34 UTC

Essays Related to NSA Spying Documents

Posted By Bruce Schneier

Here's a quick list of some of my older writings that are related to the current NSA spying documents: "The Internet Is a Surveillance State," 2013. The importance of government transparency and accountability, 2013. The dangers of a government/corporate eavesdropping partnership, 2013. "Why Data Mining Won't Stop Terror," 2006. "The Eternal Value of Privacy," 2006. The dangers of our...

Wed, 12 Jun 2013 11:16:10 UTC

Prosecuting Snowden

Posted By Bruce Schneier

Edward Snowden broke the law by releasing classified information. This isn't under debate; it's something everyone with a security clearance knows. It's written in plain English on the documents you have to sign when you get a security clearance, and it's part of the culture. The law is there for a good reason, and secrecy has an important role in...

Tue, 11 Jun 2013 17:30:02 UTC

The Psychology of Conspiracy Theories

Posted By Bruce Schneier

Interesting. Crazy as these theories are, those propagating them are not -- they're quite normal, in fact. But recent scientific research tells us this much: if you think one of the theories above is plausible, you probably feel the same way about the others, even though they contradict one another. And it's very likely that this isn't the only news...

Tue, 11 Jun 2013 11:21:36 UTC

Trust in IT

Posted By Bruce Schneier

Ignore the sensationalist headline. This article is a good summary of the need for trust in IT, and provides some ideas for how to enable more of it. Virtually everything we work with on a day-to-day basis is built by someone else. Avoiding insanity requires trusting those who designed, developed and manufactured the instruments of our daily existence. All these...

Mon, 10 Jun 2013 17:50:39 UTC

Tagging and Location Technologies

Posted By Bruce Schneier

Interesting speculative article....

Mon, 10 Jun 2013 11:12:06 UTC

Government Secrets and the Need for Whistle-blowers

Posted By Bruce Schneier

Yesterday, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That's everything except the voice content: who called who, where they were, how long the call lasted -- for millions of people, both Americans and foreigners. This "metadata" allows the government to track the movements of everyone during that period,...

Fri, 07 Jun 2013 21:35:19 UTC

Friday Squid Blogging: Squid Comic

Posted By Bruce Schneier

A squid comic about the importance of precise language in security warnings. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Jun 2013 19:22:58 UTC

Audio Interview with Me

Posted By Bruce Schneier

In this podcast interview, I talk about security, power, and the various things I have been thinking about recently....

Fri, 07 Jun 2013 11:41:26 UTC

A Really Good Article on How Easy it Is to Crack Passwords

Posted By Bruce Schneier

Ars Technica gave three experts a 16,000-entry encrypted password file, and asked them to break them. The winner got 90% of them, the loser 62% -- in a few hours. The list of "plains," as many crackers refer to deciphered hashes, contains the usual list of commonly used passcodes that are found in virtually every breach involving consumer websites. "123456,"...

Thu, 06 Jun 2013 10:58:02 UTC

The Cost of Terrorism in Pakistan

Posted By Bruce Schneier

This study claims "terrorism has cost Pakistan around 33.02% of its real national income" between the years 1973 and 2008, or about 1% per year. The St. Louis Fed puts the real gross national income of the U.S. at about $13 trillion total, hand-waving an average over the past few years. The best estimate I've seen for the increased cost...

Wed, 05 Jun 2013 18:11:21 UTC

Eugene Spafford Answers Questions on CNN.com

Posted By Bruce Schneier

Excellent interview....

Wed, 05 Jun 2013 12:20:43 UTC

Security and Human Behavior (SHB 2013)

Posted By Bruce Schneier

I'm at the Sixth Interdisciplinary Workshop on Security and Human Behavior (SHB 2013). This year we're in Los Angeles, at USC -- hosted by CREATE. My description from last year still applies: SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom...

Tue, 04 Jun 2013 17:44:37 UTC

The Problems with CALEA-II

Posted By Bruce Schneier

The FBI wants a new law that will make it easier to wiretap the Internet. Although its claim is that the new law will only maintain the status quo, it's really much worse than that. This law will result in less-secure Internet products and create a foreign industry in more-secure alternatives. It will impose costly burdens on affected companies. It...

Tue, 04 Jun 2013 11:19:24 UTC

The Security Risks of Unregulated Google Search

Posted By Bruce Schneier

Someday I need to write an essay on the security risks of secret algorithms that become part of our infrastructure. This paper gives one example of that. Could Google tip an election by manipulating what comes up from search results on the candidates? The study's participants, selected to resemble the US voting population, viewed the results for two candidates on...

Mon, 03 Jun 2013 11:15:22 UTC

The Problems with Managing Privacy by Asking and Giving Consent

Posted By Bruce Schneier

New paper from the Harvard Law Review by Daniel Solove: "Privacy Self-Management and the Consent Dilemma": Privacy self-management takes refuge in consent. It attempts to be neutral about substance -- whether certain forms of collecting, using, or disclosing personal data are good or bad -- and instead focuses on whether people consent to various privacy practices. Consent legitimizes nearly any...

Fri, 31 May 2013 21:39:11 UTC

Friday Squid Blogging: Squid Pronouns

Posted By Bruce Schneier

The translated version of a Spanish menu contains the entry "squids in his (her, your) ink." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 May 2013 11:07:46 UTC

The Rise of Amateurs Recording Events

Posted By Bruce Schneier

Interesting article on a greatly increased aspect of surveillance: "the ordinary citizen who by chance finds himself in a position to record events of great public import, and to share the results with the rest of us."...

Thu, 30 May 2013 11:31:22 UTC

Why We Lie

Posted By Bruce Schneier

This, by Judge Kozinski, is from a Federal court ruling about false statements and First Amendment protection: Saints may always tell the truth, but for mortals living means lying. We lie to protect our privacy ("No, I don't live around here"); to avoid hurt feelings ("Friday is my study night"); to make others feel better ("Gee you've gotten skinny"); to...

Wed, 29 May 2013 16:22:22 UTC

Are We Finally Thinking Sensibly About Terrorism?

Posted By Bruce Schneier

This article wonders if we are: Yet for pretty much the first time there has been a considerable amount of media commentary seeking to put terrorism in context -- commentary that concludes, as a Doyle McManus article in the Los Angeles Times put it a day after the attack, "We're safer than we think." Similar tunes were sung by Tom...

Tue, 28 May 2013 17:52:54 UTC

Nassim Nicholas Taleb on Risk Perception

Posted By Bruce Schneier

From his Facebook page: An illustration of how the news are largely created, bloated and magnified by journalists. I have been in Lebanon for the past 24h, and there were shells falling on a suburb of Beirut. Yet the news did not pass the local *social filter* and did [not] reach me from social sources.... The shelling is the kind...

Tue, 28 May 2013 10:09:16 UTC

The Politics of Security in a Democracy

Posted By Bruce Schneier

Terrorism causes fear, and we overreact to that fear. Our brains aren't very good at probability and risk analysis. We tend to exaggerate spectacular, strange and rare events, and downplay ordinary, familiar and common ones. We think rare risks are more common than they are, and we fear them more than probability indicates we should. Our leaders are just as...

Fri, 24 May 2013 21:54:17 UTC

Friday Squid Blogging: Eating Giant Squid

Posted By Bruce Schneier

How does he know this? Chris Cosentino, the Bay Area's "Offal Chef" at Incanto in San Francisco and PIGG at Umamicatessen in Los Angeles, opted for the most intimidating choice of all -- giant squid. "When it comes to underutilized fish, I wish the public wasn't so afraid of different shapes and sizes outside of the standard fillet," he said....

Fri, 24 May 2013 17:17:02 UTC

Training Baggage Screeners

Posted By Bruce Schneier

The research in G. Giguère and B.C. Love, "Limits in decision making arise from limits in memory retrieval," Proceedings of the National Academy of Sciences v. 19 (2013) has applications in training airport baggage screeners. Abstract: Some decisions, such as predicting the winner of a baseball game, are challenging in part because outcomes are probabilistic. When making such decisions, one...

Fri, 24 May 2013 13:40:57 UTC

New Report on Teens, Social Media, and Privacy

Posted By Bruce Schneier

Interesting report from the Pew Internet and American Life Project: Teens are sharing more information about themselves on their social media profiles than they did when we last surveyed in 2006: 91% post a photo of themselves, up from 79% in 2006. 71% post their school name, up from 49%. 71% post the city or town where they...

Thu, 23 May 2013 14:18:26 UTC

One-Shot vs. Iterated Prisoner's Dilemma

Posted By Bruce Schneier

This post by Aleatha Parker-Wood is very applicable to the things I wrote in Liars & Outliers: A lot of fundamental social problems can be modeled as a disconnection between people who believe (correctly or incorrectly) that they are playing a non-iterated game (in the game theory sense of the word), and people who believe (correctly or incorrectly) that...

Wed, 22 May 2013 17:05:54 UTC

"The Global Cyber Game"

Posted By Bruce Schneier

This 127-page report was just published by the UK Defence Academy. I have not read it yet, but it looks really interesting. Executive Summary: This report presents a systematic way of thinking about cyberpower and its use by a variety of global players. The urgency of addressing cyberpower in this way is a consequence of the very high value of...

Wed, 22 May 2013 11:24:45 UTC

DDOS as Civil Disobedience

Posted By Bruce Schneier

For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, are a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:...

Tue, 21 May 2013 11:15:11 UTC

Surveillance and the Internet of Things

Posted By Bruce Schneier

The Internet has turned into a massive surveillance tool. We're constantly monitored on the Internet by hundreds of companies -- both familiar and unfamiliar. Everything we do there is recorded, collected, and collated -- sometimes by corporations wanting to sell us stuff and sometimes by governments wanting to keep an eye on us. Ephemeral conversation is over. Wholesale surveillance is...

Mon, 20 May 2013 11:34:17 UTC

Security Risks of Too Much Security

Posted By Bruce Schneier

All of the anti-counterfeiting features of the new Canadian $100 bill are resulting in people not bothering to verify them. The fanfare about the security features on the bills may be part of the problem, said RCMP Sgt. Duncan Pound. "Because the polymer series' notes are so secure ... there's almost an overconfidence among retailers and the public in terms...

Fri, 17 May 2013 21:57:09 UTC

Friday Squid Blogging: Striped Pyjama Squid Pet Sculpture

Posted By Bruce Schneier

Technically, it's a cuttlefish and not a squid. But it's still nice art. I posted a photo of a real striped pyjama squid way back in 2006. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 May 2013 19:59:37 UTC

Applied Cryptography on Elementary

Posted By Bruce Schneier

In the episode that aired on May 9th, about eight or nine minutes in, there's a scene with a copy of Applied Cryptography prominently displayed on the coffee table. This isn't the first time that my books have appeared on that TV show....

Thu, 16 May 2013 13:45:20 UTC

Bluetooth-Controlled Door Lock

Posted By Bruce Schneier

Here is a new lock that you can control via Bluetooth and an iPhone app. That's pretty cool, and I can imagine all sorts of reasons to get one of those. But I'm sure there are all sorts of unforeseen security vulnerabilities in this system. And even worse, a single vulnerability can affect all the locks. Remember that vulnerability found...

Tue, 14 May 2013 10:48:13 UTC

Transparency and Accountability

Posted By Bruce Schneier

As part of the fallout of the Boston bombings, we're probably going to get some new laws that give the FBI additional investigative powers. As with the Patriot Act after 9/11, the debate over whether these new laws are helpful will be minimal, but the effects on civil liberties could be large. Even though most people are skeptical about sacrificing...

Mon, 13 May 2013 13:15:20 UTC

2007 NSA Manual on Internet Hacking

Posted By Bruce Schneier

Mildly interesting....

Fri, 10 May 2013 21:26:12 UTC

Friday Squid Blogging: Squid Festival in Monterey

Posted By Bruce Schneier

It's at the end of May. Note that it's being put on by the Calamari Entertainment Group. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 May 2013 18:49:42 UTC

The Onion on Browser Security

Posted By Bruce Schneier

Wise advice: At Chase Bank, we recognize the value of online banking -- it's quick, convenient, and available any time you need it. Unfortunately, though, the threats posed by malware and identity theft are very real and all too common nowadays. That's why, when you're finished with your online banking session, we recommend three simple steps to protect your personal...

Fri, 10 May 2013 11:47:32 UTC

Mail Cover

Posted By Bruce Schneier

From a FOIAed Department of Transportation document on investigative techniques: A "mail cover" is the process by which the U.S. Postal Service records any data appearing on the outside cover of any class of mail, sealed or unsealed, or by which a record is made of the contents of unsealed (second-, third-, or fourth-class) mail matter as allowed by law....

Thu, 09 May 2013 10:16:46 UTC

The Economist on Guantanamo

Posted By Bruce Schneier

Maybe the tide is turning: America is in a hole. The last response of the blowhards and cowards who have put it there is always: "So what would you do: set them free?" Our answer remains, yes. There is clearly a risk that some of them would then commit some act of violence -- in Yemen, elsewhere in the Middle...

Wed, 08 May 2013 18:54:28 UTC

Reidentifying Anonymous Data

Posted By Bruce Schneier

Latanya Sweeney has demonstrated how easy it can be to identify people from their birth date, gender, and zip code. The anonymous data she reidentified happened to be DNA data, but that's not relevant to her methods or results. Of the 1,130 volunteers Sweeney and her team reviewed, about 579 provided zip code, date of birth and gender, the three...

Wed, 08 May 2013 11:32:35 UTC

Evacuation Alerts at the Airport

Posted By Bruce Schneier

Last week, an employee error caused the monitors at LAX to display a building evacuation order: At a little before 9:47 p.m., the message read: "An emergency has been declared in the terminal. Please evacuate." An airport police source said officers responded to the scene at the Tom Bradley International Terminal, believing the system had been hacked. But an airport...

Tue, 07 May 2013 17:57:36 UTC

Is the U.S. Government Recording and Saving All Domestic Telephone Calls?

Posted By Bruce Schneier

I have no idea if "former counterterrorism agent for the FBI" Tom Clemente knows what he's talking about, but that's certainly what he implies here: More recently, two sources familiar with the investigation told CNN that Russell had spoken with Tamerlan after his picture appeared on national television April 18. What exactly the two said remains under investigation, the sources...

Tue, 07 May 2013 11:10:49 UTC

Intelligence Analysis and the Connect-the-Dots Metaphor

Posted By Bruce Schneier

The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn't happen again? It's an old song by now, one we heard after the...

Mon, 06 May 2013 18:17:15 UTC

Michael Chertoff on Google Glass

Posted By Bruce Schneier

Interesting op-ed by former DHS head Michael Chertoff on the privacy risks of Google Glass. Now imagine that millions of Americans walk around each day wearing the equivalent of a drone on their head: a device capable of capturing video and audio recordings of everything that happens around them. And imagine that these devices upload the data to large-scale commercial...

Mon, 06 May 2013 10:44:34 UTC

Honeywords

Posted By Bruce Schneier

Here is a simple but clever idea. Seed password files with dummy entries that will trigger an alarm when used. That way a site can know when a hacker is trying to decrypt the password file....

Fri, 03 May 2013 21:33:52 UTC

Friday Squid Blogging: Squid Escape Artist

Posted By Bruce Schneier

It's amazing how small a hole he can fit through. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 May 2013 17:44:28 UTC

Another WWII Message Decoded

Posted By Bruce Schneier

It's a really interesting code and story. (The first link has the most detailed information about the code and the cryptanalysis.)...

Fri, 03 May 2013 11:15:48 UTC

The Public/Private Surveillance Partnership

Posted By Bruce Schneier

Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received -- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no...

Thu, 02 May 2013 18:09:29 UTC

Risks of Networked Systems

Posted By Bruce Schneier

Interesting research: Helbing's publication illustrates how cascade effects and complex dynamics amplify the vulnerability of networked systems. For example, just a few long-distance connections can largely decrease our ability to mitigate the threats posed by global pandemics. Initially beneficial trends, such as globalization, increasing network densities, higher complexity, and an acceleration of institutional decision processes may ultimately push human-made or...

Thu, 02 May 2013 11:50:28 UTC

More on FinSpy/FinFisher

Posted By Bruce Schneier

FinFisher (also called FinSpy) is a commercially sold spyware package that is used by governments world-wide, including the U.S. There's a new report that has a bunch of new information: Our new findings include: We have identified FinFisher Command & Control servers in 11 new Countries. Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria. Taken together...

Wed, 01 May 2013 18:58:05 UTC

Google Pays $31,000 for Three Chrome Vulnerabilities

Posted By Bruce Schneier

Google is paying bug bounties. This is important; there's a market in vulnerabilities that provides incentives for their being kept secret and exploitable; for Google to buy and patch them makes us all more secure. The U.S. government should do the same....

Wed, 01 May 2013 15:26:40 UTC

Details of a Cyberheist

Posted By Bruce Schneier

Really interesting article detailing how criminals steal from a company's accounts over the Internet. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years. Basically, the criminals break into the...

Tue, 30 Apr 2013 18:29:38 UTC

The Importance of Backups

Posted By Bruce Schneier

I've already written about the guy who got a new trial because a virus ate his court records. Here's someone who will have to redo his thesis research because someone stole his only copy of the data. Remember the rule: no one ever wants backups, but everyone always wants restores. I have no idea if that image is real or...

Tue, 30 Apr 2013 11:11:44 UTC

Pinging the Entire Internet

Posted By Bruce Schneier

Turns out there's a lot of vulnerable systems out there: Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them. On Tuesday, Moore published results on a particularly troubling segment...

Mon, 29 Apr 2013 15:27:24 UTC

More Links on the Boston Terrorist Attacks

Posted By Bruce Schneier

Max Abrahms has two sensible essays. Probably the ultimate in security theater: Williams-Sonoma stops selling pressure cookers "out of respect." They say it's temporary. (I bought a Williams-Sonoma pressure cooker last Christmas; I wonder if I'm now on a list.) A tragedy: Sunil Tripathi, whom Reddit and other sites wrongly identified as one of the bombers, was found dead in...

Fri, 26 Apr 2013 21:05:44 UTC

Friday Squid Blogging: Lego Giant Squid Model

Posted By Bruce Schneier

This is a fantastic Lego model of a space kraken attacking a Star Wars Super Star Destroyer. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 26 Apr 2013 17:21:46 UTC

xkcd on a Bad Threat Model

Posted By Bruce Schneier

Funny, and true....

Fri, 26 Apr 2013 12:19:58 UTC

Tor Needs Bridges

Posted By Bruce Schneier

The Internet anonymity service Tor needs people who are willing to run bridges. It's a goodness for the world; do it if you can....

Thu, 25 Apr 2013 19:37:05 UTC

Cryptanalyst on British Postage Stamps

Posted By Bruce Schneier

A 92-year-old World War II Bletchley Park codebreaker has had a set of commemorative stamps issued in his honor....

Thu, 25 Apr 2013 11:42:54 UTC

Random Links on the Boston Terrorist Attack

Posted By Bruce Schneier

Encouraging poll data says that maybe Americans are starting to have realistic fears about terrorism, or at least are refusing to be terrorized. Good essay by Scott Atran on terrorism and our reaction. Reddit apologizes. I think this is a big story. The Internet is going to help in everything, including trying to identify terrorists. This will happen whether or...

Wed, 24 Apr 2013 18:06:27 UTC

Ellen on Protecting Passwords

Posted By Bruce Schneier

Pretty good video. Ellen makes fun of the "Internet Password Minder," which is -- if you think about it -- only slightly different than Password Safe....

Wed, 24 Apr 2013 11:51:07 UTC

More Plant Security Countermeasures

Posted By Bruce Schneier

I've talked about plant security systems, both here and in Beyond Fear. Specifically, I've talked about tobacco plants that call air strikes against insects that eat them, by releasing a scent that attracts predators to those insects. Here's another defense: the plants also tag caterpillars for predators by feeding them a sweet snack (full episode here) that makes them give...

Tue, 23 Apr 2013 17:34:27 UTC

The Police Now Like Amateur Photography

Posted By Bruce Schneier

PhotographyIsNotACrime.com points out the obvious: after years of warning us that photography is suspicious, the police were happy to accept all of those amateur photographs and videos at the Boston Marathon. Adding to the hypocrisy is that these same authorities will most likely start clamping down on citizens with cameras more than ever once the smoke clears and we once...

Tue, 23 Apr 2013 12:10:50 UTC

Securing Members of Congress from Transparency

Posted By Bruce Schneier

I commented in this article on the repeal of the transparency provisions of the STOCK Act: Passed in 2012 after a 60 Minutes report on insider trading practices in Congress, the STOCK Act banned members of Congress and senior executive and legislative branch officials from trading based on government knowledge. To give the ban teeth, the law directed that many...

Sun, 21 Apr 2013 15:48:08 UTC

About Police Shoot Outs and Spectators

Posted By Bruce Schneier

Hopefully this advice is superfluous for my audience, but it's so well written it's worth reading nonetheless: 7. SO, the bottom line is this: If you are in a place where you hear steady, and sustained, and nearby (let's call that, for some technical reasons, anything less than 800 meters) gunfire, do these things: Go to your basement. You are...

Sun, 21 Apr 2013 11:36:17 UTC

A Discussion of Redaction

Posted By Bruce Schneier

Interesting....

Sat, 20 Apr 2013 13:19:32 UTC

The Boston Marathon Bomber Manhunt

Posted By Bruce Schneier

I generally give the police a lot of tactical leeway in times like this. The very armed and very dangerous suspects warranted extraordinary treatment. They were perfectly capable of killing again, taking hostages, planting more bombs -- and we didn't know the extent of the plot or the group. That's why I didn't object to the massive police dragnet, the...

Fri, 19 Apr 2013 18:40:57 UTC

Me at the Berkman Center

Posted By Bruce Schneier

Earlier this month I spent a week at the Berkman Center for Internet and Society, talking to people about power, security, technology, and threats (details here). As part of that week, I gave a public talk at Harvard. Because my thoughts are so diffuse and disjoint, I didn't think I could pull it all together into a coherent talk. Instead,...

Fri, 19 Apr 2013 18:35:01 UTC

Friday Squid Blogging: Giant Squid Bike Rack

Posted By Bruce Schneier

It's the first on this page. Apparently this is the finished version of the design I blogged about last year. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Apr 2013 11:47:21 UTC

NSA Cryptography Course

Posted By Bruce Schneier

This article, from some internal NSA publication, is about Lambros Callimahos, who taught an intensive 18-week course on cryptology for many years and died in 1977. Be sure to notice the great redacted photo of him and his students on page 17....

Thu, 18 Apr 2013 16:36:56 UTC

The Nemim.gen Trojan

Posted By Bruce Schneier

This clever piece of malware evades forensic examination by deleting its own components....

Tue, 16 Apr 2013 14:19:09 UTC

Initial Thoughts on the Boston Bombings

Posted By Bruce Schneier

I rewrote my "refuse to be terrorized" essay for the Atlantic. David Rothkopf (author of the great book Power, Inc.) wrote something similar, and so did John Cole. It's interesting to see how much more resonance this idea has today than it did a dozen years ago. If other people have written similar essays, please post links in the comments....

Tue, 16 Apr 2013 11:37:40 UTC

FBI and Cell Phone Surveillance

Posted By Bruce Schneier

We're learning a lot about how the FBI eavesdrops on cell phones from a recent court battle....

Mon, 15 Apr 2013 09:29:45 UTC

Google Glass Enables New Forms of Cheating

Posted By Bruce Schneier

It's mentioned here: Mr. Doerr said he had been wearing the glasses and uses them especially for taking pictures and looking up words while playing Scattergories with his family, though it is questionable whether that follows the game's rules. Questionable? Questionable? It's just like using a computer's dictionary while playing Scrabble, or a computer odds program while playing poker, or...

Fri, 12 Apr 2013 21:34:41 UTC

Friday Squid Blogging: Illegal Squid Fishing

Posted By Bruce Schneier

While we're on the subject of squid fishing in Argentina, the country is dealing with foreign boats illegally fishing for squid inside its territorial waters. So yet again, squid and security collide. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Apr 2013 15:50:14 UTC

Remotely Hijacking an Aircraft

Posted By Bruce Schneier

There is a lot of buzz on the Internet about a talk at the Hack in the Box conference by Hugo Teso, who claims he can hack in to remotely control an airplane's avionics. He even wrote an Android app to do it. I honestly can't tell how real this is, and how much of it is the unique configuration of...

Thu, 11 Apr 2013 11:42:43 UTC

Thieves Use Video Camera to Stake Out Properties

Posted By Bruce Schneier

If the police can use cameras, so can the burglars....

Wed, 10 Apr 2013 17:46:44 UTC

Security Externalities and DDOS Attacks

Posted By Bruce Schneier

Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited: The attackers' goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker's traffic-sending capacity, so that...

Wed, 10 Apr 2013 11:40:46 UTC

Last Battle of Midway Cryptanalyst

Posted By Bruce Schneier

The last cryptanalyst at the Battle of Midway, Rear Admiral Donald "Mac" Showers, USN-Ret, passed away 19 October 2012. His interment at Arlington National Cemetery at Arlington, Virginia, will be Monday, April 15, at 3:00. The family made this a public event to celebrate his life and contributions to the cryptologic community....

Tue, 09 Apr 2013 18:49:51 UTC

Nice Security Mindset Example

Posted By Bruce Schneier

A real-world one-way function: Alice and Bob procure the same edition of the white pages book for a particular town, say Cambridge. For each letter Alice wants to encrypt, she finds a person in the book whose last name starts with this letter and uses his/her phone number as the encryption of that letter. To decrypt the message Bob has...

Tue, 09 Apr 2013 11:05:25 UTC

Bitcoins in the Mainstream Media

Posted By Bruce Schneier

Interesting article from the New Yorker. I'm often asked what I think about bitcoins. I haven't analyzed the security, but what I have seen looks good. The real issues are economic and political, and I don't have the expertise to have an opinion on that. BTW, here's a recent criticism of BitCoins....

Mon, 08 Apr 2013 18:30:08 UTC

Elite Panic

Posted By Bruce Schneier

I hadn't heard of this term before, but it's an interesting one. The excerpt below is from an interview with Rebecca Solnit, author of A Paradise Built in Hell: The Extraordinary Communities That Arise in Disaster: The term "elite panic" was coined by Caron Chess and Lee Clarke of Rutgers. From the beginning of the field in the 1950s to...

Mon, 08 Apr 2013 11:34:49 UTC

Government Use of Hackers as an Object of Fear

Posted By Bruce Schneier

Interesting article about the perception of hackers in popular culture, and how the government uses the general fear of them to push for more power: But these more serious threats don't seem to loom as large as hackers in the minds of those who make the laws and regulations that shape the Internet. It is the hacker -- a sort...

Fri, 05 Apr 2013 21:08:43 UTC

Friday Squid Blogging: Nighttime Squid Fishing Seen from Space

Posted By Bruce Schneier

Page 18 of this thesis explains that squid fishing is done at night, and the lighting is so bright that it shows up in the satellite surveys of planetary lighting. This video shows the phenomenon off the coastline of Argentina. As usual, you can also use this squid post to talk about the security stories in the news that I haven't...

Fri, 05 Apr 2013 18:05:36 UTC

Apple's iMessage Encryption Seems to Be Pretty Good

Posted By Bruce Schneier

The U.S. Drug Enforcement Agency has complained (in a classified report, not publicly) that Apple's iMessage end-to-end encryption scheme can't be broken. On the one hand, I'm not surprised; end-to-end encryption of a messaging system is a fairly easy cryptographic problem, and it should be unbreakable. On the other hand, it's nice to have some confirmation that Apple is looking...

Fri, 05 Apr 2013 11:35:45 UTC

Skein Collision Competition

Posted By Bruce Schneier

Xkcd had a Skein collision competition. The contest is over -- Carnegie Mellon University won, with 384 (out of 1024) mismatched bits -- but it's explained here....

Thu, 04 Apr 2013 11:28:42 UTC

NSA Crossword Puzzles

Posted By Bruce Schneier

Two puzzles from a 1977 issue of Cryptolog....

Wed, 03 Apr 2013 12:29:39 UTC

IT for Oppression

Posted By Bruce Schneier

Whether it's Syria using Facebook to help identify and arrest dissidents or China using its "Great Firewall" to limit access to international news throughout the country, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, propaganda, and control. They're getting really good at it, and the IT industry is helping. We're helping by...

Tue, 02 Apr 2013 11:02:06 UTC

Narratives of Secrecy

Posted By Bruce Schneier

How people talked about the secrecy surrounding the Manhattan project....

Mon, 01 Apr 2013 17:38:25 UTC

Sixth Movie-Plot Threat Contest

Posted By Bruce Schneier

It's back, after a two-year hiatus. Terrorism is boring; cyberwar is in. Cyberwar, and its kin: cyber Pearl Harbor, cyber 9/11, cyber Armageddon. (Or make up your own: a cyber Black Plague, cyber Ragnarok, cyber comet-hits-the-earth.) This is how we get budget and power for militaries. This is how we convince people to give up their freedoms and liberties. This...

Mon, 01 Apr 2013 11:07:15 UTC

What I've Been Thinking About

Posted By Bruce Schneier

I'm starting to think about my next book, which will be about power and the Internet -- from the perspective of security. My objective will be to describe current trends, explain where those trends are leading us, and discuss alternatives for avoiding that outcome. Many of my recent essays have touched on various facets of this, although I'm still looking...

Fri, 29 Mar 2013 21:19:59 UTC

Friday Squid Blogging: Bomb Discovered in Squid at Market

Posted By Bruce Schneier

Really: An unexploded bomb was found inside a squid when the fish was slaughtered at a fish market in Guangdong province. Oddly enough, this doesn't seem to be the work of terrorists: The stall owner, who has been selling fish for 10 years, told the newspaper the 1-meter-long squid might have mistaken the bomb for food. Clearly there's much to...

Fri, 29 Mar 2013 17:25:11 UTC

The Dangers of Surveillance

Posted By Bruce Schneier

Interesting article, "The Dangers of Surveillance," by Neil M. Richards, Harvard Law Review, 2013. From the abstract: ...We need a better account of the dangers of surveillance. This article offers such an account. Drawing on law, history, literature, and the work of scholars in the emerging interdisciplinary field of "surveillance studies," I explain what those harms are and why they...

Fri, 29 Mar 2013 11:59:08 UTC

New RC4 Attack

Posted By Bruce Schneier

This is a really clever attack on the RC4 encryption algorithm as used in TLS. We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent...
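The statistical flaw the post refers to can be seen directly. The following is an added example, not code from the post or from the paper's authors: a textbook RC4 implementation, then the "broadcast" setting the attack relies on, in which the same plaintext byte is encrypted under many different keys. The second keystream byte is 0 about twice as often as a uniform keystream would give (the Mantin-Shamir bias), so the most frequent ciphertext byte at that position is simply the plaintext byte. Keys are derived from a counter with SHA-256 purely so the run is reproducible offline; the key derivation, the 24,000-sample count and the plaintext byte 'A' are assumptions of the example, not values from the paper.

```python
"""Single-byte keystream bias in RC4, the kind of statistical flaw the TLS attack
above exploits. Added example: not code from the post or from the paper's authors.
Keys are derived from a counter (constructed input) so the run is reproducible."""
import hashlib
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by `length` bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def broadcast_ciphertexts(plaintext_byte: int, position: int, samples: int) -> Counter:
    """The 'broadcast' setting: the same plaintext byte sits at keystream position
    `position` (1-based, as in the RC4 literature) and is encrypted under `samples`
    independent keys; the resulting ciphertext bytes are tallied."""
    counts: Counter = Counter()
    for n in range(samples):
        key = hashlib.sha256(n.to_bytes(4, "big")).digest()[:16]  # constructed 128-bit key
        z = rc4_keystream(key, position)[position - 1]
        counts[plaintext_byte ^ z] += 1
    return counts


def bias_ratio(counts: Counter, value: int, samples: int) -> float:
    """How much more often `value` occurs than the 1/256 a uniform keystream would give.
    Asking about the plaintext byte itself measures how often the keystream byte was 0."""
    return counts[value] / (samples / 256)


def recover_broadcast_byte(counts: Counter) -> int:
    """Plaintext recovery at a position where keystream 0 is the most likely value:
    C = P xor Z and Z = 0 most often, so the most frequent ciphertext byte is P."""
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    n = 24000
    counts = broadcast_ciphertexts(0x41, 2, n)  # 'A' at position 2 under 24,000 keys
    print("Z2 == 0 occurs %.2fx the uniform rate" % bias_ratio(counts, 0x41, n))
    print("recovered plaintext byte: %#x" % recover_broadcast_byte(counts))
```

Position 2 is the strongest single-byte bias, which is why it recovers the byte with a few tens of thousands of samples; the paper's attack builds the same kind of table for every one of the first 256 positions, where the biases are much smaller and correspondingly more ciphertexts are needed.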

Thu, 28 Mar 2013 13:36:49 UTC

Unwitting Drug Smugglers

Posted By Bruce Schneier

This is a story about a physicist who got taken in by an imaginary Internet girlfriend and ended up being arrested in Argentina for drug smuggling. Readers of this blog will see it coming, of course, but it's still a good read. I don't know whether the professor knew what he was doing -- it's pretty clear that the...

Wed, 27 Mar 2013 11:47:03 UTC

Security Awareness Training

Posted By Bruce Schneier

Should companies spend money on security awareness training for their employees? It's a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry's focus on training serves to obscure greater...

Tue, 26 Mar 2013 19:15:35 UTC

The NSA's Cryptolog

Posted By Bruce Schneier

The NSA has published declassified versions of its Cryptolog newsletter. All the issues from Aug 1974 through Summer 1997 are on the web, although there are some pretty heavy redactions in places. (Here's a link to the documents on a non-government site, in case they disappear.) I haven't even begun to go through these yet. If you find anything good,...

Tue, 26 Mar 2013 11:38:14 UTC

Identifying People from Mobile Phone Location Data

Posted By Bruce Schneier

Turns out that it's pretty easy: Researchers at the Massachusetts Institute of Technology (MIT) and the Catholic University of Louvain studied 15 months' worth of anonymised mobile phone records for 1.5 million individuals. They found from the "mobility traces" - the evident paths of each mobile phone - that only four locations and times were enough to identify a particular...
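The measurement behind that finding is simple to reproduce in miniature. The following is an added example with synthetic traces, not the MIT/Louvain study's data or code: each user is a set of (antenna cell, hour) points; a user is "unique" given k of their own points if no other trace contains all k of them. The trace generator (home cell at night, work cell by day, random cells otherwise), the 300 users, 40 cells and 12 points per trace, and the coarsening factors are all assumptions of the example.

```python
"""How few spatio-temporal points single a person out of a set of mobility traces.
Added example with synthetic traces: not the MIT/Louvain study's data or code.
A trace is a set of (cell, hour) points; a user is unique given k of their points
if no other trace contains all k of them."""
import random


def make_traces(n_users: int, n_cells: int, n_points: int, seed: int = 1) -> dict:
    """Synthetic traces (constructed): nights at a home cell, workdays at a work
    cell, other hours at random cells, so many people share individual points."""
    rng = random.Random(seed)
    traces = {}
    for u in range(n_users):
        home, work = rng.randrange(n_cells), rng.randrange(n_cells)
        pts = set()
        while len(pts) < n_points:
            hour = rng.randrange(24)
            if hour < 7 or hour >= 21:
                cell = home
            elif 9 <= hour < 17:
                cell = work
            else:
                cell = rng.randrange(n_cells)
            pts.add((cell, hour))
        traces[u] = pts
    return traces


def coarsen(point, cell_factor: int, hour_factor: int):
    """Lower the resolution: merge `cell_factor` cells and `hour_factor` hours."""
    cell, hour = point
    return (cell // cell_factor, hour // hour_factor)


def uniqueness(traces: dict, k: int, cell_factor: int = 1, hour_factor: int = 1,
               seed: int = 2) -> float:
    """Fraction of users uniquely identified by k points drawn from their own trace.
    Each user's points are drawn once in a fixed order and the first k are used, so
    the k-point set is a subset of the (k+1)-point set and the fraction cannot fall
    as k grows; coarsening is applied after drawing, so it can only lower the fraction."""
    rng = random.Random(seed)
    coarse = {u: {coarsen(p, cell_factor, hour_factor) for p in pts}
              for u, pts in traces.items()}
    unique = 0
    for u in sorted(traces):
        order = rng.sample(sorted(traces[u]), len(traces[u]))
        known = {coarsen(p, cell_factor, hour_factor) for p in order[:k]}
        if not any(known <= coarse[v] for v in coarse if v != u):
            unique += 1
    return unique / len(traces)


if __name__ == "__main__":
    traces = make_traces(n_users=300, n_cells=40, n_points=12)
    for k in (1, 2, 3, 4):
        print(f"{k} point(s): {uniqueness(traces, k):.0%} of users unique")
    print("4 points, 4x coarser cells and 6-hour blocks: "
          f"{uniqueness(traces, 4, cell_factor=4, hour_factor=6):.0%} unique")
```

Two things worth noticing when running it: a single point almost never identifies anyone, because home and work cells are shared, yet four points do for most users; and lowering the spatial or temporal resolution of the released data lowers uniqueness, but far less than one might hope, which is the study's point about "anonymised" location records.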

Mon, 25 Mar 2013 11:28:13 UTC

Our Internet Surveillance State

Posted By Bruce Schneier

I'm going to start with three data points. One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks. Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement,...

Fri, 22 Mar 2013 21:12:38 UTC

Friday Squid Blogging: Giant Squid Genetics

Posted By Bruce Schneier

Despite looking very different from each other and being distributed across the world's oceans, all giant squid are the same species. There's also not a lot of genetic diversity. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Mar 2013 20:46:55 UTC

Changes to the Blog

Posted By Bruce Schneier

I have made a few changes to my blog that I'd like to talk about. The first is the various buttons associated with each post: a Facebook Like button, a Retweet button, and so on. These buttons are ubiquitous on the Internet now. We publishers like them because it makes it easier for our readers to share our content. I...

Fri, 22 Mar 2013 12:10:57 UTC

FBI Secretly Spying on Cloud Computer Users

Posted By Bruce Schneier

Both Google and Microsoft have admitted it. Presumably every other major cloud service provider is getting these National Security Letters as well. If you've been following along, you know that a U.S. District Court recently ruled National Security Letters unconstitutional. Not that this changes anything yet....

Thu, 21 Mar 2013 18:17:25 UTC

Text Message Retention Policies

Posted By Bruce Schneier

The FBI wants cell phone carriers to store SMS messages for a long time, enabling them to conduct surveillance backwards in time. Nothing new there -- data retention laws are being debated in many countries around the world -- but this was something I did not know: Wireless providers' current SMS retention policies vary. An internal Justice Department document (PDF)...

Thu, 21 Mar 2013 12:02:28 UTC

When Technology Overtakes Security

Posted By Bruce Schneier

A core, not side, effect of technology is its ability to magnify power and multiply force -- for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems. The problem is that it's not balanced: Attackers generally benefit from new...

Wed, 20 Mar 2013 16:51:42 UTC

Lessons From the FBI's Insider Threat Program

Posted By Bruce Schneier

This article is worth reading. One bit: For a time the FBI put its back into coming up with predictive analytics to help predict insider behavior prior to malicious activity. Rather than coming up with a powerful tool to stop criminals before they did damage, the FBI ended up with a system that was statistically worse than random at ferreting...

Tue, 19 Mar 2013 18:34:57 UTC

FinSpy

Posted By Bruce Schneier

Twenty five countries are using the FinSpy surveillance software package (also called FinFisher) to spy on their own citizens: The list of countries with servers running FinSpy is now Australia, Bahrain, Bangladesh, Britain, Brunei, Canada, the Czech Republic, Estonia, Ethiopia, Germany, India, Indonesia, Japan, Latvia, Malaysia, Mexico, Mongolia, Netherlands, Qatar, Serbia, Singapore, Turkmenistan, the United Arab Emirates, the United States...

Tue, 19 Mar 2013 11:44:17 UTC

Gauss

Posted By Bruce Schneier

Nice summary article on the state-sponsored Gauss malware....

Mon, 18 Mar 2013 18:00:52 UTC

A 1962 Speculative Essay on Computers and Intelligence

Posted By Bruce Schneier

From the CIA archives: Orrin Clotworthy, "Some Far-out Thoughts on Computers," Studies in Intelligence v. 6 (1962)....

Mon, 18 Mar 2013 14:38:00 UTC

Prison Escape

Posted By Bruce Schneier

Audacious daytime prison escape by helicopter. The escapees have since been recaptured....

Fri, 15 Mar 2013 21:10:46 UTC

Friday Squid Blogging: WTF, Evolution?

Posted By Bruce Schneier

WTF, Evolution? is a great blog, and they finally mentioned squid....

Fri, 15 Mar 2013 19:01:01 UTC

xkcd on PGP

Posted By Bruce Schneier

How security interacts with users....

Fri, 15 Mar 2013 10:46:12 UTC

Stuxnet is Much Older than We Thought

Posted By Bruce Schneier

Symantec has found evidence of Stuxnet variants from way back in 2005. That's much older than the 2009 creation date we originally thought it had. More here and here. What's impressive is how advanced the cyberattack capabilities of the U.S. and/or Israel were back then....

Thu, 14 Mar 2013 17:19:08 UTC

On Secrecy

Posted By Bruce Schneier

Interesting law paper: "The Implausibility of Secrecy," by Mark Fenster. Abstract: Government secrecy frequently fails. Despite the executive branch's obsessive hoarding of certain kinds of documents and its constitutional authority to do so, recent high-profile events -- among them the WikiLeaks episode, the Obama administration's celebrated leak prosecutions, and the widespread disclosure by high-level officials of flattering confidential information to...

Thu, 14 Mar 2013 11:11:56 UTC

Nationalism on the Internet

Posted By Bruce Schneier

For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of national governments, the Internet is fostering an awful lot of nationalism right now. We've started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about...

Wed, 13 Mar 2013 18:30:38 UTC

Security Theater on the Wells Fargo Website

Posted By Bruce Schneier

Click on the "Establishing secure connection" link at the top of this page. It's a Wells Fargo page that displays a progress bar with a bunch of security phrases -- "Establishing Secure Connection," "Sending credentials," "Building Secure Environment," and so on -- and closes after a few seconds. It's complete security theater; it doesn't actually do anything but make account...

Wed, 13 Mar 2013 12:24:27 UTC

Hacking Best-seller Lists

Posted By Bruce Schneier

It turns out that you can buy a position for your book on best-seller lists....

Tue, 12 Mar 2013 18:43:11 UTC

Cisco IP Phone Hack

Posted By Bruce Schneier

Nice work: All current Cisco IP phones, including the ones seen on desks in the White House and aboard Air Force One, have a vulnerability that allows hackers to take complete control of the devices....

Tue, 12 Mar 2013 11:45:35 UTC

"The Logic of Surveillance"

Posted By Bruce Schneier

Interesting essay: Surveillance is part of the system of control. "The more surveillance, the more control" is the majority belief amongst the ruling elites. Automated surveillance requires fewer "watchers", and since the watchers cannot watch all the surveillance, long term storage increases the ability to find some "crime" anyone is guilty of. [...] This is one of the biggest problems...

Mon, 11 Mar 2013 17:58:40 UTC

Dead Drop from the 1870s

Posted By Bruce Schneier

Hats: De Blowitz was staying at the Kaiserhof. Each day his confederate went there for lunch and dinner. The two never acknowledged one another, but they hung their hats on neighboring pegs. At the end of the meal the confederate departed with de Blowitz's hat, and de Blowitz innocently took the confederate's. The communications were hidden in the hat's lining....

Mon, 11 Mar 2013 11:12:21 UTC

Is Software Security a Waste of Money?

Posted By Bruce Schneier

I worry that comments about the value of software security made at the RSA Conference last week will be taken out of context. John Viega did not say that software security wasn't important. He said: For large software companies or major corporations such as banks or health care firms with large custom software bases, investing in software security can prove...

Fri, 08 Mar 2013 22:06:27 UTC

Friday Squid Blogging: Squid/Whale Yin-Yang

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Mar 2013 18:08:07 UTC

Ross Anderson's Security Engineering Online

Posted By Bruce Schneier

The second edition of Ross Anderson's fantastic book, Security Engineering, is now free online. Required reading for any security engineer....

Fri, 08 Mar 2013 12:23:16 UTC

Oxford University Blocks Google Docs

Posted By Bruce Schneier

Google Docs is being used for phishing. Oxford University felt that it had to block the service because Google isn't responding to takedown requests quickly enough. Think about this in light of my essay on feudal security. Oxford University has to trust that Google will act in its best interest, and has no other option if it doesn't....

Thu, 07 Mar 2013 19:39:15 UTC

How the FBI Intercepts Cell Phone Data

Posted By Bruce Schneier

Good article on "Stingrays," which the FBI uses to monitor cell phone data. Basically, they trick the phone into joining a fake network. And, since cell phones inherently trust the network -- as opposed to computers which inherently do not trust the Internet -- it's easy to track people and collect data. There are lots of questions about whether or...

Thu, 07 Mar 2013 12:45:04 UTC

Browser Security

Posted By Bruce Schneier

Interesting discussion on browser security from Communications of the ACM. Also, an article on browser and web privacy from the same issue....

Wed, 06 Mar 2013 19:24:15 UTC

The NSA's Ragtime Surveillance Program and the Need for Leaks

Posted By Bruce Schneier

A new book reveals details about the NSA's Ragtime surveillance program: A book published earlier this month, "Deep State: Inside the Government Secrecy Industry," contains revelations about the NSA's snooping efforts, based on information gleaned from NSA sources. According to a detailed summary by Shane Harris at the Washingtonian yesterday, the book discloses that a codename for a controversial NSA...

Wed, 06 Mar 2013 12:50:07 UTC

Al Qaeda Document on Avoiding Drone Strikes

Posted By Bruce Schneier

Interesting: 3. Spreading the reflective pieces of glass on a car or on the roof of the building. 4. Placing a group of skilled snipers to hunt the drone, especially the reconnaissance ones because they fly low, about six kilometers or less. 5. Jamming of and confusing of electronic communication using the ordinary water-lifting dynamo fitted with...

Tue, 05 Mar 2013 19:58:04 UTC

Marketing at the RSA Conference

Posted By Bruce Schneier

Marcus Ranum has an interesting screed on "booth babes" in the RSA Conference exhibition hall: I'm not making a moral argument about sexism in our industry or the objectification of women. I could (and probably should) but it's easier to just point out the obvious: the only customers that will be impressed by anyone's ability to hire pretty models to...

Tue, 05 Mar 2013 12:28:50 UTC

Technologies of Surveillance

Posted By Bruce Schneier

It's a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation comes new possibilities but also new concerns. For one, the NYPD is testing a new type of security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained to...

Mon, 04 Mar 2013 20:04:34 UTC

New Internet Porn Scam

Posted By Bruce Schneier

I hadn't heard of this one before. In New Zealand, people viewing adult websites -- it's unclear whether these are honeypot sites, or malware that notices the site being viewed -- get a pop-up message claiming it's from the NZ Police and demanding payment of an instant fine for viewing illegal pornography....

Mon, 04 Mar 2013 12:38:18 UTC

Getting Security Incentives Right

Posted By Bruce Schneier

One of the problems with motivating proper security behavior within an organization is that the incentives are all wrong. It doesn't matter how much management tells employees that security is important, employees know when it really isn't -- when getting the job done cheaply and on schedule is much more important. It seems to me that his co-workers understand the...

Fri, 01 Mar 2013 22:36:01 UTC

Friday Squid Blogging: Another Squid Cartoon.

Posted By Bruce Schneier

Another. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Mar 2013 20:11:07 UTC

Me on "Virtually Speaking"

Posted By Bruce Schneier

Last week I was on "Virtually Speaking."...

Fri, 01 Mar 2013 11:05:22 UTC

Phishing Has Gotten Very Good

Posted By Bruce Schneier

This isn't phishing; it's not even spear phishing. It's laser-guided precision phishing: One of the leaked diplomatic cables referred to one attack via email on US officials who were on a trip in Copenhagen to debate issues surrounding climate change. "The message had the subject line 'China and Climate Change' and was spoofed to appear as if it were from...

Thu, 28 Feb 2013 20:40:38 UTC

The Court of Public Opinion

Posted By Bruce Schneier

Recently, Elon Musk and the New York Times took to Twitter and the Internet to argue the data -- and their grievances -- over a failed road test and car review. Meanwhile, an Applebee's server is part of a Change.org petition to get her job back after posting a pastor's no-tip receipt comment online. And when he wasn't paid quickly...

Thu, 28 Feb 2013 12:35:53 UTC

Brazen Physical Thefts

Posted By Bruce Schneier

Three brazen robberies are in the news this week. The first was a theft at a small museum of gold nuggets worth $750,000: Police said the daring heist happened between daytime tours, during a 20-minute window. Museum employees said the thief used an ax to smash the acrylic window, and then left the ax behind. "He just grabbed it, threw...

Wed, 27 Feb 2013 19:26:01 UTC

Alan F. Westin Died

Posted By Bruce Schneier

Obituary here. His 1967 book, Privacy and Freedom, almost single-handedly created modern privacy law....

Wed, 27 Feb 2013 13:09:47 UTC

How Complex Systems Fail

Posted By Bruce Schneier

Good summary list. It's not directly about security, but it's all fundamentally about security. Any real-world security system is inherently complex. I wrote about this long ago in Beyond Fear....

Tue, 26 Feb 2013 19:38:35 UTC

Security Lessons from the Battle of Hoth

Posted By Bruce Schneier

Someone has analyzed the security mistakes in the Battle of Hoth, from the movie The Empire Strikes Back....

Tue, 26 Feb 2013 13:10:03 UTC

House Hearing: How Well Is the TSA Doing?

Posted By Bruce Schneier

I would have liked to participate in this hearing: Committee on Homeland Security, Subcommittee on Oversight and Management Efficiency: "Assessing DHS 10 Years Later: How Wisely is DHS Spending Taxpayer Dollars?" February 15, 2013....

Mon, 25 Feb 2013 19:49:53 UTC

Me at the RSA Conference

Posted By Bruce Schneier

I'll be speaking twice at the RSA Conference this year. I'm giving a solo talk Tuesday at 1:00, and participating in a debate about training Wednesday at noon. This is a short written preview of my solo talk, and this is an audio interview on the topic. Additionally: Akamai is giving away 1,500 copies of Liars and Outliers, and Zscaler...

Mon, 25 Feb 2013 11:52:51 UTC

Another Essay about Liars and Outliers

Posted By Bruce Schneier

The Montréal Review asked me to write an essay about my latest book. Not much that regular readers haven't seen before....

Fri, 22 Feb 2013 22:38:30 UTC

Friday Squid Blogging: Land Squids

Posted By Bruce Schneier

Funny. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 22 Feb 2013 20:21:39 UTC

I Was on Inventing the Future

Posted By Bruce Schneier

I was a guest on Inventing the Future, for an episode on surveillance technology. The video is here....

Fri, 22 Feb 2013 17:12:01 UTC

Hacking the Papal Election

Posted By Bruce Schneier

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote? The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The...

Fri, 22 Feb 2013 12:03:34 UTC

All Those Companies that Can't Afford Dedicated Security

Posted By Bruce Schneier

This is interesting: In the security practice, we have our own version of no-man's land, and that's midsize companies. Wendy Nather refers to these folks as being below the "Security Poverty Line." These folks have a couple hundred to a couple thousand employees. That's big enough to have real data interesting to attackers, but not big enough to have a...

Thu, 21 Feb 2013 18:54:28 UTC

More on Chinese Cyberattacks

Posted By Bruce Schneier

Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn't mean that they're happening with greater frequency. Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outed themselves through poor opsec:...

Thu, 21 Feb 2013 13:24:45 UTC

Age Biases in Perceptions of Trust

Posted By Bruce Schneier

Interesting research (full article is behind a paywall): Abstract: Older adults are disproportionately vulnerable to fraud, and federal agencies have speculated that excessive trust explains their greater vulnerability. Two studies, one behavioral and one using neuroimaging methodology, identified age differences in trust and their neural underpinnings. Older and younger adults rated faces high in trust cues similarly, but older adults...

Wed, 20 Feb 2013 18:03:29 UTC

Cheating at Chess

Posted By Bruce Schneier

Good summary of cheating in tournament chess....

Wed, 20 Feb 2013 13:29:50 UTC

Fixing Soccer Matches

Posted By Bruce Schneier

How international soccer matches are fixed. Right now, Dan Tan's programmers are busy reverse-engineering the safeguards of online betting houses. About $3 billion is wagered on sports every day, most of it on soccer, most of it in Asia. That's a lot of noise on the big exchanges. We can exploit the fluctuations, rig the bets in a way that...

Tue, 19 Feb 2013 18:52:43 UTC

19th-Century Traffic Analysis

Posted By Bruce Schneier

There's a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that...

Tue, 19 Feb 2013 12:11:29 UTC

Hacking Citation Counts

Posted By Bruce Schneier

Hacking citation counts using Google Scholar....

Mon, 18 Feb 2013 19:43:55 UTC

More State-Sponsored Hacking

Posted By Bruce Schneier

After the New York Times broke the story of what seemed to be a state-sponsored hack from China against the newspaper, the Register has stories of two similar attacks: one from Burma and another from China....

Mon, 18 Feb 2013 12:14:41 UTC

Automobile Data Surveillance and the Future of Black Boxes

Posted By Bruce Schneier

Tesla Motors gave one of its electric cars to John Broder, a very outspoken electric-car skeptic from the New York Times, for a test drive. After a negative review, Tesla revealed that it logged a dizzying amount of data from that test drive. The company then matched the reporter's claims against its logs and published a rebuttal. Broder rebutted the...

Fri, 15 Feb 2013 22:09:57 UTC

Friday Squid Blogging: More on Flying Squid

Posted By Bruce Schneier

Japanese squid researchers have confirmed flying squid can fly, and how they do it. (Note: I have written about flying squid before.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Feb 2013 18:52:24 UTC

Jacob Appelbaum's 29C3 Keynote Speech

Posted By Bruce Schneier

This speech from last December's 29C3 (29th Chaos Communication Congress) is worth listening to. He talks about what we can do in the face of oppressive power on the Internet. I'm not sure his answers are right, but am glad to hear someone talking about the real problems....

Fri, 15 Feb 2013 12:48:58 UTC

Guessing Smart Phone PINs by Monitoring the Accelerometer

Posted By Bruce Schneier

"Practicality of Accelerometer Side Channels on Smartphones," by Adam J. Aviv, Benjamin Sapp, Matt Blaze, and Jonathan M. Smith. Abstract: Modern smartphones are equipped with a plethora of sensors that enable a wide range of interactions, but some of these sensors can be employed as a side channel to surreptitiously learn about user input. In this paper, we show that...

Thu, 14 Feb 2013 17:42:59 UTC

Using the iWatch for Authentication

Posted By Bruce Schneier

Usability engineer Bruce Tognazzini talks about how an iWatch -- which seems to be either a mythical Apple product or one actually in development -- can make authentication easier. Passcodes. The watch can and should, for most of us, eliminate passcodes altogether on iPhones, and Macs and, if Apple's smart, PCs: As long as my watch is in range, let...

Thu, 14 Feb 2013 12:32:47 UTC

Anti-Cheating Security in Casinos

Posted By Bruce Schneier

Long article. With over a thousand cameras operating 24/7, the monitoring room creates tremendous amounts of data every day, most of which goes unseen. Six technicians watch about 40 monitors, but all the feeds are saved for later analysis. One day, as with OCR scanning, it might be possible to search all that data for suspicious activity. Say, a baccarat...

Wed, 13 Feb 2013 19:39:57 UTC

Real-World Prisoner's Dilemma from France

Posted By Bruce Schneier

This is a real story of a pair of identical twins who are suspected in a crime. There is CCTV and DNA evidence that could implicate either suspect. Detailed DNA testing that could resolve the guilty twin is prohibitively expensive. So both have been arrested in the hope that one may confess or implicate the other....

Wed, 13 Feb 2013 12:13:31 UTC

New al Qaeda Encryption Tool

Posted By Bruce Schneier

There's not a lot of information -- and quite a lot of hyperbole -- in this article: With the release of the Asrar Al Dardashah plugin, GIMF promised "secure correspondence" based on the Pidgin chat client, which supports multiple chat platforms, including Yahoo Messenger, Windows Live Messenger, AOL Instant Messenger, Google Talk and Jabber/XMPP. "The Asrar Al Dardashah plugin supports...

Tue, 12 Feb 2013 18:55:26 UTC

Massive Police Shootout in Cleveland Despite Lack of Criminals

Posted By Bruce Schneier

This is an amazing story. I urge you to read the whole thing, but here's the basics: A November car chase ended in a "full blown-out" firefight, with glass and bullets flying, according to Cleveland police officers who described for investigators the chaotic scene at the end of the deadly 25-minute pursuit. But when the smoky haze -- caused by...

Tue, 12 Feb 2013 12:53:19 UTC

Our New Regimes of Trust

Posted By Bruce Schneier

Society runs on trust. Over the millennia, we've developed a variety of mechanisms to induce trustworthy behavior in society. These range from a sense of guilt when we cheat, to societal disapproval when we lie, to laws that arrest fraudsters, to door locks and burglar alarms that keep thieves out of our homes. They're complicated and interrelated, but they tend...

Mon, 11 Feb 2013 19:25:40 UTC

Really Clever TLS Attack

Posted By Bruce Schneier

This is an extremely clever man-in-the-middle timing attack against AES that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication. (And this is a really good plain-language description of it.)...

Mon, 11 Feb 2013 12:49:11 UTC

Platform Fragmentation as a Security Issue

Posted By Bruce Schneier

Interesting article about the difficulty Google has pushing security updates onto Android phones. The problem is that the phone manufacturer is in charge, and there are a lot of different phone manufacturers of varying ability and interest....

Sat, 09 Feb 2013 00:28:21 UTC

Friday Squid Blogging: Squid Recipe

Posted By Bruce Schneier

Chorizo-stuffed squid with potatoes, capers and sage. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Feb 2013 20:41:19 UTC

I Seem to Be a Physical Security Expert Now

Posted By Bruce Schneier

This seems so obviously written by someone who Googled me on the Internet, without any other knowledge of who I am or what I do....

Fri, 08 Feb 2013 17:20:44 UTC

Millennials and Cybersecurity

Posted By Bruce Schneier

This long report looks at risky online behavior among the Millennial generation, and finds that they respond positively to automatic reminders and prodding. No surprise, really....

Fri, 08 Feb 2013 12:16:47 UTC

Inauguration Security

Posted By Bruce Schneier

A first-person account of the security surrounding the second inauguration of President Obama....

Thu, 07 Feb 2013 18:51:41 UTC

Tide Becomes Drug Currency

Posted By Bruce Schneier

Basically, Tide detergent is a popular product with a very small profit margin. So small non-chain grocery and convenience stores are happy to buy it cheaply, no questions asked. This makes it easy to sell if you steal it. And drug dealers have started taking it as currency, large bottles being worth about $5....

Thu, 07 Feb 2013 12:35:01 UTC

Over $3M in Prizes to Hack Google Chrome

Posted By Bruce Schneier

Google's contest at the CanSecWest conference: Today we're announcing our third Pwnium competition -- Pwnium 3. Google Chrome is already featured in the Pwn2Own competition this year, so Pwnium 3 will have a new focus: Chrome OS. We'll issue Pwnium 3 rewards for Chrome OS at the following levels, up to a total of $3.14159 million USD: $110,000: browser or system level...

Wed, 06 Feb 2013 18:21:36 UTC

Why Is Quantum Computing So Hard?

Posted By Bruce Schneier

Blog post (and two papers) by Ross Anderson and Robert Brady. News article....

Wed, 06 Feb 2013 12:36:06 UTC

New York Times Hacked by China

Posted By Bruce Schneier

This was big news last week, and I spent a lot of time doing press interviews about it. But while it is an important story -- hacking a newspaper, looking for confidential sources is fundamentally different from hacking for financial gain -- it's not much different than GhostNet in 2009, Google's Chinese hacking stories from 2010 and 2011, or others....

Tue, 05 Feb 2013 18:16:05 UTC

Anti-Drone Clothing

Posted By Bruce Schneier

Clothing designed to thwart drones....

Tue, 05 Feb 2013 13:38:59 UTC

Proactive Defense Papers

Posted By Bruce Schneier

I just printed this out: "Proactive Defense for Evolving Cyber Threats," a Sandia Report by Richard Colbaugh and Kristin Glass. It's a collection of academic papers, and it looks interesting....

Mon, 04 Feb 2013 19:43:40 UTC

Security Seals

Posted By Bruce Schneier

I don't see a lot written about security seals, despite how common they are. This article is a very basic overview of the technologies....

Mon, 04 Feb 2013 12:39:35 UTC

Using Imagery to Avoid Censorship

Posted By Bruce Schneier

Interesting: "It's really hard for the government to censor things when they don't understand the made-up words or meaning behind the imagery," said Kevin Lee, COO of China Youthology, in conversation at the DLD conference in Munich on Monday. "The people there aren't even relying on text anymore. It's audio, visual, photos. All the young people are creating their own...

Fri, 01 Feb 2013 22:40:31 UTC

Friday Squid Blogging: Squid Anchor

Posted By Bruce Schneier

Webpage says that it's "the most effective lightweight, portable anchor around." As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 01 Feb 2013 18:36:44 UTC

Pentagon Staffs Up U.S. Cyber Command

Posted By Bruce Schneier

The Washington Post has the story: The move, requested by the head of the Defense Department's Cyber Command, is part of an effort to turn an organization that has focused largely on defensive measures into the equivalent of an Internet-era fighting force. The command, made up of about 900 personnel, will expand to include 4,900 troops and civilians. [...] The...

Fri, 01 Feb 2013 12:08:15 UTC

Jared Diamond on Common Risks

Posted By Bruce Schneier

Jared Diamond has an op-ed in the New York Times where he talks about how we overestimate rare risks and underestimate common ones. Nothing new here -- I and others have written about this sort of thing extensively -- but he says that this is a bias found more in developed countries than in primitive cultures. I first became aware...

Thu, 31 Jan 2013 19:28:59 UTC

The Eavesdropping System in Your Computer

Posted By Bruce Schneier

Dan Farmer has an interesting paper (long version here; short version here) discussing the Baseboard Management Controller on your computer's motherboard: The BMC is an embedded computer found on most server motherboards made in the last 10 or 15 years. Often running Linux, the BMC's CPU, memory, storage, and network run independently. It runs Intel's IPMI out-of-band systems management protocol...

Thu, 31 Jan 2013 13:09:16 UTC

Power and the Internet

Posted By Bruce Schneier

All disruptive technologies upset traditional power balances, and the Internet is no exception. The standard story is that it empowers the powerless, but that's only half the story. The Internet empowers everyone. Powerful institutions might be slow to make use of that new power, but since they are powerful, they can use it more effectively. Governments and corporations have woken...

Wed, 30 Jan 2013 18:20:08 UTC

"People, Process, and Technology"

Posted By Bruce Schneier

Back in 1999 when I formed Counterpane Internet Security, Inc., I popularized the notion that security was a combination of people, process, and technology. Back then, it was an important notion; security back then was largely technology-only, and I was trying to push the idea that people and process needed to be incorporated into an overall security system. This blog...

Wed, 30 Jan 2013 12:51:55 UTC

Who Does Skype Let Spy?

Posted By Bruce Schneier

Lately I've been thinking a lot about power and the Internet, and what I call the feudal model of IT security that is becoming more and more pervasive. Basically, between cloud services and locked-down end-user devices, we have less control and visibility over our security -- and have no choice but to trust those in power to keep us safe....

Tue, 29 Jan 2013 19:06:14 UTC

Backdoors Built in to Barracuda Networks Equipment

Posted By Bruce Schneier

Don't we know enough not to do this anymore?...

Tue, 29 Jan 2013 12:32:58 UTC

Complexity and Security

Posted By Bruce Schneier

I have written about complexity and security for over a decade now (for example, this from 1999). Here's the results of a survey that confirms this: Results showed that more than half of the survey respondents from mid-sized (identified as 50-2500 employees) and enterprise organizations (identified as 2500+ employees) stated that complex policies ultimately led to a security breach, system...

Mon, 28 Jan 2013 19:25:17 UTC

Dangerous Security Theater: Scrambling Fighter Jets

Posted By Bruce Schneier

This story exemplifies everything that's wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities. Typical overreaction, but in this case -- as in several others over the past decade -- F-15 fighter jets were scrambled to...

Mon, 28 Jan 2013 12:07:31 UTC

Violence as a Contagious Disease

Posted By Bruce Schneier

This is fascinating: Intuitively we understand that people surrounded by violence are more likely to be violent themselves. This isn't just some nebulous phenomenon, argue Slutkin and his colleagues, but a dynamic that can be rigorously quantified and understood. According to their theory, exposure to violence is conceptually similar to exposure to, say, cholera or tuberculosis. Acts of violence are...

Fri, 25 Jan 2013 22:15:12 UTC

Friday Squid Blogging: Squirming Tentacle USB Drive

Posted By Bruce Schneier

Just the thing. (Note that this is different than the previous squid USB drive I blogged about.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Jan 2013 20:47:30 UTC

Video Interview with Me

Posted By Bruce Schneier

This interview was conducted last month, at an artificial intelligence conference at Oxford....

Fri, 25 Jan 2013 13:03:50 UTC

Shaming as Punishment for Repeated Drunk Driving

Posted By Bruce Schneier

Janesville, Wisconsin, has published information about repeated drunk driving offenders since 2010. The idea is that the public shame will reduce future incidents....

Thu, 24 Jan 2013 19:33:22 UTC

Identifying People from their Writing Style

Posted By Bruce Schneier

It's called stylometry, and it's based on the analysis of things like word choice, sentence structure, syntax and punctuation. In one experiment, researchers were able to identify 80% of users with a 5,000-word writing sample. Download tools here, including one to anonymize your writing style....

Thu, 24 Jan 2013 12:48:36 UTC

Identifying People from their DNA

Posted By Bruce Schneier

Interesting: The genetic data posted online seemed perfectly anonymous -- strings of billions of DNA letters from more than 1,000 people. But all it took was some clever sleuthing on the Web for a genetics researcher to identify five people he randomly selected from the study group. Not only that, he found their entire families, even though the relatives had...

Wed, 23 Jan 2013 18:55:43 UTC

The Security of the Mega File-Sharing Service

Posted By Bruce Schneier

Ever since the launch of Kim Dotcom's file-sharing service, I have been asked about the unorthodox encryption and security system. I have not reviewed it, and don't have an opinion. All I know is what I read: this, this, this, this, and this. Please add other links in the comments....

Wed, 23 Jan 2013 12:14:37 UTC

Commenting on Aaron Swartz's Death

Posted By Bruce Schneier

There has been an enormous amount written about the suicide of Aaron Swartz. This is primarily a collection of links, starting with those that use his death to talk about the broader issues at play: Orin Kerr, Larry Lessig, Jennifer Granick, Glenn Greenwald, Henry Farrell, danah boyd, Cory Doctorow, James Fallows, Brewster Kahle, Carl Malamud, and Mark Bernstein. Here are...

Tue, 22 Jan 2013 18:04:33 UTC

Google's Authentication Research

Posted By Bruce Schneier

Google is working on non-password authentication techniques. But for Google's password-liberation plan to really take off, they're going to need other websites to play ball. "Others have tried similar approaches but achieved little success in the consumer world," they write. "Although we recognize that our initiative will likewise remain speculative until we've proven large scale acceptance, we're eager to test...

Tue, 22 Jan 2013 11:23:44 UTC

Thinking About Obscurity

Posted By Bruce Schneier

This essay is worth reading: Obscurity is the idea that when information is hard to obtain or understand, it is, to some degree, safe. Safety, here, doesn't mean inaccessible. Competent and determined data hunters armed with the right tools can always find a way to get it. Less committed folks, however, experience great effort as a deterrent. Online, obscurity is...

Mon, 21 Jan 2013 12:38:47 UTC

TSA Removing Rapiscan Full-Body Scanners from U.S. Airports

Posted By Bruce Schneier

This is big news: The U.S. Transportation Security Administration will remove airport body scanners that privacy advocates likened to strip searches after OSI Systems Inc. (OSIS) couldn't write software to make passenger images less revealing. This doesn't mean the end of full-body scanning. There are two categories of these devices: backscatter X-ray and millimeter wave. The government said Friday it...

Fri, 18 Jan 2013 21:31:17 UTC

Friday Squid Blogging: The Search for the Colossal Squid

Posted By Bruce Schneier

Now that videographers have bagged a giant squid, the search turns to the colossal squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 17 Jan 2013 15:50:13 UTC

Man-in-the-Middle Attacks Against Browser Encryption

Posted By Bruce Schneier

Last week, a story broke about how Nokia mounts man-in-the-middle attacks against secure browser sessions. The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages. The...

Thu, 17 Jan 2013 13:39:07 UTC

Essay on FBI-Mandated Backdoors

Posted By Bruce Schneier

Good essay by Matt Blaze and Susan Landau....

Wed, 16 Jan 2013 12:25:47 UTC

Cheating at Chess

Posted By Bruce Schneier

There's a fascinating story about a probable tournament chess cheat. No one knows how he does it; there's only the facts that 1) historically he's not nearly as good as his recent record, and 2) his moves correlate almost perfectly with one of the best computer chess programs. The general question is how valid statistical evidence is when there is no...

Tue, 15 Jan 2013 12:10:50 UTC

Lexical Warfare

Posted By Bruce Schneier

This essay, which uses the suicide of Aaron Swartz as a jumping off point for how the term "hacktivist" has been manipulated by various powers, has this to say about "lexical warfare": I believe the debate itself is far broader than the specifics of this unhappy case, for if there was prosecutorial overreach it raises the question of whether we...

Mon, 14 Jan 2013 19:27:28 UTC

Anti-Surveillance Clothing

Posted By Bruce Schneier

It's both an art project and a practical clothing line. ...Harvey's line of "Stealth Wear" clothing includes an "anti-drone hoodie" that uses metalized material designed to counter thermal imaging used by drones to spot people on the ground. He's also created a cellphone pouch made of a special "signal attenuating fabric." The pocket blocks your phone signal so that it...

Mon, 14 Jan 2013 12:54:58 UTC

The Origins of War

Posted By Bruce Schneier

Philosophy professor David Livingstone Smith on the origins of war....

Fri, 11 Jan 2013 21:59:07 UTC

Friday Squid Blogging: Giant Squid Video

Posted By Bruce Schneier

Last week, I blogged about an upcoming Discovery Channel program with actual video footage of a live giant squid. ABC News has a tantalizingly short sneak peek. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 Jan 2013 14:10:17 UTC

Experimental Results: Liars and Outliers Trust Offer

Posted By Bruce Schneier

Last August, I offered to sell Liars and Outliers for $11 in exchange for a book review. This was much less than the $30 list price; less even than the $16 Amazon price. For readers outside the U.S., where books can be very expensive, it was a great price. I sold 800 books from this offer -- much more than...

Thu, 10 Jan 2013 12:49:12 UTC

The Politics and Philosophy of National Security

Posted By Bruce Schneier

This essay explains why we're all living in failed Hobbesian states: What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have...

Wed, 09 Jan 2013 12:44:18 UTC

Denial-of-Service Attack Against Facebook

Posted By Bruce Schneier

Just claim the person is dead. All you need to do is fake an online obituary....

Tue, 08 Jan 2013 19:36:53 UTC

Cat Smuggler

Posted By Bruce Schneier

Not a cat burglar, a cat smuggler. Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body. Another article, with video. A prison spokesperson was quoted by...

Tue, 08 Jan 2013 12:28:14 UTC

DHS Gets to Spy on Everyone

Posted By Bruce Schneier

This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name: The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure...

Mon, 07 Jan 2013 12:31:33 UTC

Details of an Internet Scam

Posted By Bruce Schneier

Interesting details of an Amazon Marketplace scam. Worth reading. Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or...

Fri, 04 Jan 2013 21:36:32 UTC

Friday Squid Blogging: Giant Squid Finally Captured on Video

Posted By Bruce Schneier

We'll see it later this month. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Jan 2013 13:48:22 UTC

What Facebook Gives the Police

Posted By Bruce Schneier

This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public....

Thu, 03 Jan 2013 12:03:48 UTC

Classifying a Shape

Posted By Bruce Schneier

This is a great essay: Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don't have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but...

Wed, 02 Jan 2013 14:44:41 UTC

Apollo Robbins, Pickpocket

Posted By Bruce Schneier

Fascinating story: "Come on," Jillette said. "Steal something from me." Again, Robbins begged off, but he offered to do a trick instead. He instructed Jillette to place a ring that he was wearing on a piece of paper and trace its outline with a pen. By now, a small crowd had gathered. Jillette removed his ring, put it down on...

Mon, 31 Dec 2012 12:44:16 UTC

Terms of Service as a Security Threat

Posted By Bruce Schneier

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general. As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our...

Fri, 28 Dec 2012 21:16:09 UTC

Friday Squid Blogging: William Gilly, Squid Researcher

Posted By Bruce Schneier

Good article. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Dec 2012 18:34:37 UTC

I Seem to Be a Verb

Posted By Bruce Schneier

From "The Insider's TSA Dictionary": Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission. Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go...

Fri, 28 Dec 2012 12:37:49 UTC

Becoming a Police Informant in Exchange for a Lighter Sentence

Posted By Bruce Schneier

Fascinating article. Snitching has become so commonplace that in the past five years at least 48,895 federal convicts -- one of every eight -- had their prison sentences reduced in exchange for helping government investigators, a USA TODAY examination of hundreds of thousands of court cases found. The deals can chop a decade or more off of their sentences. How...

Thu, 27 Dec 2012 19:02:46 UTC

Breaking Hard-Disk Encryption

Posted By Bruce Schneier

The newly announced ElcomSoft Forensic Disk Decryptor can decrypt BitLocker, PGP, and TrueCrypt. And it's only $300. How does it work? Elcomsoft Forensic Disk Decryptor acquires the necessary decryption keys by analyzing memory dumps and/or hibernation files obtained from the target PC. You'll thus need to get a memory dump from a running PC (locked or unlocked) with encrypted volumes...

Thu, 27 Dec 2012 12:21:53 UTC

Public Shaming as a Security Measure

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about the more social forms of security. One of them is reputational. This post is about that squishy sociological security measure: public shaming as a way to punish bigotry (and, by extension, to reduce the incidence of bigotry). It's a pretty rambling post, first listing some of the public shaming sites, then...

Wed, 26 Dec 2012 17:50:21 UTC

Cryptography Engineering Available as an eBook

Posted By Bruce Schneier

Finally, Cryptography Engineering is available as an ebook. Even better, it's today's deal of the day at O'Reilly: $27.50 (50% off) and no copy protection. (The discount won't show until you add the book to your cart.)...

Wed, 26 Dec 2012 12:05:50 UTC

Hackers Use Backdoor to Break System

Posted By Bruce Schneier

Industrial control system comes with a backdoor: Although the system was password protected in general, the backdoor through the IP address apparently required no password and allowed direct access to the control system. "[Th]e published backdoor URL provided the same level of access to the company's control system as the password-protected administrator login," said the memo. The security of this...

Mon, 24 Dec 2012 18:59:13 UTC

Peruvian Spider Species Creates Decoys

Posted By Bruce Schneier

Cyclosa spiders create decoys to fool predators....

Mon, 24 Dec 2012 12:31:48 UTC

Phishing via Twitter

Posted By Bruce Schneier

Interesting firsthand phishing story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a...

Fri, 21 Dec 2012 22:58:14 UTC

Friday Squid Blogging: Laughing Squid

Posted By Bruce Schneier

The small San Francisco film and video company is celebrating its 17th anniversary. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Dec 2012 18:12:11 UTC

This Week's Overreactions

Posted By Bruce Schneier

Schools go into lockdown over a thermometer, a car backfiring, a bank robbery a few blocks away, a student alone in a gym, a neighbor on the street, and some vague unfounded rumors. And one high-school kid was arrested for drawing pictures of guns. Everywhere else, post-traumatic stupidity syndrome." (It's not a new phrase -- Google shows hits back to...

Fri, 21 Dec 2012 12:20:05 UTC

Amazon Replacement-Order Scam

Posted By Bruce Schneier

Clever: Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon....

Thu, 20 Dec 2012 12:32:21 UTC

China Now Blocking Encryption

Posted By Bruce Schneier

The "Great Firewall of China" is now able to detect and block encryption: A number of companies providing "virtual private network" (VPN) services to users in China say the new system is able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the...

Wed, 19 Dec 2012 12:47:27 UTC

Information-Age Law Enforcement Techniques

Posted By Bruce Schneier

This is an interesting blog post: Buried inside a recent United Nations Office on Drugs and Crime report titled Use of Internet for Terrorist Purposes one can carve out details and examples of law enforcement electronic surveillance techniques that are normally kept secret. [...] Point 280: International members of the guerilla group Revolutionary Armed Forces of Colombia (FARC) communicated with...

Tue, 18 Dec 2012 12:38:47 UTC

Nasty Samsung Phone Exploit

Posted By Bruce Schneier

There's a new exploit against Samsung Galaxy phones that allows a rogue app access to all memory. A hacker could copy all of your data, erase all of your data, and basically brick your phone. I haven't found an official Samsung response, but there is a quick fix....

Mon, 17 Dec 2012 18:39:05 UTC

Possible Decryption of World War II Pigeon Message

Posted By Bruce Schneier

A Canadian claims that the message is based on a WWI codebook. A spokesman from GCHQ remains dubious, but says they'll be happy to look at the proposed solution....

Fri, 14 Dec 2012 22:44:32 UTC

Friday Squid Blogging: Giant PVC Squid

Posted By Bruce Schneier

Neat art project. Another link. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Dec 2012 18:24:13 UTC

Book Review: Against Security

Posted By Bruce Schneier

Against Security: How We Go Wrong at Airports, Subways, and Other Sites of Ambiguous Danger, by Harvey Molotch, Princeton University Press, 278 pages, $35. Security is both a feeling and a reality, and the two are different things. People can feel secure when they're actually not, and they can be secure even when they believe otherwise. This discord explains much...

Fri, 14 Dec 2012 13:28:14 UTC

The History of Security Economics

Posted By Bruce Schneier

Ross Anderson recalls the history of security economics (presentation and paper.)...

Thu, 13 Dec 2012 18:33:14 UTC

The Internet in North Korea

Posted By Bruce Schneier

How Internet censorship works in North Korea....

Thu, 13 Dec 2012 12:19:23 UTC

QR Code Scams

Posted By Bruce Schneier

There's a rise in QR codes that point to fraudulent sites. One of the warning signs seems to be a sticker with the code, rather than a code embedded in an advertising poster. This brings up another question: does anyone actually use these things?...

Wed, 12 Dec 2012 18:59:30 UTC

Detecting Edited Audio

Posted By Bruce Schneier

Interesting development in forensic analysis: Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording. Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging...

Wed, 12 Dec 2012 12:06:26 UTC

Drone Flights Over the US

Posted By Bruce Schneier

The EFF has been prying data out of the government and analyzing it....

Tue, 11 Dec 2012 19:03:22 UTC

The National Cyber Security Framework Manual

Posted By Bruce Schneier

This book is available as a free pdf download: The National Cyber Security Framework Manual provides detailed background information and in-depth theoretical frameworks to help the reader understand the various facets of National Cyber Security, according to different levels of public policy formulation. The four levels of government -- political, strategic, operational and tactical/technical -- each have their own perspectives...

Tue, 11 Dec 2012 12:08:25 UTC

Dictators Shutting Down the Internet

Posted By Bruce Schneier

Excellent article: "How to Shut Down Internets." First, he describes what just happened in Syria. Then: Egypt turned off the internet by using the Border Gateway Protocol trick, and also by switching off DNS. This has a similar effect to throwing bleach over a map. The location of every street and house in the country is blotted out. All the...

Mon, 10 Dec 2012 19:04:05 UTC

Bypassing Two-Factor Authentication

Posted By Bruce Schneier

Yet another way two-factor authentication has been bypassed: For a user to fall prey to Eurograbber, he or she must first be using a computer infected with the trojan. This was typically done by luring the user onto a malicious web page via a round of unfortunate web surfing or email phishing attempts. Once infected, the trojan would monitor that...

Mon, 10 Dec 2012 11:56:12 UTC

Buy Your Own ATM Skimmer for $3000

Posted By Bruce Schneier

I have no idea if this is real. If I had to guess, I would say no....

Fri, 07 Dec 2012 22:04:33 UTC

Squids on the Economist Cover

Posted By Bruce Schneier

Four squids on the cover of this week's Economist represent the four massive (and intrusive) data-driven Internet giants: Google, Facebook, Apple, and Amazon. Interestingly, these are the same four companies I've been listing as the new corporate threat to the Internet. The first of three pillars propping up this outside threat are big data collectors, which in addition to Apple...

Thu, 06 Dec 2012 16:59:03 UTC

Comedy and Cryptography

Posted By Bruce Schneier

Not the sort of pairing I normally think of, but: Robin Ince and Brian Cox are joined on stage by comedian Dave Gorman, author and Enigma Machine owner Simon Singh and Bletchley Park enthusiast Dr Sue Black as they discuss secret science, code-breaking and the extraordinary achievements of the team working at Bletchley during WW II. Audio here....

Wed, 05 Dec 2012 12:01:00 UTC

Roger Williams' Cipher Cracked

Posted By Bruce Schneier

Another historical cipher, this one from the 1600s, has been cracked: Senior math major Lucas Mason-Brown, who has done the majority of the decoding, said his first instinct was to develop a statistical tool. The 21-year-old from Belmont, Mass., used frequency analysis, which looks at the frequency of letters or groups of letters in a text, but initially didn't get...

Mon, 03 Dec 2012 13:24:27 UTC

Feudal Security

Posted By Bruce Schneier

It's a feudal world out there. Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft...

Fri, 30 Nov 2012 20:18:00 UTC

Friday Squid Blogging: Possible Squid Eyeball Found in Florida

Posted By Bruce Schneier

It's the size of a softball. No sign of the squid it came from. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 30 Nov 2012 11:23:15 UTC

Hacking by the Syrian Government

Posted By Bruce Schneier

Good article on how the Syrian government hacked into the computers of dissidents: The cyberwar in Syria began with a feint. On Feb. 8, 2011, just as the Arab Spring was reaching a crescendo, the government in Damascus suddenly reversed a long-standing ban on websites such as Facebook, Twitter, YouTube, and the Arabic version of Wikipedia. It was an odd...

Thu, 29 Nov 2012 22:36:25 UTC

Advances in Attacking ATMs

Posted By Bruce Schneier

Cash traps and card traps are the new thing: [Card traps] involve devices that fit over the card acceptance slot and include a razor-edged spring trap that prevents the customer's card from being ejected from the ATM when the transaction is completed. "Spring traps are still being widely used," EAST wrote in its most recently European Fraud Update. "Once the...

Wed, 28 Nov 2012 19:30:35 UTC

James Bond Movie-Plot Threats

Posted By Bruce Schneier

Amusing post on the plausibility of the evil plans from the various movies....

Wed, 28 Nov 2012 11:55:47 UTC

The Psychology of IT Security Trade-offs

Posted By Bruce Schneier

Good article. I agree with the conclusion that the solution isn't to convince people to make better choices, but to change the IT architecture so that it's easier to make better choices....

Tue, 27 Nov 2012 18:12:19 UTC

Classified Information Confetti

Posted By Bruce Schneier

Some of the confetti at the Macy's Thanksgiving Day Parade in New York consisted of confidential documents from the Nassau County Police Department, shredded sideways....

Tue, 27 Nov 2012 12:39:05 UTC

Hackback

Posted By Bruce Schneier

Stewart Baker, Orin Kerr, and Eugene Volokh on the legality of hackback....

Mon, 26 Nov 2012 15:48:10 UTC

Liars and Outliers Ebook 50% Off and DRM-Free

Posted By Bruce Schneier

Today only, O'Reilly is offering 50% off all its ebooks, including Liars and Outliers. This is probably the cheapest you'll find a DRM-free copy of the book....

Mon, 26 Nov 2012 15:35:19 UTC

Homeland Security Essay Contest

Posted By Bruce Schneier

The Naval Postgraduate School's Center for Homeland Defense and Security is running its sixth annual essay competition. There are cash prizes. (Info on previous years here.)...

Fri, 23 Nov 2012 22:50:52 UTC

Friday Squid Blogging: Another Squid Comic

Posted By Bruce Schneier

Another squid comic. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 Nov 2012 12:18:19 UTC

Preventing Catastrophic Threats

Posted By Bruce Schneier

"Recommendations to Prevent Catastrophic Threats." Federation of American Scientists, 9 November 2012. It's twelve specific sets of recommendations for twelve specific threats. See also this....

Wed, 21 Nov 2012 20:06:29 UTC

Cell Phone Surveillance

Posted By Bruce Schneier

Good article on the different ways the police can eavesdrop on cell phone calls....

Wed, 21 Nov 2012 12:34:40 UTC

Decrypting a Secret Society's Documents from the 1740s

Posted By Bruce Schneier

Great story, both the cryptanalysis process and the Oculists....

Tue, 20 Nov 2012 18:53:47 UTC

Anonymous Claims it Sabotaged Rove Election Hacking

Posted By Bruce Schneier

Can anyone make heads or tails of this story? (More links.) For my part, I'd like a little -- you know -- evidence. Remember that Ohio was not the deciding state in the election. Neither was Florida or Virginia. It was Colorado. So even if there was this magic election-stealing software running in Ohio, it wouldn't have made any difference....

Mon, 19 Nov 2012 18:40:03 UTC

E-Mail Security in the Wake of Petraeus

Posted By Bruce Schneier

I've been reading lots of articles discussing how little e-mail and Internet privacy we actually have in the U.S. This is a good one to start with: The FBI obliged, apparently obtaining subpoenas for Internet Protocol logs, which allowed them to connect the sender's anonymous Google Mail account to others accessed from the same computers, accounts that belonged to...

Mon, 19 Nov 2012 11:41:01 UTC

Security Theater in American Diplomatic Missions

Posted By Bruce Schneier

I noticed this in an article about how increased security and a general risk aversion is harming US diplomatic missions: "Barbara Bodine, who was the U.S. ambassador to Yemen during the Qaeda bombing of the U.S.S. Cole in 2000, told me she believes that much of the security American diplomats are forced to travel with is counterproductive. "There's this idea...

Fri, 16 Nov 2012 22:30:44 UTC

Friday Squid Blogging: Vampire Squid

Posted By Bruce Schneier

Vampire squid eats marine wastes (paper and video). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Nov 2012 18:11:27 UTC

Jamming 4G Cell Networks

Posted By Bruce Schneier

It's easy....

Fri, 16 Nov 2012 12:13:03 UTC

Stealing VM Keys from the Hardware Cache

Posted By Bruce Schneier

Research into one VM stealing crypto keys from another VM running on the same hardware. ABSTRACT: This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrated on a symmetric multiprocessing system virtualized...

Thu, 15 Nov 2012 12:45:24 UTC

The Terrorist Risk of Food Trucks

Posted By Bruce Schneier

This is idiotic: Public Intelligence recently posted a Powerpoint presentation from the NYC fire department (FDNY) discussing the unique safety issues mobile food trucks present. Along with some actual concerns (many food trucks use propane and/or gasoline-powered generators to cook; some *gasp* aren't properly licensed food vendors), the presenter decided to toss in some DHS speculation on yet another way...

Wed, 14 Nov 2012 18:28:08 UTC

Webmail as Dead Drop

Posted By Bruce Schneier

I noticed this amongst the details of the Petraeus scandal: Petraeus and Broadwell apparently used a trick, known to terrorists and teenagers alike, to conceal their email traffic, one of the law enforcement officials said. Rather than transmitting emails to the other's inbox, they composed at least some messages and instead of transmitting them, left them in a draft folder...

Wed, 14 Nov 2012 11:57:07 UTC

Keys to the Crown Jewels Stolen?

Posted By Bruce Schneier

At least, that's the story: The locks at the Tower of London, home to the Crown Jewels, had to be changed after a burglar broke in and stole keys. The intruder scaled gates and took the keys from a sentry post. Guards spotted him but couldn't give chase as they are not allowed to leave their posts. But the story...

Tue, 13 Nov 2012 12:15:35 UTC

Free Online Cryptography Course

Posted By Bruce Schneier

Dan Boneh of Stanford University is offering a free online cryptography course. The course runs for six weeks, and has five to seven hours of coursework per week. It just started last week....

Mon, 12 Nov 2012 19:03:48 UTC

Fairy Wren Passwords

Posted By Bruce Schneier

Mother fairy wrens teach their children passwords while they're still in their eggs to tell them from cuckoo impostors: She kept 15 nests under constant audio surveillance, and discovered that fairy-wrens call to their unhatched chicks, using a two-second trill with 19 separate elements to it. They call once every four minutes while sitting on their eggs, starting on the...

Mon, 12 Nov 2012 11:47:17 UTC

Encryption in Cloud Computing

Posted By Bruce Schneier

This article makes the important argument that encryption -- where the user and not the cloud provider holds the keys -- is critical to protect cloud data. The problem is, it upsets cloud providers' business models: In part it is because encryption with customer controlled keys is inconsistent with portions of their business model. This architecture limits a cloud provider's...

Fri, 09 Nov 2012 22:16:27 UTC

Friday Squid Blogging: Squid Ink as a Condiment

Posted By Bruce Schneier

Burger King introduces a black burger with ketchup that includes squid ink. Only in Japan, of course....

Fri, 09 Nov 2012 19:32:39 UTC

How To Tell if Your Hotel Guest Is a Terrorist

Posted By Bruce Schneier

From the Department of Homeland Security, a handy list of 19 suspicious behaviors that could indicate that a hotel guest is actually a terrorist. I myself have done several of these. More generally, this is another example of why all the "see something say something" campaigns fail: "If you ask amateurs to act as front-line security personnel, you shouldn't be...

Fri, 09 Nov 2012 12:41:39 UTC

How Terrorist Groups Disband

Posted By Bruce Schneier

Interesting research from RAND: Abstract: How do terrorist groups end? The evidence since 1968 indicates that terrorist groups rarely cease to exist as a result of winning or losing a military campaign. Rather, most groups end because of operations carried out by local police or intelligence agencies or because they join the political process. This suggests that the United States...

Thu, 08 Nov 2012 19:24:59 UTC

Gary McGraw on National Cybersecurity

Posted By Bruce Schneier

Good essay, making the point that cyberattack and counterattack aren't very useful -- actual cyberdefense is what's wanted. Creating a cyber-rock is cheap. Buying a cyber-rock is even cheaper since zero-day attacks exist on the open market for sale to the highest bidder. In fact, if the bad guy is willing to invest time rather than dollars and become an...

Thu, 08 Nov 2012 12:57:17 UTC

Micromorts

Posted By Bruce Schneier

Here's a great concept: a micromort: Shopping for coffee you would not ask for 0.00025 tons (unless you were naturally irritating), you would ask for 250 grams. In the same way, talking about a 1/125,000 or 0.000008 risk of death associated with a hang-gliding flight is rather awkward. With that in mind, Howard coined the term "microprobability" (μp) to refer...

Wed, 07 Nov 2012 19:39:08 UTC

New SSL Vulnerability

Posted By Bruce Schneier

It's hard for me to get too worked up about this vulnerability: Many popular applications, HTTP(S) and WebSocket transport libraries, and SOAP and REST Web-services middleware use SSL/TLS libraries incorrectly, breaking or disabling certificate validation. Their SSL and TLS connections are not authenticated, thus they -- and any software using them -- are completely insecure against a man-in-the-middle attacker. Great...

Wed, 07 Nov 2012 12:16:10 UTC

Regulation as a Prisoner's Dilemma

Posted By Bruce Schneier

This is the sort of thing I wrote about in my latest book. The Prisoner's Dilemma as outlined above can be seen in action in two variants within regulatory activities, and offers a clear insight into why those involved in regulation act as they do. The first relationship is that between the various people and organisations being regulated -- banks,...

Tue, 06 Nov 2012 18:17:00 UTC

Three-Rotor Enigma Machine Up for Auction

Posted By Bruce Schneier

Expensive, but it's in complete working order. They're also auctioning off a complete set of rotors; those are even rarer than the machines -- which are often missing their rotors....

Tue, 06 Nov 2012 16:13:43 UTC

Wanted: RSA Exhibitor for Book Signing

Posted By Bruce Schneier

Is anyone out there interested in buying a pile of copies of my Liars and Outliers for a giveaway and book signing at the RSA Conference? I can guarantee enormous crowds at your booth for as long as there are books to give away. This could also work for an after-hours event. Please let me know. I can get you...

Tue, 06 Nov 2012 12:40:09 UTC

New Vulnerability Against Industrial Control Systems

Posted By Bruce Schneier

It doesn't look good. These are often called SCADA vulnerabilities, although it isn't SCADA that's involved here. They're against programmable logic controllers (PLCs): the same industrial controllers that Stuxnet attacked....

Mon, 05 Nov 2012 20:54:47 UTC

New Jersey Allows Voting by E-Mail

Posted By Bruce Schneier

I'm not filled with confidence, but this seems like the best of a bunch of bad alternatives....

Mon, 05 Nov 2012 19:26:20 UTC

New WWII Cryptanalysis

Posted By Bruce Schneier

I'd sure like to know more about this: Government code-breakers are working on deciphering a message that has remained a secret for 70 years. It was found on the remains of a carrier pigeon that was discovered in a chimney, in Surrey, having been there for decades. It is thought the contents of the note, once decoded, could provide fresh...

Mon, 05 Nov 2012 12:19:55 UTC

On the Ineffectiveness of Airport Security Pat-Downs

Posted By Bruce Schneier

I've written about it before, but not half as well as this story: "That search was absolutely useless." I said. "And just shows how much of all of this is security theatre. You guys are just feeling up passengers for no good effect, which means that you get all the downsides of a search -- such as annoyed travellers who...

Fri, 02 Nov 2012 11:37:14 UTC

Loopholes

Posted By Bruce Schneier

Interesting This American Life show on loopholes. The first part is about getting around the Church's ban against suicide. The second part is about an interesting insurance scheme....

Fri, 02 Nov 2012 11:30:07 UTC

Friday Squid Blogging: Squid Costume

Posted By Bruce Schneier

This is great....

Thu, 01 Nov 2012 11:34:11 UTC

Peter Neumann Profile

Posted By Bruce Schneier

Really nice profile in the New York Times. It includes a discussion of the Clean Slate program: Run by Dr. Howard Shrobe, an M.I.T. computer scientist who is now a Darpa program manager, the effort began with a premise: If the computer industry got a do-over, what should it do differently? The program includes two separate but related efforts: Crash,...

Tue, 30 Oct 2012 17:57:30 UTC

Doping in Professional Sports

Posted By Bruce Schneier

I updated a 2006 essay of mine on the security issues around sports doping....

Tue, 30 Oct 2012 14:24:13 UTC

Rap News on Internet Surveillance

Posted By Bruce Schneier

Wow....

Tue, 30 Oct 2012 11:49:06 UTC

Dan Ariely on Dishonesty

Posted By Bruce Schneier

Good talk, and I've always liked these animators....

Mon, 29 Oct 2012 22:24:43 UTC

Detecting Fake Hurricane Photographs

Posted By Bruce Schneier

A short tutorial here. Actually, it's good advice even if there weren't a hurricane....

Mon, 29 Oct 2012 18:53:37 UTC

Protecting (and Collecting) the DNA of World Leaders

Posted By Bruce Schneier

There's a lot of hype and hyperbole in this story, but here's the interesting bit: According to Ronald Kessler, the author of the 2009 book In the President's Secret Service, Navy stewards gather bedsheets, drinking glasses, and other objects the president has touched -- they are later sanitized or destroyed -- in an effort to keep would-be malefactors from obtaining his genetic material....

Mon, 29 Oct 2012 11:36:19 UTC

Sony Playstation 3 Master Key Leaked

Posted By Bruce Schneier

Oops....

Fri, 26 Oct 2012 21:26:20 UTC

Friday Squid Blogging: Squid from the Power Ranger Universe

Posted By Bruce Schneier

Ika Origami....

Fri, 26 Oct 2012 11:46:52 UTC

Hacking TSA PreCheck

Posted By Bruce Schneier

I have a hard time getting worked up about this story: I have X'd out any information that you could use to change my reservation. But it's all there, PNR, seat assignment, flight number, name, etc. But what is interesting is the bolded three on the end. This is the TSA Pre-Check information. The number means the number of beeps....

Thu, 25 Oct 2012 11:27:58 UTC

The Risks of Trusting Experts

Posted By Bruce Schneier

I'm not sure what to think about this story: Six Italian scientists and an ex-government official have been sentenced to six years in prison over the 2009 deadly earthquake in L'Aquila. A regional court found them guilty of multiple manslaughter. Prosecutors said the defendants gave a falsely reassuring statement before the quake, while the defence maintained there was no way...

Wed, 24 Oct 2012 18:27:15 UTC

Risks of Data Portability

Posted By Bruce Schneier

Peter Swire and Yianni Lagos have pre-published a law journal article on the risks of data portability. It specifically addresses an EU data protection regulation, but the security discussion is more general. ...Article 18 poses serious risks to a long-established E.U. fundamental right of data protection, the right to security of a person's data. Previous access requests by individuals were...

Wed, 24 Oct 2012 10:57:41 UTC

Weaponizing Office Supplies

Posted By Bruce Schneier

Now this is interesting....

Mon, 22 Oct 2012 12:18:53 UTC

Camera Jammer that Protects Licence Plates

Posted By Bruce Schneier

noPhoto reacts to a camera flash, and then jams the image with a bright light. The website makes the point that this is legal, but that can't last....

Fri, 19 Oct 2012 21:54:20 UTC

Friday Squid Blogging: Squid Insurance

Posted By Bruce Schneier

This was once a real insurance product. Squid Insurance Marketing was the low-end offering at Astonish, complete with the tagline "Nothing Kills a Squid!" As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 19 Oct 2012 12:45:59 UTC

Stoking Cyber Fears

Posted By Bruce Schneier

A lot of the debate around President Obama's cybersecurity initiative centers on how much of a burden it would be on industry, and how that should be financed. As important as that debate is, it obscures some of the larger issues surrounding cyberwar, cyberterrorism, and cybersecurity in general. It's difficult to have any serious policy discussion amongst the fear mongering....

Thu, 18 Oct 2012 11:11:51 UTC

Analysis of How Bitcoin Is Actually Used

Posted By Bruce Schneier

"Quantitative Analysis of the Full Bitcoin Transaction Graph," by Dorit Ron and Adi Shamir: Abstract. The Bitcoin scheme is a rare example of a large scale global payment system in which all the transactions are publicly accessible (but in an anonymous way). We downloaded the full history of this scheme, and analyzed many statistical properties of its associated transaction graph....

Wed, 17 Oct 2012 11:23:52 UTC

Genetic Privacy

Posted By Bruce Schneier

New report from the Presidential Commission for the Study of Bioethical Issues. It's called "Privacy and Progress in Whole Genome Sequencing." The Commission described the rapid advances underway in the field of genome sequencing, but also noted growing concerns about privacy and security. The report lists twelve recommendations to improve current practices and to help safeguard privacy and security, including...

Tue, 16 Oct 2012 11:12:52 UTC

Studying Zero-Day Attacks

Posted By Bruce Schneier

Interesting paper: "Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World," by Leyla Bilge and Tudor Dumitras: Abstract: Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing,...

Mon, 15 Oct 2012 18:21:40 UTC

Apple Turns on iPhone Tracking in iOS6

Posted By Bruce Schneier

This is important: Previously, Apple had all but disabled tracking of iPhone users by advertisers when it stopped app developers from utilizing Apple mobile device data via UDID, the unique, permanent, non-deletable serial number that previously identified every Apple device. For the last few months, iPhone users have enjoyed an unusual environment in which advertisers have been largely unable to...

Mon, 15 Oct 2012 12:02:08 UTC

Master Keys

Posted By Bruce Schneier

Earlier this month, a retired New York City locksmith was selling a set of "master keys" on eBay: Three of the five are standard issue for members of the FDNY, and the set had a metal dog tag that was embossed with an FDNY lieutenant's shield number, 6896. The keys include the all-purpose "1620," a master firefighter key that with...

Sat, 13 Oct 2012 12:28:56 UTC

Another Liars and Outliers Review

Posted By Bruce Schneier

I was reviewed in Science: Thus it helps to have a lucid and informative account such as Bruce Schneier's Liars and Outliers. The book provides an interesting and entertaining summary of the state of play of research on human social behavior, with a special emphasis on trust and trustworthiness. [...] Free from preoccupations and personal attachments to any of the...

Fri, 12 Oct 2012 21:17:00 UTC

Friday Squid Blogging: Squid Car

Posted By Bruce Schneier

A squid art car. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 11 Oct 2012 12:03:15 UTC

"Ask Nicely" Doesn't Work as a Security Mechanism

Posted By Bruce Schneier

Apple's map application shows more of Taiwan than Google Maps: The Taiwanese government/military, like many others around the world, requests that satellite imagery providers, such as Google Maps, blur out certain sensitive military installations. Unfortunately, Apple apparently didn't get that memo. [...] According to reports the Taiwanese defence ministry hasn't filed a formal request with Apple yet but thought it...

Wed, 10 Oct 2012 13:18:42 UTC

The Insecurity of Networks

Posted By Bruce Schneier

Not computer networks, networks in general: Findings so far suggest that networks of networks pose risks of catastrophic danger that can exceed the risks in isolated systems. A seemingly benign disruption can generate rippling negative effects. Those effects can cost millions of dollars, or even billions, when stock markets crash, half of India loses power or an Icelandic volcano spews...

Tue, 09 Oct 2012 11:31:43 UTC

Story of a CIA Burglar

Posted By Bruce Schneier

This is a fascinating story of a CIA burglar, who worked for the CIA until he tried to work against the CIA. The fact that he stole code books and keys from foreign embassies makes it extra interesting, and the complete disregard for the Constitution at the end makes it extra scary....

Mon, 08 Oct 2012 13:12:38 UTC

New Developments in Captchas

Posted By Bruce Schneier

In the never-ending arms race between systems to prove that you're a human and computers that can fake it, here's a captcha that tests whether you have human feelings. Instead of your run-of-the-mill alphanumeric gibberish, or random selection of words, the Civil Rights Captcha presents you with a short blurb about a Civil Rights violation and asks you how you...

Fri, 05 Oct 2012 21:38:19 UTC

Friday Squid Blogging: Giant Squid Engraving from the 1870s

Posted By Bruce Schneier

Neat book illustration. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 05 Oct 2012 18:24:43 UTC

When Will We See Collisions for SHA-1?

Posted By Bruce Schneier

On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I'm reprinting his analysis here, so it reaches a broader audience. According to E-BASH, the cost of one block of a SHA-1...

Fri, 05 Oct 2012 12:44:48 UTC

Maps Showing Spread of ZeroAccess Botnet

Posted By Bruce Schneier

The folks at F-Secure have plotted ZeroAccess infections across the U.S. and across Europe. It's interesting to see, but I'm curious to see the data normalized to the number of computers on the Internet....

Thu, 04 Oct 2012 20:35:10 UTC

Tradecraft and Terrorism

Posted By Bruce Schneier

Interesting....

Wed, 03 Oct 2012 15:00:21 UTC

Authentication Stories

Posted By Bruce Schneier

Anecdotes from Asia on seals versus signatures on official documents....

Tue, 02 Oct 2012 21:50:11 UTC

Keccak is SHA-3

Posted By Bruce Schneier

NIST has just announced that Keccak has been selected as SHA-3. It's a fine choice. I'm glad that SHA-3 is nothing like the SHA-2 family; something completely different is good. Congratulations to the Keccak team. Congratulations -- and thank you -- to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the...

Tue, 02 Oct 2012 14:41:26 UTC

2013 U.S. Homeland Security Budget

Posted By Bruce Schneier

Among other findings in this CBO report: Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001. Note that this is just direct spending on homeland security. This does not...

Mon, 01 Oct 2012 18:12:55 UTC

Security Question Cartoon

Posted By Bruce Schneier

Funny....

Mon, 01 Oct 2012 11:52:27 UTC

Scary iPhone Malware Story

Posted By Bruce Schneier

This story sounds pretty scary: Developed by Robert Templeman at the Naval Surface Warfare Center in Indiana and a few buddies from Indiana University, PlaceRaider hijacks your phone's camera and takes a series of secret photographs, recording the time, and the phone's orientation and location with each shot. Using that information, it can reliably build a 3D model of your...

Thu, 27 Sep 2012 18:14:22 UTC

NPR on Biometric Data Collection

Posted By Bruce Schneier

Interesting Talk of the Nation segment....

Thu, 27 Sep 2012 14:10:59 UTC

Replacing Alice and Bob

Posted By Bruce Schneier

A proposal to replace cryptography's Alice and Bob with Sita and Rama: Any book on cryptography invariably involves the characters Alice and Bob. It is always Alice who wants to send a message to Bob. This article replaces the dramatis personae of cryptography with characters drawn from Hindu mythology....

Wed, 26 Sep 2012 12:11:15 UTC

Using Agent-Based Simulations to Evaluate Security Systems

Posted By Bruce Schneier

Kay Hamacher and Stefan Katzenbeisser, "Public Security: Simulations Need to Replace Conventional Wisdom," New Security Paradigms Workshop, 2011. Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently...

Tue, 25 Sep 2012 18:29:10 UTC

Quantum Cryptography

Posted By Bruce Schneier

Long article on quantum cryptography and cryptanalysis....

Tue, 25 Sep 2012 12:40:52 UTC

Homomorphic Encryption

Posted By Bruce Schneier

Good summary article....

Mon, 24 Sep 2012 18:09:24 UTC

Security Vulnerability in Windows 8 Unified Extensible Firmware Interface (UEFI)

Posted By Bruce Schneier

This is the first one discovered, I think....

Mon, 24 Sep 2012 11:59:58 UTC

SHA-3 to Be Announced

Posted By Bruce Schneier

NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It's probably too late for me to affect the final decision, but I am hoping for "no award." It's not that the new...

Fri, 21 Sep 2012 21:30:53 UTC

Friday Squid Blogging: Beached Firefly Squid

Posted By Bruce Schneier

Pretty photo of firefly squid beached along a coast. I've written about firefly squid before. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 21 Sep 2012 20:29:25 UTC

Another Review of Liars and Outliers

Posted By Bruce Schneier

I usually don't post reviews of Liars and Outliers -- they're all here -- but I am particularly proud of this one....

Fri, 21 Sep 2012 11:45:47 UTC

Accountable Algorithms

Posted By Bruce Schneier

Ed Felten has two posts about accountable algorithms. Good stuff....

Thu, 20 Sep 2012 11:02:44 UTC

The NSA and the Risk of Off-the-Shelf Devices

Posted By Bruce Schneier

Interesting article on how the NSA is approaching risk in the era of cool consumer devices. There's a discussion of the president's network-disabled iPad, and the classified cell phone that flopped because it took so long to develop and was so clunky. Turns out that everyone wants to use iPhones. Levine concluded, "Using commercial devices to process classified phone calls,...

Wed, 19 Sep 2012 17:31:26 UTC

Analysis of PIN Data

Posted By Bruce Schneier

An analysis of 3.4 million four-digit PINs. ("1234" is the most common: 10.7% of all PINs. The top 20 PINs are 26.8% of the total. "8068" is the least common PIN -- that'll probably change now that the fact is published.)...

Wed, 19 Sep 2012 09:41:36 UTC

Recent Developments in Password Cracking

Posted By Bruce Schneier

A recent Ars Technica article made the point that password crackers are getting better, and therefore passwords are getting weaker. It's not just computing speed; we now have many databases of actual passwords we can use to create dictionaries of common passwords, or common password-generation techniques. (Example: dictionary word plus a single digit.) This really isn't anything new. I wrote...

Tue, 18 Sep 2012 21:37:55 UTC

Friday Squid Blogging: Octonaut

Posted By Bruce Schneier

A space-traveling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Mon, 17 Sep 2012 12:03:54 UTC

Diamond Swallowing as a Ruse

Posted By Bruce Schneier

It's a known theft tactic to swallow what you're stealing. It works for food at the supermarket, and it also can work for diamonds. Here's a twist on that tactic: Police say he could have swallowed the stone in an attempt to distract the diamond's owner, Suresh de Silva, while his accomplice stole the real gem. Mr de Silva told...

Fri, 14 Sep 2012 21:15:29 UTC

Friday Squid Blogging: Giant Squid Museum

Posted By Bruce Schneier

In Valdés, Spain. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 14 Sep 2012 19:20:59 UTC

Schneier on Security on Elementary

Posted By Bruce Schneier

Two of my books can be seen in the background in CBS' new Sherlock Holmes drama, Elementary. A copy of Schneier on Security is prominently displayed on Sherlock Holmes' bookshelf. You can see it in the first few minutes of the pilot episode. The show's producers contacted me early on to ask permission to use my books, so it didn't...

Fri, 14 Sep 2012 16:23:20 UTC

Man-in-the-Middle Bank Fraud Attack

Posted By Bruce Schneier

This sort of attack will become more common as banks require two-factor authentication: Tatanga checks the user account details including the number of accounts, supported currency, balance/limit details. It then chooses the account from which it could steal the highest amount. Next, it initiates a transfer. At this point Tatanga uses a Web Inject to trick the user into believing...

Fri, 14 Sep 2012 11:47:58 UTC

UGNazi

Posted By Bruce Schneier

Good article on the hacker group UGNazi....

Thu, 13 Sep 2012 18:20:33 UTC

Estimating the Probability of Another 9/11

Posted By Bruce Schneier

This statistical research says once per decade: Abstract: Quantities with right-skewed distributions are ubiquitous in complex social systems, including political conflict, economics and social networks, and these systems sometimes produce extremely large events. For instance, the 9/11 terrorist events produced nearly 3000 fatalities, nearly six times more than the next largest event. But, was this enormous loss of life statistically...

Thu, 13 Sep 2012 11:15:57 UTC

Steganography in the Wild

Posted By Bruce Schneier

Steganographic information is embedded in World of Warcraft screen shots....

Wed, 12 Sep 2012 17:55:56 UTC

Stopping Terrorism

Posted By Bruce Schneier

Nice essay on the futility of trying to prevent another 9/11: "Never again." It is as simplistic as it is absurd. It is as vague as it is damaging. No two words have provided so little meaning or context; no catchphrase has so warped policy discussions that it has permanently confused the public's understanding of homeland security. It convinced us...

Wed, 12 Sep 2012 11:23:16 UTC

A Real Movie-Plot Threat Contest

Posted By Bruce Schneier

The "Australia's Security Nightmares: The National Security Short Story Competition" is part of Safeguarding Australia 2012. To aid the national security community in imagining contemporary threats, the Australian Security Research Centre (ASRC) is organising Australia's Security Nightmares: The National Security Short Story Competition. The competition aims to produce a set of short stories that will contribute to a better conception...

Tue, 11 Sep 2012 17:38:40 UTC

New Attack Against Chip-and-Pin Systems

Posted By Bruce Schneier

Well, new to us: You see, an EMV payment card authenticates itself with a MAC of transaction data, for which the freshly generated component is the unpredictable number (UN). If you can predict it, you can record everything you need from momentary access to a chip card to play it back and impersonate the card at a future date and...

Tue, 11 Sep 2012 11:45:18 UTC

Security at the 9/11 WTC Memorial

Posted By Bruce Schneier

There's a lot: Advance tickets are required to enter this public, outdoor memorial. To book them, you're obliged to provide your home address, email address, and phone number, and the full names of everyone in your party. It is strongly recommended that you print your tickets at home, which is where you must leave explosives, large bags, hand soap, glass...

Mon, 10 Sep 2012 11:51:47 UTC

Another Stuxnet Post

Posted By Bruce Schneier

Larry Constantine disputes David Sanger's book about Stuxnet: So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec show that, in fact, that it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that...

Fri, 07 Sep 2012 21:41:03 UTC

Friday Squid Blogging: Controlling Squid Chromatophores with Music

Posted By Bruce Schneier

Wacky. Other stories about the story. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 07 Sep 2012 12:10:06 UTC

Hacking Marathon Races

Posted By Bruce Schneier

Truly bizarre story of someone who seems to have figured out how to successfully cheat at marathons. The evidence of his cheating is overwhelming, but no one knows how he does it....

Thu, 06 Sep 2012 17:31:43 UTC

CSOs/CISOs Wanted: Cloud Security Questions

Posted By Bruce Schneier

I'm trying to separate cloud security hype from reality. To that end, I'd like to talk to a few big corporate CSOs or CISOs about their cloud security worries, requirements, etc. If you're willing to talk, please contact me via e-mail. Eventually I will share the results of this inquiry. Thank you....

Thu, 06 Sep 2012 11:48:48 UTC

Database of 12 Million Apple UDIDs Hacked

Posted By Bruce Schneier

In this story, we learn that hackers got their hands on a database of 12 million Apple Unique Device Identifiers (UDIDs) by hacking an FBI laptop. When I first read the story, my questions were not about the hack but about the data. Why does an FBI agent have user identification information about 12 million iPhone users on his...

Wed, 05 Sep 2012 19:04:29 UTC

Wall Street Journal Review of Liars and Outliers

Posted By Bruce Schneier

Liars and Outliers (along with two other books: Kip Hawley's memoir of his time at the TSA and Against Security, by Harvey Molotch) has been reviewed in the Wall Street Journal....

Wed, 05 Sep 2012 11:06:03 UTC

Hacking Brain-Computer Interfaces

Posted By Bruce Schneier

In this fascinating piece of research, the question is asked: can we surreptitiously collect secret information from the brains of people using brain-computer interface devices? One article: A team of security researchers from Oxford, UC Berkeley, and the University of Geneva say that they were able to deduce digits of PIN numbers, birth months, areas of residence and other personal...

Tue, 04 Sep 2012 14:04:49 UTC

Eye Twitch Patterns as a Biometric

Posted By Bruce Schneier

Yet another biometric: eye twitch patterns: ...a person's saccades, their tiny, but rapid, involuntary eye movements, can be measured using a video camera. The pattern of saccades is as unique as an iris or fingerprint scan but easier to record and so could provide an alternative secure biometric identification technology. Probably harder to fool than iris scanners....

Fri, 31 Aug 2012 21:22:07 UTC

Friday Squid Blogging: "The Seasick Squid"

Posted By Bruce Schneier

A fable. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 31 Aug 2012 14:20:06 UTC

Conversation about Liars and Outliers on The WELL

Posted By Bruce Schneier

I'm on The WELL right now -- for the next week or so -- discussing my new book with anyone who wants to participate. I'm also at Dragon*Con this weekend in Atlanta....

Thu, 30 Aug 2012 14:22:54 UTC

The Psychological Effects of Terrorism

Posted By Bruce Schneier

Shelly C. McArdle, Heather Rosoff, Richard S. John (2012), "The Dynamics of Evolving Beliefs, Concerns Emotions, and Behavioral Avoidance Following 9/11: A Longitudinal Analysis of Representative Archival Samples," Risk Analysis v. 32, pp. 744-761. Abstract: September 11 created a natural experiment that enables us to track the psychological effects of a large-scale terror event over time. The archival data came...

Wed, 29 Aug 2012 11:37:46 UTC

Shared Lock

Posted By Bruce Schneier

A reader sent me this photo of a shared lock. It's at the gate of a large ranch outside of Victoria, Texas. Multiple padlocks secure the device, but when a single padlock is removed, the center pin can be fully lifted and the gate can be opened. The point is to allow multiple entities (oil and gas, hunting parties, ranch...

Tue, 28 Aug 2012 15:38:30 UTC

The Importance of Security Engineering

Posted By Bruce Schneier

In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don't recommend reading the entire discussion; we spent 14,000 words talking past each other. But what's interesting is how our debate illustrates the differences between a security engineer...

Tue, 28 Aug 2012 00:06:22 UTC

Fear and Imagination

Posted By Bruce Schneier

Interesting anecdote from World War II....

Fri, 24 Aug 2012 21:32:51 UTC

Friday Squid Blogging: Squid Sacrifices Arms to Avoid Predators

Posted By Bruce Schneier

The squid Octopoteuthis deletron will drop portions of an arm to escape from a predator. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 24 Aug 2012 18:18:45 UTC

Internet Safety Talking Points for Schools

Posted By Bruce Schneier

A surprisingly sensible list. E. Why are you penalizing the 95% for the 5%? You don't do this in other areas of discipline at school. Even though you know some students will use their voices or bodies inappropriately in school, you don't ban everyone from speaking or moving. You know some students may show up drunk to the prom, yet...

Fri, 24 Aug 2012 11:27:07 UTC

Fear and How it Scales

Posted By Bruce Schneier

Nice post: The screaming fear in your stomach before you give a speech to 12 kids in the fifth grade is precisely the same fear a presidential candidate feels before the final debate. The fight-or-flight reflex that speeds up your heart when you're about to get a speeding ticket you don't deserve isn't very different than the chemical reaction in...

Thu, 23 Aug 2012 18:23:14 UTC

Exaggerating Cybercrime

Posted By Bruce Schneier

Finally, someone takes a look at the $1 trillion number government officials are quoting as the cost of cybercrime. While it's a good figure to scare people, it doesn't have much of a basis in reality....

Thu, 23 Aug 2012 11:43:42 UTC

Video Filter that Detects a Pulse

Posted By Bruce Schneier

Fascinating. How long before someone claims he can use this technology to detect nervous people in airports?...

Wed, 22 Aug 2012 17:34:51 UTC

Five "Neglects" in Risk Management

Posted By Bruce Schneier

Good list, summarized here: 1. Probability neglect -- people sometimes don't consider the probability of the occurrence of an outcome, but focus on the consequences only. 2. Consequence neglect -- just like probability neglect, sometimes individuals neglect the magnitude of outcomes. 3. Statistical neglect -- instead of subjectively assessing small probabilities and continuously updating them, people choose to use rules-of-thumb...

Wed, 22 Aug 2012 11:09:11 UTC

Poll: Americans Like the TSA

Posted By Bruce Schneier

Gallup has the results: Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the...

Tue, 21 Aug 2012 18:42:31 UTC

Is iPhone Security Really this Good?

Posted By Bruce Schneier

Simson Garfinkel writes that the iPhone has such good security that the police can't use it for forensics anymore: Technologies the company has adopted protect Apple customers' content so well that in many situations it's impossible for law enforcement to perform forensic examinations of devices seized from criminals. Most significant is the increasing use of encryption, which is beginning to...

Tue, 21 Aug 2012 10:53:54 UTC

Help Cryptanalyze Gauss

Posted By Bruce Schneier

Kaspersky is looking for help decrypting the Gauss payload....

Mon, 20 Aug 2012 18:05:08 UTC

Passive Sensor that Sees Through Walls

Posted By Bruce Schneier

A new technology uses the radiation given off by wi-fi devices to sense the positions of people through a one-foot-thick brick wall....

Mon, 20 Aug 2012 11:36:29 UTC

The View from an Israeli Security Checkpoint

Posted By Bruce Schneier

This is an extraordinary (and gut-wrenching) first-person account of what it's like to staff an Israeli security checkpoint. It shows how power corrupts: how it's impossible to make humane decisions in such a circumstance....

Fri, 17 Aug 2012 21:16:40 UTC

Friday Squid Blogging: Efforts to Film a Live Giant Squid

Posted By Bruce Schneier

Japanese researchers are attempting to film the elusive giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Aug 2012 11:39:14 UTC

$200 for a Fake Security System

Posted By Bruce Schneier

This is pretty funny: Moving red laser beams scare away potential intruders. Laser beams move along floor and wall 180 degrees. Easy to install, 110v comes on automatically w/timer. Watch the video. This is not an alarm, and it doesn't do anything other than the laser light show. But, as the product advertisement says, "perception can be an excellent deterrent...

Thu, 16 Aug 2012 18:52:38 UTC

Rudyard Kipling on Societal Pressures

Posted By Bruce Schneier

In the short story "A Wayside Comedy," published in 1888 in Under the Deodars, Kipling wrote: You must remember, though you will not understand, that all laws weaken in a small and hidden community where there is no public opinion. When a man is absolutely alone in a Station he runs a certain risk of falling into evil ways. This...

Thu, 16 Aug 2012 11:49:54 UTC

An Analysis of Apple's FileVault 2

Posted By Bruce Schneier

This is an analysis of Apple's disk encryption program, FileVault 2, that first appeared in the Lion operating system. Short summary: they couldn't break it. (Presumably, the version in Mountain Lion isn't any different.)...

Wed, 15 Aug 2012 19:23:52 UTC

Lousy Password Security on Tesco Website

Posted By Bruce Schneier

Good post, not because it picks on Tesco but because it's filled with good advice on how not to do it wrong....

Wed, 15 Aug 2012 13:57:59 UTC

Sexual Harassment at DefCon (and Other Hacker Cons)

Posted By Bruce Schneier

Excellent blog post by Valerie Aurora about sexual harassment at the DefCon hackers conference. Aside from the fact that this is utterly reprehensible behavior by the perpetrators involved, this is a real problem for our community. The response of "this is just what hacker culture is, and changing it will destroy hackerdom" is just plain wrong. When swaths of the...

Wed, 15 Aug 2012 10:59:19 UTC

Liars and Outliers on Special Discount

Posted By Bruce Schneier

Liars and Outliers has been out since late February, and while it's selling great, I'd like it to sell better. So I have a special offer for my regular readers. People in the U.S. can buy a signed copy of the book for $11, Media Mail postage included. (Yes, I'm selling the book at a loss.) People in other countries...

Tue, 14 Aug 2012 19:27:23 UTC

Schneier in the News

Posted By Bruce Schneier

Here are links to three news articles about me, and two video interviews with me....

Tue, 14 Aug 2012 18:16:15 UTC

Measuring Cooperation and Defection using Shipwreck Data

Posted By Bruce Schneier

In Liars and Outliers, I talk a lot about social norms and when people follow them. This research uses survival data from shipwrecks to measure it. The authors argue that shipwrecks can actually tell us a fair bit about human behavior, since everyone stuck on a sinking ship has to do a bit of cost-benefit analysis. People will weigh their...

Tue, 14 Aug 2012 11:00:34 UTC

Cryptocat

Posted By Bruce Schneier

I'm late writing about this one. Cryptocat is a web-based encrypted chat application. After Wired published a pretty fluffy profile on the program and its author, security researcher Chris Soghoian wrote an essay criticizing the unskeptical coverage. Ryan Singel, the editor (not the writer) of the Wired piece, responded by defending the original article and attacking Soghoian. At this point,...

Mon, 13 Aug 2012 17:41:37 UTC

Preventive vs. Reactive Security

Posted By Bruce Schneier

This is kind of a rambling essay on the need to spend more on infrastructure, but I was struck by this paragraph: Here's a news flash: There are some events that no society can afford to be prepared for to the extent that we have come to expect. Some quite natural events -- hurricanes, earthquakes, tsunamis, derechos -- have such...

Mon, 13 Aug 2012 11:57:01 UTC

U.S. and China Talking About Cyberweapons

Posted By Bruce Schneier

Stuart Baker calls them "proxy talks" because they're not government to government, but it's a start....

Fri, 10 Aug 2012 21:02:56 UTC

Friday Squid Blogging: Dumpling Squid

Posted By Bruce Schneier

The sex life of the dumpling squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Aug 2012 18:22:46 UTC

Termite Suicide Bombers

Posted By Bruce Schneier

Some termites blow themselves up to expel invaders from their nest....

Fri, 10 Aug 2012 10:51:17 UTC

11-Year-Old Bypasses Airport Security

Posted By Bruce Schneier

Sure, stories like this are great fun, but I don't think it's much of a security concern. Terrorists can't build a plot around random occasional security failures....

Thu, 09 Aug 2012 18:46:02 UTC

Rolling Stone Magazine Writes About Computer Security

Posted By Bruce Schneier

It's a virus that plays AC/DC, so it makes sense. Surreal, though. Another article....

Thu, 09 Aug 2012 11:32:29 UTC

Detecting Spoofed GPS Signals

Posted By Bruce Schneier

This is the latest in the arms race between spoofing GPS signals and detecting spoofed GPS signals. Unfortunately, the countermeasures all seem to be patent pending....

Wed, 08 Aug 2012 18:04:58 UTC

Chinese Gang Sells Fake Professional Certifications

Posted By Bruce Schneier

They were able to hack into government websites: The gang's USP, and the reason it could charge up to 10,000 yuan (£1,000) per certificate, was that it could hack the relevant government site and tamper with the back-end database to ensure that the fake cert's name and registration number appeared legitimate. The gang made £30M before being arrested....

Wed, 08 Aug 2012 11:31:24 UTC

Yet Another Risk of Storing Everything in the Cloud

Posted By Bruce Schneier

A hacker can social-engineer his way into your cloud storage and delete everything you have. It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud....

Tue, 07 Aug 2012 18:45:30 UTC

Peter Swire Testifies on the Inadequacy of Privacy Self-Regulation

Posted By Bruce Schneier

Ohio State University Law Professor Peter Swire testifies before Congress on the inadequacy of industry self-regulation to protect privacy....

Tue, 07 Aug 2012 12:14:03 UTC

Verifying Elections Using Risk-Limiting Auditing

Posted By Bruce Schneier

Interesting article on using risk-limiting auditing in determining if an election's results are likely to be valid. The risk, in this case, is in the chance of a false negative, and the election being deemed valid. The risk level determines the extent of the audit....

Mon, 06 Aug 2012 16:22:12 UTC

Breaking Microsoft's PPTP Protocol

Posted By Bruce Schneier

Some things never change. Thirteen years ago, Mudge and I published a paper breaking Microsoft's PPTP protocol and the MS-CHAP authentication system. I haven't been paying attention, but I presume it's been fixed and improved over the years. Well, it's been broken again. ChapCrack can take captured network traffic that contains a MS-CHAPv2 network handshake (PPTP VPN or WPA2 Enterprise...

Mon, 06 Aug 2012 11:43:27 UTC

State-by-State Report on Electronic Voting

Posted By Bruce Schneier

The Verified Voting Foundation has released a comprehensive state-by-state report on electronic voting machines (report, executive summary, and news coverage). Let's hope it does some good....

Fri, 03 Aug 2012 21:08:24 UTC

Friday Squid Blogging: SQUIDS and Quantum Computing

Posted By Bruce Schneier

It seems that quantum computers might use superconducting quantum interference devices (SQUIDs). As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Aug 2012 17:57:09 UTC

Unsafe Safes

Posted By Bruce Schneier

In a long article about insecurities in gun safes, there's this great paragraph: Unfortunately, manufacturers and consumers are deceived and misled into a false sense of security by electronic credentials, codes, and biometrics. We have seen this often, even with high security locks. Our rule: electrons do not open doors; mechanical components do. If you can compromise the mechanisms then...

Fri, 03 Aug 2012 11:03:04 UTC

Overreaction and Overly Specific Reactions to Rare Risks

Posted By Bruce Schneier

Horrific events, such as the massacre in Aurora, can be catalysts for social and political change. Sometimes it seems that they're the only catalyst; recall how drastically our policies toward terrorism changed after 9/11 despite how moribund they were before. The problem is that fear can cloud our reasoning, causing us to overreact and to overly focus on the specifics....

Thu, 02 Aug 2012 19:19:59 UTC

Court Orders TSA to Answer EPIC

Posted By Bruce Schneier

A year ago, EPIC sued the TSA over full body scanners (I was one of the plaintiffs), demanding that they follow their own rules and ask for public comment. The court agreed, and ordered the TSA to do that. In response, the TSA has done nothing. Now, a year later, the court has again ordered the TSA to answer EPIC's position....

Thu, 02 Aug 2012 18:08:30 UTC

Hotel Door Lock Vulnerability

Posted By Bruce Schneier

The attack only works sometimes, but it does allow access to millions of hotel rooms worldwide that are secured by Onity brand locks. Basically, you can read the unit's key out of the power port on the bottom of the lock, and then feed it back to the lock to authenticate an open command using the same power port....

Thu, 02 Aug 2012 11:23:40 UTC

Profile on Eugene Kaspersky

Posted By Bruce Schneier

Wired has an interesting and comprehensive profile on Eugene Kaspersky. Especially note Kaspersky Lab's work to uncover US cyberespionage against Iran, Kaspersky's relationship with Russia's state security services, and the story of the kidnapping of Kaspersky's son, Ivan. Kaspersky responded (not kindly) to the article, and the author responded to the response....

Wed, 01 Aug 2012 18:34:23 UTC

Lone Shooters and Body Armor

Posted By Bruce Schneier

The new thing about the Aurora shooting wasn't the weaponry, but the armor: What distinguished Holmes wasn't his offense. It was his defense. At Columbine, Harris and Klebold did their damage in T-shirts and cargo pants. Cho and Loughner wore sweatshirts. Hasan was gunned down in his Army uniform. Holmes' outfit blew these jokers away. He wore a ballistic helmet,...

Wed, 01 Aug 2012 12:17:47 UTC

On Soft Targets

Posted By Bruce Schneier

Stratfor has an interesting article....

Tue, 31 Jul 2012 16:11:42 UTC

Fake Irises Fool Scanners

Posted By Bruce Schneier

We already know you can wear fake irises to fool a scanner into thinking you're not you, but this is the first fake iris you can use for impersonation: to fool a scanner into thinking you're someone else....

Tue, 31 Jul 2012 11:30:42 UTC

Hacking Tool Disguised as a Power Strip

Posted By Bruce Schneier

This is impressive: The device has Bluetooth and Wi-Fi adapters, a cellular connection, dual Ethernet ports, and hacking and remote access tools that let security professionals test the network and call home to be remotely controlled via the cellular network. The device comes with easy-to-use scripts that cause it to boot up and then phone home for instructions. A "text-to-bash"...

Mon, 30 Jul 2012 17:40:17 UTC

Fear-Mongering at TED

Posted By Bruce Schneier

This TED talk trots out the usual fear-mongering that technology leads to terrorism. The facts are basically correct, but there are no counterbalancing facts, and the conclusions are all one-sided. I'm not impressed with the speaker's crowdsourcing solution, either. Sure, crowdsourcing is a great tool for a lot of problems, but it's not the single thing that's going to protect us...

Mon, 30 Jul 2012 12:34:40 UTC

Detroit Bomb Threats

Posted By Bruce Schneier

There have been a few hoax bomb threats in Detroit recently (Windsor tunnel, US-Canada bridge, Tiger Stadium). The good news is that police learned; during the third one, they didn't close down the threatened location....

Fri, 27 Jul 2012 21:26:34 UTC

Friday Squid Blogging: Tentacle Doorstop

Posted By Bruce Schneier

Now this is neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Jul 2012 19:17:17 UTC

Liars and Outliers Summed Up in Two Comic Strips

Posted By Bruce Schneier

I don't know the context, but these strips sum up my latest book nicely....

Fri, 27 Jul 2012 14:42:07 UTC

Criminals Using Commercial Spamflooding Services

Posted By Bruce Schneier

Cybercriminals are using commercial spamflooding services to distract their victims during key moments of a cyberattack. Clever, but in retrospect kind of obvious....

Thu, 26 Jul 2012 11:55:10 UTC

Police Sting Operation Yields No Mobile Phone Thefts

Posted By Bruce Schneier

Police in Hastings, in the UK, outfitted mobile phones with tracking devices and left them in bars and restaurants, hoping to catch mobile phone thieves in the act. But no one stole them: Nine premises were visited in total and officers were delighted that not one of the bait phones was 'stolen'. In fact, on nearly every occasion good hearted...

Wed, 25 Jul 2012 11:42:46 UTC

Making Handcuff Keys with 3D Printers

Posted By Bruce Schneier

Handcuffs pose a particular key management problem. Officers need to be able to unlock handcuffs locked by another officer, so they're all designed to be opened by a standard set of keys. This system only works if the bad guys can't get a copy of the key, and modern handcuff manufacturers go out of their way to make it hard...

Tue, 24 Jul 2012 11:28:28 UTC

Implicit Passwords

Posted By Bruce Schneier

This is a really interesting research paper (article here) on implicit passwords: something your unconscious mind remembers but your conscious mind doesn't know. The Slashdot post is a nice summary: A cross-disciplinary team of US neuroscientists and cryptographers have developed a password/passkey system that removes the weakest link in any security system: the human user. It's ingenious: The system still...

Mon, 23 Jul 2012 11:15:59 UTC

How the Norwegians Reacted to Terrorism

Posted By Bruce Schneier

An antidote to the American cycle of threat, fear, and overspending in response to terrorism is this, about Norway on the first anniversary of its terrorist massacre: And at the political level, the Prime Minister Jens Stoltenberg pledged to do everything to ensure the country's core values were not undermined. "The Norwegian response to violence is more democracy, more openness...

Fri, 20 Jul 2012 21:17:07 UTC

Friday Squid Blogging: Preserved Squid

Posted By Bruce Schneier

Science or art? As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Thu, 19 Jul 2012 11:46:23 UTC

Camera-Transparent Plastic

Posted By Bruce Schneier

I just wrote about the coming age of invisible surveillance. Here's another step along that process. The material is black in color and cannot be seen through with the naked eye. However, if you point a black and white camera at a sheet of Black-Ops Plastic, it becomes transparent allowing the camera to record whatever is on the other side....

Wed, 18 Jul 2012 14:27:13 UTC

Chinese Airline Rewards Crew for Resisting Hijackers

Posted By Bruce Schneier

Normally, companies instruct their employees not to resist. But Hainan Airlines did the opposite: Two safety officers and the chief purser got cash and property worth 4m yuan ($628,500; £406,200) each. The rest got assets worth 2.5m yuan each. That's a lot of money, especially in China. I'm sure it will influence future decisions by crew, and even passengers, about...

Mon, 16 Jul 2012 18:59:02 UTC

Remote Scanning Technology

Posted By Bruce Schneier

I don't know if this is real or fantasy: Within the next year or two, the U.S. Department of Homeland Security will instantly know everything about your body, clothes, and luggage with a new laser-based molecular scanner fired from 164 feet (50 meters) away. From traces of drugs or gun powder on your clothes to what you had for breakfast...

Fri, 13 Jul 2012 21:53:36 UTC

Friday Squid Blogging: Barbecued Squid -- New Summer Favorite

Posted By Bruce Schneier

In the UK, barbecued squid is in: Sales of squid have tripled in recent months due to the growing popularity of Mediterranean food and the rise of the Dukan diet, as calamari looks set to become the barbecue hit of the summer....

Fri, 13 Jul 2012 11:51:20 UTC

Hacking BMW's Remote Keyless Entry System

Posted By Bruce Schneier

It turns out to be surprisingly easy: The owner, who posted the video at 1addicts.com, suspects the thieves broke the glass to access the BMW's on-board diagnostics port (OBD) in the footwell of the car, then used a special device to obtain the car's unique key fob digital ID and reprogram a blank key fob to start the car. It...

Thu, 12 Jul 2012 17:59:35 UTC

All-or-Nothing Access Control for Mobile Phones

Posted By Bruce Schneier

This paper looks at access control for mobile phones. Basically, it's all or nothing: either you have a password that protects everything, or you have no password and protect nothing. The authors argue that there should be more user choice: some applications should be available immediately without a password, and the rest should require a password. This makes a lot...

Thu, 12 Jul 2012 14:47:50 UTC

Dropped USB Sticks in Parking Lot as Actual Attack Vector

Posted By Bruce Schneier

For years, it's been a clever trick to drop USB sticks in parking lots of unsuspecting businesses, and track how many people plug them into computers. I have long argued that the problem isn't that people are plugging the sticks in, but that the computers trust them enough to run software off of them. This is the first time I've...

Wed, 11 Jul 2012 17:39:21 UTC

Petition the U.S. Government to Force the TSA to Follow the Law

Posted By Bruce Schneier

This is important: In July 2011, a federal appeals court ruled that the Transportation Security Administration had to conduct a notice-and-comment rulemaking on its policy of using "Advanced Imaging Technology" for primary screening at airports. TSA was supposed to publish the policy in the Federal Register, take comments from the public, and justify its policy based on public input. The...

Wed, 11 Jul 2012 12:49:46 UTC

Cryptanalyze the Agrippa Code

Posted By Bruce Schneier

William Gibson's Agrippa Code is available for cryptanalysis. Break the code, win a prize....

Tue, 10 Jul 2012 09:33:49 UTC

Attacking Fences

Posted By Bruce Schneier

From an article on the cocaine trade between Mexico and the U.S.: "They erect this fence," he said, "only to go out there a few days later and discover that these guys have a catapult, and they're flinging hundred-pound bales of marijuana over to the other side." He paused and looked at me for a second. "A catapult," he repeated....

Mon, 09 Jul 2012 17:36:20 UTC

Sensible Comments about Terrorism

Posted By Bruce Schneier

Two, at least: "Bee stings killed as many in UK as terrorists, says watchdog." "Americans Are as Likely to Be Killed by Their Own Furniture as by Terrorism." Is this a new trend in common sense? In case you forgot, here's a comprehensive list of ridiculous predictions about terrorist attacks (and an essay). And here's the best data on U.S....

Mon, 09 Jul 2012 11:02:43 UTC

Students Hack DHS Drone

Posted By Bruce Schneier

A team at the University of Texas successfully spoofed the GPS and took control of a DHS drone, for about $1,000 in off-the-shelf parts. Does anyone think that the bad guys won't be able to do this?...

Fri, 06 Jul 2012 21:58:09 UTC

Friday Squid Blogging: Dissecting a Squid

Posted By Bruce Schneier

This was surprisingly interesting. When a body is mysterious, you cut it open. You peel back the skin and take stock of its guts. It is the science of an arrow, the epistemology of a list. There and here and look: You tick off organs, muscles, bones. Its belly becomes fact. It glows like fluorescent lights. The air turns aseptic...

Fri, 06 Jul 2012 19:44:49 UTC

Me on Military Cyberattacks and Cyberweapons Treaties

Posted By Bruce Schneier

I did a short Q&A for Network World....

Fri, 06 Jul 2012 14:40:08 UTC

Naming Pets

Posted By Bruce Schneier

Children are being warned that the name of their first pet should contain at least eight characters and a digit....

Thu, 05 Jul 2012 11:17:04 UTC

So You Want to Be a Security Expert

Posted By Bruce Schneier

I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating...

Tue, 03 Jul 2012 11:22:50 UTC

Commercial Espionage Virus

Posted By Bruce Schneier

It's designed to steal blueprints and send them to China. Note that although this is circumstantial evidence that the virus is from China, it is possible that the Chinese e-mail accounts that are collecting the blueprints are simply drops, and the controllers are elsewhere on the planet....

Mon, 02 Jul 2012 18:10:23 UTC

On Fear

Posted By Bruce Schneier

A poet reflects on the nature of fear....

Mon, 02 Jul 2012 11:20:35 UTC

WEIS 2012

Posted By Bruce Schneier

Last week I was at the Workshop on Economics and Information Security in Berlin. Excellent conference, as always. Ross Anderson liveblogged the event; see the comments for summaries of the talks. On the second day, Ross and I debated -- well, discussed -- cybersecurity spending. At the first WEIS, he and I had a similar discussion: I argued that we...

Fri, 29 Jun 2012 21:14:36 UTC

Friday Squid Blogging: Another Giant Squid Found

Posted By Bruce Schneier

A dead 13-foot-long giant squid has been found off the coast of New South Wales. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 29 Jun 2012 19:47:28 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

Here's the permalink....

Fri, 29 Jun 2012 11:35:28 UTC

On Securing Potentially Dangerous Virology Research

Posted By Bruce Schneier

Abstract: The problem of securing biological research data is a difficult and complicated one. Our ability to secure data on computers is not robust enough to ensure the security of existing data sets. Lessons from cryptography illustrate that neither secrecy measures, such as deleting technical details, nor national solutions, such as export controls, will work. --------- Science and Nature have...

Thu, 28 Jun 2012 13:50:43 UTC

Nuclear Fears

Posted By Bruce Schneier

Interesting review -- by David Ropeik -- of The Rise of Nuclear Fear, by Spencer Weart: Along with contributing to the birth of the environmental movement, Weart shows how fear of radiation began to undermine society's faith in science and modern technology. He writes "Polls showed that the number of Americans who felt 'a great deal' of confidence in science...

Wed, 27 Jun 2012 11:35:37 UTC

Top Secret America on the Post-9/11 Cycle of Fear and Funding

Posted By Bruce Schneier

I'm reading Top Secret America: The Rise of the New American Security State, by Dana Priest and William M. Arkin. Both work for The Washington Post. The book talks about the rise of the security-industrial complex in post 9/11 America. This short quote is from Chapter 3: Such dread was a large part of the post-9/11 decade. A culture of...

Wed, 27 Jun 2012 11:30:31 UTC

Russian Nuclear Launch Code Backup Procedure

Posted By Bruce Schneier

If the safe doesn't open, use a sledgehammer: The sledgehammer's existence first came to light in 1980, when a group of inspecting officers from the General Staff visiting Strategic Missile Forces headquarters asked General Georgy Novikov what he would do if he received a missile launch order but the safe containing the launch codes failed to open. Novikov said he...

Tue, 26 Jun 2012 18:57:43 UTC

E-Mail Accounts More Valuable than Bank Accounts

Posted By Bruce Schneier

This informal survey produced the following result: "45% of the users found their email accounts more valuable than their bank accounts." The author believes this is evidence of some sophisticated security reasoning on the part of users: From a security standpoint, I can't agree more with these people. Email accounts are used most commonly to reset other websites' account passwords,...

Tue, 26 Jun 2012 11:39:19 UTC

Stratfor on the Phoenix Serial Flashlight Bomber

Posted By Bruce Schneier

Interesting....

Mon, 25 Jun 2012 16:17:21 UTC

Resilience

Posted By Bruce Schneier

There was a conference on resilience (highlights here, and complete videos here) earlier this year. Here's an interview with professor Sander van der Leeuw on the topic. Although he never mentions security, it's all about security. Any system, whether it's the financial system, the environmental system, or something else, is always subject to all kinds of pressures. If it can...

Mon, 25 Jun 2012 11:58:25 UTC

Op-ed Explaining why Terrorism Doesn't Work

Posted By Bruce Schneier

Good essay by Max Abrahms. I've written about his research before....

Fri, 22 Jun 2012 21:03:07 UTC

Friday Squid Blogging: Giant Mutant Squid at the Queen's Jubilee

Posted By Bruce Schneier

I think this is a parody, but you can never be sure. Millions of Britons turned out for the Queen's four-day celebrations, undaunted by the 500-foot mutant squid that was destroying London. Huge crowds of well-wishers lined the banks of the Thames on Sunday to watch a spectacular flotilla, continuing to cheer and wave even as tentacles thicker than tree...

Fri, 22 Jun 2012 19:01:47 UTC

Colbert Report on the Orangutan Cyberthreat

Posted By Bruce Schneier

Very funny video exposé of the cyberthreat posed by giving iPads to orangutans. Best part is near the end, when Richard Clarke suddenly realizes that he's being interviewed about orangutans -- and not the Chinese....

Fri, 22 Jun 2012 12:20:20 UTC

Economic Analysis of Bank Robberies

Posted By Bruce Schneier

Yes, it's clever: The basic problem is the average haul from a bank job: for the three-year period, it was only £20,330.50 (~$31,613). And it gets worse, as the average robbery involved 1.6 thieves. So the authors conclude, "The return on an average bank robbery is, frankly, rubbish. It is not unimaginable wealth. It is a very modest £12,706.60 per...

Thu, 21 Jun 2012 18:03:03 UTC

Far-Fetched Scams Separate the Gullible from Everyone Else

Posted By Bruce Schneier

Interesting conclusion by Cormac Herley, in this paper: "Why Do Nigerian Scammers Say They are From Nigeria?" Abstract: False positives cause many promising detection technologies to be unworkable in practice. Attackers, we show, face this problem too. In deciding who to attack, true positives are targets successfully attacked, while false positives are those that are attacked but yield nothing. This...

Thu, 21 Jun 2012 10:51:50 UTC

Apple Patents Data-Poisoning

Posted By Bruce Schneier

It's not a new idea, but Apple Computer has received a patent on "Techniques to pollute electronic profiling": Abstract: Techniques to pollute electronic profiling are provided. A cloned identity is created for a principal. Areas of interest are assigned to the cloned identity, where a number of the areas of interest are divergent from true interests of the principal. One...

Wed, 20 Jun 2012 18:19:50 UTC

Rand Paul Takes on the TSA

Posted By Bruce Schneier

Rand Paul has introduced legislation to rein in the TSA. There are two bills: One bill would require that the mostly federalized program be turned over to private screeners and allow airports -- with Department of Homeland Security approval -- to select companies to handle the work. This seems to be a result of a fundamental misunderstanding of the economic...

Wed, 20 Jun 2012 12:27:22 UTC

Switzerland National Defense

Posted By Bruce Schneier

Interesting blog post about this book about Switzerland's national defense. To make a long story short, McPhee describes two things: how Switzerland requires military service from every able-bodied male Swiss citizen -- a model later emulated and expanded by Israel -- and how the Swiss military has, in effect, wired the entire country to blow in the event of foreign...

Tue, 19 Jun 2012 18:02:20 UTC

Attack Against Point-of-Sale Terminal

Posted By Bruce Schneier

Clever attack: When you pay a restaurant bill at your table using a point-of-sale machine, are you sure it's legit? In the past three months, Toronto and Peel police have discovered many that aren't. In what is the latest financial fraud, crooks are using distraction techniques to replace merchants' machines with their own, police say. At the end of the...

Tue, 19 Jun 2012 12:11:14 UTC

The Failure of Anti-Virus Companies to Catch Military Malware

Posted By Bruce Schneier

Mikko Hypponen of F-Secure attempts to explain why anti-virus companies didn't catch Stuxnet, DuQu, and Flame: When we went digging through our archive for related samples of malware, we were surprised to find that we already had samples of Flame, dating back to 2010 and 2011, that we were unaware we possessed. They had come through automated reporting mechanisms, but...

Mon, 18 Jun 2012 17:38:17 UTC

England's Prince Philip on Security

Posted By Bruce Schneier

On banning guns: "If a cricketer, for instance, suddenly decided to go into a school and batter a lot of people to death with a cricket bat, which he could do very easily, I mean, are you going to ban cricket bats?" In a Radio 4 interview shortly after the Dunblane shootings in 1996. He said to the interviewer off-air afterwards:...

Mon, 18 Jun 2012 11:40:18 UTC

Honor System Farm Stands

Posted By Bruce Schneier

Many roadside farm stands in the U.S. are unmanned. They work on the honor system: take what you want, and pay what you owe. And today at his farm stand, Cochran says, just as at the donut shop years ago, most customers leave more money than they owe. That doesn't surprise social psychologist Michael Cunningham of the University of Louisville...

Fri, 15 Jun 2012 21:02:33 UTC

Friday Squid Blogging: Woman's Mouth Inseminated by Cooked Squid

Posted By Bruce Schneier

This story is so freaky I'm not even sure I want to post it. But if I don't, you'll all send me the links. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 15 Jun 2012 19:55:06 UTC

FireDogLake Book Salon for Liars and Outliers

Posted By Bruce Schneier

On Sunday, I will be participating in a public discussion about my new book on the FireDogLake website. James Fallows will be the moderator, and I will be answering questions from all comers -- you do have to register an ID, though -- from 5:00 - 7:00 EDT. Stop by and join the discussion....

Fri, 15 Jun 2012 11:51:32 UTC

Rare Rational Comment on al Qaeda's Capabilities

Posted By Bruce Schneier

From "CNN national security analyst" Peter Bergen: Few Americans harbor irrational fears about being killed by a lightning bolt. Abu Yahya al-Libi's death on Monday should remind them that fear of al Qaeda in its present state is even more irrational. Will anyone listen?...

Thu, 14 Jun 2012 17:27:14 UTC

Cheating in Online Classes

Posted By Bruce Schneier

Interesting article: In the case of that student, the professor in the course had tried to prevent cheating by using a testing system that pulled questions at random from a bank of possibilities. The online tests could be taken anywhere and were open-book, but students had only a short window each week in which to take them, which was not...

Thu, 14 Jun 2012 11:40:29 UTC

Cyberwar Treaties

Posted By Bruce Schneier

We're in the early years of a cyberwar arms race. It's expensive, it's destabilizing, and it threatens the very fabric of the Internet we use every day. Cyberwar treaties, as imperfect as they might be, are the only way to contain the threat. If you read the press and listen to government leaders, we're already in the middle of a...

Wed, 13 Jun 2012 17:08:44 UTC

Teaching the Security Mindset

Posted By Bruce Schneier

In 2008 I wrote about the security mindset and how difficult it is to teach. Two professors teaching a cyberwarfare class gave an exam where they expected their students to cheat: Our variation of the Kobayashi Maru utilized a deliberately unfair exam -- write the first 100 digits of pi (3.14159...) from memory and took place in the pilot offering...

Wed, 13 Jun 2012 11:45:30 UTC

High-Quality Fake IDs from China

Posted By Bruce Schneier

USA Today article: Most troubling to authorities is the sophistication of the forgeries: Digital holograms are replicated, PVC plastic identical to that found in credit cards is used, and ink appearing only under ultraviolet light is stamped onto the cards. Each of those manufacturing methods helps the IDs defeat security measures aimed at identifying forged documents. The overseas forgers are...

Tue, 12 Jun 2012 10:09:50 UTC

Israel Demanding Passwords at the Border

Posted By Bruce Schneier

There have been a bunch of stories about employers demanding passwords to social networking sites, like Facebook, from prospective employees, and several states have passed laws prohibiting this practice. This is the first story I've seen of a country doing this at its borders. The country is Israel, and they're asking for passwords to e-mail accounts....

Mon, 11 Jun 2012 11:36:49 UTC

Changing Surveillance Techniques for Changed Communications Technologies

Posted By Bruce Schneier

New paper by Peter P. Swire -- "From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud": Abstract: This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The...

Fri, 08 Jun 2012 21:28:48 UTC

Friday Squid Blogging: Baby Opalescent Squid

Posted By Bruce Schneier

Baby squid larvae are transparent after they hatch, so you can see the chromatophores (color control mechanisms) developing after a few days. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 08 Jun 2012 11:43:22 UTC

The Catastrophic Consequences of 9/11

Posted By Bruce Schneier

This is an interesting essay -- it claims to be the first in a series -- that looks at the rise of "homeland security" as a catastrophic consequence of the 9/11 terrorist attacks: In this usage catastrophic is not a pejorative, it is a description of an atypically radical shift in perception and behavior from one condition to another very...

Thu, 07 Jun 2012 11:15:06 UTC

Homeland Security as Security Theater Metaphor

Posted By Bruce Schneier

Look at the last sentence in this article on hotel cleanliness: "I relate this to homeland security. We are not any safer, but many people believe that we are," he said. It's interesting to see the waste-of-money meme used so cavalierly....

Wed, 06 Jun 2012 14:36:46 UTC

Ghostery

Posted By Bruce Schneier

Ghostery is a Firefox plug-in that tracks who is tracking your browsing habits in cyberspace. Here's a TED talk by Gary Kovacs, the CEO of Mozilla Corp., on it. I use AdBlock Plus, and dump my cookies whenever I close Firefox. Should I switch to Ghostery? What do other people do for web privacy?...

Tue, 05 Jun 2012 18:16:59 UTC

Security and Human Behavior (SHB 2012)

Posted By Bruce Schneier

I'm at the Fifth Interdisciplinary Workshop on Security and Human Behavior, SHB 2012. Google is hosting this year, at its offices in lower Manhattan. SHB is an invitational gathering of psychologists, computer security researchers, behavioral economists, sociologists, law professors, business school professors, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security --...

Tue, 05 Jun 2012 11:07:26 UTC

Interesting Article on Libyan Internet Intelligence Gathering

Posted By Bruce Schneier

This is worth reading, for the insights it provides on how a country goes about monitoring its citizens in the information age: a combination of targeted attacks and wholesale surveillance. I'll just quote one bit, this list of Western companies that helped: Amesys, with its Eagle system, was just one of Libya's partners in repression. A South African firm called...

Mon, 04 Jun 2012 11:36:33 UTC

The Unreliability of Eyewitness Testimony

Posted By Bruce Schneier

Interesting article: The reliability of witness testimony is a vastly complex subject, but legal scholars and forensic psychologists say it's possible to extract the truth from contradictory accounts and evolving memories. According to Barbara Tversky, professor emerita of psychology at Stanford University, the bottom line is this: "All other things equal, earlier recountings are more likely to be accurate than...

Mon, 04 Jun 2012 11:21:58 UTC

Flame

Posted By Bruce Schneier

Flame seems to be another military-grade cyber-weapon, this one optimized for espionage. The worm is at least two years old, and is mainly confined to computers in the Middle East. (It does not replicate and spread automatically, which is certainly so that its controllers can target it better and evade detection longer.) And its espionage capabilities are pretty impressive. We'll...

Fri, 01 Jun 2012 21:40:38 UTC

Friday Squid Blogging: Mimicking Squid Camouflage

Posted By Bruce Schneier

Interesting: Cephalopods - squid, cuttlefish and octopuses - change colour by using tiny muscles in their skins to stretch out small sacs of black colouration. These sacs are located in the animal's skin cells, and when a cell is ready to change colour, the brain sends a signal to the muscles and they contract. This makes the sacs expand and...

Fri, 01 Jun 2012 18:08:17 UTC

Obama's Role in Stuxnet and Iranian Cyberattacks

Posted By Bruce Schneier

Really interesting article....

Fri, 01 Jun 2012 11:48:41 UTC

The Vulnerabilities Market and the Future of Security

Posted By Bruce Schneier

Recently, there have been several articles about the new market in zero-day exploits: new and unpatched computer vulnerabilities. It's not just software companies, who sometimes pay bounties to researchers who alert them of security vulnerabilities so they can fix them. And it's not only criminal organizations, who pay for vulnerabilities they can exploit. Now there are governments, and companies who...

Thu, 31 May 2012 18:19:52 UTC

Tax Return Identity Theft

Posted By Bruce Schneier

I wrote about this sort of thing in 2006 in the UK, but it's even bigger business here: The criminals, some of them former drug dealers, outwit the Internal Revenue Service by filing a return before the legitimate taxpayer files. Then the criminals receive the refund, sometimes by check but more often through a convenient but hard-to-trace prepaid debit card....

Thu, 31 May 2012 11:17:28 UTC

Bar Code Switching

Posted By Bruce Schneier

A particularly clever form of retail theft -- especially when salesclerks are working fast and don't know the products -- is to switch bar codes. This particular thief stole Lego sets. If you know Lego, you know there's a vast price difference between the small sets and the large ones. He was caught by in-store surveillance....

Wed, 30 May 2012 17:54:29 UTC

The Psychology of Immoral (and Illegal) Behavior

Posted By Bruce Schneier

When I talk about Liars and Outliers to security audiences, one of the things I stress is that our traditional security focus -- on technical countermeasures -- is much narrower than it could be. Leveraging moral, reputational, and institutional pressures is likely to be much more effective in motivating cooperative behavior. This story illustrates the point. It's about the psychology of...

Wed, 30 May 2012 11:44:56 UTC

The Problem of False Alarms

Posted By Bruce Schneier

The context is tornado warnings: The basic problem, Smith says, is that sirens are sounded too often in most places. Sometimes they sound in an entire county for a warning that covers just a sliver of it; sometimes for other thunderstorm phenomena like large hail and/or strong straight-line winds; and sometimes for false alarm warnings -- warnings for tornadoes that...

Tue, 29 May 2012 19:07:49 UTC

Backdoor Found in Chinese-Made Military Silicon Chips

Posted By Bruce Schneier

We all knew this was possible, but researchers have found the exploit in the wild: Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption...

Tue, 29 May 2012 11:03:48 UTC

Interview with a Safecracker

Posted By Bruce Schneier

The legal kind. It's interesting: Q: How realistic are movies that show people breaking into vaults? A: Not very! In the movies it takes five minutes of razzle-dazzle; in real life it's usually at least a couple of hours of precision work for an easy, lost combination lockout. [...] Q: Have you ever met a lock you couldn't pick? A:...

Mon, 28 May 2012 11:58:33 UTC

My Last Post About Ethnic Profiling at Airports

Posted By Bruce Schneier

Remember my rebuttal of Sam Harris's essay advocating the profiling of Muslims at airports? That wasn't the end of it. Harris and I conducted a back-and-forth e-mail discussion, the results of which are here. At 14,000+ words, I only recommend it for the most stalwart of readers....

Fri, 25 May 2012 21:01:55 UTC

Friday Squid Blogging: Squid Ink from the Jurassic

Posted By Bruce Schneier

Seems that squid ink hasn't changed much in 160 million years. From this, researchers argue that the security mechanism of spraying ink into the water and escaping is also that old. Simon and his colleagues used a combination of direct, high-resolution chemical techniques to determine that the melanin had been preserved. The researchers also compared the chemical composition of the...

Fri, 25 May 2012 11:43:23 UTC

The Explosive from the Latest Foiled Al Qaeda Underwear Bomb Plot

Posted By Bruce Schneier

Interesting: Although the plot was disrupted before a particular airline was targeted and tickets were purchased, al Qaeda's continued attempts to attack the U.S. speak to the organization's persistence and willingness to refine specific approaches to killing. Unlike Abdulmutallab's bomb, the new device contained lead azide, an explosive often used as a detonator. If the new underwear bomb had been...

Thu, 24 May 2012 16:31:46 UTC

The Ubiquity of Cyber-Fears

Posted By Bruce Schneier

A new study concludes that more people are worried about cyber threats than terrorism. ...the three highest priorities for Americans when it comes to security issues in the presidential campaign are: Protecting government computer systems against hackers and criminals (74 percent) Protecting our electric power grid, water utilities and transportation systems against computer or terrorist attacks (73 percent) Homeland security...

Thu, 24 May 2012 11:17:59 UTC

The Banality of Surveillance Photos

Posted By Bruce Schneier

Interesting essay on a trove on surveillance photos from Cold War-era Prague. Cops, even secret cops, are for the most part ordinary people. Working stiffs concerned with holding down jobs and earning a living. Even those who thought it was important to find enemies recognized the absurdity of their task. I take photos all the time and these empty blurry...

Wed, 23 May 2012 17:32:12 UTC

Lessons in Trust from Web Hoaxes

Posted By Bruce Schneier

Interesting discussion of trust in this article on web hoaxes. Kelly's students, like all good con artists, built their stories out of small, compelling details to give them a veneer of veracity. Ultimately, though, they aimed to succeed less by assembling convincing stories than by exploiting the trust of their marks, inducing them to lower their guard. Most of us...

Wed, 23 May 2012 12:25:35 UTC

Privacy Concerns Around "Social Reading"

Posted By Bruce Schneier

Interesting paper: "The Perils of Social Reading," by Neil M. Richards, from the Georgetown Law Journal. Abstract: Our law currently treats records of our reading habits under two contradictory rules -- rules mandating confidentiality, and rules permitting disclosure. Recently, the rise of the social Internet has created more of these records and more pressures on when and how they should...

Tue, 22 May 2012 18:10:22 UTC

Racism as a Vestigial Remnant of a Security Mechanism

Posted By Bruce Schneier

"Roots of Racism," by Elizabeth Culotta in Science: Our attitudes toward outgroups are part of a threat-detection system that allows us to rapidly determine friend from foe, says psychologist Steven Neuberg of ASU Tempe. The problem, he says, is that like smoke detectors, the system is designed to give many false alarms rather than miss a true threat. So outgroup...

Tue, 22 May 2012 11:24:51 UTC

Security Incentives and Advertising Fraud

Posted By Bruce Schneier

Details are in the article, but here's the general idea: Let's follow the flow of the users: Scammer buys user traffic from PornoXo.com and sends it to HQTubeVideos. HQTubeVideos loads, in invisible iframes, some parked domains with innocent-sounding names (relaxhealth.com, etc). In the parked domains, ad networks serve display and PPC ads. The click-fraud sites click on the ads that...

Mon, 21 May 2012 15:32:57 UTC

Portrait of a Counterfeiter

Posted By Bruce Schneier

Interesting article from Wired....

Fri, 18 May 2012 21:26:57 UTC

Friday Squid Blogging: Squid Scalp Massager

Posted By Bruce Schneier

Cheap! As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 May 2012 11:06:51 UTC

Kip Hawley Reviews Liars and Outliers

Posted By Bruce Schneier

In his blog: I think the most important security issues going forward center around identity and trust. Before knowing I would soon encounter Bruce again in the media, I bought and read his new book Liars & Outliers and it is a must-read book for people looking forward into our security future and thinking about where this all leads. For...

Thu, 17 May 2012 17:28:45 UTC

Cybersecurity at the Doctor's Office

Posted By Bruce Schneier

I like this essay because it nicely illustrates the security mindset....

Thu, 17 May 2012 12:20:14 UTC

Rules for Radicals

Posted By Bruce Schneier

It was written in 1971, but this still seems like a cool book: For an elementary illustration of tactics, take parts of your face as the point of reference; your eyes, your ears, and your nose. First the eyes: if you have organized a vast, mass-based people's organization, you can parade it visibly before the enemy and openly show your...

Wed, 16 May 2012 18:50:05 UTC

USB Drives and Wax Seals

Posted By Bruce Schneier

Need some pre-industrial security for your USB drive? How about a wax seal? Neat, but I recommend combining it with encryption for even more security!...

Wed, 16 May 2012 11:15:10 UTC

Security Vulnerabilities in Airport Full-Body Scanners

Posted By Bruce Schneier

According to a report from the DHS Office of Inspector General: Federal investigators "identified vulnerabilities in the screening process" at domestic airports using so-called "full body scanners," according to a classified internal Department of Homeland Security report. EPIC obtained an unclassified version of the report in a FOIA response. Here's the summary....

Tue, 15 May 2012 11:17:04 UTC

U.S. Exports Terrorism Fears

Posted By Bruce Schneier

To New Zealand: United States Secretary of Homeland Security Janet Napolitano has warned the New Zealand Government about the latest terrorist threat known as "body bombers." [...] "Do we have specific credible evidence of a [body bomb] threat today? I would not say that we do, however, the importance is that we all lean forward." Why the headline of this...

Mon, 14 May 2012 11:19:44 UTC

The Trouble with Airport Profiling

Posted By Bruce Schneier

Why do otherwise rational people think it's a good idea to profile people at airports? Recently, neuroscientist and best-selling author Sam Harris related a story of an elderly couple being given the twice-over by the TSA, pointed out how these two were obviously not a threat, and recommended that the TSA focus on the actual threat: "Muslims, or anyone who...

Fri, 11 May 2012 21:58:04 UTC

Friday Squid Blogging: New Book on Squid

Posted By Bruce Schneier

Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. And a review. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 11 May 2012 11:42:22 UTC

Smart Phone Privacy App

Posted By Bruce Schneier

MobileScope looks like a great tool for monitoring and controlling what information third parties get from your smart phone apps: We built MobileScope as a proof-of-concept tool that automates much of what we were doing manually; monitoring mobile devices for surprising traffic and highlighting potentially privacy-revealing flows [...] Unlike PCs, we have little control over the underlying privacy and security...

Thu, 10 May 2012 10:46:52 UTC

Security Fail

Posted By Bruce Schneier

Funny....

Wed, 09 May 2012 11:24:17 UTC

RuggedCom Inserts Backdoor into Its Products

Posted By Bruce Schneier

All RuggedCom equipment comes with a built-in backdoor: The backdoor, which cannot be disabled, is found in all versions of the Rugged Operating System made by RuggedCom, according to independent researcher Justin W. Clarke, who works in the energy sector. The login credentials for the backdoor include a static username, "factory," that was assigned by the vendor and can't be...

Tue, 08 May 2012 18:14:17 UTC

A Foiled Terrorist Plot

Posted By Bruce Schneier

We don't know much, but here are my predictions: There's a lot more hyperbole to this story than reality. The explosive would have either 1) been caught by pre-9/11 security, or 2) not been caught by post-9/11 security. Nonetheless, it will be used to justify more invasive airport security....

Tue, 08 May 2012 12:03:52 UTC

Overreacting to Potential Bombs

Posted By Bruce Schneier

This is a ridiculous overreaction: The police bomb squad was called to 2 World Financial Center in lower Manhattan at midday when a security guard reported a package that seemed suspicious. Brookfield Properties, which runs the property, ordered an evacuation as a precaution. That's the entire building, a 44-story, 2.5-million-square-foot office building. And why? The bomb squad determined the package...

Mon, 07 May 2012 11:52:51 UTC

Naval Drones

Posted By Bruce Schneier

With all the talk about airborne drones like the Predator, it's easy to forget that drones can be in the water as well. Meet the Common Unmanned Surface Vessel (CUSV): The boat -- painted in Navy gray and with a striking resemblance to a PT boat -- is 39 feet long and can reach a top speed of 28 knots....

Fri, 04 May 2012 21:01:04 UTC

Friday Squid Blogging: Squid Bicycle Parking Sculpture

Posted By Bruce Schneier

Neat. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 May 2012 18:31:57 UTC

Tampon-Shaped USB Drive

Posted By Bruce Schneier

This vendor is selling a tampon-shaped USB drive. Although it's less secure now that there are blog posts about it....

Fri, 04 May 2012 11:31:19 UTC

Facial Recognition of Avatars

Posted By Bruce Schneier

I suppose this sort of thing might be useful someday. In Second Life, avatars are easily identified by their username, meaning police can just ask San Francisco-based Linden Labs, which runs the virtual world, to look up a particular user. But what happens when virtual worlds start running on peer-to-peer networks, leaving no central authority to appeal to? Then there...

Thu, 03 May 2012 11:22:45 UTC

Criminal Intent Prescreening and the Base Rate Fallacy

Posted By Bruce Schneier

I've often written about the base rate fallacy and how it makes tests for rare events -- like airplane terrorists -- useless because the false positives vastly outnumber the real positives. This essay uses that argument to demonstrate why the TSA's FAST program is useless: First, predictive software of this kind is undermined by a simple statistical problem known as...

Wed, 02 May 2012 17:41:39 UTC

Al Qaeda Steganography

Posted By Bruce Schneier

The reports are still early, but it seems that a bunch of terrorist planning documents were found embedded in a digital file of a porn movie. Several weeks later, after laborious efforts to crack a password and software to make the file almost invisible, German investigators discovered encoded inside the actual video a treasure trove of intelligence -- more than...

Wed, 02 May 2012 12:10:38 UTC

Cybercrime as a Tragedy of the Commons

Posted By Bruce Schneier

Two very interesting points in this essay on cybercrime. The first is that cybercrime isn't as big a problem as conventional wisdom makes it out to be. We have examined cybercrime from an economics standpoint and found a story at odds with the conventional wisdom. A few criminals do well, but cybercrime is a relentless, low-profit struggle for the majority....

Tue, 01 May 2012 12:31:44 UTC

When Investigation Fails to Prevent Terrorism

Posted By Bruce Schneier

I've long advocated investigation, intelligence, and emergency response as the places where we can most usefully spend our counterterrorism dollars. Here's an example where that didn't work: Starting in April 1991, three FBI agents posed as members of an invented racist militia group called the Veterans Aryan Movement. According to their cover story, VAM members robbed armored cars, using the...

Mon, 30 Apr 2012 11:52:17 UTC

JCS Chairman Sows Cyberwar Fears

Posted By Bruce Schneier

Army General Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, said: A cyber attack could stop our society in its tracks. Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race....

Sat, 28 Apr 2012 00:57:28 UTC

Vote for Liars and Outliers

Posted By Bruce Schneier

Actionable Books is having a vote to determine which of four books to summarize on their site. If you are willing, please go there and vote for Liars and Outliers. (Voting requires a Facebook ID.) Voting closes Monday at noon EST, although I presume they mean EDT....

Fri, 27 Apr 2012 16:32:49 UTC

Friday Squid Blogging: Chesapeake Bay Squid

Posted By Bruce Schneier

Great pictures. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 27 Apr 2012 11:53:30 UTC

Attack Mitigation

Posted By Bruce Schneier

At the RSA Conference this year, I noticed a trend of companies that have products and services designed to help victims recover from attacks. Kelly Jackson Higgins noticed the same thing: "Damage Mitigation as the New Defense." That new reality, which has been building for several years starting in the military sector, has shifted the focus from trying to stop...

Thu, 26 Apr 2012 11:57:58 UTC

Biometric Passports Make it Harder for Undercover CIA Officers

Posted By Bruce Schneier

Last year, I wrote about how social media sites are making it harder than ever for undercover police officers. This story talks about how biometric passports are making it harder than ever for undercover CIA agents. Busy spy crossroads such as Dubai, Jordan, India and many E.U. points of entry are employing iris scanners to link eyeballs irrevocably to a...

Wed, 25 Apr 2012 11:51:32 UTC

Fear and the Attention Economy

Posted By Bruce Schneier

danah boyd is thinking about -- in a draft essay, and as a recording of a presentation -- fear and the attention economy. Basically, she is making the argument that the attention economy magnifies the culture of fear because fear is a good way to get attention, and that this is being made worse by the rise of social media....

Tue, 24 Apr 2012 11:43:44 UTC

Amazing Round of "Split or Steal"

Posted By Bruce Schneier

In Liars and Outliers, I use the metaphor of the Prisoner's Dilemma to exemplify the conflict between group interest and self-interest. There are a gazillion academic papers on the Prisoner's Dilemma from a good dozen different academic disciplines, but the weirdest dataset on real people playing the game is from a British game show called Golden Balls. In the final...

Mon, 23 Apr 2012 11:18:12 UTC

Alan Turing Cryptanalysis Papers

Posted By Bruce Schneier

GCHQ, the UK government's communications headquarters, has released two new -- well, 70 years old, but new to us -- cryptanalysis documents by Alan Turing. The papers, one entitled The Applications of Probability to Crypt, and the other entitled Paper on the Statistics of Repetitions, discuss mathematical approaches to code breaking. [...] According to the GCHQ mathematician, who identified himself...

Fri, 20 Apr 2012 21:49:34 UTC

Friday Squid Blogging: Extracting Squid Ink

Posted By Bruce Schneier

How to extract squid ink. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 20 Apr 2012 17:48:07 UTC

Liars & Outliers Update

Posted By Bruce Schneier

Liars & Outliers has been available for about two months, and is selling well both in hardcover and e-book formats. More importantly, I'm very pleased with the book's reception. The reviews I've gotten have been great, and I read a lot of tweets from people who have enjoyed the book. My goal was to give people new ways to think...

Fri, 20 Apr 2012 11:19:44 UTC

TSA Behavioral Detection Statistics

Posted By Bruce Schneier

Interesting data from the U.S. Government Accounting Office: But congressional auditors have questions about other efficiencies as well, like having 3,000 "behavior detection" officers assigned to question passengers. The officers sidetracked 50,000 passengers in 2010, resulting in the arrests of 300 passengers, the GAO found. None turned out to be terrorists. Yet in the same year, behavior detection teams apparently...

Thu, 19 Apr 2012 18:03:11 UTC

Dance Moves As an Identifier

Posted By Bruce Schneier

A burglar was identified by his dance moves, captured on security cameras: "The 16-year-old juvenile suspect is known for his 'swag,' or signature dance move," Heyse said, "and [he] does it in the hallways at school." Presumably, although the report doesn't make it clear, a classmate or teacher saw the video, recognized the distinctive swag and notified authorities. But is...

Thu, 19 Apr 2012 10:52:09 UTC

Smart Meter Hacks

Posted By Bruce Schneier

Brian Krebs writes about smart meter hacks: But it appears that some of these meters are smarter than others in their ability to deter hackers and block unauthorized modifications. The FBI warns that insiders and individuals with only a moderate level of computer knowledge are likely able to compromise meters with low-cost tools and software readily available on the Internet....

Wed, 18 Apr 2012 18:30:47 UTC

Password Security at Linode

Posted By Bruce Schneier

Here's something good: We have implemented sophisticated brute force protection for Linode Manager user accounts that combines a time delay on failed attempts, forced single threading of log in attempts from a given remote address, and automatic tarpitting of requests from attackers. And this: Some of you may have noticed a few changes to the Linode Manger over the past...

Wed, 18 Apr 2012 11:49:43 UTC

Stolen Phone Database

Posted By Bruce Schneier

This article talks about a database of stolen cell phone IDs that will be used to deny service. While I think this is a good idea, I don't know how much it would deter cell phone theft. As long as there are countries that don't implement blocking based on the IDs in the databases -- and surely there will always...

Tue, 17 Apr 2012 18:22:44 UTC

Forever-Day Bugs

Posted By Bruce Schneier

That's a nice turn of phrase: Forever day is a play on "zero day," a phrase used to classify vulnerabilities that come under attack before the responsible manufacturer has issued a patch. Also called iDays, or "infinite days" by some researchers, forever days refer to bugs that never get fixed -- even when they're acknowledged by the company that developed the software....

Tue, 17 Apr 2012 11:15:38 UTC

Outliers in Intelligence Analysis

Posted By Bruce Schneier

From the CIA journal Studies in Intelligence: "Capturing the Potential of Outlier Ideas in the Intelligence Community." In war you will generally find that the enemy has at any time three courses of action open to him. Of those three, he will invariably choose the fourth. Helmuth Von Moltke With that quip, Von Moltke may have launched a spirited debate...

Mon, 16 Apr 2012 17:29:40 UTC

Hawley Channels His Inner Schneier

Posted By Bruce Schneier

Kip Hawley wrote an essay for the Wall Street Journal on airport security. In it, he says so many sensible things that people have been forwarding it to me with comments like "did you ghostwrite this?" and "it looks like you won an argument" and "how did you convince him?" (Sadly, the essay was published in the Journal, which means...

Mon, 16 Apr 2012 10:55:15 UTC

How Information Warfare Changes Warfare

Posted By Bruce Schneier

Really interesting paper on the moral and ethical implications of cyberwar, and the use of information technology in war (drones, for example): "Information Warfare: A Philosophical Perspective," by Mariarosaria Taddeo, Philosophy and Technology, 2012. Abstract: This paper focuses on Information Warfare -- the warfare characterised by the use of information and communication technologies. This is a fast growing phenomenon, which...

Fri, 13 Apr 2012 21:48:05 UTC

Friday Squid Blogging: Squid Fiction

Posted By Bruce Schneier

Great short story in Nature. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Apr 2012 19:11:30 UTC

Me at RSA 2012

Posted By Bruce Schneier

This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk -- TED-like -- that the conference filmed the day after for the purpose of putting it on the Internet. Today's Internet threats are not technical; they're social and political. They aren't criminals, hackers, or terrorists. They're the...

Fri, 13 Apr 2012 12:08:15 UTC

Disguising Tor Traffic as Skype Video Calls

Posted By Bruce Schneier

One of the problems with Tor traffic is that it can be detected and blocked. Here's SkypeMorph, a clever system that disguises Tor traffic as Skype video traffic. To prevent the Tor traffic from being recognized by anyone analyzing the network flow, SkypeMorph uses what's known as traffic shaping to convert Tor packets into User Datagram Protocol packets, as used...

Thu, 12 Apr 2012 18:34:02 UTC

Bomb Threats As a Denial-of-Service Attack

Posted By Bruce Schneier

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom -- one of the threatened buildings is the 42-story Cathedral of Learning -- finds nothing, and eventually resumes classes. This seems to be nothing...

Thu, 12 Apr 2012 11:38:56 UTC

Brian Snow on Cybersecurity

Posted By Bruce Schneier

Interesting video of Brian Snow speaking from last November. (Brian used to be the Technical Director of NSA's Information Assurance Directorate.) About a year and a half ago, I complained that his words were being used to sow cyber-fear. This talk -- about 30 minutes -- is a better reflection of what he really thinks....

Wed, 11 Apr 2012 18:25:54 UTC

"Raise the Crime Rate"

Posted By Bruce Schneier

I read this a couple of months ago, and I'm still not sure what I think about it. It's definitely one of the most thought-provoking essays I've read this year. According to government statistics, Americans are safer today than at any time in the last forty years. In 1990, there were 2,245 homicides in New York City. In 2010, there were...

Wed, 11 Apr 2012 14:57:15 UTC

A Heathrow Airport Story about Trousers

Posted By Bruce Schneier

Usually I don't bother posting random stories about dumb or inconsistent airport security measures. But this one is particularly interesting: "Sir, your trousers." "Pardon?" "Sir, please take your trousers off." A pause. "No." "No?" The security official clearly was not expecting that response. He begins to look like he doesn't know what to do, bless him. "You have no power...

Tue, 10 Apr 2012 15:21:50 UTC

Teenagers and Privacy

Posted By Bruce Schneier

Good article debunking the myth that young people don't care about privacy on the Internet. Most kids are well aware of risks, and make "fairly sophisticated" decisions about privacy settings based on advice and information from their parents, teachers, and friends. They differentiate between people they don't know out in the world (distant strangers) and those they don't know in...

Mon, 09 Apr 2012 12:45:06 UTC

Laptops and the TSA

Posted By Bruce Schneier

The New York Times tries to make sense of the TSA's policies on computers. Why do you have to take your tiny laptop out of your bag, but not your iPad? Their conclusion: security theater....

Fri, 06 Apr 2012 21:14:23 UTC

Friday Squid Blogging: Squid Art

Posted By Bruce Schneier

Happy Easter. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 06 Apr 2012 16:03:38 UTC

A Systems Framework for Catastrophic Disaster Response

Posted By Bruce Schneier

The National Academies Press has published Crisis Standards of Care: A Systems Framework for Catastrophic Disaster Response. When a nation or region prepares for public health emergencies such as a pandemic influenza, a large-scale earthquake, or any major disaster scenario in which the health system may be destroyed or stressed to its limits, it is important to describe how standards...

Fri, 06 Apr 2012 10:35:08 UTC

James Randi on Magicians and the Security Mindset

Posted By Bruce Schneier

Okay, so he doesn't use that term. But he explains how a magician's inherent ability to detect deception can be useful to science. We can't make magicians out of scientists -- we wouldn't want to -- but we can help scientists "think in the groove" -- think like a magician. And we should. We are not scientists -- with a...

Thu, 05 Apr 2012 17:42:06 UTC

Helen Nissenbaum, Privacy, and the Federal Trade Commission

Posted By Bruce Schneier

Good article....

Thu, 05 Apr 2012 11:19:30 UTC

JetBlue Captain Clayton Osbon and Resilient Security

Posted By Bruce Schneier

This is the most intelligent thing I've read about the JetBlue incident where a pilot had a mental breakdown in the cockpit: For decades, public safety officials and those who fund them have focused on training and equipment that has a dual-use function for any hazard that may come our way. The post-9/11 focus on terrorism, with all the gizmos...

Wed, 04 Apr 2012 17:34:27 UTC

The Battle for Internet Governance

Posted By Bruce Schneier

Good article on the current battle for Internet governance: The War for the Internet was inevitable -- a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers...

Wed, 04 Apr 2012 11:07:36 UTC

Lost Smart Phones and Human Nature

Posted By Bruce Schneier

Symantec deliberately "lost" a bunch of smart phones with tracking software on them, just to see what would happen: Some 43 percent of finders clicked on an app labeled "online banking." And 53 percent clicked on a filed named "HR salaries." A file named "saved passwords" was opened by 57 percent of finders. Social networking tools and personal e-mail were...

Tue, 03 Apr 2012 19:01:02 UTC

Law Enforcement Forensics Tools Against Smart Phones

Posted By Bruce Schneier

Turns out the password can be easily bypassed: XRY works by first jailbreaking the handset. According to Micro Systemation, no backdoors created by Apple are used, but instead it makes use of security flaws in the operating system the same way that regular jailbreakers do. Once the iPhone has been jailbroken, the tool then goes on to brute-force the passcode, trying...

Tue, 03 Apr 2012 11:53:15 UTC

Computer Forensics: An Example

Posted By Bruce Schneier

Paul Ceglia's lawsuit against Facebook is fascinating, but that's not the point of this blog post. As part of the case, there are allegations that documents and e-mails have been electronically forged. I found this story about the forensics done on Ceglia's computer to be interesting....

Mon, 02 Apr 2012 12:56:45 UTC

Buying Exploits on the Grey Market

Posted By Bruce Schneier

This article talks about legitimate companies buying zero-day exploits, including the fact that "an undisclosed U.S. government contractor recently paid $250,000 for an iOS exploit." The price goes up if the hack is exclusive, works on the latest version of the software, and is unknown to the developer of that particular software. Also, more popular software results in a higher...

Fri, 30 Mar 2012 21:28:52 UTC

Friday Squid Blogging: How Squid Hear

Posted By Bruce Schneier

Interesting research: The squid use two closely spaced organs called statocysts to sense sound. "I think of a statocyst as an inside-out tennis ball," explains Dr Mooney. "It's got hairs on the inside and this little dense calcium stone that sits on those hair cells. "What happens is that the sound wave actually moves the squid back and forth, and...

Thu, 29 Mar 2012 19:07:38 UTC

Summer Schools in Cryptography and Software Security at Penn State

Posted By Bruce Schneier

Normally I just delete these as spam, but this summer program for graduate students 1) looks interesting, and 2) has some scholarship money available....

Thu, 29 Mar 2012 11:53:30 UTC

Harms of Post-9/11 Airline Security

Posted By Bruce Schneier

As I posted previously, I have been debating former TSA Administrator Kip Hawley on the Economist website. I didn't bother reposting my opening statement and rebuttal, because -- even though I thought I did a really good job with them -- they were largely things I've said before. In my closing statement, I talked about specific harms post-9/11 airport security...

Wed, 28 Mar 2012 11:05:26 UTC

SHARCS Conference

Posted By Bruce Schneier

Last weekend was the 2012 SHARCS (Special-Purpose Hardware for Attacking Cryptographic Systems) conference. The presentations are online....

Tue, 27 Mar 2012 11:46:48 UTC

The Effects of Data Breach Litigation

Posted By Bruce Schneier

"Empirical Analysis of Data Breach Litigation," Sasha Romanosky, David Hoffman, and Alessandro Acquisti: Abstract: In recent years, a large number of data breaches have resulted in lawsuits in which individuals seek redress for alleged harm resulting from an organization losing or compromising their personal information. Currently, however, very little is known about those lawsuits. Which types of breaches are litigated,...

Mon, 26 Mar 2012 18:02:24 UTC

Congressional Testimony on the TSA

Posted By Bruce Schneier

I was supposed to testify today about the TSA in front of the House Committee on Oversight and Government Reform. I was informally invited a couple of weeks ago, and formally invited last Tuesday: The hearing will examine the successes and challenges associated with Advanced Imaging Technology (AIT), the Screening of Passengers by Observation Techniques (SPOT) program, the Transportation Worker...

Mon, 26 Mar 2012 11:38:16 UTC

Rare Spanish Enigma Machine

Posted By Bruce Schneier

This is a neat story: A pair of rare Enigma machines used in the Spanish Civil War have been given to the head of GCHQ, Britain's communications intelligence agency. The machines - only recently discovered in Spain - fill in a missing chapter in the history of British code-breaking, paving the way for crucial successes in World War II. Fun...

Fri, 23 Mar 2012 21:18:40 UTC

Friday Squid Blogging: Giant Squid Eyes

Posted By Bruce Schneier

It seems that the huge eyes of the giant squid are optimized to see sperm whales....

Fri, 23 Mar 2012 11:33:14 UTC

The Economist Debate on Airplane Security

Posted By Bruce Schneier

On The Economist website, I am currently debating Kip Hawley on airplane security. On Tuesday we posted our initial statements, and today (London time) we posted our rebuttals. We have one more round to go. I've set it up to talk about the myriad of harms airport security has caused: loss of trust in government, increased fear, creeping police state,...

Thu, 22 Mar 2012 12:17:05 UTC

Can the NSA Break AES?

Posted By Bruce Schneier

In an excellent article in Wired, James Bamford talks about the NSA's codebreaking capability. According to another top official also involved with the program, the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments around the world but also many average computer users in the...

Wed, 21 Mar 2012 19:36:19 UTC

Another Liars and Outliers Excerpt

Posted By Bruce Schneier

IT World published an excerpt from Chapter 4....

Wed, 21 Mar 2012 11:26:26 UTC

Unprinter

Posted By Bruce Schneier

A way to securely erase paper: "The key idea was to find a laser energy level that is high enough to ablate - or vaporise - the toner that at the same time is lower than the destruction threshold of the paper substrate. It turns out the best wavelength is 532 nanometres - that's green visible light - with a...

Tue, 20 Mar 2012 13:52:05 UTC

Hacking Critical Infrastructure

Posted By Bruce Schneier

An otherwise uninteresting article on Internet threats to public infrastructure contains this paragraph: At a closed-door briefing, the senators were shown how a power company employee could derail the New York City electrical grid by clicking on an e-mail attachment sent by a hacker, and how an attack during a heat wave could have a cascading impact that would lead...

Mon, 19 Mar 2012 19:33:02 UTC

Avi Rubin on Computer Security

Posted By Bruce Schneier

Avi Rubin has a TEDx talk on hacking various computer devices: medical devices, automobiles, police radios, smart phones, etc....

Mon, 19 Mar 2012 11:38:58 UTC

Australian Security Theater

Posted By Bruce Schneier

I like the quote at the end of this excerpt: Aviation officials have questioned the need for such a strong permanent police presence at airports, suggesting they were there simply "to make the government look tough on terror". One senior executive said in his experience, the officers were expensive window-dressing. "When you add the body scanners, the ritual humiliation of...

Fri, 16 Mar 2012 21:57:45 UTC

Friday Squid Blogging: Squid-Shaped USB Drive

Posted By Bruce Schneier

It looks great. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Mar 2012 18:15:24 UTC

BitCoin Security Musings

Posted By Bruce Schneier

Jon Callas talks about BitCoin's security model, and how susceptible it would be to a Goldfinger-style attack (destroy everyone else's BitCoins)....

Fri, 16 Mar 2012 12:09:58 UTC

Non-Lethal Heat Ray

Posted By Bruce Schneier

The U.S. military has a non-lethal heat ray. No details on what "non-lethal" means in this context....

Thu, 15 Mar 2012 19:35:42 UTC

Assorted Schneier News Stories

Posted By Bruce Schneier

I have several stories in the news (and one podcast), mostly surrounding the talks I gave at the RSA Conference last month....

Thu, 15 Mar 2012 11:16:13 UTC

More "Liars and Outliers" Links

Posted By Bruce Schneier

First, five new reviews of the book. Second, four new AV interviews about the book. Third, I take the Page 99 Test....

Wed, 14 Mar 2012 11:22:09 UTC

On Cyberwar Hype

Posted By Bruce Schneier

Good article by Thomas Rid on the hype surrounding cyberwar. It's well worth reading. And in a more academic paper, published in the RUSI Journal, Thomas Rid and Peter McBurney argue that cyber-weapons aren't all that destructive and that we've been misled by some bad metaphors. Some fundamental questions on the use of force in cyberspace are still unanswered. Worse,...

Tue, 13 Mar 2012 19:01:46 UTC

A Negative Liars and Outliers Review

Posted By Bruce Schneier

This person didn't like it at all. It'll go up on the book's webpage, along with all the positive reviews....

Tue, 13 Mar 2012 11:22:26 UTC

The Security of Multi-Word Passphrases

Posted By Bruce Schneier

Interesting research on the security of passphrases. From a blog post on the work: We found about 8,000 phrases using a 20,000 phrase dictionary. Using a very rough estimate for the total number of phrases and some probability calculations, this produced an estimate that passphrase distribution provides only about 20 bits of security against an attacker trying to compromise 1%...

Mon, 12 Mar 2012 21:30:34 UTC

Video Shows TSA Full-Body Scanner Failure

Posted By Bruce Schneier

The Internet is buzzing about this video, showing a blogger walking through two different types of full-body scanners with metal objects. Basically, by placing the object on your side, the black image is hidden against the scanner's black background. This isn't new, by the way. This vulnerability was discussed in a paper published last year by the Journal of Transportation...

Mon, 12 Mar 2012 11:35:12 UTC

Jamming Speech with Recorded Speech

Posted By Bruce Schneier

This is cool: The idea is simple. Psychologists have known for some years that it is almost impossible to speak when your words are replayed to you with a delay of a fraction of a second. Kurihara and Tsukada have simply built a handheld device consisting of a microphone and a speaker that does just that: it records a person's...

Fri, 09 Mar 2012 22:01:37 UTC

Friday Squid Blogging: Humboldt Squid Can Dive to 1.5 km

Posted By Bruce Schneier

Yet another impressive Humboldt squid feat: "We've seen them make really impressive dives up to a kilometre and a half deep, swimming straight through a zone where there's really low oxygen," the Hopkins Marine Station researcher said. "They're able to spend several hours at this kilometre-and-a-half-deep, and then they go back up and continue their normal daily swimming behaviour. It's...

Fri, 09 Mar 2012 19:40:25 UTC

Liars and Outliers: Book Excerpt

Posted By Bruce Schneier

Gizmodo published the beginning of Chapter 17: the last chapter....

Thu, 08 Mar 2012 12:50:26 UTC

Cloud Computing As a Man-in-the-Middle Attack

Posted By Bruce Schneier

This essay uses the interesting metaphor of the man-in-the-middle attacker to describe cloud providers like Facebook and Google. Basically, they get in the middle of our interactions with others and eavesdrop on the data going back and forth....

Wed, 07 Mar 2012 19:35:11 UTC

NSA's Secure Android Spec

Posted By Bruce Schneier

The NSA has released its specification for a secure Android. One of the interesting things it's requiring is that all data be tunneled through a secure VPN: Inter-relationship to Other Elements of the Secure VoIP System The phone must be a commercial device that supports the ability to pass data over a commercial cellular network. Standard voice phone calls, with...

Wed, 07 Mar 2012 12:14:28 UTC

How Changing Technology Affects Security

Posted By Bruce Schneier

Security is a tradeoff, a balancing act between attacker and defender. Unfortunately, that balance is never static. Changes in technology affect both sides. Society uses new technologies to decrease what I call the scope of defection -- what attackers can get away with -- and attackers use new technologies to increase it. What's interesting is the difference between how the...

Tue, 06 Mar 2012 19:22:57 UTC

The Keywords the DHS Is Using to Analyze Your Social Media Posts

Posted By Bruce Schneier

According to this document, received by EPIC under the Freedom of Information Act, the U.S. Department of Homeland Security is combing through the gazillions of social media postings looking for terrorists. A partial list of keywords is included in the document (pages 20-23), and is reprinted in this blog post....

Tue, 06 Mar 2012 12:20:29 UTC

Comic: Movie Hacking vs. Real Hacking

Posted By Bruce Schneier

Funny....

Mon, 05 Mar 2012 19:30:02 UTC

Themes from the RSA Conference

Posted By Bruce Schneier

Last week was the big RSA Conference in San Francisco: something like 20,000 people. From what I saw, these were the major themes on the show floor: Companies that deal with "Advanced Persistent Threat." Companies that help you recover after you've been hacked. Companies that deal with "Bring Your Own Device" at work, also known as consumerization. Who else went...

Mon, 05 Mar 2012 12:45:51 UTC

British Anti-Theft Briefcase from the 1960s

Posted By Bruce Schneier

Fantastic....

Fri, 02 Mar 2012 22:41:45 UTC

Friday Squid Blogging: Squid Vision

Posted By Bruce Schneier

Some squid can see aspects of light that are invisible to humans, including polarized light. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 02 Mar 2012 19:21:49 UTC

Liars and Outliers: The Big Idea

Posted By Bruce Schneier

My big idea is a big question. Every cooperative system contains parasites. How do we ensure that society's parasites don't destroy society's systems? It's all about trust, really. Not the intimate trust we have in our close friends and relatives, but the more impersonal trust we have in the various people and systems we interact with in society. I trust...

Fri, 02 Mar 2012 12:11:46 UTC

GPS Spoofers

Posted By Bruce Schneier

Great movie-plot threat: Financial institutions depend on timing that is accurate to the microsecond on a global scale so that stock exchanges in, say, London and New York are perfectly synchronised. One of the main ways of doing this is through GPS, and major financial institutions will have a GPS antenna on their main buildings. "They are always visible because...

Thu, 01 Mar 2012 19:32:57 UTC

State Department Redacts Wikileaks Cables

Posted By Bruce Schneier

The ACLU filed a FOIA request for a bunch of cables that Wikileaks had already released complete versions of. This is what happened: The agency released redacted versions of 11 and withheld the other 12 in full. The five excerpts below show the government's selective and self-serving decisions to withhold information. Because the leaked versions of these cables have already...

Thu, 01 Mar 2012 12:39:45 UTC

Detect Which Social Networking Sites Website Visitors Are Logged Into

Posted By Bruce Schneier

Clever hack....

Wed, 29 Feb 2012 13:11:17 UTC

FBI Special Agent and Counterterrorism Expert Criticizes the TSA

Posted By Bruce Schneier

Good essay. Nothing I haven't said before, but it's good to hear it from someone with a widely different set of credentials than I have....

Tue, 28 Feb 2012 12:43:08 UTC

"Cyberwar Is the New Yellowcake"

Posted By Bruce Schneier

Good essay on the dangers of cyberwar rhetoric -- and the cyberwar arms race....

Mon, 27 Feb 2012 18:30:37 UTC

Liars and Outliers: Interview on The Browser

Posted By Bruce Schneier

I was asked to talk about five books related to privacy. You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two? Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we...

Mon, 27 Feb 2012 11:49:52 UTC

U.S. Federal Court Rules that it is Unconstitutional for the Police to Force Someone to Decrypt their Laptop

Posted By Bruce Schneier

A U.S. Federal Court ruled that it is unconstitutional for the police to force someone to decrypt their laptop computer: Thursday's decision by the 11th U.S. Circuit Court of Appeals said that an encrypted hard drive is akin to a combination to a safe, and is off limits, because compelling the unlocking of either of them is the equivalent of...

Fri, 24 Feb 2012 22:08:07 UTC

Friday Squid Blogging: Squid Can Fly to Save Energy

Posted By Bruce Schneier

There's a new study that shows that squid are faster in the air than in the water. Squid of many species have been seen to 'fly' using the same jet-propulsion mechanisms that they use to swim: squirting water out of their mantles so that they rocket out of the sea and glide through the air. Until now, most researchers have...

Fri, 24 Feb 2012 21:18:30 UTC

Liars and Outliers News

Posted By Bruce Schneier

The book is selling well. (Signed copies are still available on the website.) All the online stores have it, and most bookstores as well. It is available in Europe and elsewhere outside the U.S. And for those who wanted a DRM-free electronic copy, it's available on the O'Reilly.com bookstore for $11.99. I have collected four new reviews. And a bunch...

Fri, 24 Feb 2012 20:56:52 UTC

Press Mentions

Posted By Bruce Schneier

One article on me, and a podcast about my RSA talk next week....

Fri, 24 Feb 2012 19:37:50 UTC

Mention of Cryptography in a Rap Song

Posted By Bruce Schneier

The new movie Safe House features the song "No Church in the Wild," by Kanye West, which includes this verse: I live by you, desire I stand by you, walk through the fire Your love is my scripture Let me into your encryption...

Fri, 24 Feb 2012 13:06:19 UTC

Computer Security when Traveling to China

Posted By Bruce Schneier

Interesting: When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables...

Thu, 23 Feb 2012 18:29:46 UTC

Another Piece of the Stuxnet Puzzle

Posted By Bruce Schneier

We can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran. Watch this new video presentation from Ralph Langner, the researcher who has done the most work on Stuxnet. It's a long clip, but the good stuff is between 21:00 and 29:00. The pictures he's referring to are still up. My previous writings...

Thu, 23 Feb 2012 12:27:50 UTC

Mobile Malware Is Increasing

Posted By Bruce Schneier

According to a report by Juniper, mobile malware is increasing dramatically. In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. Most noteworthy was the dramatic growth in Android Malware from roughly 400 samples in June to over 13,000 samples by the end of 2011. This amounts to a cumulative increase of...

Wed, 22 Feb 2012 12:53:59 UTC

John Nash's 1955 Letter to the NSA

Posted By Bruce Schneier

Fascinating....

Tue, 21 Feb 2012 13:36:38 UTC

"1234" and Birthdays Are the Most Common PINs

Posted By Bruce Schneier

Research paper: "A birthday present every eleven wallets? The security of customer-chosen banking PINs," by Joseph Bonneau, Sören Preibusch, and Ross Anderson: Abstract: We provide the first published estimates of the difficulty of guessing a human-chosen 4-digit PIN. We begin with two large sets of 4-digit sequences chosen outside banking for online passwords and smartphone unlock-codes. We use a regression...
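The two posts above on passphrases and on customer-chosen PINs both report security as "bits against an attacker trying to compromise X% of accounts", which is Bonneau's alpha-work-factor rather than Shannon entropy. The following is an added example, not code from either paper or from this blog: it computes that metric on a constructed PIN sample (the counts are made up, not survey data) and on a uniform baseline, and prints Shannon entropy beside it to show why the latter overstates guessing resistance.

```python
"""Guessing resistance of human-chosen secrets: alpha-work-factor in bits
(Bonneau's metric) versus Shannon entropy. Added example, not code from the
posts or the papers; the PIN counts are constructed, not survey data."""
from fractions import Fraction
import math

# Constructed sample of 1,000 PINs: ten popular choices plus 630 one-off PINs.
SAMPLE = {"1234": 110, "1111": 60, "0000": 50, "1212": 40, "7777": 30,
          "1004": 25, "2000": 20, "4444": 15, "2222": 10, "6969": 10}
SAMPLE.update({f"{i:04d}": 1 for i in range(5000, 5630)})

# Uniform baseline: every 4-digit PIN equally likely.
UNIFORM = {f"{i:04d}": 1 for i in range(10_000)}


def work_factor(counts, alpha):
    """alpha-work-factor: mu is the number of best-first guesses needed to
    break a fraction alpha of accounts; the bit figure is log2(mu / lambda),
    where lambda is the success probability actually reached after mu
    guesses (for a uniform distribution over N this is exactly log2 N)."""
    alpha = Fraction(str(alpha))              # exact: 0.01 really means 1/100
    total = sum(counts.values())
    cum = 0
    for mu, c in enumerate(sorted(counts.values(), reverse=True), start=1):
        cum += c
        if cum >= alpha * total:
            lam = Fraction(cum, total)
            return mu, math.log2(float(mu / lam))
    raise ValueError("alpha must be in (0, 1]")


def shannon_bits(counts):
    """Shannon entropy of the same distribution, for contrast only."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    for label, dist in (("constructed sample", SAMPLE), ("uniform", UNIFORM)):
        for alpha in ("0.01", "0.5"):
            mu, bits = work_factor(dist, alpha)
            print(f"{label}: alpha={alpha}: {mu} guesses, {bits:.2f} bits")
        print(f"{label}: Shannon entropy {shannon_bits(dist):.2f} bits")
```

On the constructed sample an attacker willing to compromise 1% of accounts needs a single guess ("1234"), about 3.2 bits of security, while Shannon entropy of the same distribution is near 8 bits; the uniform baseline gives log2(10000), about 13.3 bits, at every alpha. The passphrase post's "about 20 bits against an attacker compromising 1%" is the same quantity, `work_factor(counts, 0.01)`, computed on a real phrase distribution.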

Mon, 20 Feb 2012 12:30:58 UTC

Covert Communications Channel in Tarsiers

Posted By Bruce Schneier

Marissa A. Ramsier, Andrew J. Cunningham, Gillian L. Moritz, James J. Finneran, Cathy V. Williams, Perry S. Ong, Sharon L. Gursky-Doyen, and Nathaniel J. Dominy (2012), "Primate communication in the pure ultrasound," Biology Letters. Abstract: Few mammals -- cetaceans, domestic cats and select bats and rodents -- can send and receive vocal signals contained within the ultrasonic domain, or pure...

Fri, 17 Feb 2012 22:37:21 UTC

Friday Squid Blogging: Squid Desk Lamp

Posted By Bruce Schneier

Beautiful sculpture. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 17 Feb 2012 19:45:41 UTC

What Is a Suspicious-Looking Package, Anyway?

Posted By Bruce Schneier

Funny comic....

Fri, 17 Feb 2012 12:25:49 UTC

Self-Domestication in Bonobos and Other Animals

Posted By Bruce Schneier

Self-domestication happens when the benefits of cooperation outweigh the costs: But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the...

Thu, 16 Feb 2012 18:22:26 UTC

Cryptanalysis of Satellite Phone Encryption Algorithms

Posted By Bruce Schneier

From the abstract of the paper: In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the...

Thu, 16 Feb 2012 12:51:51 UTC

Lousy Random Numbers Cause Insecure Public Keys

Posted By Bruce Schneier

There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well. The cause of this is almost...
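The weakness described above is exploitable without any number-theoretic breakthrough: if two RSA moduli share a prime, a plain GCD recovers it, and a product/remainder tree (batch GCD) makes that check practical across millions of keys. The following is an added example, not code from the paper or the blog; the key set is constructed from small primes so it runs instantly, with two moduli that both drew the same p.

```python
"""Detecting RSA moduli that share a prime factor. Added example, not code
from the post or the paper it discusses; the key set is constructed from
small primes so it runs instantly (real moduli are 1024 bits or more)."""
from math import gcd

# Constructed toy key set: two "devices" with a bad RNG both drew p = 1009.
MODULI = {
    "key_a": 1009 * 1013,   # shares 1009 with key_c
    "key_b": 1019 * 1021,   # independent primes: stays secure
    "key_c": 1009 * 1031,   # shares 1009 with key_a
    "key_d": 1033 * 1039,
}


def batch_gcd(moduli):
    """Bernstein's batch GCD: for every n_i return gcd(n_i, product of all
    other moduli) via a product tree and a remainder tree, so a set of
    millions of moduli costs quasi-linear time instead of n^2 pairwise gcds."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:                     # product tree, leaves first
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    rems = tree[-1]                              # root = product of everything
    for level in reversed(tree[:-1]):            # remainder tree, root to leaves
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # (X mod n^2) / n equals (product of the other moduli) mod n
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def find_weak_keys(keys):
    """Return {name: (p, q)} for every modulus that factors because it shares
    a prime with another key in the set."""
    names = list(keys)
    moduli = [keys[k] for k in names]
    weak = {}
    for name, n, g in zip(names, moduli, batch_gcd(moduli)):
        if g == 1:
            continue                             # no common factor with the rest
        if g == n:
            # Both primes are shared with other keys; isolate one pairwise.
            g = next((gcd(n, m) for m in moduli if 1 < gcd(n, m) < n), None)
            if g is None:
                continue                         # exact duplicate key, not factored here
        p, q = sorted((g, n // g))
        weak[name] = (p, q)
    return weak


if __name__ == "__main__":
    for name, (p, q) in find_weak_keys(MODULI).items():
        print(f"{name}: n = {p} * {q}")
```

A key that shares no prime with any other key in the scanned set gets gcd 1 and is not broken by this method; the risk is entirely in the generator, which is why the fix is better entropy at key-generation time rather than anything in the RSA algorithm.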

Wed, 15 Feb 2012 19:11:06 UTC

Dumb Risk of the Day

Posted By Bruce Schneier

Geotagged images of children: Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA. The location information...

Wed, 15 Feb 2012 13:09:22 UTC

The Sudafed Security Trade-Off

Posted By Bruce Schneier

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine: Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this...

Tue, 14 Feb 2012 18:36:11 UTC

SSL Traffic Analysis on Google Maps

Posted By Bruce Schneier

Interesting....

Tue, 14 Feb 2012 13:12:53 UTC

Trust Requires Transparency

Posted By Bruce Schneier

Adam Shostack explains to Verisign that trust requires transparency. This is a lesson Path should have learned....

Mon, 13 Feb 2012 20:53:30 UTC

Liars and Outliers Update

Posted By Bruce Schneier

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped...

Mon, 13 Feb 2012 11:20:24 UTC

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Posted By Bruce Schneier

Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key. What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might...

Fri, 10 Feb 2012 22:04:47 UTC

Friday Squid Blogging: Squid's Beard

Posted By Bruce Schneier

It's an acoustic bluegrass band. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 10 Feb 2012 20:08:22 UTC

Captchas

Posted By Bruce Schneier

Funny....

Fri, 10 Feb 2012 12:21:14 UTC

Securing iPads for Exams

Posted By Bruce Schneier

Interesting blog post about locking down an iPad so students can take exams on them....

Thu, 09 Feb 2012 12:10:35 UTC

Security Implications of "Lower-Risk Aircraft"

Posted By Bruce Schneier

Interesting paper: Paul J. Freitas (2012), "Passenger aviation security, risk management, and simple physics," Journal of Transportation Security. Abstract: Since the September 11, 2001 suicide hijacking attacks on the United States, preventing similar attacks from recurring has been perhaps the most important goal of aviation security. In addition to other measures, the US government has increased passenger screening requirements to...

Wed, 08 Feb 2012 12:46:04 UTC

Solving the Underlying Economic Problem of Internet Piracy

Posted By Bruce Schneier

This essay is definitely thinking along the correct directions....

Tue, 07 Feb 2012 11:53:41 UTC

Error Rates of Hand-Counted Voting Systems

Posted By Bruce Schneier

The error rate for hand-counted ballots is about two percent. All voting systems have nonzero error rates. This doesn't surprise technologists, but does surprise the general public. There's a myth out there that elections are perfectly accurate, down to the single vote. They're not. If the vote is within a few percentage points, they're likely a statistical tie. (The problem,...

Mon, 06 Feb 2012 19:23:27 UTC

The Failure of Two-Factor Authentication

Posted By Bruce Schneier

In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint. This BBC article describes exactly that: After logging in to the bank's real site, account holders are being tricked...
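The attack in the BBC article works because the one-time code only proves "this user is present", not "this user approved this payment", so malware on the client can submit a different transaction and relay the code unchanged. The following is an added example, not code from the essay or the article: it models the man-in-the-browser against a plain HOTP-style code and against a code bound to the payee and amount (the usual transaction-signing mitigation). The token seed, account names and amounts are constructed; the bank is assumed to keep its counter in sync with the user's token.

```python
"""Why a one-time code that is not tied to the transaction can be relayed by
real-time malware, and why binding the code to the transaction details stops
that. Added example, not code from the post or the BBC article; the secret,
account names and amounts are constructed."""
import hmac
import hashlib
import struct


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 digest to a decimal code."""
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24 | digest[offset + 1] << 16
            | digest[offset + 2] << 8 | digest[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int) -> str:
    """Plain event-based OTP: depends only on the secret and a counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest())


def canonical(txn: dict) -> bytes:
    """Fixed encoding of the fields that matter; token and bank must agree."""
    return f"{txn['to']}|{txn['amount_cents']}|{txn['currency']}".encode()


def txn_code(secret: bytes, counter: int, txn: dict) -> str:
    """Transaction-bound code: the MAC covers the counter AND payee/amount."""
    msg = struct.pack(">Q", counter) + canonical(txn)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest())


class Bank:
    def __init__(self, secret: bytes, bound: bool):
        self.secret, self.bound = secret, bound
        self.counter = 0          # assumed in sync with the user's token
        self.ledger = []

    def submit(self, txn: dict, code: str) -> bool:
        if self.bound:
            expected = txn_code(self.secret, self.counter, txn)
        else:
            expected = hotp(self.secret, self.counter)
        self.counter += 1         # a counter value is consumed even on failure
        if hmac.compare_digest(expected, code):
            self.ledger.append(txn)
            return True
        return False


def run_attack(bound: bool) -> dict:
    """Man-in-the-browser: the user authorises one payment, the malware
    submits another and relays the user's code unchanged."""
    secret = b"constructed-token-seed-not-real"
    bank = Bank(secret, bound)
    intended = {"to": "Alice", "amount_cents": 10_000, "currency": "USD"}
    fraud = {"to": "MuleAccount", "amount_cents": 500_000, "currency": "USD"}
    # The token computes the code for what the user sees on its own display.
    code = txn_code(secret, 0, intended) if bound else hotp(secret, 0)
    accepted = bank.submit(fraud, code)        # malware swapped the payee
    return {"accepted": accepted, "paid": list(bank.ledger)}


if __name__ == "__main__":
    print("unbound OTP, fraud accepted:", run_attack(bound=False)["accepted"])
    print("transaction-bound, fraud accepted:", run_attack(bound=True)["accepted"])
```

The binding only helps if the payee and amount the user confirms are shown on a channel the malware does not control (the token's own display, or a message that spells out the details); if the compromised PC renders the confirmation, the Trojan simply shows the intended payment while feeding the token the fraudulent one.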

Fri, 03 Feb 2012 22:18:41 UTC

Friday Squid Blogging: Clothing that Keeps an Exercise Journal

Posted By Bruce Schneier

It's called Squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 03 Feb 2012 20:49:54 UTC

The Problems of Too Much Information Sharing

Posted By Bruce Schneier

Funny. Fake, but funny....

Fri, 03 Feb 2012 16:49:08 UTC

VeriSign Hacked, Successfully and Repeatedly, in 2010

Posted By Bruce Schneier

Reuters discovered the information: The VeriSign attacks were revealed in a quarterly U.S. Securities and Exchange Commission filing in October that followed new guidelines on reporting security breaches to investors. It was the most striking disclosure to emerge in a review by Reuters of more than 2,000 documents mentioning breach risks since the SEC guidance was published. The company, unsurprisingly,...

Thu, 02 Feb 2012 15:04:12 UTC

Prisons in the U.S.

Posted By Bruce Schneier

Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value: Over all, there are now more people under "correctional supervision" in America -- more than six million -- than were in the Gulag Archipelago under Stalin at its height. That city of the confined and the controlled, Lockuptown, is now the second...

Wed, 01 Feb 2012 12:05:59 UTC

The Idaho Loophole

Posted By Bruce Schneier

Brian C. Kalt (2012), "The Idaho Loophole," Georgetown Law Journal, Vol. 93, No. 2. Abstract: This article argues that there is a 50-square-mile swath of Idaho in which one can commit felonies with impunity. This is because of the intersection of a poorly drafted statute with a clear but neglected constitutional provision: the Sixth Amendment's Vicinage Clause. Although lesser criminal...

Tue, 31 Jan 2012 23:03:31 UTC

Possibly the Most Incompetent TSA Story Yet

Posted By Bruce Schneier

The storyline: TSA screener finds two pipes in passenger's bags. Screener determines that they're not a threat. Screener confiscates them anyway, because of their "material and appearance." Because they're not actually a threat, screener leaves them at the checkpoint. Everyone forgets about them. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able...

Tue, 31 Jan 2012 17:13:27 UTC

Biases in Forensic Science

Posted By Bruce Schneier

Some errors in forensic science may be the result of the biases of the medical examiners: Though they cannot prove it, Dr Dror and Dr Hampikian suspect the difference in contextual information given to the examiners was the cause of the different results. The original pair may have subliminally interpreted ambiguous information in a way helpful to the prosecution, even...

Mon, 30 Jan 2012 19:59:42 UTC

Liars and Outliers Update

Posted By Bruce Schneier

According to my publisher, the book was printed last week and the warehouse is shipping orders to booksellers today. Amazon is likely to start shipping books on Thursday. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they'll ship copies as soon as they get them -- this ain't Harry Potter.) The Kindle edition...

Mon, 30 Jan 2012 16:52:01 UTC

British Tourists Arrested in the U.S. for Tweeting

Posted By Bruce Schneier

Does this story make sense to anyone? The Department of Homeland Security flagged him as a potential threat when he posted an excited tweet to his pals about his forthcoming trip to Hollywood which read: 'Free this week, for quick gossip/prep before I go and destroy America'. After making their way through passport control at Los Angeles International Airport (LAX)...

Mon, 30 Jan 2012 12:02:49 UTC

The Nature of Cyberwar

Posted By Bruce Schneier

This was pretty good, I thought: However, it may be difficult to write military doctrine for many aspects of cyberconflict that are truly revolutionary. Here are no fewer than 10 to consider: The Internet is an artificial environment that can be shaped in part according to national security requirements. The blinding proliferation of technology and hacker tools makes it impossible...

Fri, 27 Jan 2012 12:39:16 UTC

Password Sharing Among American Teenagers

Posted By Bruce Schneier

Interesting article from the New York Times on password sharing as a show of affection. "It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to...

Thu, 26 Jan 2012 16:36:32 UTC

Evidence on the Effectiveness of Terrorism

Posted By Bruce Schneier

Readers of this blog will know that I like the works of Max Abrams, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583-94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11": The basic narrative of bargaining theory predicts that, all else...

Wed, 25 Jan 2012 19:56:57 UTC

Federal Judge Orders Defendant to Decrypt Laptop

Posted By Bruce Schneier

A U.S. federal judge has ordered a defendant to decrypt her laptop....

Wed, 25 Jan 2012 18:54:19 UTC

Supreme Court Rules that GPS Tracking Requires a Warrant

Posted By Bruce Schneier

The U.S. Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant....

Wed, 25 Jan 2012 12:44:26 UTC

Research into an Information Security Risk Rating

Posted By Bruce Schneier

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals: Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all...

Tue, 24 Jan 2012 12:46:08 UTC

Using Plant DNA for Authentication

Posted By Bruce Schneier

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the...

Mon, 23 Jan 2012 17:49:29 UTC

Authentication by "Cognitive Footprint"

Posted By Bruce Schneier

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when...

Fri, 20 Jan 2012 12:39:45 UTC

The Continued Militarization of the U.S. Police

Posted By Bruce Schneier

The state of Texas gets an armed PT boat. I guess armed drones weren't enough for them....

Thu, 19 Jan 2012 19:02:09 UTC

The Onion on Facebook

Posted By Bruce Schneier

Funny news video on Facebook and the CIA....

Thu, 19 Jan 2012 12:36:38 UTC

Using False Alarms to Disable Security

Posted By Bruce Schneier

I wrote about this technique in Beyond Fear: Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police. The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door....

Tue, 17 Jan 2012 22:10:01 UTC

Going Dark to Protest SOPA/PIPA

Posted By Bruce Schneier

Tomorrow, from 8 am to 8 pm EDT, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others. A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here....

Tue, 17 Jan 2012 18:29:58 UTC

Tor Opsec

Posted By Bruce Schneier

Good operational security guide to Tor....

Tue, 17 Jan 2012 13:31:14 UTC

The Importance of Good Backups

Posted By Bruce Schneier

Thankfully, this doesn't happen very often: A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings....

Mon, 16 Jan 2012 15:58:56 UTC

PCI Lawsuit

Posted By Bruce Schneier

This is a first: ...the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to...

Fri, 13 Jan 2012 22:19:13 UTC

Friday Squid Blogging: Argentina Attempts a Squid Blockage against the Falkland Islands

Posted By Bruce Schneier

Yet another story that combines squid and security. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 13 Jan 2012 18:58:24 UTC

Recovering a Hacked Gmail Account

Posted By Bruce Schneier

Long (but well-written and interesting) story of someone whose Gmail account was hacked and erased, and eventually restored. Many interesting lessons about the security of largely support-free cloud services....

Fri, 13 Jan 2012 12:58:01 UTC

"Going Dark" vs. a "Golden Age of Surveillance"

Posted By Bruce Schneier

It's a policy debate that's been going on since the crypto wars of the early 1990s. The FBI, NSA, and other agencies continue to claim they're losing their ability to engage in surveillance: that it's "going dark." Whether the cause of the problem is encrypted e-mail, digital telephony, or Skype, the bad guys use it to communicate, so we need...

Thu, 12 Jan 2012 21:04:36 UTC

Abolish the Department of Homeland Security

Posted By Bruce Schneier

I have a love/hate relationship with the CATO Institute. Most of their analysis I strongly disagree with, but some of it I equally strongly agree with. Last September 11 -- the tenth anniversary of 9/11 -- CATO's David Rittgers published "Abolish the Department of Homeland Security": DHS has too many subdivisions in too many disparate fields to operate effectively. Agencies...

Thu, 12 Jan 2012 20:39:49 UTC

TSA Cupcake Update

Posted By Bruce Schneier

The TSA claims that the cupcake they confiscated was in a jar. So this is a less obviously stupid story than I previously thought....

Thu, 12 Jan 2012 18:37:28 UTC

A Theory of Online Jihadist Sites

Posted By Bruce Schneier

Very interesting: The counterterrorism community has spent years trying to determine why so many people are engaged in online jihadi communities in such a meaningful way. After all, the life of an online administrator for a hard-line Islamist forum is not as exciting as one might expect. You don't get paid, and you spend most of your time posting links...

Thu, 12 Jan 2012 11:53:20 UTC

Apple Split-Key Patent

Posted By Bruce Schneier

Apple has a patent on splitting a key between a portable device and its power supply. Clever idea....

Wed, 11 Jan 2012 13:15:30 UTC

Protecting Your Privacy at International Borders

Posted By Bruce Schneier

The EFF has published a good guide. My own advice is here and here....

Tue, 10 Jan 2012 12:56:27 UTC

Collecting Expert Predictions about Terrorist Attacks

Posted By Bruce Schneier

John Mueller has been collecting them: Some 116 of these Very People were surveyed in 2006 by Foreign Policy magazine in a joint project with the Center for American Progress. The magazine stressed that its survey drew from the "highest echelons of America's foreign policy establishment" and included the occasional secretary of state and national security adviser, as well as...

Mon, 09 Jan 2012 18:55:57 UTC

Stealing Source Code

Posted By Bruce Schneier

Hackers stole some source code to Symantec's products. We don't know what was stolen or how recent the code is -- the company is, of course, minimizing the story -- but it's hard to get worked up about this. Yes, maybe the bad guys will comb the code looking for vulnerabilities, and maybe there's some smoking gun that proves Symantec's...

Mon, 09 Jan 2012 12:00:55 UTC

The TSA Proves its Own Irrelevance

Posted By Bruce Schneier

Have you wondered what $1.2 billion in airport security gets you? The TSA has compiled its own "Top 10 Good Catches of 2011": 10) Snakes, turtles, and birds were found at Miami (MIA) and Los Angeles (LAX). I'm just happy there weren't any lions, tigers, and bears... [...] 3) Over 1,200 firearms were discovered at TSA checkpoints across the nation...

Fri, 06 Jan 2012 22:36:05 UTC

Friday Squid Blogging: Squid Skateboards

Posted By Bruce Schneier

Great designs.....

Fri, 06 Jan 2012 19:50:49 UTC

Time to Patch Your HP Printers

Posted By Bruce Schneier

It's a serious vulnerability. Note that this is the research that was mistakenly reported as allowing hackers to set your printer on fire. Here's a list of all the printers affected....

Fri, 06 Jan 2012 12:30:24 UTC

Improving the Security of Four-Digit PINs on Cell Phones

Posted By Bruce Schneier

The author of this article notices that it's often easy to guess a cell phone PIN because of smudge marks on the screen. Those smudge marks indicate the four PIN digits, so an attacker knows that the PIN is one of 24 possible permutations of those digits. Then he points out that if your PIN has only three different digits...

Thu, 05 Jan 2012 19:39:55 UTC

Liars and Outliers News

Posted By Bruce Schneier

The Liars and Outliers webpage is live. On it you can find links to order both paper and e-book copies from a variety of online retailers, and signed copies directly from me. I've also posted the jacket copy, the table of contents, the first chapter, the 15 figures from the book, an image of the full wraparound cover, and all...

Thu, 05 Jan 2012 12:28:59 UTC

Newly Released Papers from NSA Journals

Posted By Bruce Schneier

The papers are old, but they have just been released under FOIA....

Wed, 04 Jan 2012 14:37:07 UTC

Sending Coded Messages with Postage Stamps

Posted By Bruce Schneier

The history of coded messages in postage-stamp placement. I wonder how prevalent this actually was. My guess is that it was more a clever idea than an actual signaling system. And I notice that a lot of the code systems don't have a placement that indicates "no message; this is just a stamp."...

Mon, 02 Jan 2012 18:33:56 UTC

Allocating Security Resources to Protect Critical Infrastructure

Posted By Bruce Schneier

Alan T. Murray and Tony H. Grubesic, "Critical Infrastructure Protection: The Vulnerability Conundrum," Telematics & Informatics, 29 (February 2012): 56-65 (full article behind paywall). Abstract: Critical infrastructure and key resources (CIKR) refer to a broad array of assets which are essential to the everyday functionality of social, economic, political and cultural systems in the United States. The interruption of CIKR...

Mon, 02 Jan 2012 12:15:26 UTC

Applying Game Theory to Cyberattacks and Defenses

Posted By Bruce Schneier

Behzad Zare Moayedi, Mohammad Abdollahi Azgomi, "A Game Theoretic Framework for Evaluation of the Impacts of Hackers' Diversity on Security Measures," Reliability Engineering & System Safety, 99 (2012): 45-54 (full article behind paywall). Abstract: Game theoretical methods offer new insights into quantitative evaluation of dependability and security. Currently, there is a wide range of useful game theoretic approaches to model...

Fri, 30 Dec 2011 12:11:13 UTC

Studying Airport Security

Posted By Bruce Schneier

Alan A. Kirschenbaum, Michele Mariani, Coen Van Gulijk, Sharon Lubasz, Carmit Rapaport, and Hinke Andriessen, "Airport Security: An Ethnographic Study," Journal of Air Transport Management, 18 (January 2012): 68-73 (full article is behind a paywall). Abstract: This paper employs a behavioral science perspective of airport security to examine security related decision behaviors using exploratory ethnographic observations. Sampling employees from a...

Thu, 29 Dec 2011 19:58:17 UTC

Tying Up Phone Lines as a Cyberattack Tactic

Posted By Bruce Schneier

There's a service that can be hired to tie up target phone lines indefinitely. The article talks about how this can be used as a diversionary tactic to mask a cyberattack, but that seems a bit odd to me. I'd be more concerned about how this sort of thing could be used to disrupt the operations of a political candidate...

Thu, 29 Dec 2011 15:47:40 UTC

Hacking Marconi's Wireless in 1903

Posted By Bruce Schneier

A great story: Yet before the demonstration could begin, the apparatus in the lecture theatre began to tap out a message. At first, it spelled out just one word repeated over and over. Then it changed into a facetious poem accusing Marconi of "diddling the public". Their demonstration had been hacked -- and this was more than 100 years before...

Wed, 28 Dec 2011 17:40:33 UTC

Butt Identification

Posted By Bruce Schneier

Here's a new biometric: how you sit: ...researchers there developed a system that can recognize a person by the backside when the person takes a seat. The system performs a precise measurement of the person's posterior, its contours and the way the person applies pressure on the seat. The developers say that in lab tests, the system was able to...

Tue, 27 Dec 2011 12:22:54 UTC

The Collar Bomb Robbery

Posted By Bruce Schneier

Really interesting story of the collar-bomb robbery -- and subsequent investigation -- from 2003....

Mon, 26 Dec 2011 14:39:56 UTC

Hacking Subway's POS System

Posted By Bruce Schneier

The story of how Subway's point-of-sale system was hacked for $3M....

Sun, 25 Dec 2011 16:28:21 UTC

Merry Christmas from the TSA

Posted By Bruce Schneier

Cupcakes deemed security threat: Rebecca Hains says she was going through security at the airport in Las Vegas when a TSA agent pulled her aside and said the cupcake frosting was "gel-like" enough to constitute a security risk. The TSA has officially jumped the shark....

Sat, 24 Dec 2011 00:10:39 UTC

Friday Squid Blogging: Goldman Sachs and the Vampire Squid Metaphor

Posted By Bruce Schneier

It's a metaphor that will not die. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 23 Dec 2011 20:50:39 UTC

Santa Hacked

Posted By Bruce Schneier

Mildly amusing video....

Fri, 23 Dec 2011 17:03:00 UTC

Me on Airport Security

Posted By Bruce Schneier

Charles Mann made me the central focus of his article on airport security for Vanity Fair. (Mann also wrote about me in 2002 for The Atlantic.) The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed....

Fri, 23 Dec 2011 13:51:45 UTC

Human Ear Biometric

Posted By Bruce Schneier

I have no idea how good this biometric actually is....

Thu, 22 Dec 2011 12:09:44 UTC

Giveaway: Liars and Outliers Galleys

Posted By Bruce Schneier

My box of galley copies arrived in the mail yesterday. They're filled with uncorrected typos, but otherwise look great. Wiley printed about 500 of them, and they're mostly going to journalists and book reviewers, with some going to different wholesale and retail outlets. I have 20 copies to give away to readers of my blog and Crypto-Gram. Earlier this month,...

Wed, 21 Dec 2011 11:55:34 UTC

Chinese Hacking of iBahn Internet Services

Posted By Bruce Schneier

Citing unexplained "intelligence data," an unnamed "senior intelligence official," and an anonymous "privacy security official," Bloomberg News claims that iBahn -- the company that runs Internet services for a bunch of hotel chains -- has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China...

Tue, 20 Dec 2011 12:24:12 UTC

Multiple Protocol Attacks

Posted By Bruce Schneier

In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number. I have...

Mon, 19 Dec 2011 19:38:57 UTC

How to Open a Padlock with a Coke Can

Posted By Bruce Schneier

A nice tutorial on making and using shims to open padlocks....

Mon, 19 Dec 2011 12:48:40 UTC

Plasmonics Anti-Counterfeiting Technology

Posted By Bruce Schneier

This could be interesting: NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display--which are typically 100-200 nanometers in diameter--in a way that creates what are called "surface plasmons." In the words of the company, this means light "[collects] on...

Fri, 16 Dec 2011 22:24:15 UTC

Friday Squid Blogging: Squid Season

Posted By Bruce Schneier

It's squid season off the coast of Southern California. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 16 Dec 2011 20:52:10 UTC

Me Speaking on Cryptography in 1997

Posted By Bruce Schneier

In 1997, I spoke at the Beyond HOPE Conference in New York. (HOPE stood for "Hackers Over Planet Earth.") A video of that talk is available online....

Fri, 16 Dec 2011 19:28:39 UTC

Cameo in a Rock Video

Posted By Bruce Schneier

At the 1:46 mark, you'll see my first cameo appearance in a transvestite-themed rock video....

Fri, 16 Dec 2011 18:01:45 UTC

More on the Captured U.S. Drone

Posted By Bruce Schneier

There's a report that Iran hacked the drone's GPS system: "The GPS navigation is the weakest point," the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran's "electronic ambush" of the highly classified US drone. "By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its...

Fri, 16 Dec 2011 17:21:18 UTC

Snow Cone Machines for Homeland Security

Posted By Bruce Schneier

When you give out money based on politics, without any accounting, this is what you get: The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties. The WMSRDC recently purchased and transferred homeland security equipment to these counties -- including...

Fri, 16 Dec 2011 13:04:32 UTC

The EFF's Sovereign Key Proposal

Posted By Bruce Schneier

Proposal here....

Fri, 16 Dec 2011 05:00:00 UTC

Liars and Outliers Galleys

Posted By Bruce Schneier

My publisher is printing galley copies of Liars and Outliers. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I'll forward your request to Wiley's PR department. I think they'll be ready in a week or so, although it might be after...

Thu, 15 Dec 2011 18:50:39 UTC

Investigative Report on "Buckshot Yankee"

Posted By Bruce Schneier

This is a really good analysis about the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known....

Wed, 14 Dec 2011 19:22:03 UTC

Feeling vs. Reality of Security in Sparrows

Posted By Bruce Schneier

Sparrows have fewer surviving offspring if they feel insecure, regardless of whether they actually are insecure. Liana Y. Zanette, Aija F. White, Marek C. Allen, and Michael Clinchy, "Perceived Predation Risk Reduces the Number of Offspring Songbirds Produce per Year," Science, 9 Dec 2011: Abstract: Predator effects on prey demography have traditionally been ascribed solely to direct killing in studies...

Wed, 14 Dec 2011 12:17:39 UTC

Yet More Fear-Mongering from the DHS

Posted By Bruce Schneier

Al Qaeda is sewing bombs into people. Actually, not really. This is an "aspirational" terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won't stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive "solution" to reduce our fears. Wired: "So:...

Tue, 13 Dec 2011 18:46:26 UTC

Assessing Terrorist Threats to Commercial Aviation

Posted By Bruce Schneier

This article on airplane security says many of the same things I've been saying for years: Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it...

Tue, 13 Dec 2011 12:30:41 UTC

Iranians Capture U.S. Drone

Posted By Bruce Schneier

Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn't shot down and it didn't crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple "malfunction," but that doesn't make a...

Mon, 12 Dec 2011 18:08:49 UTC

Dumbest Camera Ban Ever

Posted By Bruce Schneier

In London: While photography bans are pretty common, the station has decided to only ban DSLRs due to "their combination of high quality sensor and high resolution". Other cameras are allowed in, as long as they don't look "big" enough to shoot amazing photos. The iPhone 4S camera is pretty amazing....

Mon, 12 Dec 2011 12:09:29 UTC

First-Person Account of a TSA Airport Screener

Posted By Bruce Schneier

This is a few years old, but I seem not to have blogged it before....

Fri, 09 Dec 2011 22:30:43 UTC

Friday Squid Blogging: Humboldt Squid Mystery Solved

Posted By Bruce Schneier

Humboldt Squid off the coast of Mexico are spawning younger and smaller than usual. El Niño is to blame. The mystery was solved by a class of biology students. (A blog of the expedition.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 09 Dec 2011 18:30:57 UTC

Robbing a Bank as Part of a Penetration Test

Posted By Bruce Schneier

A funny story....

Thu, 08 Dec 2011 19:40:52 UTC

Lockable USB Hard Drive

Posted By Bruce Schneier

Just in time for Christmas, a USB drive housed in a physical combination lock....

Thu, 08 Dec 2011 12:12:35 UTC

DARPA Unshredding Contest

Posted By Bruce Schneier

DARPA held an unshredding contest, and there's a winner: "Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame," said Dan Kaufman, director, DARPA Information Innovation Office. "The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed...

Wed, 07 Dec 2011 18:49:49 UTC

Skype Security Flaw

Posted By Bruce Schneier

Just announced: The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without...

Wed, 07 Dec 2011 12:13:38 UTC

Tagging People with Invisible Ink

Posted By Bruce Schneier

In Montreal, police marked protesters with invisible ink to be able to identify them later. The next step is going to be a spray that marks people surreptitiously, maybe with SmartWater....

Tue, 06 Dec 2011 19:50:58 UTC

Security Problems with U.S. Cloud Providers

Posted By Bruce Schneier

Invasive U.S. surveillance programs, either illegal like the NSA's wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems. I think these are legitimate concerns. I don't trust the U.S. government, law or no law, not to spy on my data if...

Tue, 06 Dec 2011 13:31:10 UTC

Recent Developments in Full Disclosure

Posted By Bruce Schneier

Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products. The debate over full disclosure is as old as computing, and I've written about it before. Disclosing security vulnerabilities is good for...

Mon, 05 Dec 2011 18:21:10 UTC

GCHQ Hacking Contest

Posted By Bruce Schneier

GCHQ is holding a hacking contest to drum up new recruits....

Mon, 05 Dec 2011 12:05:54 UTC

Carrier IQ Spyware

Posted By Bruce Schneier

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn't monitor keystrokes -- an easily refuted lie -- and threatened to sue the researcher. It took EFF getting involved to...

Fri, 02 Dec 2011 22:34:16 UTC

Friday Squid Blogging: Squid-Inspired Robot

Posted By Bruce Schneier

It crawls on land....

Fri, 02 Dec 2011 19:57:36 UTC

I Received an Honorary Doctorate

Posted By Bruce Schneier

Last weekend, I received an honorary PhD from the University of Westminster, in London. I have had mixed feelings about this since I was asked early this year. The best piece of advice I've read is: "It's a great honor, but it is an honor, not a degree."...

Fri, 02 Dec 2011 19:17:18 UTC

Hacking Printers and Setting Them on Fire

Posted By Bruce Schneier

It's the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we'll learn more about what's actually possible in the coming weeks. HP has issued a rebuttal....

Fri, 02 Dec 2011 11:30:51 UTC

Walls as Security Theater

Posted By Bruce Schneier

Interesting essay on walls and their effects: Walls, then, are built not for security, but for a sense of security. The distinction is important, as those who commission them know very well. What a wall satisfies is not so much a material need as a mental one. Walls protect people not from barbarians, but from anxieties and fears, which can...

Thu, 01 Dec 2011 19:44:18 UTC

Full-Disk Encryption Works

Posted By Bruce Schneier

According to researchers, full-disk encryption is hampering police forensics. The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study, doing so only causes...

Thu, 01 Dec 2011 12:25:00 UTC

Status Report: Liars and Outliers

Posted By Bruce Schneier

After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on Oct 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. Now it's being laid out,...

Wed, 30 Nov 2011 18:28:50 UTC

Full Disclosure in Biology

Posted By Bruce Schneier

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology: The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe...

Wed, 30 Nov 2011 12:57:18 UTC

Bad CIA Operational Security

Posted By Bruce Schneier

I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied: But others inside the American intelligence community say sloppy "tradecraft" -- the method of covert operations -- by the CIA is also to blame for the disruption of the vital spy networks. In Beirut, two Hezbollah...

Tue, 29 Nov 2011 20:13:48 UTC

Security Systems as a Marker for High-Value Targets

Posted By Bruce Schneier

If something is protected by heavy security, it's obviously worth stealing. Here's an example from the insect world: Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deters hungry mandibles. But these toxins don't come free. The plant needs energy to act as its own pharmacist, so it distributes...

Tue, 29 Nov 2011 13:01:18 UTC

Shopper Surveillance Using Cell Phones

Posted By Bruce Schneier

Electronic surveillance is becoming so easy that even marketers can do it: The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept...

Mon, 28 Nov 2011 18:55:27 UTC

Spider Webs Contain Ant Poison

Posted By Bruce Schneier

Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), "A Novel Property of Spider Silk: Chemical Defence Against Ants," Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall). Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However,...

Mon, 28 Nov 2011 13:26:46 UTC

The DHS Partners with Major League Soccer to Promote Fear

Posted By Bruce Schneier

It seems to be harder and harder to keep people scared: The Department's "If You See Something, Say Something" partnership with the MLS Cup will feature an "If You See Something, Say Something" graphic that will be aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back...

Fri, 25 Nov 2011 22:27:50 UTC

Friday Squid Blogging: Cephalopod Art Conference

Posted By Bruce Schneier

There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 25 Nov 2011 12:06:09 UTC

Android Malware

Posted By Bruce Schneier

The Android platform is where the malware action is: What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, that is relatively easy to anonymize, pay $25 and you can post your applications. [...] In...

Tue, 22 Nov 2011 11:59:00 UTC

Free Cryptography Class

Posted By Bruce Schneier

Dan Boneh of Stanford University is teaching a free cryptography class starting in January....

Mon, 21 Nov 2011 12:57:25 UTC

Hack Against SCADA System

Posted By Bruce Schneier

A hack against a SCADA system controlling a water pump in Illinois destroyed the pump. We know absolutely nothing here about the attack or the attacker's motivations. Was it on purpose? An accident? A fluke?...

Fri, 18 Nov 2011 22:41:39 UTC

Friday Squid Blogging: Squid Camouflage

Posted By Bruce Schneier

Some squid can switch their camouflage instantly. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 18 Nov 2011 11:50:48 UTC

A Link between Altruism and Fairness

Posted By Bruce Schneier

I write a lot about altruism, fairness, and cooperation in my new book (out in February!), and this sort of thing interests me a lot: In a new study, researchers had 15-month old babies watch movies of a person distributing crackers or milk to two others, either evenly or unevenly. Babies look at things longer when they're surprised, so measuring...

Thu, 17 Nov 2011 19:13:47 UTC

EU Bans X-Ray Body Scanners

Posted By Bruce Schneier

The European Union has banned X-ray full body scanners at airports. Millimeter wave scanners are allowed as long as they conform to privacy guidelines. Under the new EU legislation the use of security scanners is only allowed in accordance with minimum conditions such as for example that: security scanners shall not store, retain, copy, print or retrieve images; any unauthorised...

Thu, 17 Nov 2011 12:37:40 UTC

Detecting Psychopaths by their Speech Patterns

Posted By Bruce Schneier

Interesting: The researchers interviewed 52 convicted murderers, 14 of them ranked as psychopaths according to the Psychopathy Checklist-Revised, a 20-item assessment, and asked them to describe their crimes in detail. Using computer programs to analyze what the men said, the researchers found that those with psychopathic scores showed a lack of emotion, spoke in terms of cause-and-effect when describing their...

Wed, 16 Nov 2011 22:45:16 UTC

Paul Kocher

Posted By Bruce Schneier

Really nice article on cryptographer Paul Kocher and his company, Cryptography Research, Inc....

Wed, 16 Nov 2011 15:17:37 UTC

Sam Harris on Self-Defense

Posted By Bruce Schneier

I thought this was very interesting. His three principles are: Avoid dangerous people and dangerous places. Do not defend your property. Respond immediately and escape....

Tue, 15 Nov 2011 11:26:20 UTC

Identity Theft Call Center

Posted By Bruce Schneier

There's a group who charges to make social engineering calls to obtain missing personal information for identity theft. This doesn't surprise me at all. Fraud is a business, too....

Mon, 14 Nov 2011 20:02:34 UTC

More SSL Woes

Posted By Bruce Schneier

From Mikko Hypponen: "We found a malware sample. Which was signed. With a valid certificate. Belonging to the Government of Malaysia."...

Mon, 14 Nov 2011 13:14:49 UTC

Remotely Opening Prison Doors

Posted By Bruce Schneier

This seems like a bad vulnerability: Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. [...] The researchers began their work after Strauchs was called in by a...

Fri, 11 Nov 2011 11:52:50 UTC

Commentary on Strong Passwords

Posted By Bruce Schneier

It turns out that "2bon2btitq" is not a strong password....

Wed, 09 Nov 2011 19:51:51 UTC

Advanced Persistent Threat (APT)

Posted By Bruce Schneier

It's taken me a few years, but I've come around to this buzzword. It highlights an important characteristic of a particular sort of Internet attacker. A conventional hacker or criminal isn't interested in any particular target. He wants a thousand credit card numbers for fraud, or to break into an account and turn it into a zombie, or whatever. Security...

Wed, 09 Nov 2011 09:39:47 UTC

Unlocking any iPad2 using a Smart Cover

Posted By Bruce Schneier

This security bug is just plain weird....

Mon, 07 Nov 2011 18:43:18 UTC

Cutting Wallets Out of Drunks' Pockets on New York City Subways

Posted By Bruce Schneier

It's a crime with finesse: But he is actually a middle-aged or older man who has been doing this for a very long time. And he is a fading breed. "It's like a lost art," the lieutenant said. "It's all old-school guys who cut the pocket. They die off." And they do not seem to be replacing themselves, he said....

Mon, 07 Nov 2011 12:26:43 UTC

Fake Documents that Alarm if Opened

Posted By Bruce Schneier

This sort of thing seems like a decent approach, but it has a lot of practical problems: In the wake of Wikileaks, the Department of Defense has stepped up its game to stop leaked documents from making their way into the hands of undesirables -- be they enemy forces or concerned citizens. A new piece of software has created a...

Fri, 04 Nov 2011 21:47:13 UTC

Friday Squid Blogging: Star Trek IV, now with Squid

Posted By Bruce Schneier

Someone edited Star Trek IV, removing the whales and replacing them with giant squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 04 Nov 2011 10:05:09 UTC

Weaponized UAV Drones in the Hands of Local Police

Posted By Bruce Schneier

Why does anyone think this is a good idea? The police in Montgomery County, an area north of Houston, Texas, is the first local police in the United States to deploy a drone that can carry weapons. [...] He said they are designed to carry weapons for local law enforcement. "The aircraft has the capability to have a...

Thu, 03 Nov 2011 18:22:43 UTC

Journal Article on Cyberwar

Posted By Bruce Schneier

From the Journal of Strategic Studies: "Cyber War Will Not Take Place" (full article is behind a paywall): Abstract: For almost two decades, experts and defense establishments the world over have been predicting that cyber war is coming. But is it? This article argues in three steps that cyber war has never happened in the past, that cyber war does...

Thu, 03 Nov 2011 12:03:54 UTC

Underage Children on Facebook

Posted By Bruce Schneier

Interesting research on how parents help their children lie about their age to get onto Facebook. One reaction to our data might be that companies should not be allowed to restrict access to children on their sites. Unfortunately, getting the parental permission required by COPPA is technologically difficult, financially costly, and ethically problematic. Sites that target children take on this...

Tue, 01 Nov 2011 18:41:55 UTC

DARPA Cyber Colloquium

Posted By Bruce Schneier

I note that the three "industry leaders" speaking at the DARPA Cyber Colloquium next week have about 75 years of government experience between them....

Tue, 01 Nov 2011 11:14:29 UTC

The Economist on Lying

Posted By Bruce Schneier

Two articles. And this is the cited work....

Mon, 31 Oct 2011 17:29:59 UTC

Cell Phone Surveillance System

Posted By Bruce Schneier

I was not surprised that police forces are buying this system, but at its capabilities. Britain's largest police force is operating covert surveillance technology that can masquerade as a mobile phone network, transmitting a signal that allows authorities to shut off phones remotely, intercept communications and gather data about thousands of users in a targeted area. The surveillance system has...

Mon, 31 Oct 2011 13:18:01 UTC

Another ATM Theft Tactic

Posted By Bruce Schneier

This brazen tactic is from Malaysia. Robbers sabotage the machines, and then report the damage to the bank. When the banks send repair technicians to open and repair the machines, the robbers take the money at gunpoint. It's hardly a technology-related attack. But from what I know about ATM machines, the security of the money safe inside the machine is...

Fri, 28 Oct 2011 21:25:00 UTC

Friday Squid Blogging: Video of Kid Eating Squid

Posted By Bruce Schneier

It's hard to tell if he likes it. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 28 Oct 2011 20:21:04 UTC

Full Extent of the Attack that Compromised RSA in March

Posted By Bruce Schneier

Brian Krebs has done the analysis; it's something like 760 companies that were compromised. Among the more interesting names on the list are Abbott Labs, the Alabama Supercomputer Network, Charles Schwab & Co., Cisco Systems, eBay, the European Space Agency, Facebook, Freddie Mac, Google, the General Services Administration, the Inter-American Development Bank, IBM, Intel Corp., the Internal Revenue Service (IRS),...

Fri, 28 Oct 2011 15:21:20 UTC

XKCD Today

Posted By Bruce Schneier

It's a good one. Be sure to read the hover-over text....

Thu, 27 Oct 2011 17:01:38 UTC

Secret Codes in Bacteria

Posted By Bruce Schneier

Neat: Researchers have invented a new form of secret messaging using bacteria that make glowing proteins only under certain conditions. In addition to being useful to spies, the new technique could also allow companies to encode secret identifiers into crops, seeds, or other living commodities. [...] The new scheme replaces the fuse with seven colonies of Escherichia coli bacteria, each...

Thu, 27 Oct 2011 11:45:40 UTC

The Security of SSL

Posted By Bruce Schneier

EFF reports on the security of SSL: The most interesting entry in that table is the "CA compromise" one, because those are incidents that could affect any or every secure web or email server on the Internet. In at least 248 cases, a CA chose to indicate that it had been compromised as a reason for revoking a cert. Such...

Wed, 26 Oct 2011 11:02:29 UTC

Cracking the Copiale Cipher

Posted By Bruce Schneier

I don't follow historical cryptography, so all of this comes as a surprise to me. But something called the Copiale Cipher from the 18th Century has been cracked....

Wed, 26 Oct 2011 10:54:11 UTC

Demands from Law Enforcement for Google Data

Posted By Bruce Schneier

Google releases statistics: Google received more than 15,600 requests in the January-June period, 10 percent more than the final six months of last year. The requests in the latest period spanned more than 25,400 individual accounts worldwide - a tiny fraction of Google's more than a billion users. [...] The highest volume of government demands for user data came from the...

Tue, 25 Oct 2011 17:58:21 UTC

Twofish Mentioned in Thriller Novel

Posted By Bruce Schneier

I've been told that the Twofish encryption algorithm is mentioned in the book Abuse of Power, in the first paragraph of Chapter 3. Did the terrorists use it? Did our hero break it? I am unlikely to read it; can someone scan the page for me....

Tue, 25 Oct 2011 10:31:41 UTC

NSA Acronyms

Posted By Bruce Schneier

The second document in this file is the recently unclassified "Guide to Historical Cryptologic Acronyms and Abbreviations, 1940-1980," from the NSA. Note that there are still some redactions....

Mon, 24 Oct 2011 18:39:01 UTC

Blue Coat Products Enable Web Censorship in Syria

Posted By Bruce Schneier

It's illegal for Blue Coat to sell its technology for this purpose, but there are lots of third-parties who are willing to act as middlemen: "Blue Coat does not sell to Syria. We comply with US export laws and we do not allow our partners to sell to embargoed countries," [Blue Coat spokesman Steve] Schick told the Bureau. "In addition,...

Mon, 24 Oct 2011 11:42:36 UTC

Facebook Patent to Track Users Even When They are Not Logged In to Facebook

Posted By Bruce Schneier

Patent number 2,011,023,240: Communicating Information in a Social Network System about Activities from Another Domain Abstract: In one embodiment, a method is described for tracking information about the activities of users of a social networking system while on another domain. The method includes maintaining a profile for each of one or more users of the social networking system, each profile...

Fri, 21 Oct 2011 21:10:06 UTC

Friday Squid Blogging: Squid T-Shirt

Posted By Bruce Schneier

Pretty design....

Fri, 21 Oct 2011 11:23:31 UTC

Google Enables SSL by Default for Search

Posted By Bruce Schneier

This is a good thing....

Thu, 20 Oct 2011 11:25:43 UTC

Random Passwords in the Wild

Posted By Bruce Schneier

Interesting analysis: the hacktivist group Anonymous hacked into several BART servers. They leaked part of a database of users from myBART, a website which provides frequent BART riders with email updates about activities near BART stations. An interesting aspect of the leak is that 1,346 of the 2,002 accounts seem to have randomly-generated passwords -- a rare opportunity to study this approach...

Wed, 19 Oct 2011 16:05:34 UTC

New Malware: Duqu

Posted By Bruce Schneier

A newly discovered piece of malware, Duqu, seems to be a precursor to the next Stuxnet-like worm and uses some of the same techniques as the original....

Tue, 18 Oct 2011 11:34:53 UTC

Discovering What Facebook Knows About You

Posted By Bruce Schneier

Things are getting interesting in Europe: Max is a 24 year old law student from Vienna with a flair for the interview and plenty of smarts about both technology and legal issues. In Europe there is a requirement that entities with data about individuals make it available to them if they request it. That's how Max ended up with a...

Mon, 17 Oct 2011 11:12:32 UTC

Criminal Uses of Crowdsourcing

Posted By Bruce Schneier

Interesting article....

Fri, 14 Oct 2011 21:07:24 UTC

Friday Squid Blogging: Prehistoric Sentient Squid -- Or Not

Posted By Bruce Schneier

There's big news in the world of giant squid: Researchers initially thought that this strange grouping of 45-foot-long marine reptiles had either died en masse from a poisonous plankton bloom or had become stranded in shallow water. But recent geological analysis of the fossil site indicates that the park was deep underwater when these shonisaurs swam the prehistoric seas. So...

Fri, 14 Oct 2011 17:34:10 UTC

Burglars Tip Off Police About Bigger Crime

Posted By Bruce Schneier

I find this fascinating: A central California man has been arrested for possession of child pornography, thanks to a tip from burglars who robbed the man's property, authorities said. I am reminded of the UK story of a burglar finding some military secrets on a laptop -- or perhaps a USB drive -- that he stole, and returning them with...

Fri, 14 Oct 2011 11:38:20 UTC

Weird World War II Security Puzzle

Posted By Bruce Schneier

Read this. Anyone have any ideas?...

Thu, 13 Oct 2011 11:03:47 UTC

Official Malware from the German Police

Posted By Bruce Schneier

The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends it to the police. It encrypts data in AES Electronic Codebook mode with -- are you ready? -- a fixed key across all versions. There's no authentication built...

Wed, 12 Oct 2011 11:57:43 UTC

New Attacks on CAPTCHAs

Posted By Bruce Schneier

Nice research: Abstract: We report a novel attack on two CAPTCHAs that have been widely deployed on the Internet, one being Google's home design and the other acquired by Google (i.e. reCAPTCHA). With a minor change, our attack program also works well on the latest ReCAPTCHA version, which uses a new defence mechanism that was unknown to us when we...

Mon, 10 Oct 2011 11:38:22 UTC

U.S. Drones Have a Computer Virus

Posted By Bruce Schneier

You'd think we would be more careful than this: A computer virus has infected the cockpits of America's Predator and Reaper drones, logging pilots' every keystroke as they remotely fly missions over Afghanistan and other warzones. [...] "We keep wiping it off, and it keeps coming back," says a source familiar with the network infection, one of three that told...

Fri, 07 Oct 2011 21:51:11 UTC

Friday Squid Blogging: Hundreds of Squid Wash Up on Southern California Beaches

Posted By Bruce Schneier

Humboldt squid are washing up on beaches across Southern California. Seems like it's no big deal; the squid just swam too close to shore....

Fri, 07 Oct 2011 18:11:05 UTC

Security Seals on Voting Machines

Posted By Bruce Schneier

Related to this blog post from Wednesday, here's a paper that looks at security seals on voting machines. Andrew W. Appel, "Security Seals on Voting Machines: A Case Study," ACM Transactions on Information and System Security, 14 (2011): 129. Abstract: Tamper-evident seals are used by many states' election officials on voting machines and ballot boxes, either to protect the computer...

Fri, 07 Oct 2011 11:26:38 UTC

Dilbert on Security Standards

Posted By Bruce Schneier

So true (the predecessor)....

Fri, 07 Oct 2011 11:01:56 UTC

FBI-Sponsored Backdoors

Posted By Bruce Schneier

From a review of Susan Landau's Surveillance or Security?: To catch up with the new technologies of malfeasance, FBI director Robert Mueller traveled to Silicon Valley last November to persuade technology companies to build "backdoors" into their products. If Mueller's wish were granted, the FBI would gain undetected real-time access to suspects' Skype calls, Facebook chats, and other online communications -- and...

Thu, 06 Oct 2011 00:38:25 UTC

Status Report: Liars and Outliers

Posted By Bruce Schneier

Last weekend, I completely reframed the book. I realized that the book isn't about security. It's about trust. I'm writing about how society induces people to behave in the group interest instead of some competing personal interest. It's obvious that society needs to do this; otherwise, it can never solve collective action problems. And as a social species, we have...

Wed, 05 Oct 2011 11:58:17 UTC

Insider Attack Against Diebold Voting Machines

Posted By Bruce Schneier

This is both news and not news: Indeed, the Argonne team's attack required no modification, reprogramming, or even knowledge, of the voting machine's proprietary source code. It was carried out by inserting a piece of inexpensive "alien electronics" into the machine. It's not news because we already know that if you have access to the internals of a voting machine,...

Tue, 04 Oct 2011 18:29:09 UTC

Security Cartoon

Posted By Bruce Schneier

Nice cartoon on the problems of content filtering....

Tue, 04 Oct 2011 11:31:01 UTC

National Cybersecurity Awareness Month

Posted By Bruce Schneier

October is National Cybersecurity Awareness Month, sponsored by the Department of Homeland Security. The website has some sample things you can do to celebrate, but they're all pretty boring. Surely we can do better. Post your suggestions in comments....

Mon, 03 Oct 2011 18:20:09 UTC

Isaac Asimov on Security Theater

Posted By Bruce Schneier

A great find: In his 1956 short story, "Let's Get Together," Isaac Asimov describes security measures proposed to counter a terrorist threat: "Consider further that this news will leak out as more and more people become involved in our countermeasures and more and more people begin to guess what we're doing. Then what? The panic might do us more harm...

Mon, 03 Oct 2011 11:35:25 UTC

HTC Android Vulnerability

Posted By Bruce Schneier

Custom HTC firmware breaks standard permissions and allows rogue apps to access location, address book, and account info without authorization....

Fri, 30 Sep 2011 21:42:44 UTC

Friday Squid Blogging: Interesting Squid Recipes

Posted By Bruce Schneier

Plus a slide show of pretty dishes....

Thu, 29 Sep 2011 12:07:03 UTC

Insecure Chrome Extensions

Posted By Bruce Schneier

An analysis of extensions to the Chrome browser shows that 25% of them are insecure: We reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web...

Wed, 28 Sep 2011 11:03:31 UTC

Making Fake ATMs Using 3D Printers

Posted By Bruce Schneier

One group stole $400K....

Tue, 27 Sep 2011 12:12:39 UTC

Problems with Mac OS X Lion Passwords

Posted By Bruce Schneier

Seems like some dumb mistakes. News article....

Mon, 26 Sep 2011 11:41:23 UTC

Tor Arms Race

Posted By Bruce Schneier

Iran blocks Tor, and Tor releases a workaround on the same day. How did the filter work technically? Tor tries to make its traffic look like a web browser talking to an https web server, but if you look carefully enough you can tell some differences. In this case, the characteristic of Tor's SSL handshake they looked at was the...

Fri, 23 Sep 2011 21:28:35 UTC

Friday Squid Blogging: Sex Life of Deep-Sea Squid

Posted By Bruce Schneier

There's evidence of indiscriminate fertilization in deep-sea squid. They mate with any other squid they encounter, male or female. This unusual behaviour, they said, may be explained by the fact the squid is boosting its chances of successfully passing on its genes in the challenging environment it lives in. In the Royal Society paper the team writes: "In the deep,...

Fri, 23 Sep 2011 18:37:26 UTC

Man-in-the-Middle Attack Against SSL 3.0/TLS 1.0

Posted By Bruce Schneier

It's the Browser Exploit Against SSL/TLS Tool, or BEAST: The tool is based on a blockwise-adaptive chosen-plaintext attack, a man-in-the-middle approach that injects segments of plain text sent by the target's browser into the encrypted request stream to determine the shared key. The code can be injected into the user's browser through JavaScript associated with a malicious advertisement distributed through...

Fri, 23 Sep 2011 11:53:36 UTC

Three Emerging Cyber Threats

Posted By Bruce Schneier

On Monday I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal: The Rise of Big Data. By this I mean industries that trade on our data. These include traditional...

Fri, 23 Sep 2011 10:22:43 UTC

An Interesting Software Liability Proposal

Posted By Bruce Schneier

This proposal is worth thinking about. Clause 1. If you deliver software with complete and buildable source code and a license that allows disabling any functionality or code by the licensee, then your liability is limited to a refund. This clause addresses how to avoid liability: license your users to inspect and chop off any and all bits of your...

Thu, 22 Sep 2011 12:09:42 UTC

U.S.-Australia Cyberwar Treaty

Posted By Bruce Schneier

The long-standing ANZUS military treaty now includes cyberspace attacks: According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both. Exactly what this means in practice is less clear: practically every government with a connection to...

Wed, 21 Sep 2011 11:58:19 UTC

Shifting Risk Instead of Reducing Risk

Posted By Bruce Schneier

Risks of teen driving: For more than a decade, California and other states have kept their newest teen drivers on a tight leash, restricting the hours when they can get behind the wheel and whom they can bring along as passengers. Public officials were confident that their get-tough policies were saving lives. Now, though, a nationwide analysis of crash data...

Tue, 20 Sep 2011 11:36:38 UTC

Complex Electronic Banking Fraud in Malaysia

Posted By Bruce Schneier

The interesting thing about this attack is how it abuses a variety of different security systems. Investigations revealed that the syndicate members had managed to retrieve personal particulars including the usernames, passwords from an online banking kiosk at a bank in Petaling Jaya and even obtained the transaction authorisation code (TAC) which is sent out by the bank to the...

Mon, 19 Sep 2011 18:35:15 UTC

Pretty Creepy Type of Cyberstalking

Posted By Bruce Schneier

Luis "Guicho" Mijangos, "sextortionist."...

Mon, 19 Sep 2011 11:35:57 UTC

The Effectiveness of Plagiarism Detection Software

Posted By Bruce Schneier

As you'd expect, it's not very good: But this measure [Turnitin] captures only the most flagrant form of plagiarism, where passages are copied from one document and pasted unchanged into another. Just as shoplifters slip the goods they steal under coats or into pocketbooks, most plagiarists tinker with the passages they copy before claiming them as their own. In other...

Fri, 16 Sep 2011 21:52:39 UTC

Friday Squid Blogging: Squid Street Art

Posted By Bruce Schneier

Nice....

Fri, 16 Sep 2011 17:31:09 UTC

Identifying Speakers in Encrypted Voice Communication

Posted By Bruce Schneier

I've already written how it is possible to detect words and phrases in encrypted VoIP calls. Turns out it's possible to detect speakers as well: Abstract: Most of the voice over IP (VoIP) traffic is encrypted prior to its transmission over the Internet. This makes the identity tracing of perpetrators during forensic investigations a challenging task since conventional speaker recognition...

Fri, 16 Sep 2011 10:22:54 UTC

Domain-in-the-Middle Attacks

Posted By Bruce Schneier

It's an easy attack. Register a domain that's like your target except for a typo. So it would be countrpane.com instead of counterpane.com, or mailcounterpane.com instead of mail.counterpane.com. Then, when someone mistypes an e-mail address to someone at that company and you receive it, just forward it on as if nothing happened. These are called "doppelganger domains." To test the...

Thu, 15 Sep 2011 17:45:30 UTC

Sharing Security Information and the Prisoner's Dilemma

Posted By Bruce Schneier

New paper: Dengpan Liu, Yonghua Ji, and Vijay Mookerjee (2011), "Knowledge Sharing and Investment Decisions in Information Security," Decision Support Systems, in press. Abstract: We study the relationship between decisions made by two similar firms pertaining to knowledge sharing and investment in information security. The analysis shows that the nature of information assets possessed by the two firms, either complementary...

Thu, 15 Sep 2011 11:52:01 UTC

A Status Report: "Liars and Outliers"

Posted By Bruce Schneier

It's been a long hard year, but the book is almost finished. It's certainly the most difficult book I've ever written, mostly because I've had to learn academic fields I don't have a lot of experience in. But the book is finally coming together as a coherent whole, and I am optimistic that the results will prove to be worth...

Wed, 14 Sep 2011 19:02:38 UTC

Risk Tolerance and Culture

Posted By Bruce Schneier

This is an interesting study on cultural differences in risk tolerance. The Cultures of Risk Tolerance Abstract: This study explores the links between culture and risk tolerance, based on surveys conducted in 23 countries. Altogether, more than 4,000 individuals participated in the surveys. Risk tolerance is associated with culture. Risk tolerance is relatively low in countries where uncertainty avoidance is...

Wed, 14 Sep 2011 11:55:14 UTC

TSA Administrator John Pistole on the Future of Airport Security

Posted By Bruce Schneier

There's a lot here that's worth watching. He talks about expanding behavioral detection. He talks about less screening for "trusted travelers." So, what do the next 10 years hold for transportation security? I believe it begins with TSA's continued movement toward developing and implementing a more risk-based security system, a phrase you may have heard the last few months. When...

Tue, 13 Sep 2011 18:46:52 UTC

Human Pattern-Matching Failures in Airport Screening

Posted By Bruce Schneier

I've written about this before: the human brain just isn't suited to finding rare anomalies in a screening situation. The Role of the Human Operator in Image-Based Airport Security Technologies Abstract: Heightened international concerns relating to security and identity management have led to an increased interest in security applications, such as face recognition and baggage and passenger screening at airports....

Tue, 13 Sep 2011 11:38:57 UTC

Risk Perception and Terrorism

Posted By Bruce Schneier

I've been posting about a lot of academic articles of late, because that's what I'm reading. Here's another. Clinton M. Jenkin (2006), Risk Perception and Terrorism, Homeland Security Affairs....

Mon, 12 Sep 2011 18:27:27 UTC

More 9/11 Retrospectives

Posted By Bruce Schneier

Joseph Stiglitz on the price of 9/11. How 9/11 changed surveillance. New scientific research as a result of 9/11. A good controversial piece. The day we lost our privacy and power. The probability of another 9/11-magnitude terrorist attack. To justify the current U.S. spending on homeland security -- not including our various official and unofficial wars -- we'd have to...

Mon, 12 Sep 2011 14:20:07 UTC

ACLU Report on the War on Terror

Posted By Bruce Schneier

This report is really good: "A Call to Courage: Reclaiming Our Liberties Ten Years After 9/11."...

Fri, 09 Sep 2011 21:30:51 UTC

Friday Squid Blogging: Beautiful Squid Drawings

Posted By Bruce Schneier

From Italy. As before, use the comments to this post to write about and discuss security stories that don't have their own post....

Thu, 08 Sep 2011 11:14:58 UTC

New Lows in Secret Questions

Posted By Bruce Schneier

I've already written about secret questions, the easier-to-guess low-security backup password that sites want you to have in case you forget your harder-to-remember higher-security password. Here's a new one, courtesy of the National Archives: "What is your preferred internet password?" I have been told that Priceline has the same one, which implies that this is some third-party login service or...

Wed, 07 Sep 2011 19:32:16 UTC

The Legality of Government Critical Infrastructure Monitoring

Posted By Bruce Schneier

Mason Rice, Robert Miller, and Sujeet Shenoi (2011), "May the US Government Monitor Private Critical Infrastructure Assets to Combat Foreign Cyberspace Threats?" International Journal of Critical Infrastructure Protection, 4 (April 2011): 313. Abstract: The government owns the entire US airspace -- it can install radar systems, enforce no-fly zones and interdict hostile aircraft. Since the critical infrastructure and the associated cyberspace are...

Wed, 07 Sep 2011 11:17:11 UTC

Outing a CIA Agent

Posted By Bruce Schneier

Interesting article on how difficult it is to keep an identity secret in the information age....

Tue, 06 Sep 2011 20:29:48 UTC

Optimizing Airport Security

Posted By Bruce Schneier

New research: Adrian J. Lee and Sheldon H. Jacobson (2011), "The Impact of Aviation Checkpoint Queues on Optimizing Security Screening Effectiveness," Reliability Engineering & System Safety, 96 (August): 900-911. Abstract: Passenger screening at aviation security checkpoints is a critical component in protecting airports and aircraft from terrorist threats. Recent developments in screening device technology have increased the ability to detect...

Tue, 06 Sep 2011 12:03:13 UTC

Where Are All the Terrorists?

Posted By Bruce Schneier

From Foreign Policy: "Why Is It So Hard to Find a Suicide Bomber These Days?" And from Stratfor: "Why al Qaeda is Unlikely to Execute Another 9/11." Me from May 2010: "Where Are All the Terrorist Attacks?"...

Fri, 02 Sep 2011 21:44:58 UTC

Friday Squid Blogging: SQUIDS Game

Posted By Bruce Schneier

It's coming to the iPhone and iPad, then to other platforms: In SQUIDS, players will command a small army of stretchy, springy sea creatures to protect an idyllic underwater kingdom from a sinister emerging threat. An infectious black ooze is spreading through the lush seascape, turning ordinary crustaceans into menacing monsters. Now a plucky team of Squids -- each with unique personalities,...

Fri, 02 Sep 2011 18:34:36 UTC

The Efficacy of Post-9/11 Counterterrorism

Posted By Bruce Schneier

This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless -- that's not new -- but that the security establishment knows it doesn't work and abandoned many of the draconian security measures years ago, long before Obama became president. All that's left of the war on terror is political, as lawmakers fund unwanted projects in...

Fri, 02 Sep 2011 11:38:35 UTC

A Professional ATM Theft

Posted By Bruce Schneier

Fidelity National Information Services Inc. (FIS) lost $13M to an ATM theft earlier this year: KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform's "open-loop" prepaid debit cards. The balances on these prepaid cards aren't stored on the cards themselves;...

Thu, 01 Sep 2011 17:56:05 UTC

Unredacted U.S. Diplomatic WikiLeaks Cables Published

Posted By Bruce Schneier

It looks as if the entire mass of U.S. diplomatic cables that WikiLeaks had is available online somewhere. How this came about is a good illustration of how security can go wrong in ways you don't expect. Near as I can tell, this is what happened: In order to send the Guardian the cables, WikiLeaks encrypted them and put them...

Thu, 01 Sep 2011 10:46:48 UTC

Forged Google Certificate

Posted By Bruce Schneier

There's been a forged Google certificate out in the wild for the past month and a half. Whoever has it -- evidence points to the Iranian government -- can, if they're in the right place, launch man-in-the-middle attacks against Gmail users and read their mail. This isn't Google's mistake; the certificate was issued by a Dutch CA that has nothing...

Wed, 31 Aug 2011 17:30:52 UTC

Job Opening: TSA Public Affairs Specialist

Posted By Bruce Schneier

This job can't be fun: This Public Affairs Specialist position is located in the Office of Strategic Communications and Public Affairs (SCPA), Transportation Security Administration (TSA), Department of Homeland Security (DHS). If selected for this position, you will serve as the Press Secretary and senior representative/liaison working with Federal and stakeholder partners. You will utilize your expert knowledge and mastery...

Wed, 31 Aug 2011 11:21:26 UTC

The Effects of Social Media on Undercover Policing

Posted By Bruce Schneier

Social networking sites make it very difficult, if not impossible, to have undercover police officers: "The results found that 90 per cent of female officers were using social media compared with 81 per cent of males." The most popular site was Facebook, followed by Twitter. Forty seven per cent of those surveyed used social networking sites daily while another 24...

Tue, 30 Aug 2011 17:24:09 UTC

Facebook Privacy Guide

Posted By Bruce Schneier

It's actually pretty good. Also note that the site is redesigning its privacy. As we learned from Microsoft, nothing motivates a company to improve its security like competition....

Tue, 30 Aug 2011 11:25:41 UTC

Details of the RSA Hack

Posted By Bruce Schneier

We finally have some, even though the company isn't talking: So just how well crafted was the e-mail that got RSA hacked? Not very, judging by what F-Secure found. The attackers spoofed the e-mail to make it appear to come from a "web master" at Beyond.com, a job-seeking and recruiting site. Inside the e-mail, there was just one line of...

Mon, 29 Aug 2011 11:20:29 UTC

Screenshots of Chinese Hacking Tool

Posted By Bruce Schneier

It's hard to know how serious this really is: The screenshots appear as B-roll footage in the documentary for six seconds -- between 11:04 and 11:10 minutes -- showing custom built Chinese software apparently launching a cyber-attack against the main website of the Falun Gong spiritual practice, by using a compromised IP address belonging to a United States university. As of Aug....

Fri, 26 Aug 2011 20:40:30 UTC

Friday Squid Blogging: Squid Fishing in Ulleungdo, Korea

Posted By Bruce Schneier

The industry is in decline: A generation ago, most of the island's 10,000 residents worked in the squid industry, either as sellers like Kim or as farmer-fishermen who toiled in the fields each winter and went to sea during summer. Ulleungdo developed a reputation for large, tasty squid that were once exported to the mainland and Japan. The volcanic island,...

Fri, 26 Aug 2011 20:07:47 UTC

Preventing the Theft of Wire Cutters

Posted By Bruce Schneier

This is a picture of a pair of wire cutters secured to a table with a wire. Someone isn't thinking this through.......

Fri, 26 Aug 2011 18:58:33 UTC

The Problem with Using the Cold War Metaphor to Describe Cyberspace Risks

Posted By Bruce Schneier

Nice essay on the problems with talking about cyberspace risks using "Cold War" metaphors: The problem with threat inflation and misapplied history is that there are extremely serious risks, but also manageable responses, from which they steer us away. Massive, simultaneous, all-encompassing cyberattacks on the power grid, the banking system, transportation networks, etc. along the lines of a Cold War...

Fri, 26 Aug 2011 11:26:15 UTC

Terrorism in the U.S. Since 9/11

Posted By Bruce Schneier

John Mueller and his students analyze the 33 cases of attempted terrorism in the U.S. since 9/11. So few of them are actually real, and so many of them were created or otherwise facilitated by law enforcement....

Thu, 25 Aug 2011 21:08:40 UTC

Funniest Joke at the Edinburgh Fringe Festival

Posted By Bruce Schneier

Nick Helm won an award for the funniest joke at the Edinburgh Fringe Festival: Nick Helm: "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." Note that two other jokes were about security: Tim Vine: "Crime in multi-storey car parks. That is wrong on so many different levels." Andrew Lawrence: "I admire these...

Thu, 25 Aug 2011 17:43:47 UTC

Moving 211 Tons of Gold

Posted By Bruce Schneier

The security problems associated with moving $12B in gold from London to Venezuela. It seems to me that Chávez has four main choices here. He can go the FT's route, and just fly the gold to Caracas while insuring each shipment for its market value. He can go the Spanish route, and try to transport the gold himself, perhaps making...

Thu, 25 Aug 2011 11:22:36 UTC

The Security Risks of Not Teaching Malware

Posted By Bruce Schneier

Essay by George Ledin on the security risks of not teaching students malware....

Wed, 24 Aug 2011 12:13:15 UTC

Stealing ATM PINs with a Thermal Camera

Posted By Bruce Schneier

It's easy: Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads to test how effective they were at stealing PIN numbers. The thermal cams didn't work against metal pads but on plastic pads the success rate of detecting all the digits was 80% after 10 seconds and 60% after 45 seconds. If you...

Tue, 23 Aug 2011 19:09:48 UTC

Smartphone Keystroke Logging Using the Motion Sensor

Posted By Bruce Schneier

Clever: "When the user types on the soft keyboard on her smartphone (especially when she holds her phone by hand rather than placing it on a fixed surface), the phone vibrates. We discover that keystroke vibration on touch screens are highly correlated to the keys being typed." Applications like TouchLogger could be significant because they bypass protections built into both...

Tue, 23 Aug 2011 11:56:19 UTC

Security for Implanted Medical Devices

Posted By Bruce Schneier

Worried about someone hacking your implanted medical devices? Here's a signal-jamming device you can wear....

Tue, 23 Aug 2011 10:44:58 UTC

Cheating at Casinos with Hidden Cameras

Posted By Bruce Schneier

Sleeve cameras aren't new, but they're now smaller than ever and the cheaters are getting more sophisticated: In January, at the newly opened $4-billion Cosmopolitan casino in Las Vegas, a gang called the Cutters cheated at baccarat. Before play began, the dealer offered one member of the group a stack of eight decks of cards for a pre-game cut. The...

Mon, 22 Aug 2011 18:30:22 UTC

Movie-Plot Threat: Open Airplane Cockpit Doors During Bathroom Breaks

Posted By Bruce Schneier

James Fallows has a nice debunking of a movie-plot threat....

Mon, 22 Aug 2011 17:19:10 UTC

How Microsoft Develops Security Patches

Posted By Bruce Schneier

I thought this was an interesting read....

Mon, 22 Aug 2011 11:01:19 UTC

Pseudonymity

Posted By Bruce Schneier

Long essay on the value of pseudonymity. From the conclusions: Here lies the huge irony in this discussion. Persistent pseudonyms aren't ways to hide who you are. They provide a way to be who you are. You can finally talk about what you really believe; your real politics, your real problems, your real sexuality, your real family, your real self....

Fri, 19 Aug 2011 21:20:52 UTC

Friday Squid Blogging: Squid Forks

Posted By Bruce Schneier

Squid forks....

Fri, 19 Aug 2011 18:57:59 UTC

Looking Backward at Terrorism

Posted By Bruce Schneier

Nice essay on the danger of too much security: The great lie of the war on terror is not that we can sacrifice a little liberty for greater security. It is that fear can be eliminated, and that all we need to do to improve our society is defeat terrorism, rather than look at the other causes of our social,...

Fri, 19 Aug 2011 13:55:30 UTC

The Dilemma of Counterterrorism Policy

Posted By Bruce Schneier

Any institution delegated with the task of preventing terrorism has a dilemma: they can either do their best to prevent terrorism, or they can do their best to make sure they're not blamed for any terrorist attacks. I've talked about this dilemma for a while now, and it's nice to see some research results that demonstrate its effects. A. Peter...

Thu, 18 Aug 2011 18:32:04 UTC

Steven Pinker on Terrorism

Posted By Bruce Schneier

It's almost time for a deluge of "Ten Years After 9/11" essays. Here's Steven Pinker: The discrepancy between the panic generated by terrorism and the deaths generated by terrorism is no accident. Panic is the whole point of terrorism, as the root of the word makes clear: "Terror" refers to a psychological state, not an enemy or an event. The...

Thu, 18 Aug 2011 11:12:14 UTC

New Attack on AES

Posted By Bruce Schneier

"Biclique Cryptanalysis of the Full AES," by Andrey Bogdanov, Dmitry Khovratovich, and Christian Rechberger. Abstract. Since Rijndael was chosen as the Advanced Encryption Standard, improving upon 7-round attacks on the 128-bit key variant or upon 8-round attacks on the 192/256-bit key variants has been one of the most difficult challenges in the cryptanalysis of block ciphers for more than a...

Wed, 17 Aug 2011 18:51:43 UTC

Alarm Geese

Posted By Bruce Schneier

A prison in Brazil uses geese as part of its alarm system. There's a long tradition of this. Circa 400 BC, alarm geese alerted a Roman citadel to a Gaul attack....

Wed, 17 Aug 2011 11:13:34 UTC

Security by Default

Posted By Bruce Schneier

Nice essay by Christopher Soghoian on why cell phone and Internet providers need to enable security options by default....

Tue, 16 Aug 2011 15:47:42 UTC

Search Redirection and the Illicit Online Prescription Drug Trade

Posted By Bruce Schneier

Really interesting research. Search-redirection attacks combine several well-worn tactics from black-hat SEO and web security. First, an attacker identifies high-visibility websites (e.g., at universities) that are vulnerable to code-injection attacks. The attacker injects code onto the server that intercepts all incoming HTTP requests to the compromised page and responds differently based on the type of request: Requests from search-engine crawlers...

Mon, 15 Aug 2011 09:48:54 UTC

New, Undeletable, Web Cookie

Posted By Bruce Schneier

A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie: Researchers at U.C. Berkeley have discovered that some of the net's most popular sites are using a tracking service that can't be evaded -- even when users block cookies, turn off storage in Flash, or use browsers' incognito functions. The Wired article was very short...

Sat, 13 Aug 2011 20:55:10 UTC

Interview with Me

Posted By Bruce Schneier

Here's an interview with me from the Homeland Security News Wire....

Fri, 12 Aug 2011 21:28:39 UTC

Friday Squid Blogging: Giant Squid Painted on Canal Narrowboat

Posted By Bruce Schneier

Pretty. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

Fri, 12 Aug 2011 19:09:32 UTC

Liars and Outliers Cover

Posted By Bruce Schneier

My new book, Liars and Outliers, has a cover. Publication is still scheduled for the end of February -- in time for the RSA Conference -- assuming I finish the manuscript in time....

Fri, 12 Aug 2011 16:13:24 UTC

Rat that Applies Poison to its Fur

Posted By Bruce Schneier

The African crested rat applies tree poison to its fur to make itself more deadly. The researchers made their discovery after presenting a wild-caught crested rat with branches and roots of the Acokanthera tree, whose bark includes the toxin ouabain. The animal gnawed and chewed the tree's bark but avoided the nontoxic leaves and fruit. The rat then applied the...

Fri, 12 Aug 2011 11:59:23 UTC

Counterfeit Pilot IDs and Uniforms Will Now Be Sufficient to Bypass Airport Security

Posted By Bruce Schneier

This seems like a really bad idea: ...the Transportation Security Administration began a program Tuesday allowing pilots to skirt the security-screening process. The TSA has deployed approximately 500 body scanners to airports nationwide in a bid to prevent terrorists from boarding domestic flights, but pilots don't have to go through the controversial nude body scanners or other forms of screening....

Thu, 11 Aug 2011 11:19:24 UTC

Security Flaws in Encrypted Police Radios

Posted By Bruce Schneier

"Why (Special Agent) Johnny (Still) Can't Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System," by Sandy Clark, Travis Goodspeed, Perry Metzger, Zachary Wasserman, Kevin Xu, and Matt Blaze. Abstract: APCO Project 25 (P25) is a suite of wireless communications protocols used in the US and elsewhere for public safety two-way (voice) radio systems. The protocols include...

Wed, 10 Aug 2011 21:48:19 UTC

Friday Squid Blogging: Smaller Male Squid Have Bigger Sperm

Posted By Bruce Schneier

Loligo bleekeri males have two different reproductive strategies, depending on their size. It's kind of like a covert channel....

Wed, 10 Aug 2011 21:11:54 UTC

GPRS Hacked

Posted By Bruce Schneier

Just announced: Nohl's group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren't encrypted at all. When they were encrypted, Nohl adds, the ciphers were often...

Wed, 10 Aug 2011 11:39:03 UTC

"Taxonomy of Operational Cyber Security Risks"

Posted By Bruce Schneier

I'm a big fan of taxonomies, and this -- from Carnegie Mellon -- seems like a useful one: The taxonomy of operational cyber security risks, summarized in Table 1 and detailed in this section, is structured around a hierarchy of classes, subclasses, and elements. The taxonomy has four main classes: actions of people -- action, or lack of action, taken...

Tue, 09 Aug 2011 18:09:14 UTC

Free-Riding on Plant Security Countermeasures

Posted By Bruce Schneier

There's a security story from biology I've used a few times: plants that use chemicals to call in airstrikes by wasps on the herbivores attacking them. This is a new variation: a species of orchid that emits the same signals as a trick, to get pollinated....

Tue, 09 Aug 2011 10:45:31 UTC

MRI Lie Detectors

Posted By Bruce Schneier

An article from Salon -- lots of interesting research. My previous blog post on the topic....

Mon, 08 Aug 2011 17:47:21 UTC

New Bank-Fraud Trojan

Posted By Bruce Schneier

Nasty: The German Federal Criminal Police (the Bundeskriminalamt or BKA for short) recently warned consumers about a new Windows malware strain that waits until the victim logs in to his bank account. The malware then presents the customer with a message stating that a credit has been made to his account by mistake, and that the account has been frozen...

Mon, 08 Aug 2011 11:13:58 UTC

Business Week on The Cyberwar Arms Race

Posted By Bruce Schneier

I've been using the phrase "arms race" to describe the world's militaries' rush into cyberspace for a couple of years now. Here's a good article on the topic that uses the same phrase....

Fri, 05 Aug 2011 21:24:59 UTC

Friday Squid Blogging: Severed Hand is Actually A Dried Squid

Posted By Bruce Schneier

I just can't make this stuff up: A report of a severed hand found at an Oahu seabird sanctuary has turned out to be dried squid. Remember: if you see something, say something. Again this week, please use the squid post to talk about the security stories in the news that I didn't cover....

Fri, 05 Aug 2011 19:58:20 UTC

XKCD on the CIA Hack

Posted By Bruce Schneier

So true....

Fri, 05 Aug 2011 17:25:26 UTC

Zodiac Cipher Cracked

Posted By Bruce Schneier

I admit I don't pay much attention to pencil-and-paper ciphers, so I knew nothing about the Zodiac cipher. Seems it has finally been broken: The Zodiac Killer was a serial killer who preyed on couples in Northern California in the years between 1968 and 1970. Of his seven confirmed victims, five died. More victims and attacks are suspected. The killer...

Fri, 05 Aug 2011 11:22:02 UTC

German Police Call Airport Full-Body Scanners Useless

Posted By Bruce Schneier

I'm not surprised: The weekly Welt am Sonntag, quoting a police report, said 35 percent of the 730,000 passengers checked by the scanners set off the alarm more than once despite being innocent. The report said the machines were confused by several layers of clothing, boots, zip fasteners and even pleats, while in 10 percent of cases the passenger's posture...

Thu, 04 Aug 2011 19:10:54 UTC

Home-Made Wi-Fi Hacking, Phone Snooping, UAV

Posted By Bruce Schneier

Impressive....

Thu, 04 Aug 2011 12:36:26 UTC

Hacking Lotteries

Posted By Bruce Schneier

Two items on hacking lotteries. The first is about someone who figured out how to spot winners in a scratch-off tic-tac-toe style game, and a daily draw style game where expected payout can exceed the ticket price. The second -- behind a paywall, sorry -- is about someone who has won the lottery four times, with speculation that she had...

Wed, 03 Aug 2011 17:57:19 UTC

New Information on the Inventor of the One-Time Pad

Posted By Bruce Schneier

Seems that the one-time pad was not first invented by Vernam: He could plainly see that the document described a technique called the one-time pad fully 35 years before its supposed invention during World War I by Gilbert Vernam, an AT&T engineer, and Joseph Mauborgne, later chief of the Army Signal Corps. [...] The 1882 monograph that Dr. Bellovin stumbled...

Wed, 03 Aug 2011 11:08:28 UTC

Identifying People by their Writing Style

Posted By Bruce Schneier

The article is in the context of the big Facebook lawsuit, but the part about identifying people by their writing style is interesting: Recently, a team of computer scientists at Concordia University in Montreal took advantage of an unusual set of data to test another method of determining e-mail authorship. In 2003, the Federal Energy Regulatory Commission, as part of...

Tue, 02 Aug 2011 18:33:50 UTC

Developments in Facial Recognition

Posted By Bruce Schneier

Eventually, it will work. You'll be able to wear a camera that will automatically recognize someone walking towards you, and a earpiece that will relay who that person is and maybe something about him. None of the technologies required to make this work are hard; it's just a matter of getting the error rate down low enough for it to...

Tue, 02 Aug 2011 11:23:42 UTC

Attacking PLCs Controlling Prison Doors

Posted By Bruce Schneier

Embedded system vulnerabilities in prisons: Some of the same vulnerabilities that the Stuxnet superworm used to sabotage centrifuges at a nuclear plant in Iran exist in the country's top high-security prisons, according to security consultant and engineer John Strauchs, who plans to discuss the issue and demonstrate an exploit against the systems at the DefCon hacker conference next week in...

Mon, 01 Aug 2011 17:29:29 UTC

Breaking the Xilinx Virtex-II FPGA Bitstream Encryption

Posted By Bruce Schneier

It's a power-analysis attack, which makes it much harder to defend against. And since the attack model is an engineer trying to reverse-engineer the chip, it's a valid attack. Abstract: Over the last two decades FPGAs have become central components for many advanced digital systems, e.g., video signal processing, network routers, data acquisition and military systems. In order to protect...

Mon, 01 Aug 2011 11:03:28 UTC

Using Science Fiction to Teach Computer Security

Posted By Bruce Schneier

Interesting paper: "Science Fiction Prototyping and Security Education: Cultivating Contextual and Societal Thinking in Computer Security Education and Beyond," by Tadayoshi Kohno and Brian David Johnson. Abstract: Computer security courses typically cover a breadth of technical topics, including threat modeling, applied cryptography, software security, and Web security. The technical artifacts of computer systems -- and their associated computer security risks...

Fri, 29 Jul 2011 11:54:32 UTC

Hacking Apple Laptop Batteries

Posted By Bruce Schneier

Interesting: Security researcher Charlie Miller, widely known for his work on Mac OS X and Apple's iOS, has discovered an interesting method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries...

Thu, 28 Jul 2011 19:02:46 UTC

ShareMeNot

Posted By Bruce Schneier

ShareMeNot is a Firefox add-on for preventing tracking from third-party buttons (like the Facebook "Like" button or the Google "+1" button) until the user actually chooses to interact with them. That is, ShareMeNot doesn't disable/remove these buttons completely. Rather, it allows them to render on the page, but prevents the cookies from being sent until the user actually clicks on...

Thu, 28 Jul 2011 11:27:55 UTC

Data Privacy as a Prisoner's Dilemma

Posted By Bruce Schneier

Good analysis: Companies would be better off if they all provided meaningful privacy protections for consumers, but privacy is a collective action problem for them: many companies would love to see the ecosystem fixed, but no one wants to put themselves at a competitive disadvantage by imposing unilateral limitations on what they can do with user data. The solution --...

Wed, 27 Jul 2011 19:10:00 UTC

Cryptography and Wiretapping

Posted By Bruce Schneier

Matt Blaze analyzes the 2010 U.S. Wiretap Report. In 2000, government policy finally reversed course, acknowledging that encryption needed to become a critical part of security in modern networks, something that deserved to be encouraged, even if it might occasionally cause some trouble for law enforcement wiretappers. And since that time the transparent use of cryptography by everyday people (and...

Wed, 27 Jul 2011 11:44:59 UTC

Ars Technica on Liabilities and Computer Security

Posted By Bruce Schneier

Good article: Halderman argued that secure software tends to come from companies that have a culture of taking security seriously. But it's hard to mandate, or even to measure, "security consciousness" from outside a company. A regulatory agency can force a company to go through the motions of beefing up its security, but it's not likely to be effective unless...

Tue, 26 Jul 2011 18:28:58 UTC

Duplicating Physical Keys from Photographs (Sneakey)

Posted By Bruce Schneier

In this demonstration, researchers photographed keys from 200 feet away and then made working copies. From the paper: The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private -- that duplication should require either possession of the key or a priori knowledge of how it was cut....

Tue, 26 Jul 2011 11:51:45 UTC

iPhone Iris Scanning Technology

Posted By Bruce Schneier

No indication about how well it works: The smartphone-based scanner, named Mobile Offender Recognition and Information System, or MORIS, is made by BI2 Technologies in Plymouth, Massachusetts, and can be deployed by officers out on the beat or back at the station. An iris scan, which detects unique patterns in a person's eyes, can reduce to seconds the time it...

Mon, 25 Jul 2011 18:06:12 UTC

Revenge Effects of Too-Safe Playground Equipment

Posted By Bruce Schneier

Sometimes too much security isn't good. After observing children on playgrounds in Norway, England and Australia, Dr. Sandseter identified six categories of risky play: exploring heights, experiencing high speed, handling dangerous tools, being near dangerous elements (like water or fire), rough-and-tumble play (like wrestling), and wandering alone away from adult supervision. The most common is climbing heights. "Climbing equipment needs...

Mon, 25 Jul 2011 10:59:08 UTC

Smuggling Drugs in Unwitting People's Car Trunks

Posted By Bruce Schneier

This is clever: A few miles away across the Rio Grande, the FBI determined that Chavez and Gomez were using lookouts to monitor the SENTRI Express Lane at the border. The lookouts identified "targets" -- people with regular commutes who primarily drove Ford vehicles. According to the FBI affidavit, the smugglers would follow their targets and get the vehicle identification...

Fri, 22 Jul 2011 21:11:08 UTC

Friday Squid Blogging: Glass Squid

Posted By Bruce Schneier

Pretty....

Thu, 21 Jul 2011 11:07:40 UTC

Is There a Hacking Epidemic?

Posted By Bruce Schneier

Freakonomics asks: "Why has there been such a spike in hacking recently? Or is it merely a function of us paying closer attention and of institutions being more open about reporting security breaches?" They posted five answers, including mine: The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school...

Wed, 20 Jul 2011 11:23:21 UTC

Google Detects Malware in its Search Data

Posted By Bruce Schneier

This is interesting: As we work to protect our users and their information, we sometimes discover unusual patterns of activity. Recently, we found some unusual search traffic while performing routine maintenance on one of our data centers. After collaborating with security engineers at several companies that were sending this modified traffic, we determined that the computers exhibiting this behavior were...

Tue, 19 Jul 2011 19:50:59 UTC

Members of "Anonymous" Hacker Group Arrested

Posted By Bruce Schneier

The police arrested sixteen suspected members of the Anonymous hacker group. Whatever you may think of their politics, the group committed crimes and their members should be arrested and prosecuted. I just hope we don't get a media flurry about how they were some sort of cyber super criminals. Near as I can tell, they were just garden variety hackers...

Tue, 19 Jul 2011 14:59:03 UTC

Telex Anti-Censorship System

Posted By Bruce Schneier

This is really clever: Many anticensorship systems work by making an encrypted connection (called a tunnel) from the user's computer to a trusted proxy server located outside the censor's network. This server relays requests to censored websites and returns the responses to the user over the encrypted tunnel. This approach leads to a cat-and-mouse game, where the censor attempts to...

Mon, 18 Jul 2011 14:42:43 UTC

British Phone Hacking Scandal

Posted By Bruce Schneier

Ross Anderson discusses the technical and policy details....

Fri, 15 Jul 2011 21:49:25 UTC

Friday Squid Blogging: Giant School of Squid

Posted By Bruce Schneier

Neat pictures....

Fri, 15 Jul 2011 19:33:00 UTC

Interview in Infosecurity Magazine

Posted By Bruce Schneier

I think I gave this interview at the RSA Conference in February....

Fri, 15 Jul 2011 11:31:38 UTC

Degree Plans of the Future

Posted By Bruce Schneier

You can now get a Master of Science in Strategic Studies in Weapons of Mass Destruction. Well, maybe you can't: "It's not going to be open enrollment (or) traditional students," Giever said. "You worry about whether you might be teaching the wrong person this stuff." At first, the FBI will select students from within its ranks, though Giever wants to...

Thu, 14 Jul 2011 18:47:10 UTC

My Next Book Title: Liars and Outliers

Posted By Bruce Schneier

Thank you for all your comments and suggestions regarding my next book title. It will be: "Liars and Outliers: How Security Holds Society Together." We're still deciding on a cover, but it won't be any of the five from the above link. Vaguely ominous crowd scenes are not what I want....

Thu, 14 Jul 2011 11:38:24 UTC

Physical Key Escrow

Posted By Bruce Schneier

This creates far more security risks than it solves: The city council in Cedar Falls, Iowa has absolutely crossed the line. They voted 6-1 in favor of expanding the use of lock boxes on commercial property. Property owners would be forced to place the keys to their businesses in boxes outside their doors so that firefighters, in that one-in-a-million chance,...

Wed, 13 Jul 2011 11:30:19 UTC

Interview with Evgeny Kaspersky

Posted By Bruce Schneier

Interesting....

Tue, 12 Jul 2011 12:13:16 UTC

Insurgent Groups Exhibit Learning Curve

Posted By Bruce Schneier

Interesting research: After analyzing reams of publicly available data on casualties from Iraq, Afghanistan, Pakistan and decades of terrorist attacks, the scientists conclude that "insurgents pretty much seemed to be following a progress curve -- or a learning curve -- that's very common in the manufacturing literature," says physicist Neil Johnson of the University of Miami in Florida and lead author of the study....

Mon, 11 Jul 2011 21:48:10 UTC

History of Stuxnet

Posted By Bruce Schneier

Nice article....

Fri, 08 Jul 2011 21:55:59 UTC

Friday Squid Blogging: Giant Squid Egg

Posted By Bruce Schneier

Interesting pictures. Article is in Italian, though. Google Translate translation....

Fri, 08 Jul 2011 11:19:54 UTC

Organized Crime in Ireland Evolves As Security Increases

Posted By Bruce Schneier

The whole article is interesting, but here's just one bit: The favoured quick-fix money-making exercise of the average Irish organised crime gang had, for decades, been bank robberies. But a massive investment by banks in branch security has made the traditional armed hold-up raids increasingly difficult. The presence of CCTV cameras in most banks means any raider would need to...

Thu, 07 Jul 2011 11:36:23 UTC

Comparing al Qaeda and the IRA

Posted By Bruce Schneier

A really interesting article: Al Qaeda played all out, spent all its assets in a few years. In my dumb-ass 2005 article, I called the Al Qaeda method "real war" and the IRA's slow-perc campaign "nerf war." That was ignorance talking, boyish war-loving ignorance. I wanted more action, that was all. I saw what an easy target the London transport...

Wed, 06 Jul 2011 10:53:54 UTC

Man Flies with Someone Else's Ticket and No Legal ID

Posted By Bruce Schneier

Last week, I got a bunch of press calls about Olajide Oluwaseun Noibi, who flew from New York to Los Angeles using an expired ticket in someone else's name and a university ID. They all wanted to know what this says about airport security. It says that airport security isn't perfect, and that people make mistakes. But it's not something...

Tue, 05 Jul 2011 11:14:19 UTC

Research in Secure Chips

Posted By Bruce Schneier

Unsurprisingly, the U.S. military is funding research in this....

Fri, 01 Jul 2011 21:26:03 UTC

Friday Squid Blogging: Giant Squid as an Emblem for Ocean Conservation

Posted By Bruce Schneier

It's a proposal....

Fri, 01 Jul 2011 17:08:05 UTC

TDSS Rootkit

Posted By Bruce Schneier

There's a new version: The latest TDL-4 version of the rootkit, which is used as a persistent backdoor to install other types of malware, infected 4.52 million machines in the first three months of this year, according to a detailed technical analysis published Wednesday by antivirus firm Kaspersky Lab. Almost a third of the compromised machines were located in the...

Fri, 01 Jul 2011 13:52:23 UTC

Menwith Hill

Posted By Bruce Schneier

Article on the NSA's Menwith Hill listening station in the UK....

Thu, 30 Jun 2011 13:15:00 UTC

Chinese Army Developed Online Wargame

Posted By Bruce Schneier

This is a really weird story: After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle awareness, state press said on Wednesday. After setting up its own cyber-warfare team, China's military has now developed its first online war game aimed at improving combat skills and battle...

Wed, 29 Jun 2011 14:13:20 UTC

Yet Another "People Plug in Strange USB Sticks" Story

Posted By Bruce Schneier

I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers. And if the drive or CD had an official logo on it, 90% were installed. Of course people plugged in USB...

Mon, 27 Jun 2011 11:15:52 UTC

Common PINs

Posted By Bruce Schneier

There's some great data on common iPhone passwords. I'm sure the results also apply to banking PINs....

Fri, 24 Jun 2011 21:19:38 UTC

Friday Squid Blogging: Eating Humboldt Squid

Posted By Bruce Schneier

Chris Cosentino, chef at Incanto in San Francisco, wants to serve you Humboldt squid....

Fri, 24 Jun 2011 18:59:57 UTC

Selling a Good Reputation on eBay

Posted By Bruce Schneier

Here's someone who is selling positive feedback on eBay: Hello, for sale is a picture of a tree. This tree is an original and was taken by me. I have gotten nothing but 100% feedback from people from this picture. Great Picture! Once payment is made I will send you picture via email. Once payment is made and I send...

Fri, 24 Jun 2011 16:40:28 UTC

Assisting a Hostage Taker via Facebook

Posted By Bruce Schneier

It's a new world: An armed Valdez, 36, held a woman hostage at a motel in a tense 16-hour, overnight standoff with SWAT teams, all while finding time to keep his family and friends updated on Facebook. [...] In all, Valdez made six posts and added at least a dozen new friends. His family and friends responded with 100 comments....

Fri, 24 Jun 2011 11:37:53 UTC

Protecting Private Information on Smart Phones

Posted By Bruce Schneier

AppFence is a technology -- with a working prototype -- that protects personal information on smart phones. It does this by either substituting innocuous information in place of sensitive information or blocking attempts by the application to send the sensitive information over the network. The significance of systems like AppFence is that they have the potential to change the balance...

Thu, 23 Jun 2011 18:16:57 UTC

NSA Style Manual

Posted By Bruce Schneier

National Security Agency (NSA) SIGINT Reporter's Style and Usage Manual, 2010....

Thu, 23 Jun 2011 11:29:24 UTC

Insider Attack Against M&A Information in Document Titles

Posted By Bruce Schneier

Protecting against insiders is hard. Kluger and two accomplices -- a Wall Street trader and a mortgage broker -- allegedly stole and traded on material nonpublic information about M&A deals over a period of 17 years, according to federal authorities. The trio, facing charges from the U.S. Securities and Exchange Commission and the Department of Justice, allegedly made at least...

Wed, 22 Jun 2011 18:40:52 UTC

Did Reason Evolve as a Persuasion Tool?

Posted By Bruce Schneier

Many of our informal security systems involve convincing others to do what we want them to. Here's a theory that says human reasoning evolved not as a tool to better understand the world or solve problems, but to win arguments and persuade other humans. (Paper here.)...

Wed, 22 Jun 2011 11:23:33 UTC

Firesheep in Use

Posted By Bruce Schneier

Nice article on Firesheep in action....

Tue, 21 Jun 2011 16:20:05 UTC

My Next Book: Title and Cover

Posted By Bruce Schneier

As my regular readers already know, I'm in the process of writing my next book. It's a book about why security exists: specifically, how a group of people protects itself from individuals within that group. My working title has been The Dishonest Minority. The idea behind the title is that "honesty" is defined by social convention, then those that don't...

Tue, 21 Jun 2011 10:58:12 UTC

The Problem with Cyber-crime Surveys

Posted By Bruce Schneier

Good paper: "Sex, Lies and Cyber-crime Surveys," Dinei Florêncio and Cormac Herley, Microsoft Research. Abstract: Much of the information we have on cyber-crime losses is derived from surveys. We examine some of the difficulties of forming an accurate estimate by survey. First, losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the...

Mon, 20 Jun 2011 17:12:58 UTC

The Life Cycle of Cryptographic Hash Functions

Posted By Bruce Schneier

Nice chart....

Mon, 20 Jun 2011 12:01:32 UTC

RAND Corporation on Trusted Traveler

Posted By Bruce Schneier

New paper: "Assessing the Security Benefits of a Trusted Traveler Program in the Presence of Attempted Attacker Exploitation and Compromise": Current aviation security procedures screen all passengers uniformly. Varying the amount of screening individuals receive based on an assessment of their relative risk has the potential to reduce the security burdens on some travelers, while improving security overall. This paper...

Sat, 18 Jun 2011 18:06:58 UTC

Fourth SHB Workshop

Posted By Bruce Schneier

I'm at SHB 2011, the fourth Interdisciplinary Workshop on Security and Human Behavior, at Carnegie Mellon University. This is a two-day invitational gathering of computer security researchers, psychologists, behavioral economists, sociologists, political scientists, anthropologists, philosophers, and others -- all of whom are studying the human side of security -- organized by Alessandro Acquisti, Ross Anderson, and me. It's not just...

Fri, 17 Jun 2011 21:35:09 UTC

Friday Squid Blogging: Beautiful Deep-Sea Squid Picture

Posted By Bruce Schneier

From the Telegraph (also here)....

Fri, 17 Jun 2011 19:32:33 UTC

Horse "No Ride" List

Posted By Bruce Schneier

Excellent satire....

Fri, 17 Jun 2011 17:09:39 UTC

Court Ruling on "Reasonable" Electronic Banking Security

Posted By Bruce Schneier

One of the pleasant side effects of being too busy to write longer blog posts is that -- if I wait long enough -- someone else writes what I would have wanted to. The ruling in the Patco Construction vs. People's United Bank case is important, because the judge basically ruled that the bank's substandard security was good enough --...

Fri, 17 Jun 2011 11:34:52 UTC

The Decline of al Qaeda

Posted By Bruce Schneier

Interesting essay....

Thu, 16 Jun 2011 12:33:35 UTC

Threat Models Colliding at Movie-Theater Projectors

Posted By Bruce Schneier

Interesting....

Wed, 15 Jun 2011 18:19:14 UTC

WEIS 2011

Posted By Bruce Schneier

I'm at the Tenth Workshop on Economics of Information Security (WEIS 2011), at George Mason University. Most of the papers are online, and Ross Anderson is liveblogging the talks....

Wed, 15 Jun 2011 17:03:12 UTC

Malware in Google's Android

Posted By Bruce Schneier

This is not a good development....

Wed, 15 Jun 2011 11:22:00 UTC

The Non-Anonymity of Bubble Forms

Posted By Bruce Schneier

It turns out that "fill-in-the-bubble" forms are not so anonymous....

Tue, 14 Jun 2011 18:45:13 UTC

Status Report on the War on Photography

Posted By Bruce Schneier

Worth reading: Morgan Leigh Manning, "Less than Picture Perfect: The Legal Relationship between Photographers' Rights and Law Enforcement," Tennessee Law Review, Vol. 78, p. 105, 2010. Abstract: Threats to national security and public safety, whether real or perceived, result in an atmosphere conducive to the abuse of civil liberties. History is littered with examples: The Alien and Sedition Acts of...

Tue, 14 Jun 2011 12:54:26 UTC

Yet Another Way to Evade TSA's Full-Body Scanners

Posted By Bruce Schneier

Last night, at the Third EPIC Champion of Freedom Awards Dinner, we gave an award to Susie Castillo, whose blog post and video of her treatment in the hands of the TSA has inspired thousands to complain about the agency and their treatment of travellers. Sitting with her at dinner, I learned yet another way to evade the TSA's full...

Mon, 13 Jun 2011 11:52:50 UTC

Why it's So Difficult to Trace Cyber-Attacks

Posted By Bruce Schneier

I've been asked this question by countless reporters in the past couple of weeks. Here's a good explanation. Shorter answer: it's easy to spoof source destination, and it's easy to hijack unsuspecting middlemen and use them as proxies. No, mandating attribution won't solve the problem. Any Internet design will necessarily include anonymity....

Fri, 10 Jun 2011 21:14:18 UTC

Friday Squid Blogging: Squid Cartoon

Posted By Bruce Schneier

Savage Chickens....

Fri, 10 Jun 2011 17:59:49 UTC

Two Good Rants

Posted By Bruce Schneier

Patrick Gray on why we secretly love LulzSec, and Robert Cringely on why we openly hate RSA....

Fri, 10 Jun 2011 11:14:54 UTC

New Airport Scanning Technology

Posted By Bruce Schneier

Interesting: Iscon's patented, thermo-conductive technology combines infrared (IR) and heat transfer, for high-resolution imaging without using any radiation. The core of this is state of the art imaging which detects and processes a break in the established thermal balance between the clothes and a hidden object. The IR camera detects the heat radiating from even a tiny object, producing a...

Thu, 09 Jun 2011 18:53:27 UTC

Spam as a Business

Posted By Bruce Schneier

Interesting research: Kirill Levchenko, et al. (2010), "Click Trajectories -- End-to-End Analysis of the Spam Value Chain," IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011. Abstract: Spam-based advertising is a business. While it has engendered both widespread antipathy and a multi-billion dollar anti-spam industry, it continues to exist because it fuels a profitable enterprise. We lack,...

Wed, 08 Jun 2011 20:46:13 UTC

25% of U.S. Criminal Hackers are Police Informants

Posted By Bruce Schneier

I have no idea if this is true: In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" -- hackers specialising in ID theft -- have themselves taken over the management of crime...

Tue, 07 Jun 2011 10:32:48 UTC

Tennessee Makes Password Sharing Illegal

Posted By Bruce Schneier

Here's a new law that won't work: State lawmakers in country music's capital have passed a groundbreaking measure that would make it a crime to use a friend's login -- even with permission -- to listen to songs or watch movies from services such as Netflix or Rhapsody. [...] The legislation was aimed at hackers and thieves who sell passwords...

Mon, 06 Jun 2011 19:59:17 UTC

Fighting Terrorism with Cupcakes

Posted By Bruce Schneier

MI6 hacked into an online al-Qaeda magazine and replaced bomb-making instructions with a cupcake recipe. It's a more polite hack than subtly altering the recipe so it blows up during the making process. (I've been told, although I don't know for sure, that the 1971 Anarchist's Cookbook has similarly flawed recipes.)...

Mon, 06 Jun 2011 12:06:54 UTC

Analysis of Redaction Failures

Posted By Bruce Schneier

Redaction failures are so common that I stopped blogging about them years ago. This is the first analysis I have seen of technical redaction failures. And here's the NSA on how to redact....

Fri, 03 Jun 2011 21:13:48 UTC

Friday Squid Blogging: LOLCat and Squid Toy

Posted By Bruce Schneier

Cute....

Fri, 03 Jun 2011 18:49:20 UTC

World War II Tunny Cryptanalysis Machine Rebuilt at Bletchley Park

Posted By Bruce Schneier

Neat: The rebuild team had only a few photographs, partial circuit diagrams and the fading memories of a few original Tunny operators to go on. Nonetheless a team led by John Pether and John Whetter was able to complete this restoration work. Pether explained that getting the electronics to work proved to be the most difficult part of the restoration...

Fri, 03 Jun 2011 11:41:21 UTC

Security vs. Privacy

Posted By Bruce Schneier

Daniel Solove on the security vs. privacy debate....

Thu, 02 Jun 2011 17:11:51 UTC

Open-Source Software Feels Insecure

Posted By Bruce Schneier

At first glance, this seems like a particularly dumb opening line of an article: Open-source software may not sound compatible with the idea of strong cybersecurity, but.... But it's not. Open source does sound like a security risk. Why would you want the bad guys to be able to look at the source code? They'll figure out how it works....

Thu, 02 Jun 2011 14:48:51 UTC

Spear Phishing Attacks from China Against Gmail Accounts

Posted By Bruce Schneier

Reporters have been calling me pretty much constantly about this story, but I can't figure out why in the world this is news. Attacks from China -- old news; attacks from China against Google -- old news; attacks from China against Google Gmail accounts -- old news. Spear phishing attacks from China against senior government officials -- old news. There's...

Thu, 02 Jun 2011 12:32:24 UTC

Man-in-the-Middle Attack Against the MCAT Exam

Posted By Bruce Schneier

In Applied Cryptography, I wrote about the "Chess Grandmaster Problem," a man-in-the-middle attack. Basically, Alice plays chess remotely with two grandmasters. She plays Grandmaster 1 as white and Grandmaster 2 as black. After the standard opening of 1. e4, she just replays the moves from one game to the other, and convinces both of them that she's a grandmaster in...

Wed, 01 Jun 2011 13:59:08 UTC

Three-Volume History of Counterintelligence

Posted By Bruce Schneier

CI Reader: An American Revolution Into the New Millennium, Volumes I, II, and III is published by the U.S. Office of the National Counterintelligence Executive. (No, I've never heard of them, either.)...

Tue, 31 May 2011 18:12:42 UTC

The U.S. Seems to Have a Secret Stealth Helicopter

Posted By Bruce Schneier

That's what the U.S. destroyed after a malfunction in Pakistan during the Bin Laden assassination. (For helicopters, "stealth" is less concerned with radar signatures and more concerned with acoustical quiet.) There was some talk about Pakistan sending it to China, but they're returning it to the U.S. I presume that the Chinese got everything they needed quickly....

Tue, 31 May 2011 11:34:35 UTC

Keeping Sensitive Information Out of the Hands of Terrorists Through Self-Restraint

Posted By Bruce Schneier

In my latest book (available February), I talk about various mechanisms for societal security: how we as a group protect ourselves from the "dishonest minority" within us. I have four types of societal security systems: moral systems -- any internal rewards and punishments; reputational systems -- any informal external rewards and punishments; rule-based systems -- any formal system of rewards...

Mon, 30 May 2011 12:17:20 UTC

Lockheed Martin Hack Linked to RSA's SecurID Breach

Posted By Bruce Schneier

All I know is what I read in the news....

Mon, 30 May 2011 11:58:47 UTC

Aggressive Social Engineering Against Consumers

Posted By Bruce Schneier

Cyber criminals are getting aggressive with their social engineering tactics. Val Christopherson said she received a telephone call last Tuesday from a man stating he was with an online security company who was receiving error messages from the computer at her Charleswood home. “He said he wanted to fix my problem over the phone,” Christopherson said. She said she was...

Fri, 27 May 2011 21:15:27 UTC

Friday Squid Blogging: Hand-Cut Paper Silhouette

Posted By Bruce Schneier

Surprisingly pretty....

Fri, 27 May 2011 11:04:55 UTC

Apple's iOS 4 Hardware Encryption Cracked

Posted By Bruce Schneier

All I know is what's in these two blog posts from Elcomsoft. Note that they didn't break AES-256; they figured out how to extract the keys from the hardware (iPhones, iPads). The company "will be releasing the product implementing this functionality for the exclusive use of law enforcement, forensic and intelligence agencies."...

Thu, 26 May 2011 18:57:44 UTC

U.S. Presidential Limo Defeated by Steep-Grade Parking Ramp

Posted By Bruce Schneier

It's not something I know anything about -- actually, it's not something many people know about -- but I've posted some links about the security features of the U.S. presidential limousine. So it's amusing to watch the limo immobilized by a steep grade at the U.S. embassy in Dublin. (You'll get a glimpse of how thick the car doors are...

Thu, 26 May 2011 11:02:58 UTC

Black Box Records in Automobiles

Posted By Bruce Schneier

Proposed new rules in the U.S....

Wed, 25 May 2011 16:55:48 UTC

Blackhole Exploit Kit

Posted By Bruce Schneier

It's now available as a free download: A free version of the Blackhole exploit kit has appeared online in a development that radically reduces the entry-level costs of getting into cybercrime. The Blackhole exploit kit, which up until now would cost around $1,500 for an annual licence, creates a handy way to plant malicious scripts on compromised websites. Surfers visiting...

Tue, 24 May 2011 10:50:30 UTC

New Siemens SCADA Vulnerabilities Kept Secret

Posted By Bruce Schneier

SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage...

Mon, 23 May 2011 11:47:18 UTC

Dropbox Security

Posted By Bruce Schneier

I haven't written about Dropbox's security problems; too busy with the book. But here's an excellent summary article from The Economist. The meta-issue is pretty simple. If you expect a cloud provider to do anything more interesting than simply store your files for you and give them back to you at a later date, they are going to have to...

Fri, 20 May 2011 21:27:20 UTC

Friday Squid Blogging: Plush Squid

Posted By Bruce Schneier

Very cute....

Fri, 20 May 2011 21:00:05 UTC

CDC on the Zombie Apocalypse

Posted By Bruce Schneier

The Centers for Disease Control and Prevention weigh in on preparations for the zombie apocalypse....

Fri, 20 May 2011 19:43:36 UTC

The Normalization of Security

Posted By Bruce Schneier

TSA-style security is now so normal that it's part of a Disney ride: The second room of the queue is now a security check area, similar to a TSA checkpoint. The two G-series droids are still there, G2-9T scanning luggage and G2-4T scanning passengers. For those attraction junkies, you'll remember that the G-series droids are so named because in the...

Fri, 20 May 2011 12:44:46 UTC

Forged Subway Passes in Boston

Posted By Bruce Schneier

For years, an employee of Cubic Corp -- the company that makes the automatic fare card systems for most of the subway systems around the world -- forged and then sold monthly passes for the Boston MBTA system. The scheme was discovered by accident: Coakley said the alleged scheme was only discovered after a commuter rail operator asked a...

Thu, 19 May 2011 11:01:24 UTC

BIOS Protection

Posted By Bruce Schneier

NIST has released "BIOS Protection Guidelines."...

Wed, 18 May 2011 13:45:55 UTC

Bin Laden Maintained Computer Security with an Air Gap

Posted By Bruce Schneier

From the Associated Press: Bin Laden's system was built on discipline and trust. But it also left behind an extensive archive of email exchanges for the U.S. to scour. The trove of electronic records pulled out of his compound after he was killed last week is revealing thousands of messages and potentially hundreds of email addresses, the AP has learned....

Tue, 17 May 2011 18:35:07 UTC

Mobile Phone Privacy App Contest

Posted By Bruce Schneier

Entries due by the end of the month....

Tue, 17 May 2011 12:46:45 UTC

Fingerprint Scanner that Works at a Distance

Posted By Bruce Schneier

Scanning fingerprints from six feet away. Slightly smaller than a square tissue box, AIRprint houses two 1.3 megapixel cameras and a source of polarized light. One camera receives horizontally polarized light, while the other receives vertically polarized light. When light hits a finger, the ridges of the fingerprint reflect one polarization of light, while the valleys reflect another. "That's where...

Mon, 16 May 2011 11:31:05 UTC

The Inner Workings of an FBI Surveillance Device

Posted By Bruce Schneier

This FBI surveillance device, designed to be attached to a car, has been taken apart and analyzed. A recent ruling by the 9th U.S. Circuit Court of Appeals affirms that it's legal for law enforcement to secretly place a tracking device on your car without a warrant, even if it's parked in a private driveway....

Fri, 13 May 2011 21:54:45 UTC

Friday Squid Blogging: Squid Sous Vide

Posted By Bruce Schneier

Yum: We learned to cook squid sous vide at 59°C when we were at Atelier in Canada. The cooking time and temperature we picked up produce squid which is meaty, juicy and rich in texture. Here we marinated the squid with mango pickle and then cooked them for three hours at 59°C. Then we cooled them down in an ice...

Fri, 13 May 2011 16:29:02 UTC

Interview with Me About the Sony Hack

Posted By Bruce Schneier

These are what I get for giving interviews when I'm in a bad mood. For the record, I think Sony did a terrible job with its customers' security. I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better. And that most of us are pretty secure, despite...

Fri, 13 May 2011 12:11:26 UTC

Drugging People and Then Robbing Them

Posted By Bruce Schneier

This is a pretty scary criminal tactic from Turkey. Burglars dress up as doctors, and ring doorbells handing out pills under some pretense or another. They're actually powerful sedatives, and when people take them they pass out, and the burglars can ransack the house. According to the article, when the police tried the same trick with placebos, they got an...

Thu, 12 May 2011 11:24:22 UTC

FBI Surveillance Tools

Posted By Bruce Schneier

Interesting blog post from EFF....

Wed, 11 May 2011 16:01:59 UTC

RFID Tags Protecting Hotel Towels

Posted By Bruce Schneier

The stealing of hotel towels isn't a big problem in the scheme of world problems, but it can be expensive for hotels. Sure, we have moral prohibitions against stealing -- that'll prevent most people from stealing the towels. Many hotels put their name or logo on the towels. That works as a reputational societal security system; most people don't want...

Wed, 11 May 2011 11:12:23 UTC

"Resilience of the Internet Interconnection Ecosystem"

Posted By Bruce Schneier

This blog post by Richard Clayton is worth reading. If you have more time, there's a 238-page report and a 31-page executive summary....

Tue, 10 May 2011 18:47:14 UTC

Medieval Tally Stick Discovered in Germany

Posted By Bruce Schneier

Interesting: The well-preserved tally stick was used in the Middle Ages to count the debts owed by the holder in a time when most people were unable to read or write. "Debts would have been carved into the stick in the form of small notches. Then the stick would have been split lengthways, with the creditor and the borrower each...

Tue, 10 May 2011 11:20:33 UTC

The Era of "Steal Everything"

Posted By Bruce Schneier

Good comment: "We're moving into an era of 'steal everything'," said David Emm, a senior security researcher for Kaspersky Labs. He believes that cyber criminals are now no longer just targeting banks or retailers in the search for financial details, but instead going after social and other networks which encourage the sharing of vast amounts of personal information. As both...

Mon, 09 May 2011 18:50:00 UTC

Vulnerabilities in Online Payment Systems

Posted By Bruce Schneier

This hack was conducted as a research project. It's unlikely it's being done in the wild: In one attack, Wang and colleagues used a plug-in for the Firefox web browser to examine data being sent and received by the online retailer Buy.com. When users make a purchase, Buy.com directs them to PayPal. Once they have paid, PayPal sends Buy.com a...

Mon, 09 May 2011 12:02:54 UTC

Status Report: The Dishonest Minority

Posted By Bruce Schneier

Three months ago, I announced that I was writing a book on why security exists in human societies. This is basically the book's thesis statement: All complex systems contain parasites. In any system of cooperative behavior, an uncooperative strategy will be effective -- and the system will tolerate the uncooperatives -- as long as they're not too numerous or too...

Fri, 06 May 2011 21:31:01 UTC

Friday Squid Blogging: Noise Pollution and Squid

Posted By Bruce Schneier

It literally blows holes in their heads: In the study, led by Michel André of the Technical University of Catalonia in Barcelona, biologists exposed 87 individual cephalopods of four species -- Loligo vulgaris, Sepia officinalis, Octopus vulgaris and Illex coindeti -- to short sweeps of relatively low intensity, low frequency sound between 50 and 400 Hertz (Hz). Then they examined...

Fri, 06 May 2011 21:11:09 UTC

Friday Squid Blogging: Squids in Space

Posted By Bruce Schneier

There are live squids on the last Endeavor mission....

Fri, 06 May 2011 17:32:20 UTC

Forged Memory

Posted By Bruce Schneier

A scary development in rootkits: Rootkits typically modify certain areas in the memory of the running operating system (OS) to hijack execution control from the OS. Doing so forces the OS to present inaccurate results to detection software (anti-virus, anti-rootkit). For example rootkits may hide files, registries, processes, etc., from detection software. So rootkits typically modify memory. And anti-rootkit tools...

Fri, 06 May 2011 12:01:15 UTC

Stolen Camera Finder

Posted By Bruce Schneier

Here's a clever Web app that locates your stolen camera by searching the EXIF data on public photo databases for your camera's serial number....

Thu, 05 May 2011 17:52:16 UTC

Extreme Authentication

Posted By Bruce Schneier

Exactly how did they confirm it was Bin Laden's body? Officials compared the DNA of the person killed at the Abbottabad compound with the bin Laden "family DNA" to determine that the 9/11 mastermind had in fact been killed, a senior administration official said. It was not clear how many different family members' samples were compared or whose DNA was...

Thu, 05 May 2011 11:43:40 UTC

Osama's Death Causes Spike in Suspicious Package Reports

Posted By Bruce Schneier

It's not that the risk is greater, it's that the fear is greater. Data from New York: There were 10,566 reports of suspicious objects across the five boroughs in 2010. So far this year, the total was 2,775 as of Tuesday compared with 2,477 through the same period last year. [...] The daily totals typically spike when a terrorist plot makes...

Wed, 04 May 2011 17:15:57 UTC

"Operation Pumpkin"

Posted By Bruce Schneier

Wouldn't it be great if this were not a joke: the security contingency that was in place in the event that Kate Middleton tried to run away just before the wedding. After protracted, top-secret negotiations between royal staff from Clarence House and representatives from the Metropolitan Police, MI5 and elements of the military, a compromise was agreed. In the event...

Wed, 04 May 2011 11:40:09 UTC

Unintended Security Consequences of the New Pyrex Recipe

Posted By Bruce Schneier

This is interesting: When World Kitchen took over the Pyrex brand, it started making more products out of prestressed soda-lime glass instead of borosilicate. With pre-stressed, or tempered, glass, the surface is under compression from forces inside the glass. It is stronger than borosilicate glass, but when it's heated, it still expands as much as ordinary glass does. It doesn't...

Tue, 03 May 2011 19:25:25 UTC

Decline in Cursive Writing Leads to Increase in Forgery Risk?

Posted By Bruce Schneier

According to this article, students are no longer learning how to write in cursive. And, if they are learning it, they're forgetting how. Certainly the ubiquity of keyboards is leading to a decrease in writing by hand. Relevant to this blog, the article claims that this is making signatures easier to forge. While printing might be legible, the less complex...

Tue, 03 May 2011 12:54:03 UTC

Nikon Image Authentication System Cracked

Posted By Bruce Schneier

Not a lot of details: ElcomSoft research shows that image metadata and image data are processed independently with a SHA-1 hash function. There are two 160-bit hash values produced, which are later encrypted with a secret (private) key by using an asymmetric RSA-1024 algorithm to create a digital signature. Two 1024-bit (128-byte) signatures are stored in EXIF MakerNote tag 0x0097...

Mon, 02 May 2011 14:09:55 UTC

LiveBlogging the Bin Ladin Assassination

Posted By Bruce Schneier

"VirtualReality" tweeted the Bin Ladin assassination without realizing it....

Mon, 02 May 2011 11:52:53 UTC

Hijacking the Coreflood Botnet

Posted By Bruce Schneier

Earlier this month, the FBI seized control of the Coreflood botnet and shut it down: According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote "stop" command to infected machines to disable the...

Fri, 29 Apr 2011 21:43:16 UTC

Friday Squid Blogging: Giant Squid Eye Preserved in a Jar

Posted By Bruce Schneier

Great picture from the Smithsonian Institution....

Fri, 29 Apr 2011 19:45:59 UTC

TED Talk

Posted By Bruce Schneier

This is a surprise. My TED talk made it to the website. It's a surprise because I didn't speak at TED. I spoke last year at a regional TED event, TEDxPSU. And not all talks from the regional events get on the main site, only the good ones....

Thu, 28 Apr 2011 11:56:17 UTC

The Cyberwar Arms Race

Posted By Bruce Schneier

Good paper: "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," by Jerry Brito and Tate Watkins. Over the past two years there has been a steady drumbeat of alarmist rhetoric coming out of Washington about potential catastrophic cyber threats. For example, at a Senate Armed Services Committee hearing last year, Chairman Carl Levin said that "cyberweapons...

Wed, 27 Apr 2011 14:10:53 UTC

Social Solidarity as an Effect of the 9/11 Terrorist Attacks

Posted By Bruce Schneier

It's standard sociological theory that a group experiences social solidarity in response to external conflict. This paper studies the phenomenon in the United States after the 9/11 terrorist attacks. Conflict produces group solidarity in four phases: (1) an initial few days of shock and idiosyncratic individual reactions to attack; (2) one to two weeks of establishing standardized displays of solidarity...

Tue, 26 Apr 2011 11:59:16 UTC

Security Risks of Running an Open WiFi Network

Posted By Bruce Schneier

As I've written before, I run an open WiFi network. It's stories like these that may make me rethink that. The three stories all fall along the same theme: a Buffalo man, Sarasota man, and Syracuse man all found themselves being raided by the FBI or police after their wireless networks were allegedly used to download child pornography. "You're a...

Mon, 25 Apr 2011 21:15:15 UTC

Friday Squid Blogging: Squid Fabric Designs

Posted By Bruce Schneier

Some of these are actually nice....

Mon, 25 Apr 2011 10:24:43 UTC

Hard-Drive Steganography through Fragmentation

Posted By Bruce Schneier

Clever: Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file's cluster positions have been encoded. The code depends on...

Fri, 22 Apr 2011 21:30:26 UTC

Friday Squid Blogging: Squid Prints

Posted By Bruce Schneier

Okay, this is a little weird: This year's Earth Day will again include the celebrated "squid printing" activity with two big, beautiful Pacific Humboldt squid donated from the Gulf of the Farallones National Marine Sanctuary. We'll be inking them up and laying them out on paper to create fascinating one-of-a-kind imprints of their bodies. I don't know what's worse:...

Thu, 21 Apr 2011 11:38:39 UTC

Declassified World War I Security Documents

Posted By Bruce Schneier

The CIA has just declassified six (1, 2, 3, 4, 5, and 6) documents about World War I security techniques. (The media is reporting they're CIA documents, but the CIA didn't exist before 1947.) Lots of stuff about secret writing and pre-computer tradecraft....

Wed, 20 Apr 2011 11:52:50 UTC

Large-Scale Food Theft

Posted By Bruce Schneier

A criminal gang is stealing truckloads of food: Late last month, a gang of thieves stole six tractor-trailer loads of tomatoes and a truck full of cucumbers from Florida growers. They also stole a truckload of frozen meat. The total value of the illegal haul: about $300,000. The thieves disappeared with the shipments just after the price of Florida tomatoes...

Wed, 20 Apr 2011 11:31:54 UTC

Costs of Security

Posted By Bruce Schneier

Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat....

Tue, 19 Apr 2011 11:47:53 UTC

Software as Evidence

Posted By Bruce Schneier

Increasingly, chains of evidence include software steps. It's not just the RIAA suing people -- and getting it wrong -- based on automatic systems to detect and identify file sharers. It's forensic programs used to collect and analyze data from computers and smart phones. It's audit logs saved and stored by ISPs and websites. It's location data from cell phones....

Mon, 18 Apr 2011 14:33:49 UTC

WikiLeaks Cable about Chinese Hacking of U.S. Networks

Posted By Bruce Schneier

We know it's prevalent, but there's some new information: Secret U.S. State Department cables, obtained by WikiLeaks and made available to Reuters by a third party, trace systems breaches -- colorfully code-named "Byzantine Hades" by U.S. investigators -- to the Chinese military. An April 2009 cable even pinpoints the attacks to a specific unit of China's People's Liberation Army. Privately,...

Fri, 15 Apr 2011 21:49:51 UTC

Friday Squid Blogging: Omega 3 Oil from Squid

Posted By Bruce Schneier

New health supplement....

Fri, 15 Apr 2011 18:45:47 UTC

"Schneier's Law"

Posted By Bruce Schneier

Back in 1998, I wrote: Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. In 2004, Cory Doctorow called this Schneier's law: ...what I think of as Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it." The...

Fri, 15 Apr 2011 11:49:54 UTC

Unanticipated Security Risk of Keeping Your Money in a Home Safe

Posted By Bruce Schneier

In Japan, lots of people -- especially older people -- keep their life savings in cash in their homes. (The country's banks pay very low interest rates, so the incentive to deposit that money into bank accounts is lower than in other countries.) This is all well and good, until a tsunami destroys your home and washes your money out...

Thu, 14 Apr 2011 11:36:43 UTC

Changing Incentives Creates Security Risks

Posted By Bruce Schneier

One of the things I am writing about in my new book is how security equilibriums change. They often change because of technology, but they sometimes change because of incentives. An interesting example of this is the recent scandal in the Washington, DC, public school system over teachers changing their students' test answers. In the U.S., under the No Child...

Wed, 13 Apr 2011 18:14:57 UTC

Security Fears of Wi-Fi in London Underground

Posted By Bruce Schneier

The London Underground is getting Wi-Fi. Of course there are security fears: But Will Geddes, founder of ICP Group which specialises in reducing terror or technology-related threats, said the plan was problematic. He said: "There are lots of implications in terms of terrorism and security. "This will enable people to use their laptop on the Tube as if it was...

Wed, 13 Apr 2011 11:25:07 UTC

Euro Coin Recycling Scam

Posted By Bruce Schneier

This story is just plain weird. Regularly, damaged coins are taken out of circulation. They're destroyed and then sold to scrap metal dealers. That makes sense, but it seems that one- and two-euro coins aren't destroyed very well. They're both bi-metal designs, and they're just separated into an inner core and an outer ring and then sold to Chinese scrap...

Tue, 12 Apr 2011 19:06:27 UTC

Israel's Counter-Cyberterrorism Unit

Posted By Bruce Schneier

You'd think the country would already have one of these: Israel is mulling the creation of a counter-cyberterrorism unit designed to safeguard both government agencies and core private sector firms against hacking attacks. The proposed unit would supplement the efforts of Mossad and other agencies in fighting cyberespionage and denial of service attacks....

Tue, 12 Apr 2011 11:03:25 UTC

How did the CIA and FBI Know that Australian Government Computers were Hacked?

Posted By Bruce Schneier

Newspapers are reporting that, for about a month, hackers had access to computers "of at least 10 federal ministers including the Prime Minister, Foreign Minister and Defence Minister." That's not much of a surprise. What is odd is the statement that "Australian intelligence agencies were tipped off to the cyber-spy raid by US intelligence officials within the Central Intelligence Agency...

Mon, 11 Apr 2011 18:20:35 UTC

New French Law Reduces Website Security

Posted By Bruce Schneier

I didn't know about this: The law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded. Police, the fraud office, customs, tax and social security bodies...

Mon, 11 Apr 2011 11:33:50 UTC

The CIA and Assassinations

Posted By Bruce Schneier

The former CIA general counsel, John A. Rizzo, talks about his agency's assassination program, which has increased dramatically under the Obama administration: The hub of activity for the targeted killings is the CIA's Counterterrorist Center, where lawyers -- there are roughly 10 of them, says Rizzo -- write a cable asserting that an individual poses a grave threat to the United States....

Fri, 08 Apr 2011 21:08:44 UTC

Friday Squid Blogging: A New Book About Squid

Posted By Bruce Schneier

Wendy Williams, Kraken: The Curious, Exciting, and Slightly Disturbing Science of Squid. Kraken is the traditional name for gigantic sea monsters, and this book introduces one of the most charismatic, enigmatic, and curious inhabitants of the sea: the squid. The pages take the reader on a wild narrative ride through the world of squid science and adventure, along the way...

Fri, 08 Apr 2011 18:23:27 UTC

Get Your Terrorist Alerts on Facebook and Twitter

Posted By Bruce Schneier

Colors are so last decade: The U.S. government's new system to replace the five color-coded terror alerts will have two levels of warnings -- elevated and imminent -- that will be relayed to the public only under certain circumstances for limited periods of time, sometimes using Facebook and Twitter, according to a draft Homeland Security Department plan obtained by The...

Fri, 08 Apr 2011 11:22:20 UTC

Pinpointing a Computer to Within 690 Meters

Posted By Bruce Schneier

This is impressive, and scary: Every computer connected to the web has an internet protocol (IP) address, but there is no simple way to map this to a physical location. The current best system can be out by as much as 35 kilometres. Now, Yong Wang, a computer scientist at the University of Electronic Science and Technology of China in...

Thu, 07 Apr 2011 18:10:52 UTC

Detecting Cheaters

Posted By Bruce Schneier

Our brains are specially designed to deal with cheating in social exchanges. The evolutionary psychology explanation is that we evolved brain heuristics for the social problems that our prehistoric ancestors had to deal with. Once humans became good at cheating, they then had to become good at detecting cheating -- otherwise, the social group would fall apart. Perhaps the most...

Thu, 07 Apr 2011 11:29:48 UTC

Optical Stun Ray

Posted By Bruce Schneier

It's been patented; no idea if it actually works. ...newly patented device can render an assailant helpless with a brief flash of high-intensity light. It works by overloading the neural networks connected to the retina, saturating the target's world in a blinding pool of white light. "It's the inverse of blindness–the technical term is a loss of contrast sensitivity," says...

Wed, 06 Apr 2011 11:03:42 UTC

Counterterrorism Security Cost-Benefit Analysis

Posted By Bruce Schneier

"Terror, Security, and Money: Balancing the Risks, Benefits, and Costs of Homeland Security," by John Mueller and Mark Stewart: Abstract: The cumulative increase in expenditures on US domestic homeland security over the decade since 9/11 exceeds one trillion dollars. It is clearly time to examine these massive expenditures applying risk assessment and cost-benefit approaches that have been standard for decades. Thus...

Tue, 05 Apr 2011 17:58:21 UTC

Epsilon Hack

Posted By Bruce Schneier

I have no idea why the Epsilon hack is getting so much press. Yes, millions of names and e-mail addresses might have been stolen. Yes, other customer information might have been stolen, too. Yes, this personal information could be used to create more personalized and better targeted phishing attacks. So what? These sorts of breaches happen all the time, and...

Tue, 05 Apr 2011 13:46:28 UTC

Reducing Bribery by Legalizing the Giving of Bribes

Posted By Bruce Schneier

Here's some very clever thinking from India's chief economic adviser. In order to reduce bribery, he proposes legalizing the giving of bribes: Under the current law, discussed in some detail in the next section, once a bribe is given, the bribe giver and the bribe taker become partners in crime. It is in their joint interest to keep this fact...

Mon, 04 Apr 2011 14:18:06 UTC

Ebook Fraud

Posted By Bruce Schneier

Interesting post -- and discussion -- on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple...

Fri, 01 Apr 2011 21:26:56 UTC

Friday Squid Blogging: Shower Squid

Posted By Bruce Schneier

Neat....

Fri, 01 Apr 2011 11:58:27 UTC

34 SCADA Vulnerabilities Published

Posted By Bruce Schneier

It's hard to tell how serious this is. Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution...

Thu, 31 Mar 2011 12:00:19 UTC

Comodo Group Issues Bogus SSL Certificates

Posted By Bruce Schneier

This isn't good: The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com. The certificates would have allowed the attacker to craft fake pages that would have...

Wed, 30 Mar 2011 18:48:27 UTC

FBI Asks for Cryptanalysis Help

Posted By Bruce Schneier

Could be interesting....

Wed, 30 Mar 2011 12:14:48 UTC

How Peer Review Doesn't Work

Posted By Bruce Schneier

In this amusing story of a terrorist plotter using pencil-and-paper cryptography instead of actually secure cryptography, there's this great paragraph: Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim also rejected the use of a sophisticated code program called "Mujhaddin Secrets", which implements all the AES candidate cyphers, "because 'kaffirs', or non-believers, know about it so it...

Tue, 29 Mar 2011 11:43:04 UTC

Federated Authentication

Posted By Bruce Schneier

New paper by Ross Anderson: "Can We Fix the Security Economics of Federated Authentication?": There has been much academic discussion of federated authentication, and quite some political manoeuvring about `e-ID'. The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC), is that a...

Mon, 28 Mar 2011 18:10:13 UTC

Detecting Liars

Posted By Bruce Schneier

Nice infographic....

Mon, 28 Mar 2011 11:08:41 UTC

Biliteral Ciphers

Posted By Bruce Schneier

Interesting article on William Friedman and biliteral ciphers....

Fri, 25 Mar 2011 21:15:15 UTC

Friday Squid Blogging: Squid Fabric Designs

Posted By Bruce Schneier

Some of these are actually nice....

Fri, 25 Mar 2011 17:22:47 UTC

Authenticating the Authenticators

Posted By Bruce Schneier

This is an interesting read: It was a question that changed his life, and changed mine, and may have changed -- even saved -- all of ours by calling attention to flaws in our nuclear command and control system at the height of the Cold War. It was a question that makes Maj. Hering an unsung hero of the nuclear...

Fri, 25 Mar 2011 11:38:05 UTC

Identifying Tor Users Through Insecure Applications

Posted By Bruce Schneier

Interesting research: "One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users": Abstract: Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over...

Thu, 24 Mar 2011 17:46:16 UTC

Detecting Words and Phrases in Encrypted VoIP Calls

Posted By Bruce Schneier

Interesting: Abstract: Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To...

Thu, 24 Mar 2011 12:37:25 UTC

Transmitting Data Through Steel

Posted By Bruce Schneier

This is cool: Tristan Lawry, doctoral candidate in electrical and computer engineering, has developed equipment which can transmit data at high rates through thick, solid steel or other barriers. Significantly, Lawry's kit also transmits power. One obvious application here would be transmission through the steel pressure hull of a submarine: at the moment such hulls must have hundreds of penetrations...

Wed, 23 Mar 2011 11:34:58 UTC

Threats vs. Vulnerabilities

Posted By Bruce Schneier

I found this article on the difference between threats and vulnerabilities to be very interesting. I like his taxonomy....

Tue, 22 Mar 2011 12:12:29 UTC

Folk Models in Home Computer Security

Posted By Bruce Schneier

This is a really interesting paper: "Folk Models of Home Computer Security," by Rick Wash. It was presented at SOUPS, the Symposium on Usable Privacy and Security, last year. Abstract: Home computer systems are frequently insecure because they are administered by untrained, unskilled users. The rise of botnets has amplified this problem; attackers can compromise these computers, aggregate them, and...

Mon, 21 Mar 2011 17:57:44 UTC

Times Square Video Screen Hacked with an iPhone

Posted By Bruce Schneier

I didn't post about it when I first saw it because I suspected a hoax. Turns out, I was right. It wasn't even two guys faking hacking a Times Square video screen. It was a movie studio faking two guys faking hacking a Times Square video screen....

Mon, 21 Mar 2011 11:52:45 UTC

RSA Security, Inc Hacked

Posted By Bruce Schneier

The company, not the algorithm. Here's the corporate spin. Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at...

Sat, 19 Mar 2011 14:12:31 UTC

Zombie Fungus

Posted By Bruce Schneier

The security connection is pretty tenuous, so I figured I'd blog this on a Saturday. Once it infects an ant, the fungus uses as-yet-unidentified chemicals to control the ant's behavior, Hughes told LiveScience. It directs the ant to leave its colony (a very un-ant-like thing to do) and bite down on the underside of a leaf – the ant's soon-to-be...

Thu, 17 Mar 2011 11:50:21 UTC

Hacking ATM Users by Gluing Down Keys

Posted By Bruce Schneier

Clever hack: The thieves glue down the "enter," "cancel" and "clear" buttons on the keypad and wait until the customer goes into the bank for help before withdrawing money from their account. The robbed customers have already punched in their PINs when they realize the keypad buttons are stuck. The unwitting customers either do not know that they can use...

Wed, 16 Mar 2011 11:14:07 UTC

Hacking Cars with MP3 Files

Posted By Bruce Schneier

Impressive research: By adding extra code to a digital music file, they were able to turn a song burned to CD into a Trojan horse. When played on the car's stereo, this song could alter the firmware of the car's stereo system, giving attackers an entry point to change other components on the car....

Mon, 14 Mar 2011 10:04:45 UTC

Using Language Patterns to Identify Anonymous E-Mail

Posted By Bruce Schneier

Interesting research. It only works when there's a limited number of potential authors: To test the accuracy of their technique, Fung and his colleagues examined the Enron Email Dataset, a collection which contains over 200,000 real-life emails from 158 employees of the Enron Corporation. Using a sample of 10 emails written by each of 10 subjects (100 emails in all),...

Fri, 11 Mar 2011 19:11:52 UTC

Video Interview with Me

Posted By Bruce Schneier

This three-part video interview with me was conducted at the RSA Conference last month....

Fri, 11 Mar 2011 12:06:56 UTC

FBI and the Future of Wiretapping

Posted By Bruce Schneier

Last month I posted Susan Landau's testimony before the House Judiciary Committee, Subcommittee on Crime, Terrorism, and Homeland Security on government eavesdropping. In fairness to the other side, here's testimony of Valerie Caproni, General Counsel of the FBI....

Thu, 10 Mar 2011 12:05:26 UTC

Full Body Scanners

Posted By Bruce Schneier

Wired.com has a good three-part story on full-body scanners....

Wed, 09 Mar 2011 12:38:09 UTC

Malware as Job Security

Posted By Bruce Schneier

A programmer installed malware into the Whack-a-Mole arcade game as a form of job security. It didn't work....

Tue, 08 Mar 2011 12:35:34 UTC

Criminals Stealing Cars by Calling Tow Trucks

Posted By Bruce Schneier

It's a clever hack, but an old problem: the authentication in these sorts of normal operations isn't good enough to prevent abuse....

Mon, 07 Mar 2011 12:47:52 UTC

Recently Declassified NSA History Document

Posted By Bruce Schneier

"American Cryptography During the Cold War 1945-1989; Book IV: Cryptologic Rebirth 1981-1989." Document was first declassified in 2009. Here are some newly declassified pages....

Fri, 04 Mar 2011 22:36:05 UTC

Friday Squid Blogging: Giant Squid Washes Ashore

Posted By Bruce Schneier

A giant squid washed ashore in New South Wales....

Fri, 04 Mar 2011 13:07:17 UTC

Interesting Research in Using Animals to Detect Substances

Posted By Bruce Schneier

Fascinating research summarized in The Economist. Basically, detecting dogs respond to unconscious cues from their handlers, and generate false alarms because of them. It makes sense, as dogs are so attuned to humans. I'll bet bomb-sniffing bees don't make the same mistakes....

Thu, 03 Mar 2011 12:35:09 UTC

Pickpockets are a Dying Breed

Posted By Bruce Schneier

Pickpockets in America are dying out. This is the bit I found interesting: And perhaps most important, the centuries-old apprenticeship system underpinning organized pickpocketing has been disrupted. Pickpocketing has always perpetuated itself by having older hooks -- nicknamed "Fagins," after the crime boss in Oliver Twist -- teach younger ones the art, and then absorbing them into canons. But due...

Wed, 02 Mar 2011 13:53:24 UTC

NIST SHA-3 News

Posted By Bruce Schneier

NIST has finally published its rationale for selecting the five finalists....

Tue, 01 Mar 2011 12:29:40 UTC

Erasing Data from Flash Drives

Posted By Bruce Schneier

"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. Abstract: Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture,...

Mon, 28 Feb 2011 11:58:38 UTC

Anonymous vs HBGary

Posted By Bruce Schneier

One of the effects of writing a book is that I don't have the time to devote to other writing. So while I've been wanting to write about Anonymous vs HBGary, I don't think I will have time. Here's an excellent series of posts on the topic from ArsTechnica. In cyberspace, the balance of power is on the side of...

Fri, 25 Feb 2011 22:00:13 UTC

Friday Squid Blogging: Squid Tattoo

Posted By Bruce Schneier

Impressive, even if it isn't real....

Fri, 25 Feb 2011 21:17:12 UTC

Interview with Me

Posted By Bruce Schneier

I was interviewed on chomp.fm....

Fri, 25 Feb 2011 12:14:14 UTC

HBGary and the Future of the IT Security Industry

Posted By Bruce Schneier

This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not the tactics or the politics, but what HBGary demonstrates about the IT security industry. But I think the real lesson of the hack - and of the revelations that followed it - is that the IT security industry, having finally gotten the attention of law makers,...

Thu, 24 Feb 2011 12:44:14 UTC

Good Article About the Terrorist Non-Threat

Posted By Bruce Schneier

From Reason: Know thy enemy is an ancient principle of warfare. And if America had heeded it, it might have refrained from a full-scale "war" on terrorism whose price tag is touching $2 TRILLION. That's because the Islamist enemy it is confronting is not some hyper-power capable of inflicting existential -- or even grave -- harm. It is, rather, a...

Wed, 23 Feb 2011 11:53:29 UTC

Susan Landau on Government Surveillance of the Internet

Posted By Bruce Schneier

Excellent House testimony....

Tue, 22 Feb 2011 13:21:30 UTC

Terrorist-Catching Con Man

Posted By Bruce Schneier

Interesting story about a con man who conned the U.S. government, and how the government is trying to hide its dealings with him. For eight years, government officials turned to Dennis Montgomery, a California computer programmer, for eye-popping technology that he said could catch terrorists. Now, federal officials want nothing to do with him and are going to extraordinary lengths...

Fri, 18 Feb 2011 22:17:39 UTC

Friday Squid Blogging: Research into Squid Hearing

Posted By Bruce Schneier

Interesting: Squid can hear, scientists have confirmed. But they don't detect the changes in pressure associated with sound waves, like we do. They have another, more primitive, technique for listening: They sense the motion generated by sound waves. [...] Squid have two sac-like organs called statocysts near the base of their brains. Hair cells line the sac and project into...

Fri, 18 Feb 2011 19:45:23 UTC

Biometric Wallet

Posted By Bruce Schneier

Not an electronic wallet, a physical one: Virtually indestructible, the dunhill Biometric Wallet will open only with touch of your fingerprint. It can be linked via Bluetooth to the owner's mobile phone -- sounding an alarm if the two are separated by more than 5 metres! This provides a brilliant warning if either the phone or wallet is stolen or...

Fri, 18 Feb 2011 12:22:35 UTC

NIST Defines New Versions of SHA-512

Posted By Bruce Schneier

NIST has just defined two new versions of SHA-512. They're SHA-512/224 and SHA-512/256: 224- and 256-bit truncations of SHA-512 with a new IV. They've done this because SHA-512 is faster than SHA-256 on 64-bit CPUs, so these new SHA variants will be faster. This is a good thing, and exactly what we did in the design of Skein. We defined...

Thu, 17 Feb 2011 14:38:40 UTC

Historical Study of the NSA Scientific Advisory Board

Posted By Bruce Schneier

Recently declassified: "Historical Study: The National Security Agency Scientific Advisory Board 1952-1963."...

Wed, 16 Feb 2011 12:26:16 UTC

Romanian Hackers

Posted By Bruce Schneier

Interesting article from Wired: "How a Remote Town in Romania Has Become Cybercrime Central."...

Tue, 15 Feb 2011 19:11:39 UTC

The Seven Types of Hackers

Posted By Bruce Schneier

Roger Grimes has an article describing "the seven types of malicious hackers." I generally like taxonomies, and this one is pretty good. He says the seven types are: cyber criminals; spammers and adware spreaders; advanced persistent threat (APT) agents; corporate spies; hacktivists; cyber warriors; rogue hackers...

Tue, 15 Feb 2011 11:43:03 UTC

Societal Security

Posted By Bruce Schneier

Humans have a natural propensity to trust non-kin, even strangers. We do it so often, so naturally, that we don't even realize how remarkable it is. But except for a few simplistic counterexamples, it's unique among life on this planet. Because we are intelligently calculating and value reciprocity (that is, fairness), we know that humans will be honest and nice:...

Mon, 14 Feb 2011 12:37:24 UTC

Credit Card Fraud Ring

Posted By Bruce Schneier

It amazes me that credit card fraud is so easy that you can run it from prison....

Fri, 11 Feb 2011 22:52:48 UTC

Friday Squid Blogging: Squid Pheromone

Posted By Bruce Schneier

A newly discovered female squid pheromone sparks aggression in male squids. Article....

Fri, 11 Feb 2011 18:48:54 UTC

Julian Sanchez on Balancing Privacy and Security

Posted By Bruce Schneier

From a blog post: In my own area of study, the familiar trope of "balancing privacy and security" is a source of constant frustration to privacy advocates, because while there are clearly sometimes tradeoffs between the two, it often seems that the zero-sum rhetoric of "balancing" leads people to view them as always in conflict. This is, I suspect, the...

Fri, 11 Feb 2011 13:05:19 UTC

How Feed-Over-Email Circumvents Chinese Censorship

Posted By Bruce Schneier

Neat article, both the technology and the hacker who created it....

Thu, 10 Feb 2011 12:42:18 UTC

Hacking Scratch Lottery Tickets

Posted By Bruce Schneier

Design failure means you can pick winning tickets before scratching the coatings off. Most interesting is that there's statistical evidence that this sort of attack has been occurring in the wild: not necessarily this particular attack, but some way to separate winners from losers without voiding the tickets. Since this article was published in Wired, another technique of hacking scratch...

Wed, 09 Feb 2011 17:39:01 UTC

Bomb-Sniffing Mice

Posted By Bruce Schneier

I was interviewed for this story on a mouse-powered explosives detector. Animal senses are better than any detection machine current technology can build, which makes it a good idea. But the challenges of using animals in this sort of situation are considerable. The neat thing about the technology profiled in the article, which the article didn't make as clear as...

Tue, 08 Feb 2011 11:46:46 UTC

Micromorts

Posted By Bruce Schneier

I'd never heard the term "micromort" before. It's a probability: a one-in-a-million probability of death. For example, one-micromort activities are "travelling 230 miles (370 km) by car (accident)," and "living 2 days in New York or Boston (air pollution)." I don't know if that data is accurate; it's from the Wikipedia entry. In any case, I think it's a useful...

Mon, 07 Feb 2011 14:45:31 UTC

Scareware: How Crime Pays

Posted By Bruce Schneier

Scareware is fraudulent software that uses deceptive advertising to trick users into believing they're infected with some variety of malware, then convinces them to pay money to protect themselves. The infection isn't real, and the software they buy is fake, too. It's all a scam. Here's one scareware operator who sold "more than 1 million software products" at "$39.95 or...

Fri, 04 Feb 2011 22:33:16 UTC

Friday Squid Blogging: Reducing Squid Odor

Posted By Bruce Schneier

Research from Japan: "Improvement of 'kurozukuri ika-shiokara' (fermented squid meat with ink) odor with Staphylococcus nepalensis isolated from the fish sauce mush of frigate mackerel Auxis rochei."...

Fri, 04 Feb 2011 19:35:37 UTC

UK Immigration Officer Puts Wife on the No-Fly List

Posted By Bruce Schneier

A UK immigration officer decided to get rid of his wife by putting her on the no-fly list, ensuring that she could not return to the UK from abroad. This worked for three years, until he put in for a promotion and -- during the routine background check -- someone investigated why his wife was on the no-fly list. Okay,...

Fri, 04 Feb 2011 12:00:05 UTC

Terrorist Targets of Choice

Posted By Bruce Schneier

This makes sense. Generally, militants prefer to attack soft targets where there are large groups of people, that are symbolic and recognizable around the world and that will generate maximum media attention when attacked. Some past examples include the World Trade Center in New York, the Taj Mahal Hotel in Mumbai and the London Underground. The militants' hope is that...

Thu, 03 Feb 2011 11:54:05 UTC

ATM Skimmer on Bank Door Lock

Posted By Bruce Schneier

This is a clever development in ATM skimming technology. It's a skimmer that attaches to the ATM-room door lock, not the ATM itself. Combined with a hidden camera, it's an ATM skimmer that requires no modification to the ATM....

Wed, 02 Feb 2011 20:26:22 UTC

Hacking HTTP Status Codes

Posted By Bruce Schneier

One website can learn if you're logged into other websites. When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg. There are almost certainly thousands of other sites with this issue too, but I picked a few vulnerable well known ones to get your attention. You may not care that...

Wed, 02 Feb 2011 12:42:30 UTC

Kip Hawley Comments on the Domodedovo Airport Bombing

Posted By Bruce Schneier

This is the first piece of writing I've seen from Kip Hawley since he left the TSA in 2009. It's mostly generalities and platitudes....

Tue, 01 Feb 2011 13:40:59 UTC

Me on Color-Coded Terrorist Threat Levels

Posted By Bruce Schneier

I wrote an op-ed for CNN.com on the demise of the color-coded terrorist threat level system. It's nothing I haven't said before, so I won't reprint it here. The best thing about the system was the jokes it inspired late-night comedians, and others, to make. In memoriam, people should post the funniest of those jokes here....

Mon, 31 Jan 2011 12:56:31 UTC

Jury Says it's Okay to Record the TSA

Posted By Bruce Schneier

The Seattle man who refused to show ID to the TSA and recorded the whole incident has been cleared of all charges: [The jury] returned not guilty verdicts for charges that included concealing his identity, refusing to obey a lawful order, trespassing, and disorderly conduct. Papers, Please! says the acquittal proves what TSA critics have said all along: That checkpoint...

Sat, 29 Jan 2011 13:45:49 UTC

Trojan Steals Credit Card Numbers

Posted By Bruce Schneier

It's only a proof of concept, but it's scary nonetheless. It's a Trojan for Android phones that looks for credit-card numbers, either typed or spoken, and relays them back to its controller. Software released for Android devices has to request permissions for each system function it accesses–with apps commonly requesting access to the network, phone call functionality, internal and external...

Fri, 28 Jan 2011 21:15:44 UTC

Domodedovo Airport Bombing

Posted By Bruce Schneier

I haven't written anything about the suicide bombing at Moscow's Domodedovo Airport because I didn't think there was anything to say. The bomber was outside the security checkpoint, in the area where family and friends wait for arriving passengers. From a security perspective, the bombing had nothing to do with airport security. He could have just as easily been in...

Fri, 28 Jan 2011 19:40:05 UTC

$100 to Put a Bomb on an Airplane

Posted By Bruce Schneier

An undercover TSA agent successfully bribed a JetBlue ticket agent to check a suitcase under a random passenger's name and put it on an airplane. As with a lot of these tests, I'm not that worried because it's not a reliable enough tactic to build a plot around. But untrustworthy airline personnel -- or easily bribeable airline personnel -- could be...

Fri, 28 Jan 2011 11:02:05 UTC

Whitelisting vs. Blacklisting

Posted By Bruce Schneier

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier...

Thu, 27 Jan 2011 19:11:01 UTC

Security Theater, Illustrated

Posted By Bruce Schneier

Security theater, illustrated....

Thu, 27 Jan 2011 12:22:15 UTC

U.S. Strategy to Prevent Leaks is Leaked

Posted By Bruce Schneier

As the article says, it doesn't get any more ironic than that. More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet. Me: I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between...

Wed, 26 Jan 2011 19:42:55 UTC

Security Theater in the Theater

Posted By Bruce Schneier

This is a bit surreal: Additional steps are needed to prepare Broadway theaters in New York City for a potential WMD attack or other crisis, a New York state legislature subcommittee said yesterday. [...] Broadway district personnel did not know "what to do in case of an emergency as well as the unique problems that a theater workplace poses in...

Wed, 26 Jan 2011 12:28:08 UTC

Unsecured IP Security Cameras

Posted By Bruce Schneier

It's amazing how many security cameras are on the Internet, accessible by anyone. And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone....

Tue, 25 Jan 2011 19:40:21 UTC

Bioencryption

Posted By Bruce Schneier

A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage. Another article: They have also developed a three-tier security fence to encode the data, which...

Tue, 25 Jan 2011 12:16:14 UTC

REAL-ID Implementation

Posted By Bruce Schneier

According to this study, REAL-ID has not only been cheaper to implement than the states estimated, but also helpful in reducing fraud. States are finding that implementation of the 2005 REAL ID Act is much easier and less expensive than previously thought, and is a significant factor in reducing fraud. In cases like Indiana, REAL ID has significantly improved customer...

Mon, 24 Jan 2011 19:20:39 UTC

Hacking Tamper-Evident Devices

Posted By Bruce Schneier

At the Black Hat conference last week, Jamie Schwettmann and Eric Michaud presented some great research on hacking tamper-evident seals. Jamie Schwettmann and Eric Michaud of i11 Industries went through a long list of tamper evident devices at the conference here and explained, step-by-step, how each seal can be circumvented with common items, such as various solvents, hypodermic needles, razors,...

Mon, 24 Jan 2011 12:15:09 UTC

Brute-Force Safecracking

Posted By Bruce Schneier

This safecracking robot tries every possible combination, one after another: Combination space optimization is the key. By exploiting the mechanical tolerances of the lock and certain combination "forbidden zones", we reduced the number of possible combinations by about an order of magnitude. Opening the safe took "just a few hours." Along the same lines, here's a Lego robot that...

Fri, 21 Jan 2011 20:36:56 UTC

Blowfish in Good Time Max

Posted By Bruce Schneier

This screen shot is from the movie "Good Time Max." 17 minutes and 52 seconds into the movie, it shows Blowfish being used as an encryption algorithm....

Fri, 21 Jan 2011 17:59:23 UTC

Cyberwar is Overhyped

Posted By Bruce Schneier

A new report from the OECD says the threat of cyberwar has been grossly exaggerated. (Hey, that's what I said.) There are lots of news articles. Also worth reading is this article on cyberwar hype and how it isn't serving our national interests, with some good policy guidelines....

Fri, 21 Jan 2011 11:31:04 UTC

The Legality of the Certificate Authority Trust Model

Posted By Bruce Schneier

Interesting research: We looked at the standard legal documents issued by the certificate authorities or "CAs," including exemplar Subscriber Agreements (agreements between CAs and website operators); "Certification Practice Statements" (statements by CAs outlining their business practices); and Relying Party Agreements (purported agreements between CAs and "relying parties," such as end-users). What we found was surprising: "Relying Party Agreements" purport to...

Thu, 20 Jan 2011 19:39:58 UTC

Cost-Benefit Analysis of Full-Body Scanners

Posted By Bruce Schneier

Research paper from Mark Stewart and John Mueller: The Transportation Security Administration (TSA) has been deploying Advanced Imaging Technologies (AIT) that are full-body scanners to inspect a passenger's body for concealed weapons, explosives, and other prohibited items. The terrorist threat that AITs are primarily dedicated to is preventing the downing of a commercial airliner by an IED (Improvised Explosive Device)...

Thu, 20 Jan 2011 12:44:34 UTC

Do Corporations Have a Right to Privacy?

Posted By Bruce Schneier

This week, the U.S. Supreme Court will hear arguments about whether or not corporations have the same rights to "personal privacy" that individuals do. This is a good analysis of the case. I signed on to a "friend of the court" brief put together by EPIC, arguing that they do not. More background here. And an editorial from The Washington...

Wed, 19 Jan 2011 13:02:40 UTC

Odd Art Forger

Posted By Bruce Schneier

He's not in it for the money: Mr. Landis...has been one of the most prolific forgers American museums have encountered in years, writing, calling and presenting himself at their doors, where he tells well-concocted stories about his family's collection and donates small, expertly faked works, sometimes in honor of nonexistent relatives. Unlike most forgers, he does not seem to be...

Tue, 18 Jan 2011 12:29:06 UTC

Movie-Plot Threats at the U.S. Capitol

Posted By Bruce Schneier

This would make a great movie: Rep. Dan Burton, R-Ind., renewed his call for the installation of an impenetrable, see-through security shield around the viewing gallery overlooking the House floor. Burton points out that, while guns and some bombs would be picked up by metal detectors, a saboteur could get into the Capitol concealing plastic explosives. The House floor, he...

Mon, 17 Jan 2011 18:31:04 UTC

More Stuxnet News

Posted By Bruce Schneier

This long New York Times article includes some interesting revelations. The article claims that Stuxnet was a joint Israeli-American project, and that its effectiveness was tested on live equipment: "Behind Dimona's barbed wire, the experts say, Israel has spun nuclear centrifuges virtually identical to Iran's at Natanz, where Iranian scientists are struggling to enrich uranium." The worm itself now appears...

Mon, 17 Jan 2011 11:47:56 UTC

New Revelations in the Mahmoud al-Mabhouh Assassination

Posted By Bruce Schneier

I wrote a lot last year about the assassination of Mahmoud al-Mabhouh in Dubai. There's a new article by an Israeli investigative journalist that tells the story we already knew, and adds a bunch of interesting details. Well worth reading....

Fri, 14 Jan 2011 22:27:42 UTC

Friday Squid Blogging: Deep-Sea Squid Video

Posted By Bruce Schneier

"Anthology of Deep-Sea Squids," from the Monterey Bay Aquarium....

Fri, 14 Jan 2011 20:11:07 UTC

Me on Airport Security

Posted By Bruce Schneier

Last week, I spoke at an airport security conference hosted by EPIC: The Stripping of Freedom: A Careful Scan of TSA Security Procedures. Here's the video of my half-hour talk....

Fri, 14 Jan 2011 17:03:23 UTC

Loaded Gun Slips Past TSA

Posted By Bruce Schneier

I'm not really worried about mistakes like this. Sure, a gun slips through occasionally, and a knife slips through even more often. (I'm sure the TSA doesn't catch 100% of all bombs in tests, either.) But these items are caught by the TSA often enough, and when the TSA does catch someone, they're going to call the police and totally...

Fri, 14 Jan 2011 13:07:26 UTC

Surviving a Terrorist's Nuclear Attack

Posted By Bruce Schneier

Interesting reading, mostly for the probable effects of a terrorist-sized nuclear bomb. A terrorist bomb is likely to be relatively small -- possibly only a fraction of the Hiroshima bomb's explosive power -- and likely exploded at ground level. This means that the area totally destroyed by the explosion is likely to be much smaller than the area exposed to...

Thu, 13 Jan 2011 18:54:53 UTC

Stealing SIM Cards from Traffic Lights

Posted By Bruce Schneier

Johannesburg installed hundreds of networked traffic lights on its streets. The lights use a cellular modem and a SIM card to communicate. Those lights introduced a security risk I'll bet no one gave a moment's thought to: that criminals might steal the SIM cards from the traffic lights and use them to make free phone calls. But that's exactly what...

Thu, 13 Jan 2011 14:00:12 UTC

The Security Threat of Forged Law-Enforcement Credentials

Posted By Bruce Schneier

Here's a U.S. Army threat assessment of forged law-enforcement credentials. The authors bought a bunch of fake badges: Between November 2009 and March 2010, undercover investigators were able to purchase nearly perfect counterfeit badges for all of the Department of Defense's military criminal investigative organizations to include the Army Criminal Investigation Command (Army CID), Naval Criminal Investigative Service (NCIS), Air...

Wed, 12 Jan 2011 12:59:19 UTC

Attacking High-Frequency Trading Networks

Posted By Bruce Schneier

Turns out you can make money by manipulating the network latency. cPacket has developed a proof of concept showing that these side-channel attacks can be used to create tiny delays in the transmission of market data and trades. By manipulating specific trading activities by several microseconds, an attacker could gain unfair trading advantage. And because the operation occurs outside the...

Tue, 11 Jan 2011 13:47:25 UTC

"Homeland Security Hasn't Made Us Safer"

Posted By Bruce Schneier

This will be nothing new to readers of this blog, but it's nice to read other people saying it too....

Mon, 10 Jan 2011 13:04:51 UTC

James Fallows on Political Shootings

Posted By Bruce Schneier

Interesting: So the train of logic is: anything that can be called an "assassination" is inherently political; very often the "politics" are obscure, personal, or reflecting mental disorders rather than "normal" political disagreements. But now a further step, the political tone of an era can have some bearing on violent events. The Jonestown/Ryan and Fromme/Ford shootings had no detectable source...

Fri, 07 Jan 2011 22:08:13 UTC

Friday Squid Blogging: Biggest Squid Ever

Posted By Bruce Schneier

It's an oil field: Brazil's state-run Petrobras confirmed Wednesday that oil fields recently discovered offshore contained 8.3 billion barrels of recoverable crude and gas -- and said the biggest field was being renamed "Lula." That nomenclature happens to be the nickname of President Luiz Inacio Lula da Silva, who steps down on Saturday after overseeing eight years of prosperity in...

Fri, 07 Jan 2011 12:30:54 UTC

The Social Dynamics of Terror

Posted By Bruce Schneier

Good essay: Nineteenth-century anarchists promoted what they called the "propaganda of the deed," that is, the use of violence as a symbolic action to make a larger point, such as inspiring the masses to undertake revolutionary action. In the late 1960s and early 1970s, modern terrorist organizations began to conduct operations designed to serve as terrorist theater, an undertaking greatly...

Thu, 06 Jan 2011 19:13:34 UTC

SMS of Death

Posted By Bruce Schneier

This will be hard to fix: Using only Short Message Service (SMS) communications -- messages that can be sent between mobile phones -- a pair of security researchers were able to force low-end phones to shut down abruptly and knock them off a cellular network. As well as text messages, the SMS protocol can be used to transmit small programs, called "binaries," that run...

Thu, 06 Jan 2011 11:52:23 UTC

Sony PS3 Security Broken

Posted By Bruce Schneier

Sony used an ECDSA signature scheme to protect the PS3. Trouble is, they didn't pay sufficient attention to their random number generator....

Wed, 05 Jan 2011 12:20:05 UTC

Eavesdropping on GSM Calls

Posted By Bruce Schneier

It's easy and cheap: Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network "sniffers," a laptop computer, and a variety of open source software. The encryption is lousy: Several of the individual...

Tue, 04 Jan 2011 15:34:58 UTC

Guard Towers at WalMart

Posted By Bruce Schneier

This feels very creepy and police-state-like. What on earth could WalMart be worried about?...

Mon, 03 Jan 2011 15:07:27 UTC

Polar Bears Destroying Hidden Cameras

Posted By Bruce Schneier

Watch the video. What valuable security lessons does this teach? EDITED TO ADD (1/3): And why aren't the polar bears destroying the hidden cameras that are filming the polar bears destroying the hidden cameras?...

Fri, 31 Dec 2010 22:08:41 UTC

Friday Squid Blogging: Research into Squid Skin

Posted By Bruce Schneier

DoD awarded a $6M grant to study squid skin: "Our internal nickname for this project is 'squid skin,' but it is really about fundamental research," said Naomi Halas, a nano-optics pioneer at Rice and the principal investigator on the four-year grant. "Our deliverable is knowledge -- the basic discoveries that will allow us to make materials that are observant, adaptive...

Fri, 31 Dec 2010 12:14:21 UTC

Tor Routers

Posted By Bruce Schneier

Home routers that automatically run Tor....

Thu, 30 Dec 2010 12:55:10 UTC

Civil War Message Decoded

Posted By Bruce Schneier

Interesting....

Wed, 29 Dec 2010 17:09:45 UTC

TSA Inspecting Thermoses

Posted By Bruce Schneier

This is new: Adm. James Winnefeld told The Associated Press Friday that the Transportation Security Administration is "always trying to think ahead." Winnefeld is the head of the U.S. Northern Command, which is charged with protecting the homeland. TSA officials had said Thursday that in coming days, passengers flying within and to the U.S. may notice additional security measures related...

Tue, 28 Dec 2010 18:52:53 UTC

Terrorism Reading List

Posted By Bruce Schneier

Interesting interview, discussing five books (none of which I've read, by the way)....

Mon, 27 Dec 2010 19:04:19 UTC

An Honest Privacy Policy

Posted By Bruce Schneier

Funny: The data we collect is strictly anonymous, unless you've been kind enough to give us your name, email address, or other identifying information. And even if you have been that kind, we promise we won't sell that information to anyone else, unless of course our impossibly obtuse privacy policy says otherwise and/or we change our minds tomorrow. There's a...

Mon, 27 Dec 2010 12:12:29 UTC

This Suspicious Photography Stuff Is Confusing

Posted By Bruce Schneier

See: Last week, Metro Transit Police received a report from a rider about suspicious behavior at the L'Enfant Plaza station and on an Orange Line train to Vienna. The rider told Metro he saw two men acting suspiciously and videotaping platforms, trains and riders. "The men, according to the citizen report, were trying to be inconspicuous, holding the cameras at...

Sat, 25 Dec 2010 12:51:25 UTC

Garfield Comic

Posted By Bruce Schneier

Merry Christmas....

Fri, 24 Dec 2010 22:50:51 UTC

Friday Squid Blogging: Great Flying Squid Photo

Posted By Bruce Schneier

Great photo....

Fri, 24 Dec 2010 22:29:44 UTC

Friday Squid Blogging: Squid Nativity

Posted By Bruce Schneier

Merry Christmas....

Fri, 24 Dec 2010 19:14:25 UTC

PlugBot

Posted By Bruce Schneier

Interesting: PlugBot is a hardware bot. It's a covert penetration testing device designed for use during physical penetration tests. PlugBot is a tiny computer that looks like a power adapter; this small size allows it to go physically undetected all the while powerful enough to scan, collect and deliver test results externally. How do you use it? Gain access to...

Fri, 24 Dec 2010 11:39:59 UTC

Cyberwar Movie Plot from an Actual Thriller Writer

Posted By Bruce Schneier

It could make a good movie....

Thu, 23 Dec 2010 11:59:55 UTC

Interview with the European Union Privacy Chief

Posted By Bruce Schneier

Interesting interview with Viviane Reding, the vice president of the EU Justice Commission and head of privacy regulation: The basic values in Europe are that we have the right to our own private, personal data. It's mine. And if one agrees to give that data, then it is available. That is known as opt-in consent and we've had that as law...

Wed, 22 Dec 2010 13:15:23 UTC

Adam Shostack on TSA Threat Modeling

Posted By Bruce Schneier

Good commentary: I've said before and I'll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I've commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions....

Tue, 21 Dec 2010 19:39:09 UTC

Recording the Police

Posted By Bruce Schneier

I've written a lot on the "War on Photography," where normal people are harassed as potential terrorists for taking pictures of things in public. This article is different; it's about recording the police: Allison's predicament is an extreme example of a growing and disturbing trend. As citizens increase their scrutiny of law enforcement officials through technologies such as cell phones,...

Tue, 21 Dec 2010 13:23:24 UTC

Book Review: Cyber War

Posted By Bruce Schneier

Cyber War: The Next Threat to National Security and What to do About It by Richard Clarke and Robert Knake, HarperCollins, 2010. Cyber War is a fast and enjoyable read. This means you could give the book to your non-techy friends, and they'd understand most of it, enjoy all of it, and learn a lot from it. Unfortunately, while there's...

Mon, 20 Dec 2010 17:48:52 UTC

Computational Forensics

Posted By Bruce Schneier

Interesting article from IEEE Spectrum: During two years of deliberation by the National Academy's forensic science committee (of which I was a member), a troubling picture emerged. A large part of current forensics practice is skill and art rather than science, and the influences present in a typical law-enforcement setting are not conducive to doing the best science. Also, many...

Mon, 20 Dec 2010 11:55:53 UTC

"Architecture of Fear"

Posted By Bruce Schneier

I like the phrase: Németh said the zones not only affect the appearance of landmark buildings but also reflect an 'architecture of fear' as evidenced, for example, by the bunker-like appearance of embassies and other perceived targets. Ultimately, he said, these places impart a dual message -- simultaneously reassuring the public while causing a sense of unease. And in the...

Fri, 17 Dec 2010 22:48:14 UTC

Friday Squid Blogging: Prosthetic Tentacle

Posted By Bruce Schneier

Impressive: Designed for a class project while getting her degree at the Industrial Design Department at the University of Washington, Kaylene Kau has not only exploded perceptions of how prosthetic arms should look, but sent an entire subset of Japanese Hentai fans to their feet, cheering her on. If that's not worth an employer's attention, I don't know what is....

Fri, 17 Dec 2010 20:13:59 UTC

Hiding PETN from Full-Body Scanners

Posted By Bruce Schneier

From the Journal of Transportation Security, "An evaluation of airport x-ray backscatter units based on image characteristics," by Leon Kaufman and Joseph W. Carlson: Abstract: Little information exists on the performance of x-ray backscatter machines now being deployed through UK, US and other airports. We implement a Monte Carlo simulation using as input what is known about the x-ray spectra...

Fri, 17 Dec 2010 16:49:07 UTC

Did the FBI Plant Backdoors in OpenBSD?

Posted By Bruce Schneier

It has been accused of it. I doubt this is true. One, it's a very risky thing to do. And two, there are more than enough exploitable security vulnerabilities in a piece of code that large. Finding and exploiting them is a much better strategy than planting them. But maybe someone at the FBI is that dumb. Further information is...

Fri, 17 Dec 2010 12:28:05 UTC

Fake Amazon Receipt Generators

Posted By Bruce Schneier

They can be used to scam Amazon Marketplace merchants: What happens once our scammer is armed with his fake receipt? Well, many sellers on Amazon will ask you to send them a copy of your receipt should you run into trouble, have orders go missing, lose your license key for a piece of software and so on. The gag here...

Thu, 16 Dec 2010 12:27:09 UTC

Security in 2020

Posted By Bruce Schneier

There's really no such thing as security in the abstract. Security can only be defined in relation to something else. You're secure from something or against something. In the next 10 years, the traditional definition of IT security -- that it protects you from hackers, criminals, and other bad guys -- will undergo a radical shift. Instead of protecting you from the bad guys,...

Wed, 15 Dec 2010 12:14:19 UTC

Open Source Digital Forensics

Posted By Bruce Schneier

A good resource....

Tue, 14 Dec 2010 19:12:10 UTC

Realistic Masks

Posted By Bruce Schneier

They're causing problems: A white bank robber in Ohio recently used a "hyper-realistic" mask manufactured by a small Van Nuys company to disguise himself as a black man, prompting police there to mistakenly arrest an African American man for the crimes. In October, a 20-year-old Chinese man who wanted asylum in Canada used one of the same company's masks to...

Tue, 14 Dec 2010 11:35:04 UTC

Evan Kohlmann

Posted By Bruce Schneier

Interesting profile of Evan Kohlmann: Evan Kohlmann spends his days lurking in the darkest corners of the Internet, where jihadists recruit sympathizers from across the globe. He has testified in over two dozen terrorism trials -- and sees danger everywhere he looks. Is he prescient or naïve?...

Mon, 13 Dec 2010 20:02:47 UTC

Proprietary Encryption in Car Immobilizers Cracked

Posted By Bruce Schneier

This shouldn't be a surprise: Karsten Nohl's assessment of dozens of car makes and models found weaknesses in the way immobilisers are integrated with the rest of the car's electronics. The immobiliser unit should be connected securely to the vehicle's electronic engine control unit, using the car's internal data network. But these networks often use weaker encryption than the immobiliser...

Mon, 13 Dec 2010 20:01:29 UTC

Sometimes CCTV Cameras Work

Posted By Bruce Schneier

Sex attack caught on camera. Hamilton police have arrested two men after a sex attack on a woman early today was caught on the city's closed circuit television (CCTV) cameras. CCTV operators contacted police when they became concerned about the safety of a woman outside an apartment block near the intersection of Victoria and Collingwood streets about 5am today. Remember,...

Mon, 13 Dec 2010 12:42:21 UTC

CRB Check Backlash

Posted By Bruce Schneier

Against stupid CRB checks: Last January, Annabel Hayter, chairwoman of Gloucester Cathedral Flower Guild, received an email saying that she and her 60 fellow flower arrangers would have to undergo a CRB check. CRB stands for Criminal Records Bureau, and a CRB check is a time-consuming, sometimes expensive, pretty much always pointless vetting procedure that you must go through if...

Sun, 12 Dec 2010 18:27:06 UTC

Interview with TSA Administrator John Pistole

Posted By Bruce Schneier

He's more realistic than one normally hears: So if they get through all those defenses, they get to Reagan [National Airport] over here, and they've got an underwear bomb, they got a body cavity bomb -- what's reasonable to expect TSA to do? Hopefully our behavior detection people will see somebody sweating, or they're dancing on their shoes or something,...

Fri, 10 Dec 2010 22:24:35 UTC

Friday Squid Blogging: Glowing Squid

Posted By Bruce Schneier

Recent research. And an older video....

Fri, 10 Dec 2010 20:11:59 UTC

New TSA Security Test

Posted By Bruce Schneier

I experienced a new TSA security check at Phoenix Airport last Thursday. The agent took my over-three-ounce bottle of saline, put a drop of it on a white cardboard strip, and then put a drop of another liquid on top of that. Nothing changed color, and she let me go. Anyone know what the test is, and what it's testing...

Fri, 10 Dec 2010 18:04:18 UTC

NIST Announces SHA-3 Finalists (Skein is One of Them)

Posted By Bruce Schneier

Yesterday, NIST announced the five hash functions to advance to the third (and final) round in the SHA-3 selection process: BLAKE, Grøstl, JH, Keccak, and Skein. Not really a surprise; my predictions -- which I did not publish -- listed ECHO instead of JH, but correctly identified the other four. (Most of the predictions I saw guessed BLAKE, Grøstl, Keccak,...

Fri, 10 Dec 2010 12:22:59 UTC

Alternate Scanning Technologies

Posted By Bruce Schneier

Iscon uses infrared light rather than X-rays. I have no idea how well it works. And Rapiscan has a new patent: Abstract: The present invention is directed towards an X-ray people screening system capable of rapidly screening people for detection of metals, low Z materials (plastics, ceramics and illicit drugs) and other contraband which might be concealed beneath the person's...

Thu, 09 Dec 2010 18:22:19 UTC

Department of Homeland Security Getting a Little too 1984ish

Posted By Bruce Schneier

A DHS video message, reminding people to look out for and report suspicious activity, will be displayed at WalMart stores around the country....

Thu, 09 Dec 2010 11:50:10 UTC

WikiLeaks

Posted By Bruce Schneier

I don't have a lot to say about WikiLeaks, but I do want to make a few points. 1. Encryption isn't the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and -- so it seems -- put into an archive on SIPRNet, where lots of people had access to them. 2. Secrets...

Wed, 08 Dec 2010 20:27:21 UTC

Never Let the Terrorists Know How We're Storing Road Salt

Posted By Bruce Schneier

This seems not to be a joke: The American Civil Liberties Union has filed a lawsuit against the state after it refused to release the construction plans for a barn used to store road salt, on the basis that doing so would be a security risk. [...] Chiaffarano filed an OPRA request for the state's building plans, but was denied...

Wed, 08 Dec 2010 13:10:20 UTC

Sane Comments on Terrorism

Posted By Bruce Schneier

From Michael Leiter, the director of the National Counterterrorism Center: Ultimately, Leiter said, it'll be the "quiet, confident resilience" of Americans after a terrorist attack that will "illustrate ultimately the futility of terrorism." That doesn't mean not to hit back: Leiter quickly added that "we will hold those accountable [and] we will be ready to respond to those attacks." But...

Tue, 07 Dec 2010 12:43:58 UTC

Profiling Lone Terrorists

Posted By Bruce Schneier

Masters Thesis from the Naval Postgraduate School: "Patterns of Radicalization: Identifying the Markers and Warning Signs of Domestic Lone Wolf Terrorists in Our Midst." Abstract: This thesis will scrutinize the histories of our nation's three most prolific domestic lone wolf terrorists: Tim McVeigh, Ted Kaczynski, and Eric Rudolph. It will establish a chronological pattern to their radicalization and reveal that...

Mon, 06 Dec 2010 19:52:50 UTC

FTC Privacy Report

Posted By Bruce Schneier

The U.S. Federal Trade Commission released its privacy report: "Protecting Consumer Privacy in an Era of Rapid Change." From the press release: One method of simplified choice the FTC staff recommends is a "Do Not Track" mechanism governing the collection of information about consumer's Internet activity to deliver targeted advertisements and for other purposes. Consumers and industry both support increased...

Mon, 06 Dec 2010 12:42:06 UTC

Cyberwar and the Future of Cyber Conflict

Posted By Bruce Schneier

The world is gearing up for cyberwar. The U.S. Cyber Command became operational in November. NATO has enshrined cyber security among its new strategic priorities. The head of Britain's armed forces said recently that boosting cyber capability is now a huge priority for the UK. And we know China is already engaged in broad cyber espionage attacks against the west....

Fri, 03 Dec 2010 22:25:26 UTC

Friday Squid Blogging: New Species of Squid Discovered

Posted By Bruce Schneier

New species of squid discovered in the Southern Indian Ocean....

Fri, 03 Dec 2010 18:41:56 UTC

Football Match Fixing

Posted By Bruce Schneier

Detecting fixed football (soccer) games. There is a certain buzz of expectation, because Oscar, one of the fraud analysts, has spotted a game he is sure has been fixed. "We've been watching this for a couple of weeks now," he says. "The odds have gone to a very suspicious level. We believe that this game will finish in an away...

Fri, 03 Dec 2010 12:20:23 UTC

Full Body Scanners: What's Next?

Posted By Bruce Schneier

Organizers of National Opt Out Day -- the Wednesday before Thanksgiving, when air travelers were urged to opt out of the full-body scanners at security checkpoints and instead submit to full-body patdowns -- were outfoxed by the TSA. The government pre-empted the protest by turning off the machines in most airports during the Thanksgiving weekend. Everyone went through the metal...

Thu, 02 Dec 2010 16:41:33 UTC

Close the Washington Monument

Posted By Bruce Schneier

Securing the Washington Monument from terrorism has turned out to be a surprisingly difficult job. The concrete fence around the building protects it from attacking vehicles, but there's no visually appealing way to house the airport-level security mechanisms the National Park Service has decided are a must for visitors. It is considering several options, but I think we should close...

Thu, 02 Dec 2010 13:06:16 UTC

Brian Snow Sows Cyber Fears

Posted By Bruce Schneier

That's no less sensational than the Calgary Herald headline: "Total cyber-meltdown almost inevitable, expert tells Calgary audience." That's former NSA Technical Director Brian Snow talking to a university audience. "It's long weeks to short months at best before there's a security meltdown," said Snow, as a guest lecturer for the Institute for Security, Privacy and Information Assurance, an interdisciplinary group...

Wed, 01 Dec 2010 19:27:52 UTC

Risk Reduction Strategies on Social Networking Sites

Posted By Bruce Schneier

By two teenagers: Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn't delete the account -- that's the point. She knows that when she logs back in, she'll be able to reactivate the account and have all of her friend connections back. But when she's not logged in, no...

Wed, 01 Dec 2010 11:55:53 UTC

Software Monoculture

Posted By Bruce Schneier

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would...

Tue, 30 Nov 2010 18:09:42 UTC

The Constitutionality of Full-Body Scanners

Posted By Bruce Schneier

Jeffrey Rosen opines: Although the Supreme Court hasn't evaluated airport screening technology, lower courts have emphasized, as the U.S. Court of Appeals for the 9th Circuit ruled in 2007, that "a particular airport security screening search is constitutionally reasonable provided that it 'is no more extensive nor intensive than necessary, in the light of current technology, to detect the presence...

Tue, 30 Nov 2010 11:54:49 UTC

Mohamed Osman Mohamud

Posted By Bruce Schneier

I agree with Glenn Greenwald. I don't know if it's an actual terrorist that the FBI arrested, or if it's another case of entrapment. All of the information about this episode -- all of it -- comes exclusively from an FBI affidavit filed in connection with a Criminal Complaint against Mohamud. As shocking and upsetting as this may be to...

Mon, 29 Nov 2010 18:32:46 UTC

Zoo Security

Posted By Bruce Schneier

From a study on zoo security: Among other measures, the scientists recommend not allowing animals to walk freely within the zoo grounds, and ensuring there is a physical barrier marking the zoo boundaries, and preventing individuals from escaping through drains, sewers or any other channels. Isn't all that sort of obvious?...

Mon, 29 Nov 2010 12:52:36 UTC

Causing Terror on the Cheap

Posted By Bruce Schneier

Total cost for the Yemeni printer cartridge bomb plot: $4200. "Two Nokia mobiles, $150 each, two HP printers, $300 each, plus shipping, transportation and other miscellaneous expenses add up to a total bill of $4,200. That is all what Operation Hemorrhage cost us," the magazine said. Even if you add in costs for training, recruiting, logistics, and everything else, that's...

Fri, 26 Nov 2010 22:58:17 UTC

Friday Squid Blogging: Studying Squid Hearing

Posted By Bruce Schneier

At Woods Hole: It is known now, through the work of Mooney and others, that the squid hearing system has some similarities and some differences compared to human hearing. Squid have a pair of organs called statocysts, balance mechanisms at the base of the brain that contain a tiny grain of calcium, which maintains its position as the animal maneuvers...

Fri, 26 Nov 2010 19:52:38 UTC

Psychopaths and Security

Posted By Bruce Schneier

I have been thinking a lot about security against psychopaths. Or, at least, how we have traditionally secured social systems against these sorts of people, and how we can secure our socio-technical systems against them. I don't know if I have any conclusions yet, only a short reading list....

Fri, 26 Nov 2010 11:51:06 UTC

The Withdrawal of the A5/2 Encryption Algorithm

Posted By Bruce Schneier

Interesting story of the withdrawal of the A5/2 encryption algorithm from GSM phones....

Thu, 25 Nov 2010 12:39:34 UTC

The DHS is Getting Rid of the Color-Coded Terrorism Alert System

Posted By Bruce Schneier

Good. It was always a dumb idea: The color-coded threat levels were doomed to fail because "they don't tell people what they can do -- they just make people afraid," said Bruce Schneier, an author on security issues. He said the system was "a relic of our panic after 9/11" that "never served any security purpose." I wrote this in...

Wed, 24 Nov 2010 19:33:19 UTC

New ATM Skimming Attack

Posted By Bruce Schneier

In Europe, although the article doesn't say where: Many banks have fitted ATMs with devices that are designed to thwart criminals from attaching skimmers to the machines. But it now appears in some areas that those devices are being successfully removed and then modified for skimming, according to the latest report from the European ATM Security Team (EAST), which collects...

Wed, 24 Nov 2010 13:21:32 UTC

David Kahn Donates his Cryptography Collection to the National Cryptologic Museum

Posted By Bruce Schneier

Good for him. I think that's where my collection will be going, too....

Tue, 23 Nov 2010 19:08:59 UTC

Spoofing Geolocation

Posted By Bruce Schneier

How to spoof your location on Facebook with your BlackBerry....

Tue, 23 Nov 2010 12:11:52 UTC

Me on Airport Security

Posted By Bruce Schneier

Yesterday I participated in a New York Times "Room for Debate" discussion on airline security. My contribution is nothing I haven't said before, so I won't reprint it here. The other participants are worth reading too. I also did an interview in -- of all places -- Popular Mechanics....

Mon, 22 Nov 2010 19:08:24 UTC

Defeating al Qaeda

Posted By Bruce Schneier

Rare common sense: But Gen Richards told the BBC it was not possible to defeat the Taliban or al-Qaeda militarily. "You can't. We've all said this. David Petraeus has said it, I've said it. "The trick is the balance of things that you're doing and I say that the military are just about, you know, there. "The biggest problem's been...

Mon, 22 Nov 2010 12:19:02 UTC

Stuxnet News

Posted By Bruce Schneier

Another piece of the puzzle: New research, published late last week, has established that Stuxnet searches for frequency converter drives made by Fararo Paya of Iran and Vacon of Finland. In addition, Stuxnet is only interested in frequency converter drives that operate at very high speeds, between 807 Hz and 1210 Hz. The malware is designed to change the output...

Fri, 19 Nov 2010 22:19:05 UTC

Friday Squid Blogging: Flying Squid

Posted By Bruce Schneier

Photographic evidence from Jamaica....

Fri, 19 Nov 2010 19:13:34 UTC

Me on Cyberwar

Posted By Bruce Schneier

Last week, I gave a talk on cyberwar and cyberconflict at the Institute for International and European Affairs in Dublin. Here's the video. It was only the second time I've given the talk. About three quarters in, I noticed that I didn't have my fourth and final page of notes. So if the ending feels a bit scattered, that's why....

Fri, 19 Nov 2010 11:37:44 UTC

TSA Backscatter X-ray Backlash

Posted By Bruce Schneier

Things are happening so fast that I don't know if I should bother. But here are some links and observations. The head of the Allied Pilots Association is telling its members to avoid both the full body scanners and the patdowns. This first-hand report, from a man who refused to fly rather than subject himself to a full-body scan or...

Thu, 18 Nov 2010 18:19:09 UTC

Airplane Terrorism Twenty Years Ago

Posted By Bruce Schneier

Excellent: Here's a scenario: Middle Eastern terrorists hijack a U.S. jetliner bound for Italy. A two-week drama ensues in which the plane's occupants are split into groups and held hostage in secret locations in Lebanon and Syria. While this drama is unfolding, another group of terrorists detonates a bomb in the luggage hold of a 747 over the North Atlantic,...

Thu, 18 Nov 2010 12:13:53 UTC

Unsolicited Terrorism Tips to the U.S. Government

Posted By Bruce Schneier

Adding them all up, the U.S. government "receives between 8,000 and 10,000 pieces of information per day, fingering just as many different people as potential threats. They also get information about 40 supposed plots against the United States or its allies daily." All of this means that first-time suspects and isolated pieces of information are less likely to be exhaustively...

Wed, 17 Nov 2010 13:13:25 UTC

New Biometric

Posted By Bruce Schneier

Eye movements instead of eye structures. The new system tracks the way a person's eye moves as he watches an icon roam around a computer screen. The way the icon moves can be different every time, but the user's eye movements include "kinetic features" -- slight variations in trajectory -- that are unique, making it possible to identify him....

Tue, 16 Nov 2010 19:22:52 UTC

Security Haiku

Posted By Bruce Schneier

These could surely be better. Anyone?...

Tue, 16 Nov 2010 12:36:44 UTC

Term Paper Writing for Hire

Posted By Bruce Schneier

This recent essay (commentary here) reminded me of this older essay, both by people who write student term papers for hire. There are several services that do automatic plagiarism detection -- basically, comparing phrases from the paper with general writings on the Internet and even caches of previously written papers -- but detecting this kind of custom plagiarism work is...

Mon, 15 Nov 2010 10:55:22 UTC

Internet Quarantines

Posted By Bruce Schneier

Last month, Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update...

Fri, 12 Nov 2010 22:23:17 UTC

Friday Squid Blogging: Tentacle Pot Pie

Posted By Bruce Schneier

Nice....

Fri, 12 Nov 2010 18:49:38 UTC

Albert Gonzalez

Posted By Bruce Schneier

Long article on convicted hacker Albert Gonzalez from The New York Times Magazine....

Fri, 12 Nov 2010 12:28:41 UTC

Camouflaging Test Cars

Posted By Bruce Schneier

Interesting: In an effort to shield their still-secret products from prying eyes, automakers testing prototype models, often in the desert and at other remote locales, have long covered the grilles and headlamps with rubber, vinyl and tape -- the perfunctory equivalent of masks and hats. Now the old materials are being replaced or supplemented with patterned wrappings applied like wallpaper....

Thu, 11 Nov 2010 18:45:55 UTC

Bulletproof Service Providers

Posted By Bruce Schneier

From Brian Krebs: Hacked and malicious sites designed to steal data from unsuspecting users via malware and phishing are a dime a dozen, often located in the United States, and are a key target for takedown by ISPs and security researchers. But when online miscreants seek stability in their Web projects, they often turn to so-called "bulletproof hosting" providers, mini-ISPs...

Thu, 11 Nov 2010 12:45:17 UTC

Changing Passwords

Posted By Bruce Schneier

How often should you change your password? I get asked that question a lot, usually by people annoyed at their employer's or bank's password expiration policy: people who finally memorized their current password and are realizing they'll have to write down their new password. How could that possibly be more secure, they want to know. The answer depends on what...

Wed, 10 Nov 2010 19:41:57 UTC

Removing Belts at Airport Security

Posted By Bruce Schneier

The TSA is making us remove our belts even when we don't have to. European airports have made us remove our belts for years. My normal tactic is to pull my shirt tails out of my pants and over my belt. Then I flash my waist and tell them I'm not wearing a belt. It doesn't set off the metal...

Wed, 10 Nov 2010 13:09:31 UTC

Securing the Washington Monument

Posted By Bruce Schneier

Good article on security options for the Washington Monument: Unfortunately, the bureaucratic gears are already grinding, and what will be presented to the public Monday doesn't include important options, including what became known as the "tunnel" in previous discussions of the issue. Nor does it include the choice of more minimal visitor screening -- simple wanding or visual bag inspection...

Tue, 09 Nov 2010 18:59:11 UTC

Crowdsourcing Surveillance

Posted By Bruce Schneier

Internet Eyes is a U.K. startup designed to crowdsource digital surveillance. People pay a small fee to become a "Viewer." Once they do, they can log onto the site and view live anonymous feeds from surveillance cameras at retail stores. If they notice someone shoplifting, they can alert the store owner. Viewers get rated on their ability to differentiate real...

Tue, 09 Nov 2010 12:01:25 UTC

Kahn, Diffie, Clark, and Me at Bletchley Park

Posted By Bruce Schneier

Saturday, I visited Bletchley Park to speak at the Annual ACCU Security Fundraising Conference. They had a stellar line of speakers this year, and I was pleased to be a part of the day. Talk #1: "The Art of Forensic Warfare," Andy Clark. Riffing on Sun Tzu's The Art of War, Clark discussed the war -- the back and forth...

Mon, 08 Nov 2010 20:55:56 UTC

Young Man in "Old Man" Mask Boards Plane in Hong Kong

Posted By Bruce Schneier

It's kind of an amazing story. A young Asian man used a rubber mask to disguise himself as an old Caucasian man and, with a passport photo that matched his disguise, got through all customs and airport security checks and onto a plane to Canada. The fact that this sort of thing happens occasionally doesn't surprise me. It's human nature...

Mon, 08 Nov 2010 16:21:08 UTC

The End of In-Flight Wi-Fi?

Posted By Bruce Schneier

Okay, now the terrorists have really affected me personally: they're forcing us to turn off airplane Wi-Fi. No, it's not that the Yemeni package bombs had a Wi-Fi triggering mechanism -- they seem to have had a cell phone triggering mechanism, dubious at best -- but we can imagine an Internet-based triggering mechanism. Put together a sloppy and unsuccessful package...

Fri, 05 Nov 2010 21:39:37 UTC

Friday Squid Blogging: Squid Costume

Posted By Bruce Schneier

Just in time for Halloween....

Fri, 05 Nov 2010 11:56:53 UTC

"A Social Network Approach to Understanding an Insurgency"

Posted By Bruce Schneier

Interesting....

Thu, 04 Nov 2010 12:04:15 UTC

The Business of Botnets

Posted By Bruce Schneier

It can be lucrative: Avanesov allegedly rented and sold part of his botnet, a common business model for those who run the networks. Other cybercriminals can rent the hacked machines for a specific time for their own purposes, such as sending a spam run or mining the PCs for personal details and files, among other nefarious actions. Dutch prosecutors believe...

Wed, 03 Nov 2010 12:06:34 UTC

Did the FBI Invent the D.C. Bomb Plot?

Posted By Bruce Schneier

Last week the police arrested Farooque Ahmed for plotting a terrorist attack on the D.C. Metro system. However, it's not clear how much of the plot was his idea and how much was the idea of some paid FBI informants: The indictment offers some juicy tidbits -- Ahmed allegedly proposed using rolling suitcases instead of backpacks to bomb the Metro...

Tue, 02 Nov 2010 10:51:40 UTC

Dan Geer on "Cybersecurity and National Policy"

Posted By Bruce Schneier

Worth reading: Those with either an engineering or management background are aware that one cannot optimize everything at once -- that requirements are balanced by constraints. I am not aware of another domain where this is as true as it is in cybersecurity and the question of a policy response to cyber insecurity at the national level. In engineering, this...

Mon, 01 Nov 2010 11:02:56 UTC

Control Fraud

Posted By Bruce Schneier

I had never heard the term "control fraud" before: Control fraud theory was developed in the savings and loan debacle. It explained that the person controlling the S&L (typically the CEO) posed a unique risk because he could use it as a weapon. The theory synthesized criminology (Wheeler and Rothman 1982), economics (Akerlof 1970), accounting, law, finance, and political science....

Sun, 31 Oct 2010 15:02:29 UTC

Halloween and the Irrational Fear of Stranger Danger

Posted By Bruce Schneier

From the Wall Street Journal: Take "stranger danger," the classic Halloween horror. Even when I was a kid, back in the "Bewitched" and "Brady Bunch" costume era, parents were already worried about neighbors poisoning candy. Sure, the folks down the street might smile and wave the rest of the year, but apparently they were just biding their time before stuffing...

Sat, 30 Oct 2010 14:41:06 UTC

Cargo Security

Posted By Bruce Schneier

The New York Times writes: "Despite the increased scrutiny of people and luggage on passenger planes since 9/11, there are far fewer safeguards for packages and bundles, particularly when loaded on cargo-only planes." Well, of course. We've always known this. We've not worried about terrorism on cargo planes because it isn't very terrorizing. Packages aren't people. If a passenger plane...

Fri, 29 Oct 2010 21:17:28 UTC

Friday Squid Blogging: Dissecting a Giant Squid

Posted By Bruce Schneier

Interesting television program from UK Channel 4....

Fri, 29 Oct 2010 19:31:45 UTC

Me at TED

Posted By Bruce Schneier

Okay, it's not TED. It's one of the independent regional TED events: TEDxPSU. My talk was "Reconceptualizing Security," a condensation of the hour-long talk into 18 minutes....

Fri, 29 Oct 2010 11:48:26 UTC

The Militarization of the Internet

Posted By Bruce Schneier

Good blog post....

Thu, 28 Oct 2010 11:09:37 UTC

New Orleans Scrapping Surveillance Cameras

Posted By Bruce Schneier

They're not worth it: In seven years, New Orleans' crime camera program has yielded six indictments: three for crimes caught on video and three for bribes and kickbacks a vendor is accused of paying a former city official to sell the cameras to City Hall....

Wed, 27 Oct 2010 20:24:49 UTC

FBI Bugging Embassies in 1940

Posted By Bruce Schneier

Old -- but recently released -- document discussing the bugging of the Russian embassy in 1940. The document also mentions bugging the embassies of France, Germany, Italy, and Japan....

Wed, 27 Oct 2010 12:53:03 UTC

Firesheep

Posted By Bruce Schneier

Firesheep is a new Firefox plugin that makes it easy for you to hijack other people's social network connections. Basically, Facebook authenticates clients with cookies. If someone is using a public WiFi connection, the cookies are sniffable. Firesheep uses wincap to capture and display the authentication information for accounts it sees, allowing you to hijack the connection. Slides from the...

Tue, 26 Oct 2010 11:40:53 UTC

Seymour Hersh on Cyberwar

Posted By Bruce Schneier

Excellent article from The New Yorker....

Mon, 25 Oct 2010 11:21:13 UTC

Declassified NSA Documents

Posted By Bruce Schneier

It's a long list. These items are not online; they're at the National Archives and Records Administration in College Park, MD. You can either ask for copies by mail under FOIA (at 75 cents per page) or come in in person. There, you can read and scan them for free, or photocopy them for about 20 cents a page....

Fri, 22 Oct 2010 21:31:20 UTC

Steganography in the Longfin Inshore Squid

Posted By Bruce Schneier

Really: While the notion that a few animals produce polarization signals and use them in communication is not new, Mäthger and Hanlon's findings present the first anatomical evidence for a “hidden communication channel” that can remain masked by typical camouflage patterns. Their results suggest that it might be possible for squid to send concealed polarized signals to one another while...

Fri, 22 Oct 2010 19:29:28 UTC

Video Interview with Me from RSA Europe

Posted By Bruce Schneier

I was interviewed this week at RSA Europe....

Fri, 22 Oct 2010 10:45:21 UTC

FaceTime for Mac Security Hole

Posted By Bruce Schneier

Once a user has logged into FaceTime, anyone with access to the machine can change the user's Apple ID password without knowing the old password....

Thu, 21 Oct 2010 19:07:08 UTC

Electronic Car Lock Denial-of-Service Attack

Posted By Bruce Schneier

Clever: Inspector Richard Haycock told local newspapers that the possible use of the car lock jammers would help explain a recent spate of thefts from vehicles that have occurred without leaving any signs of forced entry. "We do get quite a lot of car crime in the borough where there's no sign of a break-in and items have been taken...

Thu, 21 Oct 2010 00:11:54 UTC

Workshop on the Economics of Information Security

Posted By Bruce Schneier

I am the program chair for WEIS 2011, which is to be held next June in Washington, DC. Submissions are due at the end of February. Please forward and repost the call for papers....

Wed, 20 Oct 2010 12:21:20 UTC

Predator Software Pirated?

Posted By Bruce Schneier

This isn't good: Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the "government client" seeking assistance with Predator drones was none other than the Central Intelligence Agency. IISi is seeking an...

Tue, 19 Oct 2010 12:34:38 UTC

Hiding in Plain Sight

Posted By Bruce Schneier

Ha! When he's out and about near his Denver home, former Broncos quarterback John Elway has come up with a novel way to travel incognito -- he wears his own jersey. "I do that all the time here," the 50-year-old Hall of Famer told me. "I go to the mall that way. They know it's not me because they say there's no...

Mon, 18 Oct 2010 11:23:10 UTC

Fingerprinting Telephone Calls

Posted By Bruce Schneier

This is clever: The tool is called PinDr0p, and works by analysing the various characteristic noise artifacts left in audio by the different types of voice network -- cellular, VoIP etc. For instance, packet loss leaves tiny gaps in audio signals, too brief for the human ear to detect, but quite perceptible to the PinDr0p algorithms. Vishers and others wishing...

Fri, 15 Oct 2010 08:12:59 UTC

Indian OS

Posted By Bruce Schneier

India is writing its own operating system so it doesn't have to rely on Western technology: India's Defence Research and Development Organisation (DRDO) wants to build an OS, primarily so India can own the source code and architecture. That will mean the country won't have to rely on Western operating systems that it thinks aren't up to the job of...

Thu, 14 Oct 2010 17:10:14 UTC

Picking a Single Voice out of a Crowd

Posted By Bruce Schneier

Interesting new technology. Squarehead's new system is like bullet-time for sound. 325 microphones sit in a carbon-fiber disk above the stadium, and a wide-angle camera looks down on the scene from the center of this disk. All the operator has to do is pinpoint a spot on the court or field using the screen, and the Audioscope works out how...

Thu, 14 Oct 2010 11:35:00 UTC

Pen-and-Paper SQL Injection Attack Against Swedish Election

Posted By Bruce Schneier

Some copycat imitated this xkcd cartoon in Sweden, hand writing an SQL injection attack onto a paper ballot. Even though the ballot was manually entered into the vote database, the attack (and the various other hijinks) failed. This time. Three news links, in Swedish....

Wed, 13 Oct 2010 11:20:02 UTC

The FBI is Tracking Whom?

Posted By Bruce Schneier

They're tracking a college student in Silicon Valley. He's 20, partially Egyptian, and studying marketing at Mission College. He found the tracking device attached to his car. Near as he could tell, what he did to warrant the FBI's attention is be the friend of someone who did something to warrant the FBI's attention. Afifi retrieved the device from his...

Tue, 12 Oct 2010 11:12:16 UTC

The Mahmoud al-Mabhouh Assassination

Posted By Bruce Schneier

Remember the Mahmoud al-Mabhouh assassination last January? The police identified 30 suspects, but haven't been able to find any of them. Police spent about 10,000 hours poring over footage from some 1,500 security cameras around Dubai. Using face-recognition software, electronic-payment records, receipts and interviews with taxi drivers and hotel staff, they put together a list of suspects and publicized it....

Mon, 11 Oct 2010 11:54:40 UTC

The Economist on Biometrics

Posted By Bruce Schneier

Good article. Here's my essay on biometrics, from 1999....

Fri, 08 Oct 2010 21:23:39 UTC

Friday Squid Blogging: Squid's Restaurant

Posted By Bruce Schneier

In Chapel Hill, NC....

Fri, 08 Oct 2010 17:49:36 UTC

The Ineffectiveness of Vague Security Warnings

Posted By Bruce Schneier

From Slate: We do nothing, first and foremost, because there is nothing we can do. Unless the State Department gets specific -- e.g., "don't go to the Eiffel Tower tomorrow" -- information at that level of generality is completely meaningless. Unless we are talking about weapons of mass destruction, the chances of being hit by a car while crossing the street are still greater...

Fri, 08 Oct 2010 11:23:09 UTC

Hacking Trial Breaks D.C. Internet Voting System

Posted By Bruce Schneier

Sounds like it was easy: Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot -- and midday Friday, the trial period was...

Thu, 07 Oct 2010 14:56:59 UTC

Stuxnet

Posted By Bruce Schneier

Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story. As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and...

Thu, 07 Oct 2010 12:03:37 UTC

The Politics of Allocating Homeland Security Money to States

Posted By Bruce Schneier

From the Journal of Homeland Security and Emergency Management: "Politics or Risks? An Analysis of Homeland Security Grant Allocations to the States." Abstract: In the days following the September 11 terrorist attacks on the United States, the nation's elected officials created the USA Patriot Act. The act included a grant program for the 50 states that was intended to assist...

Wed, 06 Oct 2010 11:59:18 UTC

Putting Unique Codes on Objects to Detect Counterfeiting

Posted By Bruce Schneier

This will help some. At least two rival systems plan to put unique codes on packages containing antimalarials and other medications. Buyers will be able to text the code to a phone number on the package and get an immediate reply of "NO" or "OK," with the drug's name, expiration date, and other information. To defeat the system, the counterfeiter...

Tue, 05 Oct 2010 12:22:12 UTC

Analyzing CAPTCHAs

Posted By Bruce Schneier

New research: "Attacks and Design of Image Recognition CAPTCHAs." Abstract. We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail. Then we present a security...

Mon, 04 Oct 2010 18:55:35 UTC

Sky Marshals Flying First Class

Posted By Bruce Schneier

I regularly say that security decisions are primarily made for non-security reasons. This article about the placement of sky marshals on airplanes is an excellent example. Basically, the airlines would prefer they fly coach instead of first class. Airline CEOs met recently with TSA administrator John Pistole and officials from the Federal Air Marshal Service requesting the TSA to reconsider...

Mon, 04 Oct 2010 11:31:13 UTC

Monitoring Employees' Online Behavior

Posted By Bruce Schneier

Not their online behavior at work, but their online behavior in life. Using automation software that slogs through Facebook, Twitter, Flickr, YouTube, LinkedIn, blogs, and "thousands of other sources," the company develops a report on the "real you" -- not the carefully crafted you in your resume. The service is called Social Intelligence Hiring. The company promises a 48-hour turn-around....

Fri, 01 Oct 2010 21:01:13 UTC

Friday Squid Blogging: Beautiful Squid Sketches

Posted By Bruce Schneier

The Cephalopoda....

Fri, 01 Oct 2010 19:43:31 UTC

My Recording Debut

Posted By Bruce Schneier

Okay, so this isn't a normal blog post. It's not about security. I've been playing doumbek with a band at the Minneapolis Renaissance Festival called Brother Seamus. They've released a CD, "Hale and Sound," where I play on three of the tracks. If you're interested in a copy, it's only $15 -- including shipping anywhere in the world. If you're...

Fri, 01 Oct 2010 17:10:11 UTC

Me on Cyberwar

Posted By Bruce Schneier

During the cyberwar debate a few months ago, I said this: If we frame this discussion as a war discussion, then what you do when there's a threat of war is you call in the military and you get military solutions. You get lockdown; you get an enemy that needs to be subdued. If you think about these threats in...

Fri, 01 Oct 2010 11:34:31 UTC

Master's Theses in Homeland Security

Posted By Bruce Schneier

This is a list of master's theses from the Naval Postgraduate School's Center for Homeland Defense and Security, this year. Some interesting stuff in there....

Thu, 30 Sep 2010 11:02:14 UTC

Wiretapping the Internet

Posted By Bruce Schneier

On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones. The government wants to force companies to redesign their communications systems and information networks to facilitate surveillance, and...

Wed, 29 Sep 2010 12:18:40 UTC

NSA Publications

Posted By Bruce Schneier

There is an interesting list of NSA publications in this document, pages 30-36. This document is a bunch of pages from the NSA intranet....

Tue, 28 Sep 2010 19:42:51 UTC

Stealing Money from a Safe with a Vacuum

Posted By Bruce Schneier

Clever: The burglars broke into their latest store near Paris and drilled a hole in the "pneumatic tube" that siphons money from the checkout to the strong-room. They then sucked rolls of cash totalling £60,000 from the safe without even having to break its lock. I like attacks that bypass the defender's threat model....

Tue, 28 Sep 2010 11:33:02 UTC

Cultural Cognition of Risk

Posted By Bruce Schneier

This is no surprise: The people behind the new study start by asking a pretty obvious question: "Why do members of the public disagree -- sharply and persistently -- about facts on which expert scientists largely agree?" (Elsewhere, they refer to the "intense political contestation over empirical issues on which technical experts largely agree.") In this regard, the numbers from the Pew survey are...

Mon, 27 Sep 2010 17:00:59 UTC

Isolating Terrorist Cells as a Security Countermeasure

Posted By Bruce Schneier

It's better to try to isolate parts of a terrorist network than to attempt to destroy it as a whole, at least according to this model: Vos Fellman explains how terrorist networks are "typical of the structures encountered in the study of conflict, in that they possess multiple, irreducible levels of complexity and ambiguity." "This complexity is compounded by the...

Mon, 27 Sep 2010 11:51:10 UTC

New Attack Against ASP.NET

Posted By Bruce Schneier

It's serious: The problem lies in the way that ASP.NET, Microsoft's popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie...

Fri, 24 Sep 2010 21:12:38 UTC

Friday Squid Blogging: "Truck Carrying Squid Crashes In Broccoli Field"

Posted By Bruce Schneier

You can't make up a headline like that....

Fri, 24 Sep 2010 18:23:45 UTC

Real-Time NSA Eavesdropping

Posted By Bruce Schneier

In an article about Robert Woodward's new book, Obama's Wars, this is listed as one of the book's "disclosures": A new capability developed by the National Security Agency has dramatically increased the speed at which intercepted communications can be turned around into useful information for intelligence analysts and covert operators. "They talk, we listen. They move, we observe. Given the...

Fri, 24 Sep 2010 11:34:21 UTC

Analysis of Image File Metadata

Posted By Bruce Schneier

As a photographer, I've wondered about this....

Thu, 23 Sep 2010 16:48:32 UTC

Evercookies

Posted By Bruce Schneier

Extremely persistent browser cookies: evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others. evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available on the local...

Thu, 23 Sep 2010 12:19:28 UTC

Details Removed from Book at Request of U.S. Department of Defense

Posted By Bruce Schneier

From the AFP: A publisher has agreed to remove US intelligence details from a memoir by a former army officer in Afghanistan after the Pentagon raised last-minute objections, officials said Friday. The book, "Operation Dark Heart," had been printed and prepared for release in August but St. Martin's Press will now issue a revised version of the spy memoir after...

Wed, 22 Sep 2010 11:25:55 UTC

The Stuxnet Worm

Posted By Bruce Schneier

It's impressive: The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals. "It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with...

Tue, 21 Sep 2010 18:42:03 UTC

Prepaid Electricity Meter Fraud

Posted By Bruce Schneier

New attack: Criminals across the UK have hacked the new keycard system used to top up pre-payment energy meters and are going door-to-door, dressed as power company workers, selling illegal credit at knock-down prices. The pre-paid power meters use a key system. Normally people visit a shop to put credit on their key, which they then take home and slot...

Tue, 21 Sep 2010 11:55:25 UTC

Haystack

Posted By Bruce Schneier

I stayed clear of Haystack -- the anonymity program that was going to protect the privacy of dissidents the world over -- because I didn't have enough details about the program to have an intelligent opinion. The project has since imploded, and here are two excellent essays about the program and the hype surrounding it....

Mon, 20 Sep 2010 18:58:32 UTC

Statistical Distribution of Combat Wounds to the Head

Posted By Bruce Schneier

This is interesting: The study, led by physician Yuval Ran, looked at Israeli combat deaths from 2000 to 2004 and tracked where bullet entries appeared on the skull (illustrated above), finding that the lower back (occipital region) and front of the temple areas (anterior-temporal regions) were most likely. I'm not sure it's useful, but it is interesting....

Mon, 20 Sep 2010 11:20:44 UTC

Four Irrefutable Security Laws

Posted By Bruce Schneier

This list is from Malcolm Harkins, Intel's chief information security officer, and it's a good one (from a talk at Forrester's Security Forum): Users want to click on things. Code wants to be wrong. Services want to be on. Security features can be used to harm. His dig at open source software is just plain dumb, though: Harkins cited mobile...

Sat, 18 Sep 2010 11:05:06 UTC

Questioning Terrorism Policy

Posted By Bruce Schneier

Worth reading: ...what if we chose to accept the fact that every few years, despite all reasonable precautions, some hundreds or thousands of us may die in the sort of ghastly terrorist attack that a democratic republic cannot 100-percent protect itself from without subverting the very principles that make it worth protecting? Is this thought experiment monstrous? Would it be...

Fri, 17 Sep 2010 21:34:50 UTC

Friday Squid Blogging: Squid Eyes

Posted By Bruce Schneier

Squid eyes....

Fri, 17 Sep 2010 18:57:42 UTC

Master HDCP Key Cracked

Posted By Bruce Schneier

The master key for the High-Bandwidth Digital Content Protection standard -- that's what encrypts digital television between set-top boxes and digital televisions -- has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear: But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did...

Fri, 17 Sep 2010 15:15:28 UTC

Automatic Document Declassification

Posted By Bruce Schneier

DARPA is looking for something that can automatically declassify documents: I'll be honest: I'm not exactly sure what kind of technological solution you can build to facilitate declassification. From the way the challenge is structured, it sounds like a semantic-search problem: Plug in keywords that help you comb through deserts of stored information in the bowels of the Pentagon and...

Thu, 16 Sep 2010 11:34:33 UTC

DHS Still Worried About Terrorists Using Internet Surveillance

Posted By Bruce Schneier

Profound analysis from the Department of Homeland Security: Detailed video obtained through live Web-based camera feeds combined with street-level and direct overhead imagery views from Internet imagery sites allow terrorists to conduct remote surveillance of multiple potential targets without exposing themselves to detection. Cameras, too. Remember, anyone who searches for anything on the Internet may be a terrorist. Report him...

Wed, 15 Sep 2010 17:50:12 UTC

Popular Usernames and Passwords

Posted By Bruce Schneier

Graphical representation....

Wed, 15 Sep 2010 11:12:47 UTC

Highway Honeypot

Posted By Bruce Schneier

Police set up a highway sign warning motorists that there are random stops for narcotics checks ahead, but actually search people who take the next exit....

Tue, 14 Sep 2010 17:58:53 UTC

Not Answering Questions at U.S. Customs

Posted By Bruce Schneier

Interesting story: I was detained last night by federal authorities at San Francisco International Airport for refusing to answer questions about why I had travelled outside the United States. The end result is that, after waiting for about half an hour and refusing to answer further questions, I was released -- because U.S. citizens who have produced proof of citizenship...

Tue, 14 Sep 2010 11:45:53 UTC

Vulnerabilities in US-CERT Network

Posted By Bruce Schneier

You'd think US-CERT would do somewhat better....

Mon, 13 Sep 2010 11:46:20 UTC

Kenzero

Posted By Bruce Schneier

Kenzero is a Japanese Trojan that collects and publishes users' porn surfing habits, and then blackmails them to remove the information....

Fri, 10 Sep 2010 21:52:54 UTC

Friday Squid Blogging: Cephalopod Consciousness

Posted By Bruce Schneier

"Three Arguments for the Consciousness of Cephalopods."...

Fri, 10 Sep 2010 18:03:47 UTC

The Onion on National Security

Posted By Bruce Schneier

"Smart, Qualified People Behind the Scenes Keeping America Safe: 'We Don't Exist'"...

Fri, 10 Sep 2010 11:22:35 UTC

Problems with Twitter's OAuth Authentication System

Posted By Bruce Schneier

Interesting case study....

Thu, 09 Sep 2010 18:32:05 UTC

Orange Balls as an Anti-Robbery Device

Posted By Bruce Schneier

In Japan: These balls full of orange paint are anti-theft devices. When someone robs a store, the clerk can throw the ball at the perp (or at the perp's feet) so they're easily identified after they escape. Seems to me the best way to escape from a robbery would be to throw a bunch of orange balls at a crowd....

Thu, 09 Sep 2010 12:15:37 UTC

New German ID Card Hackable

Posted By Bruce Schneier

No surprise....

Wed, 08 Sep 2010 11:06:39 UTC

Parental Fears vs. Realities

Posted By Bruce Schneier

From NPR: Based on surveys Barnes collected, the top five worries of parents are, in order: Kidnapping School snipers Terrorists Dangerous strangers Drugs But how do children really get hurt or killed? Car accidents Homicide (usually committed by a person who knows the child, not a stranger) Abuse Suicide Drowning Why such a big discrepancy between worries and reality? Barnes...

Tue, 07 Sep 2010 12:25:10 UTC

Consumerization and Corporate IT Security

Posted By Bruce Schneier

If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some...

Mon, 06 Sep 2010 12:24:50 UTC

Terrorism Entrapment

Posted By Bruce Schneier

Back in 2007, I wrote an essay, "Portrait of the Modern Terrorist as an Idiot," where I said: The JFK Airport plotters seem to have been egged on by an informant, a twice-convicted drug dealer. An FBI informant almost certainly pushed the Fort Dix plotters to do things they wouldn't have ordinarily done. The Miami gang's Sears Tower plot was...

Fri, 03 Sep 2010 21:58:03 UTC

Friday Squid Blogging: Squid Car

Posted By Bruce Schneier

Squid car....

Fri, 03 Sep 2010 11:27:05 UTC

UAE Man-in-the-Middle Attack Against SSL

Posted By Bruce Schneier

Interesting: Who are these certificate authorities? At the beginning of Web history, there were only a handful of companies, like Verisign, Equifax, and Thawte, that made near-monopoly profits from being the only providers trusted by Internet Explorer or Netscape Navigator. But over time, browsers have trusted more and more organizations to verify Web sites. Safari and Firefox now trust more...

Thu, 02 Sep 2010 18:46:00 UTC

Successful Attack Against a Quantum Cryptography System

Posted By Bruce Schneier

Clever: Quantum cryptography is often touted as being perfectly secure. It is based on the principle that you cannot make measurements of a quantum system without disturbing it. So, in theory, it is impossible for an eavesdropper to intercept a quantum encryption key without disrupting it in a noticeable way, triggering alarm bells. Vadim Makarov at the Norwegian University of...

Thu, 02 Sep 2010 12:33:08 UTC

Cyber-Offence is the New Cyber-Defense

Posted By Bruce Schneier

This is beyond stupid: The Pentagon is contemplating an aggressive approach to defending its computer systems that includes preemptive actions such as knocking out parts of an adversary's computer network overseas -- but it is still wrestling with how to pursue the strategy legally. The department is developing a range of weapons capabilities, including tools that would allow "attack and exploitation of...

Wed, 01 Sep 2010 18:17:40 UTC

Wanted: Skein Hardware Help

Posted By Bruce Schneier

As part of NIST's SHA-3 selection process, people have been implementing the candidate hash functions on a variety of hardware and software platforms. Our team has implemented Skein in Intel's 32 nm ASIC process, and got some impressive performance results (presentation and paper). Several other groups have implemented Skein in FPGA and ASIC, and have seen significantly poorer performance. We...

Wed, 01 Sep 2010 11:01:50 UTC

More Skein News

Posted By Bruce Schneier

Skein is my new hash function. Well, "my" is an overstatement; I'm one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Here's the Skein paper; source code is here. The Skein website is here. Last week was the Second SHA-3 Candidate Conference....

Tue, 31 Aug 2010 17:39:14 UTC

Eavesdropping on Smart Homes with Distributed Wireless Sensors

Posted By Bruce Schneier

"Protecting your daily in-home activity information from a wireless snooping attack," by Vijay Srinivasan, John Stankovic, and Kamin Whitehouse: Abstract: In this paper, we first present a new privacy leak in residential wireless ubiquitous computing systems, and then we propose guidelines for designing future systems to prevent this problem. We show that we can observe private activities in the home...

Tue, 31 Aug 2010 11:42:54 UTC

High School Teacher Assigns Movie-Plot Threat Contest Problem

Posted By Bruce Schneier

In Australia: A high school teacher who assigned her class to plan a terrorist attack that would kill as many innocent people as possible had no intent to promote terrorism, the school principal said yesterday. The Year-10 students at Kalgoorlie-Boulder Community High School were asked to pretend they were terrorists making a political statement by releasing a chemical or biological...

Mon, 30 Aug 2010 17:05:09 UTC

Misidentification and the Court System

Posted By Bruce Schneier

Chilling: How do most wrongful convictions come about? The primary cause is mistaken identification. Actually, I wouldn't call it mistaken identification; I'd call it misidentification, because you often find that there was some sort of misconduct by the police. In a lot of cases, the victim initially wasn't so sure. And then the police say, "Oh, no, you got the...

Mon, 30 Aug 2010 10:31:35 UTC

Security Theater on the Boston T

Posted By Bruce Schneier

Since a fatal crash a few years ago, Boston T (their subway) operators have been forbidden from using -- or even having -- cell phones while on the job. Passengers are encouraged to report violators. But sometimes T operators need to use their official radios on the job, and passengers can't tell the difference. The solution: orange tape: The solution?...

Fri, 27 Aug 2010 21:28:37 UTC

Friday Squid Blogging: Jewel of the Sea

Posted By Bruce Schneier

Pretty....

Fri, 27 Aug 2010 17:47:25 UTC

Me at the EastWest Institute

Posted By Bruce Schneier

Back in May, I attended the EastWest Institute's First Worldwide Cybersecurity Summit in Dallas. I only had eight minutes to speak, and tried to turn the dialog to security, privacy, and the individual....

Fri, 27 Aug 2010 12:58:50 UTC

Is the Whole Country an Airport Security Zone?

Posted By Bruce Schneier

Full-body scanners in roving vans: American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents, Joe Reiss, a vice president of marketing at the company told me in an interview. This should be...

Thu, 26 Aug 2010 11:15:11 UTC

Detecting Deception in Conference Calls

Posted By Bruce Schneier

Research paper: Detecting Deceptive Discussions in Conference Calls, by David F. Larcker and Anastasia A. Zakolyukina. Abstract: We estimate classification models of deceptive discussions during quarterly earnings conference calls. Using data on subsequent financial restatements (and a set of criteria to identify especially serious accounting problems), we label the Question and Answer section of each call as "truthful" or "deceptive"....

Wed, 25 Aug 2010 11:20:52 UTC

Social Steganography

Posted By Bruce Schneier

From danah boyd: Carmen is engaging in social steganography. She's hiding information in plain sight, creating a message that can be read in one way by those who aren't in the know and read differently by those who are. She's communicating to different audiences simultaneously, relying on specific cultural awareness to provide the right interpretive lens. While she's focused primarily...

Tue, 24 Aug 2010 11:56:07 UTC

Skeletal Identification

Posted By Bruce Schneier

And you thought fingerprints were intrusive. The Wright State Research Institute is developing a ground-breaking system that would scan the skeletal structures of people at airports, sports stadiums, theme parks and other public places that could be vulnerable to terrorist attacks, child abductions or other crimes. The images would then quickly be matched with potential suspects using a database of...

Mon, 23 Aug 2010 11:03:35 UTC

Malware Contributory Cause of Air Crash

Posted By Bruce Schneier

This is a first, I think: The airline's central computer which registered technical problems on planes was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems with the plane, according to Spanish daily El Pais (report here). The plane took off with flaps and slats retracted,...

Fri, 20 Aug 2010 21:02:39 UTC

Friday Squid Blogging: Flying Squid

Posted By Bruce Schneier

Who knew? "Hulse was shooting with burst mode on his camera, so I know exactly what the interval is between the frames and I can calculate velocity of squid flying though the air," O'Dor says. "We now think there are dozens of species that do it. Squid are used to gliding in the water, so the same physiology probably allows...

Thu, 19 Aug 2010 15:44:16 UTC

Intel Buys McAfee

Posted By Bruce Schneier

Intel buys McAfee. It's another example of a large non-security company buying a security company. I've been talking about this sort of thing for two and a half years: It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got...

Wed, 18 Aug 2010 20:48:02 UTC

"The Fear Tax"

Posted By Bruce Schneier

Good essay by Seth Godin: We pay the fear tax every time we spend time or money seeking reassurance. We pay it twice when the act of seeking that reassurance actually makes us more anxious, not less. We pay the tax when we cover our butt instead of doing the right thing, and we pay the tax when we take...

Tue, 17 Aug 2010 17:29:51 UTC

Crypto 2010 Proceedings

Posted By Bruce Schneier

The Crypto 2010 Conference is going on right now at the University of California, Santa Barbara. Springer-Verlag publishes the proceedings, but they're available as a free download for the next few days....

Tue, 17 Aug 2010 11:42:47 UTC

Hacking Cars Through Wireless Tire-Pressure Sensors

Posted By Bruce Schneier

Still minor, but this kind of thing is only going to get worse: The new research shows that other systems in the vehicle are similarly insecure. The tire pressure monitors are notable because they're wireless, allowing attacks to be made from adjacent vehicles. The researchers used equipment costing $1,500, including radio sensors and special software, to eavesdrop on, and interfere...

Mon, 16 Aug 2010 11:51:50 UTC

Breaking into a Garage

Posted By Bruce Schneier

In seconds. Garage doors with automatic openers have always seemed like a lot of security theater to me....

Fri, 13 Aug 2010 21:23:35 UTC

Friday Squid Blogging: Squid Computer Virus

Posted By Bruce Schneier

It wasn't me: A hardened computer hacker has been arrested on suspicion of writing a computer virus that systematically destroys all the files on victims' PCs and replaces them with homemade manga images of squid, octopuses and sea urchins....

Fri, 13 Aug 2010 12:36:15 UTC

Cloning Retail Gift Cards

Posted By Bruce Schneier

Clever attack. After researching how gift cards work, Zepeda purchased a magnetic card reader online, began stealing blank gift cards, on display for purchase, from Fred Meyer and scanning them with his reader. He would then return some of the scanned cards to the store and wait for a computer program to alert him when the cards were activated and...

Thu, 12 Aug 2010 11:48:55 UTC

Security Analysis of Smudges on Smart Phone Touch Screens

Posted By Bruce Schneier

"Smudge Attacks on Smartphone Touch Screens": Abstract: Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which...

Wed, 11 Aug 2010 11:00:45 UTC

Late Teens and Facebook Privacy

Posted By Bruce Schneier

"Facebook Privacy Settings: Who Cares?" by danah boyd and Eszter Hargittai. Abstract: With over 500 million users, the decisions that Facebook makes about its privacy settings have the potential to influence many people. While its changes in this domain have often prompted privacy advocates and news media to critique the company, Facebook has continued to attract more users to its...

Tue, 10 Aug 2010 17:12:21 UTC

Apple JailBreakMe Vulnerability

Posted By Bruce Schneier

Good information from Mikko Hyppönen. It doesn't look good. Q: What is this all about? A: It's about a site called jailbreakme.com that enables you to Jailbreak your iPhones and iPads just by visiting the site. Q: So what's the problem? A: The problem is that the site uses a zero-day vulnerability to execute code on the device. Q: How...

Tue, 10 Aug 2010 11:51:13 UTC

A Revised Taxonomy of Social Networking Data

Posted By Bruce Schneier

Lately I've been reading about user security and privacy -- control, really -- on social networking sites. The issues are hard and the solutions harder, but I'm seeing a lot of confusion in even forming the questions. Social networking sites deal with several different types of user data, and it's essential to separate them. Below is my taxonomy of social...

Mon, 09 Aug 2010 19:46:08 UTC

P ≠ NP?

Posted By Bruce Schneier

There's a new paper circulating that claims to prove that P ≠ NP. The paper has not been refereed, and I haven't seen any independent verifications or refutations. Despite the fact that the paper is by a respected researcher -- HP Lab's Vinay Deolalikar -- and not a crank, my bet is that the proof is flawed....

Mon, 09 Aug 2010 12:12:50 UTC

Ant Warfare

Posted By Bruce Schneier

Interesting: According to Moffett, we might actually learn a thing or two from how ants wage war. For one, ant armies operate with precise organization despite a lack of central command. "We're accustomed to being told what to do," Moffett says. "I think there's something to be said for fewer layers of control and oversight." Which, according to Moffett, is...

Fri, 06 Aug 2010 21:23:55 UTC

Friday Squid Blogging: Canadian Squid Stamp

Posted By Bruce Schneier

It's a giant fiberglass squid from Newfoundland....

Fri, 06 Aug 2010 16:01:43 UTC

Yet Another Way to Sneak Liquids onto an Airplane

Posted By Bruce Schneier

Coffee cup disguised as a camera lens....

Fri, 06 Aug 2010 10:36:44 UTC

More Brain Scans to Detect Future Terrorists

Posted By Bruce Schneier

Worked well in a test: For the first time, the Northwestern researchers used the P300 testing in a mock terrorism scenario in which the subjects are planning, rather than perpetrating, a crime. The P300 brain waves were measured by electrodes attached to the scalp of the make-believe "persons of interest" in the lab. The most intriguing part of the study...

Thu, 05 Aug 2010 11:36:05 UTC

NSA and the National Cryptologic Museum

Posted By Bruce Schneier

Most people might not be aware of it, but there's a National Cryptologic Museum at Ft. Meade, at NSA Headquarters. It's hard to know its exact relationship with the NSA. Is it part of the NSA, or is it a separate organization? Can the NSA reclassify things in its archives? David Kahn has given his papers to the museum; is...

Wed, 04 Aug 2010 12:52:20 UTC

WikiLeaks Insurance File

Posted By Bruce Schneier

Now this is an interesting development: In the wake of strong U.S. government statements condemning WikiLeaks' recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled "insurance." The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file's size dwarfs the...

Tue, 03 Aug 2010 16:08:21 UTC

UAE to Ban BlackBerrys

Posted By Bruce Schneier

The United Arab Emirates -- Dubai, etc. -- is threatening to ban BlackBerrys because they can't eavesdrop on them. At the heart of the battle is access to the data transmitted by BlackBerrys. RIM processes the information through a handful of secure Network Operations Centers around the world, meaning that most governments can't access the data easily on their own....

Tue, 03 Aug 2010 11:25:30 UTC

Location-Based Quantum Encryption

Posted By Bruce Schneier

Location-based encryption -- a system by which only a recipient in a specific location can decrypt the message -- fails because location can be spoofed. Now a group of researchers has solved the problem in a quantum cryptography setting: The research group has recently shown that if one sends quantum bits -- the quantum equivalent of a bit -- instead...

Tue, 03 Aug 2010 02:21:42 UTC

Eavesdropping Smartphone Apps

Posted By Bruce Schneier

Seems there are a lot of them. They do it for marketing purposes. Really, they seem to do it because the code base they use does it automatically or just because they can. (Initial reports that an Android wallpaper app was malicious seem to have been an overstatement; they're just incompetent: inadvertently collecting more data than necessary.) Meanwhile, there's now...

Mon, 02 Aug 2010 11:38:06 UTC

Book Review: How Risky Is It, Really?

Posted By Bruce Schneier

David Ropeik is a writer and consultant who specializes in risk perception and communication. His book, How Risky Is It, Really?: Why Our Fears Don't Always Match the Facts, is a solid introduction to the biology, psychology, and sociology of risk. If you're well-read on the topic already, you won't find much you didn't already know. But if this is...

Fri, 30 Jul 2010 21:17:10 UTC

Friday Squid Blogging: Squid Launcher from "Despicable Me"

Posted By Bruce Schneier

Don't squid me, bro....

Fri, 30 Jul 2010 17:47:15 UTC

Doomsday Shelters

Posted By Bruce Schneier

Selling fear: The Vivos network, which offers partial ownerships similar to a timeshare in underground shelter communities, is one of several ventures touting escape from a surface-level calamity. Radius Engineering in Terrell, Texas, has built underground shelters for more than three decades, and business has never been better, says Walton McCarthy, company president. The company sells fiberglass shelters that can...

Fri, 30 Jul 2010 13:55:12 UTC

Hacking ATMs

Posted By Bruce Schneier

Hacking ATMs to spit out money, demonstrated at the Black Hat conference: The two systems he hacked on stage were made by Triton and Tranax. The Tranax hack was conducted using an authentication bypass vulnerability that Jack found in the system's remote monitoring feature, which can be accessed over the Internet or dial-up, depending on how the owner configured the...

Thu, 29 Jul 2010 11:16:19 UTC

Security Vulnerabilities of Smart Electricity Meters

Posted By Bruce Schneier

"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria. Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay...

Wed, 28 Jul 2010 16:12:04 UTC

DNSSEC Root Key Split Among Seven People

Posted By Bruce Schneier

The DNSSEC root key has been divided among seven people: Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate...

Tue, 27 Jul 2010 17:33:33 UTC

Pork-Filled Counter-Islamic Bomb Device

Posted By Bruce Schneier

Okay, this is just weird: Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to...

Tue, 27 Jul 2010 11:43:01 UTC

WPA Cracking in the Cloud

Posted By Bruce Schneier

It's a service: The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more "premium" price of $35,...

Mon, 26 Jul 2010 17:30:27 UTC

1921 Book on Profiling

Posted By Bruce Schneier

Here's a book from 1921 on how to profile people....

Mon, 26 Jul 2010 11:12:14 UTC

Technology is Making Life Harder for Spies

Posted By Bruce Schneier

An article from The Economist makes a point that I have been thinking about for a while: modern technology makes life harder for spies, not easier. It used to be that technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a...

Fri, 23 Jul 2010 21:19:55 UTC

Friday Squid Blogging: Squidbillies

Posted By Bruce Schneier

Where do these TV shows come from? Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia....

Fri, 23 Jul 2010 17:46:27 UTC

The Washington Post on the U.S. Intelligence Industry

Posted By Bruce Schneier

The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting exposé on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on). It's a truly excellent piece of investigative journalism. Pity people don't care much about...

Fri, 23 Jul 2010 13:59:52 UTC

Internet Worm Targets SCADA

Posted By Bruce Schneier

Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause...

Thu, 22 Jul 2010 11:41:42 UTC

More Research on the Effectiveness of Terrorist Profiling

Posted By Bruce Schneier

Interesting: The use of profiling by ethnicity or nationality to trigger secondary security screening is a controversial social and political issue. Overlooked is the question of whether such actuarial methods are in fact mathematically justified, even under the most idealized assumptions of completely accurate prior probabilities, and secondary screenings concentrated on the highest-probability individuals. We show here that strong profiling...

Wed, 21 Jul 2010 17:56:54 UTC

Book on GCHQ

Posted By Bruce Schneier

A book on GCHQ, and two reviews....

Wed, 21 Jul 2010 10:50:46 UTC

EU Counterterrorism Strategy

Posted By Bruce Schneier

Interesting journal article evaluating the EU's counterterrorism efforts....

Tue, 20 Jul 2010 18:52:53 UTC

Economic Considerations of Website Password Policies

Posted By Bruce Schneier

Two interesting research papers on website password policies. "Where Do Security Policies Come From?": Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics...

Tue, 20 Jul 2010 11:43:07 UTC

New GAO Cybersecurity Report

Posted By Bruce Schneier

From the U.S. Government Accountability Office: "Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development." Thirty-six pages; I haven't read it....

Mon, 19 Jul 2010 18:11:16 UTC

Violating Terms of Service Possibly a Crime

Posted By Bruce Schneier

From Wired News: The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures -- including CAPTCHA -- at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites' terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking...

Mon, 19 Jul 2010 11:53:53 UTC

Embedded Code in U.S. Cyber Command Logo

Posted By Bruce Schneier

This is excellent. And it's been cracked already....

Fri, 16 Jul 2010 21:34:42 UTC

Friday Squid Blogging: Hawaiian Bobtail Squid

Posted By Bruce Schneier

Symbiotic relationship between the Hawaiian bobtail squid and bioluminescent bacteria, with bonus security implications....

Fri, 16 Jul 2010 17:08:14 UTC

Skype's Cryptography Reverse-Engineered

Posted By Bruce Schneier

Someone claims to have reverse-engineered Skype's proprietary encryption protocols, and has published pieces of it. If the crypto is good, this is less of a big deal than you might think. Good cryptography is designed to be made public; it's only for business reasons that it remains secret....

Fri, 16 Jul 2010 10:19:56 UTC

The NSA's Perfect Citizen

Posted By Bruce Schneier

In what creepy back room do they come up with these names? The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's...

Thu, 15 Jul 2010 19:32:49 UTC

Russian Intelligence Gets Source Code to Windows 7

Posted By Bruce Schneier

I don't think this is a good idea....

Thu, 15 Jul 2010 12:17:23 UTC

Random Numbers from Quantum Noise

Posted By Bruce Schneier

Not that we need more ways to get random numbers, but the research is interesting....

Wed, 14 Jul 2010 17:54:04 UTC

Burglary Detection through Video Analytics

Posted By Bruce Schneier

This is interesting: Some of the scenarios where we have installed video analytics for our clients include: to detect someone walking in an area of their yard (veering off of the main path) that they are not supposed to be; to send an alarm if someone is standing too close to the front of a store window/front door after hours;...

Wed, 14 Jul 2010 11:51:51 UTC

Caller ID Spoofing on the Android

Posted By Bruce Schneier

It's easy to access someone else's voicemail by spoofing the caller ID. This isn't new; what is new is that many people now have easy access to caller ID spoofing. The spoofing only works for voicemail accounts that don't have a password set up, but AT&T has no password as the default....

Tue, 13 Jul 2010 17:42:45 UTC

Hemingway Authentication Scheme

Posted By Bruce Schneier

From 1955, intended as humor: In the future when I should ever call on the telephone to make a request or issue an order I will identify myself as follows: This is Hemingway, Ernest M. Hemingway speaking and my serial number is 0-363. That is an easy number to remember and is not the correct one which a con man...

Tue, 13 Jul 2010 12:21:08 UTC

The Chaocipher

Posted By Bruce Schneier

The Chaocipher is a mechanical encryption algorithm invented in 1918. No one was able to reverse-engineer the algorithm, given sets of plaintexts and ciphertexts -- at least, nobody publicly. On the other hand, I don't know how many people tried, or even knew about the algorithm. I'd never heard of it before now. Anyway, for the first time, the algorithm...

Mon, 12 Jul 2010 17:54:40 UTC

Serial Killers Are Now Terrorists

Posted By Bruce Schneier

Try to keep up: Leslie Van Houten, a one-time member of Charles Manson's infamous 'family' is up for parole for the 17th time today.... "These are serial killers," she said. "These would be domestic terrorists if it was today. So these are very dangerous people."...

Mon, 12 Jul 2010 12:07:13 UTC

Internet Kill Switch

Posted By Bruce Schneier

Last month, Sen. Joe Lieberman, I-Conn., introduced a bill that might -- we're not really sure -- give the president the authority to shut down all or portions of the Internet in the event of an emergency. It's not a new idea. Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, proposed the same thing last year, and some argue that...

Fri, 09 Jul 2010 21:02:13 UTC

Friday Squid Blogging: Squid Sex Organs

Posted By Bruce Schneier

Riddles of squid sex: All cephalopods are hindered by their body shape, which comprises a closed hood-type structure called a mantle, which forms most of what appear to be a cephalopod's body and head. The animals use this mantle to move via jet propulsion, they must ventilate it to breathe, and they must also hide their excretory and sexual organs...

Fri, 09 Jul 2010 18:08:25 UTC

TSA Blocks Access to Websites with "Controversial Opinions"

Posted By Bruce Schneier

I wonder if my blog counts....

Fri, 09 Jul 2010 11:34:31 UTC

Detecting Cheating at Colleges

Posted By Bruce Schneier

The measures used to prevent cheating during tests remind me of casino security measures: No gum is allowed during an exam: chewing could disguise a student's speaking into a hands-free cellphone to an accomplice outside. The 228 computers that students use are recessed into desk tops so that anyone trying to photograph the screen -- using, say, a pen with a hidden...

Thu, 08 Jul 2010 17:17:41 UTC

The Toronto 18

Posted By Bruce Schneier

Long and interesting article from The Toronto Star on the Toronto 18, a terrorist cell arrested in 2006. Lots of stuff in this article I had not read before....

Thu, 08 Jul 2010 12:07:11 UTC

Surveillance and Morality

Posted By Bruce Schneier

"Does Surveillance Make Us Morally Better?": Conclusion The upshot of these reflections is that the relation between surveillance and moral edification is complicated. In some contexts, surveillance helps keep us on track and thereby reinforces good habits that become second nature. In other contexts, it can hinder moral development by steering us away from or obscuring the saintly ideal of...

Wed, 07 Jul 2010 17:58:11 UTC

The Threat of Cyberwar Has Been Grossly Exaggerated

Posted By Bruce Schneier

There's a power struggle going on in the U.S. government right now. It's about who is in charge of cyber security, and how much control the government will exert over civilian networks. And by beating the drums of war, the military is coming out on top. "The United States is fighting a cyberwar today, and we are losing," said former...

Wed, 07 Jul 2010 14:20:49 UTC

"Don't Commit Crime"

Posted By Bruce Schneier

This sign is from a gas station in the U.K. My first reaction was to laugh, but then I started thinking about it. We know that signs like "No Shoplifting" reduce shoplifting in the area around the sign, but those are warnings against a specific crime. Could a sign this general be effective? Clearly some comparative studies are needed....

Tue, 06 Jul 2010 11:00:32 UTC

Research Report on Cyberattack Capabilities

Posted By Bruce Schneier

From the National Academies in 2009: Technology, Policy, Law, and Ethics Regarding U.S. Acquisition and Use of Cyberattack Capabilities. It's 390 pages....

Mon, 05 Jul 2010 15:00:30 UTC

Tracking Location Based on Water Isotope Ratios

Posted By Bruce Schneier

Interesting: ...water molecules differ slightly in their isotope ratios depending on the minerals at their source. ...researchers found that water samples from 33 cities across the United States could be reliably traced back to their origin based on their isotope ratios. And because the human body breaks down water's constituent atoms of hydrogen and oxygen to construct the proteins that...

Fri, 02 Jul 2010 21:21:54 UTC

Friday Squid Blogging: Squid Robots

Posted By Bruce Schneier

Two of them; one was blogged about last year....

Fri, 02 Jul 2010 11:32:44 UTC

Secret Stash

Posted By Bruce Schneier

Hiding objects in everyday objects....

Thu, 01 Jul 2010 18:05:23 UTC

Vigilant Citizens: Then vs. Now

Posted By Bruce Schneier

This is from Atomic Bombing: How to Protect Yourself, published in 1950: Of course, millions of us will go through our lives never seeing a spy or a saboteur going about his business. Thousands of us may, at one time or another, think we see something like that. Only hundreds will be right. It would be foolish for all of...

Thu, 01 Jul 2010 12:35:47 UTC

Cryptography Failure Story

Posted By Bruce Schneier

By Russian spies: Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches....

Wed, 30 Jun 2010 17:53:10 UTC

Data at Rest vs. Data in Motion

Posted By Bruce Schneier

For a while now, I've pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on. Cryptography was invented to protect communications: data in motion. This is how cryptography was used throughout most of...

Wed, 30 Jun 2010 14:16:32 UTC

Cryptography Success Story

Posted By Bruce Schneier

From Brazil: the moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files....

Tue, 29 Jun 2010 16:42:54 UTC

Space Terrorism

Posted By Bruce Schneier

Space terrorism? Yes, space terrorism. This article, by someone at the European Space Policy Institute, hypes a terrorist threat I've never seen hyped before. The author waves a bunch of scare stories around, and then concludes that "the threat of 'Space Terrorism' is both real and latent," then talks about countermeasures. Certainly securing our satellites is a good idea, but...

Tue, 29 Jun 2010 11:28:06 UTC

Baby Terrorists

Posted By Bruce Schneier

This, from Congressman Louie Gohmert of Texas, is about as dumb as it gets: I talked to a retired FBI agent who said that one of the things they were looking at were terrorist cells overseas who had figured out how to game our system. And it appeared they would have young women, who became pregnant, would get them into...

Mon, 28 Jun 2010 09:02:07 UTC

Third SHB Workshop

Posted By Bruce Schneier

I'm at SHB 2010, the Third Interdisciplinary Workshop on Security and Human Behavior, at Cambridge University. This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security -- organized by Ross Anderson, Alessandro Acquisti, and myself. Here is the program. The list of attendees...

Fri, 25 Jun 2010 21:08:19 UTC

Friday Squid Blogging: Vampire Squid

Posted By Bruce Schneier

The vampire squid can turn itself inside out to avoid predators....

Fri, 25 Jun 2010 18:47:51 UTC

Hacker Scare Story

Posted By Bruce Schneier

"10 Everyday Items Hackers Are Targeting Right Now": 5. Your Blender. Yes, Your Blender. That's right: your blender is under attack! Most mixers are self-contained and not hackable, but Siciliano says many home automation systems tap into appliances such as blenders and coffee machines. These home networks are then open to attack in surprising ways: A hacker might turn on...

Fri, 25 Jun 2010 11:53:08 UTC

Security Trade-Offs in Crayfish

Posted By Bruce Schneier

Interesting: The experiments offered the crayfish stark decisions -- a choice between finding their next meal and becoming a meal for an apparent predator. In deciding on a course of action, they carefully weighed the risk of attack against the expected reward, Herberholz says. Using a non-invasive method that allowed the crustaceans to freely move, the researchers offered juvenile Louisiana...

Thu, 24 Jun 2010 18:21:50 UTC

TacSat-3 "Hyperspectral" Spy Satellite

Posted By Bruce Schneier

It's operational: The idea of hyperspectral sensing is not, however, merely to "see" in the usual sense of optical telescopes, infrared nightscopes and/or thermal imagers. This kind of detection is used on spy satellites and other surveillance systems, but it suffers from the so-called "drinking straw effect" -- that is, you can only view a small area in enough detail...

Thu, 24 Jun 2010 18:13:30 UTC

WikiLeaks

Posted By Bruce Schneier

Long, but interesting, profile of WikiLeaks's Julian Assange from The New Yorker. Assange is an international trafficker, of sorts. He and his colleagues collect documents and imagery that governments and other institutions regard as confidential and publish them on a Web site called WikiLeaks.org. Since it went online, three and a half years ago, the site has published an extensive...

Wed, 23 Jun 2010 18:16:55 UTC

Popsicle Makers a Security Threat

Posted By Bruce Schneier

Chicago chef Rick Bayless photographed this security sign, posted before airport security as people were returning home from the Aspen Food & Wine Festival: No popsicle makers are allowed through security. Anyone have any idea why something like this is so dangerous? Is the TSA prohibiting random things to toy with us? Their blog is silent on this question....

Wed, 23 Jun 2010 11:00:26 UTC

How Much Counterterrorism Can We Afford?

Posted By Bruce Schneier

In an article on using terahertz rays (is that different from terahertz radar?) to detect biological agents, we find this quote: "High-tech, low-tech, we can't afford to overlook any possibility in dealing with mass casualty events," according to center head Donald Sebastian. "You need multiple methods of detection and response. Terrorism comes in many forms; you have to see, smell,...

Tue, 22 Jun 2010 16:50:19 UTC

The Real Risk: Traffic Deaths

Posted By Bruce Schneier

The New York Times Room for Debate blog did the topic: "Do We Tolerate Too Many Traffic Deaths?"...

Tue, 22 Jun 2010 11:49:37 UTC

Buying an ATM Skimmer

Posted By Bruce Schneier

Interesting: ATM skimmers -- or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data -- are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can...

Mon, 21 Jun 2010 17:01:56 UTC

Cheating on Tests, by the Teachers

Posted By Bruce Schneier

If you give people enough incentive to cheat, people will cheat: Of all the forms of academic cheating, none may be as startling as educators tampering with children's standardized tests. But investigations in Georgia, Indiana, Massachusetts, Nevada, Virginia and elsewhere this year have pointed to cheating by educators. Experts say the phenomenon is increasing as the stakes over standardized testing...

Mon, 21 Jun 2010 10:27:40 UTC

AT&T's iPad Security Breach

Posted By Bruce Schneier

I didn't write about the recent security breach that disclosed tens of thousands of e-mail addresses and ICC-IDs of iPad users because, well, there was nothing terribly interesting about it. It was yet another web security breach. Right after the incident, though, I was being interviewed by a reporter that wanted to know what the ramifications of the breach were....

Fri, 18 Jun 2010 21:33:38 UTC

Friday Squid Blogging: LOLSquid

Posted By Bruce Schneier

It's supposed to be a classic, but I've never seen it before....

Fri, 18 Jun 2010 18:37:27 UTC

Remote Printing to an E-Mail Address

Posted By Bruce Schneier

This is cool technology from HP: Each printer with the ePrint capability will be assigned its own e-mail address. If someone wants to print a document from an iPhone, the document will go to HP's data center, where it is rendered into the correct format, and then sent to the person's printer. The process takes about 25 seconds. Maybe this...

Fri, 18 Jun 2010 10:49:08 UTC

The Continuing Incompetence of Terrorists

Posted By Bruce Schneier

The Atlantic on stupid terrorists: Nowhere is the gap between sinister stereotype and ridiculous reality more apparent than in Afghanistan, where it's fair to say that the Taliban employ the world's worst suicide bombers: one in two manages to kill only himself. And this success rate hasn't improved at all in the five years they've been using suicide bombers, despite...

Thu, 17 Jun 2010 19:28:11 UTC

Hot Dog Security

Posted By Bruce Schneier

A nice dose of risk reality: Last week, the American Academy of Pediatrics issued a statement calling for large-type warning labels on the foods that kids most commonly choke on -- grapes, nuts, carrots, candy and public enemy No. 1: the frank. Then the lead author of the report, pediatric emergency room doctor Gary Smith, went one step further. He called for...

Thu, 17 Jun 2010 11:57:15 UTC

Patrolling the U.S./Canada Border

Posted By Bruce Schneier

Doesn't the DHS have anything else to do? As someone who believes that our nation has a right to enforce its borders, I should have been gratified when the Immigrations official at the border saw the canoe on our car and informed us that anyone who crossed the nearby international waterway illegally would be arrested and fined as much as...

Wed, 16 Jun 2010 18:36:34 UTC

Filming the Police

Posted By Bruce Schneier

In at least three U.S. states, it is illegal to film an active duty policeman: The legal justification for arresting the "shooter" rests on existing wiretapping or eavesdropping laws, with statutes against obstructing law enforcement sometimes cited. Illinois, Massachusetts, and Maryland are among the 12 states in which all parties must consent for a recording to be legal unless, as...

Wed, 16 Jun 2010 12:00:59 UTC

Dating Recordings by Power Line Interference

Posted By Bruce Schneier

Interesting: The capability, called "electrical network frequency analysis" (ENF), is now attracting interest from the FBI and is considered the exciting new frontier in digital forensics, with power lines acting as silent witnesses to crime. In the "high profile" murder trial, which took place earlier this year, ENF meant prosecutors were able to show that a seized voice recording that...

Tue, 15 Jun 2010 18:05:14 UTC

Reading Me

Posted By Bruce Schneier

The number of different ways to read my essays, commentaries, and links has grown recently. Here's the rundown: You can read my writings daily on my blog. These are reprinted on my Facebook page. They are also reprinted on my LiveJournal feed. You can follow them on Twitter. And you can subscribe to the RSS feed, both full text and...

Tue, 15 Jun 2010 11:02:15 UTC

Fifth Annual Movie-Plot Threat Contest Winner

Posted By Bruce Schneier

On April 1, I announced the Fifth Annual Movie Plot Threat Contest: Your task, ye Weavers of Tales, is to create a fable or fairytale suitable for instilling the appropriate level of fear in children so they grow up appreciating all the lords do to protect them. On May 15, I announced the five semi-finalists. Voting continued through the end...

Mon, 14 Jun 2010 18:46:48 UTC

Protecting Cars with The Club

Posted By Bruce Schneier

From the Freakonomics blog: At some point, the Club was mentioned. The professional thieves laughed and exchanged knowing glances. What we knew was that the Club is a hardened steel device that attaches to the steering wheel and the brake pedal to prevent steering and/or braking. What we found out was that a pro thief would carry a short piece...

Mon, 14 Jun 2010 11:23:41 UTC

Behavioral Profiling at Airports

Posted By Bruce Schneier

There's a long article in Nature on the practice: It remains unclear what the officers found anomalous about George's behaviour, and why he was detained. The TSA's parent agency, the Department of Homeland Security (DHS), has declined to comment on his case because it is the subject of a federal lawsuit that was filed on George's behalf in February by...

Fri, 11 Jun 2010 21:32:03 UTC

Friday Squid Blogging: Polymer Clay Squid Ornament

Posted By Bruce Schneier

Cute....

Fri, 11 Jun 2010 19:12:55 UTC

Security Cartoon

Posted By Bruce Schneier

Hi and Lois, no less....

Fri, 11 Jun 2010 17:08:35 UTC

Mainstream Cost-Benefit Security Analysis

Posted By Bruce Schneier

This essay in The New York Times is refreshingly cogent: You've seen it over and over. At a certain intersection in a certain town, there'll be an unfortunate accident. A child is hit by a car. So the public cries out, the town politicians band together, and the next thing you know, they've spent $60,000 to install speed bumps, guardrails...

Fri, 11 Jun 2010 11:58:54 UTC

Botox as a Terrorist Threat

Posted By Bruce Schneier

From Scientific American, no less....

Thu, 10 Jun 2010 17:56:02 UTC

Ninth Workshop on Economics and Information Security

Posted By Bruce Schneier

Earlier this week, the Ninth Workshop on Economics and Information Security (WEIS 2010) was held at Harvard. As always, it was a great workshop with some very interesting papers. Ross Anderson liveblogged the event....

Thu, 10 Jun 2010 12:10:57 UTC

The "Quake" Simulation and Risk Perception

Posted By Bruce Schneier

Read this....

Thu, 10 Jun 2010 11:34:43 UTC

Hiring Hackers

Posted By Bruce Schneier

Any essay on hiring hackers quickly gets bogged down in definitions. What is a hacker, and how is he different from a cracker? I have my own definitions, but I'd rather define the issue more specifically: Would you hire someone convicted of a computer crime to fill a position of trust in your computer network? Or, more generally, would you...

Wed, 09 Jun 2010 17:59:21 UTC

DARPA Research into Clean-Slate Network Security Redesign

Posted By Bruce Schneier

This looks like a good research direction: Is it possible that given a clean slate and likely millions of dollars, engineers could come up with the ultimate in secure network technology? The scientists at the Defense Advanced Research Projects Agency (DARPA) think so and this week announced the Clean Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program that looks...

Wed, 09 Jun 2010 11:24:37 UTC

Terrorists Placing Fake Bombs in Public Places

Posted By Bruce Schneier

Supposedly, the latest terrorist tactic is to place fake bombs -- suspicious looking bags, backpacks, boxes, and coolers -- in public places in an effort to paralyze the city and probe our defenses. The article is unclear about whether or not this has actually ever happened, only that the FBI is warning of the tactic. Citing an FBI informational document,...

Tue, 08 Jun 2010 18:04:15 UTC

Fear in a Political Ad

Posted By Bruce Schneier

Carly Fiorina wants to scare Californians into voting for her. Yes, terrorists kill -- about as often as home appliances....

Tue, 08 Jun 2010 11:30:27 UTC

Bletchley Park Archives to Go Online

Posted By Bruce Schneier

This is good: Simon Greenish, chief executive officer of the Bletchley Park Trust, said the plan was for the centre's entire archive to be digitised. [...] He said since the archive is so big nobody knows exactly what each individual document stored there contains. However, the information they expect to dig out will definitely include communication transcripts, communiques, memoranda, photographs,...

Mon, 07 Jun 2010 10:43:35 UTC

How to Spot a CIA Officer

Posted By Bruce Schneier

How to spot a CIA officer, at least in the mid 1970s. The reason the CIA office was located in the embassy -- as it is in most of the other countries in the world -- is that by presidential order the State Department is responsible for hiding and housing the CIA. Like the intelligence services of most other countries,...

Fri, 04 Jun 2010 21:20:31 UTC

Friday Squid Blogging: Kid vs. Squid

Posted By Bruce Schneier

A book. Also, read this....

Fri, 04 Jun 2010 20:30:44 UTC

The Four Stages of Fear

Posted By Bruce Schneier

Interesting: In the throes of intense fear, we suddenly find ourselves operating in a different and unexpected way. The psychological tools that we normally use to navigate the world -- reasoning and planning before we act -- get progressively shut down. In the grip of the brain's subconscious fear centers, we behave in ways that to our rational mind seem nonsensical or worse. We...

Thu, 03 Jun 2010 11:44:24 UTC

World War II Sabotage Field Manual

Posted By Bruce Schneier

The OSS Simple Sabotage Field Manual from 1944....

Wed, 02 Jun 2010 11:39:20 UTC

Intelligence Can Never Be Perfect

Posted By Bruce Schneier

Go read this article -- "Setting impossible standards on intelligence" -- on laying blame for the intelligence "failure" that allowed the Underwear Bomber to board an airplane on Christmas Day. Although the CIA, FBI, and Defense, State, Treasury and Homeland Security departments have counterterrorism analytic units -- some even with information-gathering operations -- the assumption is that all of the...

Tue, 01 Jun 2010 18:00:56 UTC

Voluntary Security Inspections

Posted By Bruce Schneier

What could possibly be the point of this? Cars heading to Austin-Bergstrom International Airport will see random, voluntary inspections Monday. The searches are part of an increase in security at the airport. It's a joint operation between the U.S. Department of Homeland Security, Austin Police, and airport security. The enhancements are not a response to specific threats, and the security...

Tue, 01 Jun 2010 10:54:30 UTC

Terrorizing Ourselves

Posted By Bruce Schneier

Who needs actual terrorists? How's this for an ill-conceived emergency preparedness drill? An off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun, which he pointed at nurses while herding them down a corridor and into a room. There, after harrowing moments, he explained that the whole caper was a training exercise. [...]...

Mon, 31 May 2010 13:58:29 UTC

Canada Spending $1B on Security for G8/G20 Summit in June

Posted By Bruce Schneier

Amazing: The Canadian government disclosed Tuesday that the total price tag to police the elite Group of Eight meeting in Muskoka, as well as the bigger-tent Group of 20 summit starting a day later in downtown Toronto, has already climbed to more than $833-million. It said it's preparing to spend up to $930-million for the three days of meetings that...

Fri, 28 May 2010 21:52:27 UTC

Friday Squid Blogging: 500-Million-Year-Old Squid

Posted By Bruce Schneier

Early squid: New Canadian research into 500 million-year-old carnivore fossils has revealed an early ancestor of modern-day squids and octopuses, solving the mystery surrounding a previously unclassifiable creature. "This is significant because it means that primitive cephalopods were around much earlier than we thought, and offers a reinterpretation of the long-held origins of this important group of marine animals," Martin...

Fri, 28 May 2010 21:21:50 UTC

Friday Squid Blogging: The Contents of Squid Stomachs

Posted By Bruce Schneier

Not that interesting, really. Preliminarily, I can tell you that within my sample, cannibalism seems to be on the rise, myctophid consumption is falling, and a lot more squid may be dying hungry....

Fri, 28 May 2010 17:00:58 UTC

Another Scene from an Airport

Posted By Bruce Schneier

I've gotten to the front of the security line at a different airport, and handed a different TSA officer my ID and ticket. TSA Officer: (Looks everything over. Reads the name on my passport.) The Bruce Schneier? Me: (Nods, managing not to say: "No no, just a Bruce Schneier; didn't you hear I come in six-packs?") TSA Officer: The security...

Fri, 28 May 2010 11:24:37 UTC

Low-Tech Burglars to Get Lighter Sentences in Louisiana

Posted By Bruce Schneier

This is the kind of law that annoys me: A Senate bill to toughen penalties for crimes committed with the aid of Internet-generated "virtual maps," including acts of terrorism, won quick approval Monday in the House. [...] Adley's bill defines a "virtual street-level map" as one that is available on the Internet and can generate the location or picture of...

Thu, 27 May 2010 11:50:15 UTC

End-to-End Encrypted Cell Phone Calls

Posted By Bruce Schneier

Android app. (Slashdot thread.)...

Wed, 26 May 2010 14:16:30 UTC

If You See Something, Think Twice About Saying Something

Posted By Bruce Schneier

"If you see something, say something." Or, maybe not: The Travis County Criminal Justice Center was closed for most of the day on Friday, May 14, after a man reported that a "suspicious package" had been left in the building. The court complex was evacuated, and the APD Explosive Ordinance Disposal Unit was called in for a look-see. The package...

Tue, 25 May 2010 13:20:43 UTC

Infosec Television Commercial

Posted By Bruce Schneier

LIGATT Security certainly hopes to scare people....

Mon, 24 May 2010 19:29:42 UTC

Scene from an Airport

Posted By Bruce Schneier

I've gotten to the front of the security line and handed the TSA officer my ID and ticket. TSA Officer: (Looks at my ticket. Looks at my ID. Looks at me. Smiles.) Me: (Smiles back.) TSA Officer: (Looks at my ID. Looks at me. Smiles.) Me: (Tips hat. Smiles back.) TSA Officer: A beloved name from the blogosphere. Me: And...

Mon, 24 May 2010 12:32:50 UTC

Alerting Users that Applications are Using Cameras, Microphones, Etc.

Posted By Bruce Schneier

Interesting research: "What You See is What They Get: Protecting users from unwanted use of microphones, cameras, and other sensors," by Jon Howell and Stuart Schechter. Abstract: Sensors such as cameras and microphones collect privacy-sensitive data streams without the user's explicit action. Conventional sensor access policies either hassle users to grant applications access to sensors or grant with no approval...

Fri, 21 May 2010 21:26:05 UTC

Friday Squid Blogging: Squid Desktop

Posted By Bruce Schneier

Pretty....

Fri, 21 May 2010 18:17:39 UTC

Applications Disclosing Required Authority

Posted By Bruce Schneier

This is an interesting piece of research evaluating different user interface designs by which applications disclose to users what sort of authority they need to install themselves. Given all the recent concerns about third-party access to user data on social networking sites (particularly Facebook), this is particularly timely research. We have provided evidence of a growing trend among application platforms...

Fri, 21 May 2010 11:56:00 UTC

Automobile Security Analysis

Posted By Bruce Schneier

"Experimental Security Analysis of a Modern Automobile," by a whole mess of authors: Abstract: Modern automobiles are no longer mere mechanical devices; they are pervasively monitored and controlled by dozens of digital computers coordinated via internal vehicular networks. While this transformation has driven major advancements in efficiency and safety, it has also introduced a range of new potential risks. In...

Thu, 20 May 2010 18:28:11 UTC

Detecting Browser History

Posted By Bruce Schneier

Interesting research. Main results: [...] We analyzed the results from over a quarter of a million people who ran our tests in the last few months, and found that we can detect browsing histories for over 76% of them. All major browsers allow their users' history to be detected, but it seems that users of the more modern browsers such...

Thu, 20 May 2010 11:50:45 UTC

Militarized Marine Mammals

Posted By Bruce Schneier

Dolphins and sea lions: A Navy seal - actually a sea lion - took less than a minute to find a fake mine under a pier near San Francisco's AT&T Park. A dolphin quickly located a terrorist lurking in the black water before another sea lion, using a device carried in its mouth, cuffed the pretend saboteur's ankle so authorities...

Tue, 18 May 2010 18:16:07 UTC

History of NSA Computers

Posted By Bruce Schneier

A recently declassified history through 1964....

Tue, 18 May 2010 12:29:13 UTC

Outsourcing to an Indian Jail

Posted By Bruce Schneier

This doesn't seem like the best idea: Authorities in the southern Indian state of Andhra Pradesh are planning to set up an outsourcing unit in a jail. The unit will employ 200 educated convicts who will handle back office operations like data entry, and process and transmit information. It's not necessarily a bad idea, as long as misusable information isn't...

Mon, 17 May 2010 18:30:18 UTC

Insect-Based Terrorism

Posted By Bruce Schneier

Sounds like fearmongering to me. How real is the threat? Many of the world's most dangerous pathogens already are transmitted by arthropods, the animal phylum that includes mosquitoes. But so far the United States has not been exposed to a large-scale spread of vector-borne diseases like Rift Valley, chikungunya fever or Japanese encephalitis. But terrorists with a cursory knowledge of...

Mon, 17 May 2010 11:18:06 UTC

Software Liabilities in the UK

Posted By Bruce Schneier

The British High Court ruled that a software vendor's EULA -- which denied all liability for poor software -- was not reasonable. I wrote about software liabilities back in 2003....

Fri, 14 May 2010 21:41:51 UTC

Friday Squid Blogging: Squid T-Shirts

Posted By Bruce Schneier

Some nice ones (ignore the dinosaurs)....

Fri, 14 May 2010 19:36:47 UTC

I Won a CSO Compass Award

Posted By Bruce Schneier

And CSO published a Q&A with me....

Fri, 14 May 2010 16:50:23 UTC

New Windows Attack

Posted By Bruce Schneier

It's still only in the lab, but nothing detects it right now: The attack is a clever "bait-and-switch" style move. Harmless code is passed to the security software for scanning, but as soon as it's given the green light, it's swapped for the malicious code. The attack works even more reliably on multi-core systems because one thread doesn't keep an...

Fri, 14 May 2010 11:51:42 UTC

Fifth Annual Movie-Plot Threat Contest Semi-Finalists

Posted By Bruce Schneier

On April 1, I announced the Fifth Annual Movie Plot Threat Contest: Your task, ye Weavers of Tales, is to create a fable or fairytale suitable for instilling the appropriate level of fear in children so they grow up appreciating all the lords do to protect them. Submissions are in, and here are the semifinalists. Untitled story about polar bears,...

Thu, 13 May 2010 11:53:31 UTC

Worst-Case Thinking

Posted By Bruce Schneier

At a security conference recently, the moderator asked the panel of distinguished cybersecurity leaders what their nightmare scenario was. The answers were the predictable array of large-scale attacks: against our communications infrastructure, against the power grid, against the financial system, in combination with a physical attack. I didn't get to give my answer until the afternoon, which was: "My nightmare...

Wed, 12 May 2010 12:08:02 UTC

"If You See Something, Say Something"

Posted By Bruce Schneier

That slogan is owned by New York's Metropolitan Transit Authority (the MTA). Since obtaining the trademark in 2007, the authority has granted permission to use the phrase in public awareness campaigns to 54 organizations in the United States and overseas, like Amtrak, the Chicago Transit Authority, the emergency management office at Stony Brook University and three states in Australia. Of...

Tue, 11 May 2010 17:27:14 UTC

Biometric Wallet

Posted By Bruce Schneier

Cool idea, or dumb idea? Its features include: Fingerprint access only. Bluetooth enabled for notification alerts -- automated notification via bluetooth if your wallet strays more than 10 feet from your body. Protected against RFID electronic theft -- the case shields all contents from RFID scanners...

Tue, 11 May 2010 11:29:15 UTC

Reflections of a Former U-2 Pilot

Posted By Bruce Schneier

Interesting....

Mon, 10 May 2010 19:11:28 UTC

SnapScouts

Posted By Bruce Schneier

I sure hope this is a parody: SnapScouts Keep America Safe! Want to earn tons of cool badges and prizes while competing with your friends to see who can be the best American? Download the SnapScouts app for your Android phone (iPhone app coming soon) and get started patrolling your neighborhood. It's up to you to keep America safe! If...

Mon, 10 May 2010 11:15:12 UTC

9/11 Made us Safer?

Posted By Bruce Schneier

There's an essay on the Computerworld website that claims I implied, and believe, so: OK, so strictly-speaking, he doesn't use those exact words, but the implication is certainly clear. In a discussion about why there aren't more terrorist attacks, he argues that 'minor' terrorist plots like the Times Square car bomb are counter-productive for terrorist groups, because "9/11 upped the...

Fri, 07 May 2010 21:26:09 UTC

Friday Squid Blogging: The Colossal Squid isn't a Vicious Predator

Posted By Bruce Schneier

New research shows that, even though it's 15 meters long, it's not the kraken of myth: Its large size and predatory nature fuelled the ancient myth of the underwater "kraken" seamonster and modern speculation that the colossal squid must be aggressive and fast, attributes that allow it to prey on fish and even give sperm whales a hard time. Yet...

Fri, 07 May 2010 18:35:36 UTC

I Was Named as One of the Top 10 Science and Technology Writers

Posted By Bruce Schneier

Someone named me as one of the top 10 science and technology writers of all time. Flattering though it is, I don't think I belong in the company of Einstein, Newton, Darwin, and Asimov....

Fri, 07 May 2010 11:56:43 UTC

Cory Doctorow Gets Phished

Posted By Bruce Schneier

It can happen to anyone: Here's how I got fooled. On Monday, I unlocked my Nexus One phone, installing a new and more powerful version of the Android operating system that allowed me to do some neat tricks, like using the phone as a wireless modem on my laptop. In the process of reinstallation, I deleted all my stored passwords...

Thu, 06 May 2010 18:13:55 UTC

WiFi Cracking Kits

Posted By Bruce Schneier

WiFi cracking kits are being sold in China....

Thu, 06 May 2010 12:06:17 UTC

Nobody Encrypts their Phone Calls

Posted By Bruce Schneier

From the Forbes blog: In an annual report published Friday by the U.S. judicial system on the number of wiretaps it granted over the past year ..., the courts revealed that there were 2,376 wiretaps by law enforcement agencies in 2009, up 26% from 1,891 the year before, and up 76% from 1999. (Those numbers, it should be noted, don't...

Wed, 05 May 2010 12:09:26 UTC

Why Aren't There More Terrorist Attacks?

Posted By Bruce Schneier

As the details of the Times Square car bomb attempt emerge in the wake of Faisal Shahzad's arrest Monday night, one thing has already been made clear: Terrorism is fairly easy. All you need is a gun or a bomb, and a crowded target. Guns are easy to buy. Bombs are easy to make. Crowded targets -- not only in...

Tue, 04 May 2010 18:31:18 UTC

Preventing Terrorist Attacks in Crowded Areas

Posted By Bruce Schneier

On the New York Times Room for Debate Blog, I -- along with several other people -- was asked about how to prevent terrorist attacks in crowded areas. This is my response. In the wake of Saturday's failed Times Square car bombing, it's natural to ask how we can prevent this sort of thing from happening again. The answer is...

Tue, 04 May 2010 11:45:38 UTC

Malcolm Gladwell on Spies

Posted By Bruce Schneier

Good quote: Translation: the proper function of spies is to remind those who rely on spies that the kinds of thing found out by spies can't be trusted. Nice article on the British Operation Mincemeat in World War II....

Mon, 03 May 2010 14:32:29 UTC

Security Analysis of India's Electronic Voting Machines

Posted By Bruce Schneier

They're vulnerable to fraud....

Fri, 30 Apr 2010 21:04:16 UTC

Friday Squid Blogging: Squid Purity Test

Posted By Bruce Schneier

I didn't know this: A Squid is a motorcycle rider who, experienced or not, rides outside his abilities and sets poor examples by attire, propriety, and general behavior on the motorcycle. 115 questions in the test....

Fri, 30 Apr 2010 19:28:17 UTC

Homeopathic Bomb

Posted By Bruce Schneier

This is funny: The world has been placed on a heightened security alert following reports that New Age terrorists have harnessed the power of homeopathy for evil. "Homeopathic weapons represent a major threat to world peace," said President Barack Obama, "they might not cause any actual damage but the placebo effect could be quite devastating." [...] Homeopathic bombs are comprised...

Fri, 30 Apr 2010 12:24:01 UTC

Fun with Secret Questions

Posted By Bruce Schneier

Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions: Q: Do you know why I think...

Thu, 29 Apr 2010 18:28:04 UTC

Hypersonic Cruise Missiles

Posted By Bruce Schneier

The U.S. is developing a weapon capable of striking anywhere on the planet within an hour. The article talks about the possibility of modifying Trident missiles -- problematic because they would be indistinguishable from nuclear weapons -- and using the Mach 5-capable X-51 hypersonic cruise missile. Interesting technology, but we really need to think through the political ramifications of this...

Thu, 29 Apr 2010 11:40:57 UTC

Frank Furedi on Worst-Case Thinking

Posted By Bruce Schneier

Nice essay by sociologist Frank Furedi on worst-case thinking, exemplified by our reaction to the Icelandic volcano: I am not a natural scientist, and I claim no authority to say anything of value about the risks posed by volcanic ash clouds to flying aircraft. However, as a sociologist interested in the process of decision-making, it is evident to me that...

Wed, 28 Apr 2010 18:21:20 UTC

Can Safes

Posted By Bruce Schneier

Hiding your valuables in common household containers is an old trick. Diversion safes look like containers designed to hide your valuables in plain sight. Common diversion safes include fake brand name containers for soda pop, canned fruit, home cleaners, or even novels. Diversion can safes have removable tops or bottoms so that you can put your goods in them, and...

Wed, 28 Apr 2010 12:39:09 UTC

Seat Belt Use and Lessons for Security Awareness

Posted By Bruce Schneier

From Lance Spitzner: In January of this year the National Highway Traffic Safety Administration released a report called "Analyzing the First Years Of the Ticket or Click It Mobilizations"... While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 - 2006, when most states...

Tue, 27 Apr 2010 18:26:13 UTC

Attack Against Apache.org

Posted By Bruce Schneier

This blog entry should serve as a model for open and transparent security self-reporting. I'm impressed. More news reports....

Tue, 27 Apr 2010 11:27:02 UTC

New York Police Protect Obama from Bicycles

Posted By Bruce Schneier

They were afraid that they might contain pipe bombs. This is the correct reaction: In any case, I suspect someone somewhere just panicked at the possibility that something might explode near the President on his watch, since the whole operation has the finesse of a teenage stoner shoving his pot paraphernalia under the bed and desperately trying to clear the...

Mon, 26 Apr 2010 17:55:31 UTC

ICPP Pre-Trial Settlement Scam

Posted By Bruce Schneier

Nasty scam, where the user is pressured into accepting a "pre-trial settlement" for copyright violations. The level of detail is impressive....

Mon, 26 Apr 2010 12:20:41 UTC

Punishing Security Breaches

Posted By Bruce Schneier

The editor of the Freakonomics blog asked me to write about this topic. The idea was that they would get several opinions, and publish them all. They spiked the story, but I already wrote my piece. So here it is. In deciding what to do with Gray Powell, the Apple employee who accidentally left a secret prototype 4G iPhone in...

Fri, 23 Apr 2010 21:30:57 UTC

Friday Squid Blogging: SquidSquid.com

Posted By Bruce Schneier

SquidSquid.com....

Fri, 23 Apr 2010 19:48:16 UTC

Video Interviews with Me

Posted By Bruce Schneier

Mike Mimoso interviewed me at the RSA Conference last month....

Fri, 23 Apr 2010 18:39:31 UTC

Two Security Cartoons

Posted By Bruce Schneier

One, and two....

Fri, 23 Apr 2010 12:43:04 UTC

The Doghouse: Lock My PC

Posted By Bruce Schneier

Lock My PC 4 has a master password....

Thu, 22 Apr 2010 18:31:03 UTC

Booby-trapping a PDF File

Posted By Bruce Schneier

Interesting....

Thu, 22 Apr 2010 11:19:45 UTC

NIST on Protecting Personally Identifiable Information

Posted By Bruce Schneier

Just published: Special Publication (SP) 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)." It's 60 pages long; I haven't read it....

Wed, 21 Apr 2010 17:55:34 UTC

Security Fog

Posted By Bruce Schneier

An odd burglary prevention tool: If a burglar breaks in, the system floods the business with a dense fog similar to what's used in theaters and nightclubs. An intense strobe light blinds and disorients the crook. [...] Mazrouei said the cost to install the system starts at around $3,000. Police point out that the system blinds interior security cameras as...

Wed, 21 Apr 2010 11:07:40 UTC

Personal Code Ink

Posted By Bruce Schneier

Remember SmartWater: liquid imbued with a uniquely identifiable DNA-style code? Well, Mont Blanc is selling a pen with uniquely identifiable ink....

Tue, 20 Apr 2010 18:50:21 UTC

Young People, Privacy, and the Internet

Posted By Bruce Schneier

There's a lot out there on this topic. I've already linked to danah boyd's excellent SXSW talk (and her work in general), my essay on privacy and control, and my talk -- "Security, Privacy, and the Generation Gap" -- which I've given four times in the past two months. Last week, two new papers were published on the topic. "Youth,...

Tue, 20 Apr 2010 11:14:32 UTC

The Effectiveness of Political Assassinations

Posted By Bruce Schneier

This is an excellent read: I wouldn't have believed you if you'd told me 20 years ago that America would someday be routinely firing missiles into countries it's not at war with. For that matter, I wouldn't have believed you if you'd told me a few months ago that America would soon be plotting the assassination of an American citizen...

Mon, 19 Apr 2010 18:26:37 UTC

Lt. Gen. Alexander and the U.S. Cyber Command

Posted By Bruce Schneier

Lt. Gen. Keith Alexander, the current Director of NSA, has been nominated to head the US Cyber Command. Last week Alexander appeared before the Senate Armed Services Committee to answer questions. The Chairman of the Armed Services Committee, Senator Carl Levin (D Michigan) began by posing three scenarios to Lieutenant General Alexander: Scenario 1. A traditional operation against an adversary,...

Mon, 19 Apr 2010 11:30:23 UTC

Life Recorder

Posted By Bruce Schneier

In 2006, writing about future threats on privacy, I described a life recorder: A "life recorder" you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded. I can't find...

Fri, 16 Apr 2010 21:20:51 UTC

Friday Squid Blogging: Tentacle Tie

Posted By Bruce Schneier

Very nice....

Fri, 16 Apr 2010 17:46:13 UTC

Fake CCTV Cameras

Posted By Bruce Schneier

CCTV cameras in Moscow have been accused of streaming prerecorded video instead of live images. What I can't figure out is why? To me, it seems easier for the cameras to stream live video than prerecorded images....

Fri, 16 Apr 2010 11:28:32 UTC

Guns Painted to Look Like Toys

Posted By Bruce Schneier

Last weekend I was in New York, and saw posters on the subways warning people about real guns painted to look like toys. And today I find these pictures from the Baltimore police department. Searching, I find this article from 2006 New York. I had no idea this was a thing....

Thu, 15 Apr 2010 18:55:29 UTC

Security for Implantable Medical Devices

Posted By Bruce Schneier

Interesting study: "Patients, Pacemakers, and Implantable Defibrillators: Human Values and Security for Wireless Implantable Medical Devices," Tamara Denning, Alan Borning, Batya Friedman, Brian T. Gill, Tadayoshi Kohno, and William H. Maisel. Abstract: Implantable medical devices (IMDs) improve patients' quality of life and help sustain their lives. In this study, we explore patient views and values regarding their devices to inform...

Thu, 15 Apr 2010 11:43:46 UTC

Storing Cryptographic Keys with Invisible Tattoos

Posted By Bruce Schneier

This idea, by Stuart Schechter at Microsoft Research, is -- I think -- clever: Abstract: Implantable medical devices, such as implantable cardiac defibrillators and pacemakers, now use wireless communication protocols vulnerable to attacks that can physically harm patients. Security measures that impede emergency access by physicians could be equally devastating. We propose that access keys be written into patients' skin...

Wed, 14 Apr 2010 18:30:41 UTC

Matt Blaze Comments on his 15-Year-Old "Afterword"

Posted By Bruce Schneier

Fifteen years ago, Matt Blaze wrote an Afterword to my book Applied Cryptography. Here are his current thoughts on that piece of writing....

Wed, 14 Apr 2010 11:57:07 UTC

Externalities and Identity Theft

Posted By Bruce Schneier

Chris Hoofnagle has a new paper: "Internalizing Identity Theft." Basically, he shows that one of the problems is that lenders extend credit even when credit applications are sketchy. From an article on the work: Using a 2003 amendment to the Fair Credit Reporting Act that allows victims of ID theft to ask creditors for the fraudulent applications submitted in their...

Tue, 13 Apr 2010 18:18:28 UTC

Terrorist Attacks and Comparable Risks, Part 2

Posted By Bruce Schneier

John Adams argues that our irrationality about comparative risks depends on the type of risk: With "pure" voluntary risks, the risk itself, with its associated challenge and rush of adrenaline, is the reward. Most climbers on Mount Everest know that it is dangerous and willingly take the risk. With a voluntary, self-controlled, applied risk, such as driving, the reward is...

Tue, 13 Apr 2010 11:07:02 UTC

Terrorist Attacks and Comparable Risks, Part 1

Posted By Bruce Schneier

Nice analysis by John Mueller and Mark G. Stewart: There is a general agreement about risk, then, in the established regulatory practices of several developed countries: risks are deemed unacceptable if the annual fatality risk is higher than 1 in 10,000 or perhaps higher than 1 in 100,000 and acceptable if the figure is lower than 1 in 1 million...

Mon, 12 Apr 2010 18:32:08 UTC

Man-in-the-Middle Attacks Against SSL

Posted By Bruce Schneier

Says Matt Blaze: A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that much. Scary research by Christopher Soghoian and Sid Stamm: Abstract: This paper introduces a new attack, the compelled certificate creation attack, in which government agencies...

Mon, 12 Apr 2010 11:08:40 UTC

Makeup to Fool Face Recognition Software

Posted By Bruce Schneier

An NYU student has been reverse-engineering facial recognition algorithms to devise makeup patterns to confuse face recognition software....

Fri, 09 Apr 2010 21:21:22 UTC

Friday Squid Blogging: Another Squid T-Shirt

Posted By Bruce Schneier

Cute....

Fri, 09 Apr 2010 18:58:48 UTC

Me in CRN

Posted By Bruce Schneier

CRN Magazine named me as one of its security superstars of 2010....

Fri, 09 Apr 2010 17:55:23 UTC

Schneier on "Security, Privacy, and the Generation Gap"

Posted By Bruce Schneier

Last month at the RSA Conference, I gave a talk titled "Security, Privacy, and the Generation Gap." It was pretty good, but it was the first time I gave that talk in front of a large audience -- and its newness showed. Last week, I gave the same talk again, at the CACR Higher Education Security Summit at Indiana University....

Fri, 09 Apr 2010 11:49:40 UTC

The Economics of Dueling

Posted By Bruce Schneier

Dueling has a rational economic basis....

Thu, 08 Apr 2010 18:05:21 UTC

Cryptanalysis of the DECT

Posted By Bruce Schneier

New cryptanalysis of the proprietary encryption algorithm used in the Digital Enhanced Cordless Telecommunications (DECT) standard for cordless phones. Abstract. The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from...

Thu, 08 Apr 2010 11:22:04 UTC

The Effectiveness of Air Marshals

Posted By Bruce Schneier

Air marshals are being arrested faster than air marshals are making arrests. Actually, there have been many more arrests of Federal air marshals than that story reported, quite a few for felony offenses. In fact, more air marshals have been arrested than the number of people arrested by air marshals. We now have approximately 4,000 in the Federal Air Marshals...

Wed, 07 Apr 2010 18:37:52 UTC

Cryptography Broken on American Military Attack Video

Posted By Bruce Schneier

Any ideas? At a news conference at the National Press Club, WikiLeaks said it had acquired the video from whistle-blowers in the military and viewed it after breaking the encryption code. WikiLeaks released the full 38-minute video as well as a 17-minute edited version. And this quote from the WikiLeaks Twitter feed on Feb 20th: Finally cracked the encryption to...

Wed, 07 Apr 2010 13:52:56 UTC

New York and the Moscow Subway Bombing

Posted By Bruce Schneier

People intent on preventing a Moscow-style terrorist attack against the New York subway system are proposing a range of expensive new underground security measures, some temporary and some permanent. They should save their money -- and instead invest every penny they're considering pouring into new technologies into intelligence and old-fashioned policing. Intensifying security at specific stations only works against terrorists...

Tue, 06 Apr 2010 18:40:47 UTC

Bypassing the Chain on Hotel-Room Doors

Posted By Bruce Schneier

Technique, plus video....

Tue, 06 Apr 2010 12:47:27 UTC

Privacy and Control

Posted By Bruce Schneier

In January, Facebook Chief Executive, Mark Zuckerberg, declared the age of privacy to be over. A month earlier, Google Chief Eric Schmidt expressed a similar sentiment. Add Scott McNealy's and Larry Ellison's comments from a few years earlier, and you've got a whole lot of tech CEOs proclaiming the death of privacy--especially when it comes to young people. It's just...

Mon, 05 Apr 2010 18:30:38 UTC

Detecting Being Watched

Posted By Bruce Schneier

This seems like science fiction to me: The camera uses the same "red eye" effect from camera flashes to project it hundreds of meters, allowing it to identify binoculars, sniper scopes, cameras and even human eyeballs that are staring at you....

Mon, 05 Apr 2010 13:31:30 UTC

"Protecting Europe Against Large-Scale Cyber-Attacks"

Posted By Bruce Schneier

Report from the House of Lords in the UK (pdf version)....

Fri, 02 Apr 2010 21:44:05 UTC

Friday Squid Blogging: Squid Confit

Posted By Bruce Schneier

Looks tasty....

Fri, 02 Apr 2010 17:30:29 UTC

iPhone Secret Decoder Ring

Posted By Bruce Schneier

It'll protect your secrets from your kid sister, unless she's smarter than that. Looks cool, though....

Fri, 02 Apr 2010 11:14:36 UTC

DHS Cybersecurity Awareness Campaign Challenge

Posted By Bruce Schneier

This is a little hokey, but better them than the NSA: The National Cybersecurity Awareness Campaign Challenge Competition is designed to solicit ideas from industry and individuals alike on how best we can clearly and comprehensively discuss cybersecurity with the American public. Key areas that should be factored into the competition are the following: Teamwork Ability to quantify the distribution...

Thu, 01 Apr 2010 18:33:46 UTC

Explosive Breast Implants -- Not an April Fool's Joke

Posted By Bruce Schneier

Is MI5 playing a joke on us? Female homicide bombers are being fitted with exploding breast implants which are almost impossible to detect, British spies have reportedly discovered. [...] MI5 has also discovered that extremists are inserting the explosives into the buttocks of some male bombers. "Women suicide bombers recruited by Al Qaeda are known to have had the explosives...

Thu, 01 Apr 2010 11:24:16 UTC

Fifth Annual Movie-Plot Threat Contest

Posted By Bruce Schneier

Once upon a time, men and women throughout the land lived in fear. This caused them to do foolish things that made them feel better temporarily, but didn't make them any safer. Gradually, some people became less fearful, and less tolerant of the foolish things they were told to submit to. The lords who ruled the land tried to revive...

Wed, 31 Mar 2010 18:24:39 UTC

Security Cameras in the New York City Subways

Posted By Bruce Schneier

The New York Times has an article about cameras in the subways. The article is all about how horrible it is that the cameras don't work: Moreover, nearly half of the subway system's 4,313 security cameras that have been installed – in stations and tunnels throughout the system – do not work, because of either shoddy software or construction problems,...

Wed, 31 Mar 2010 11:54:05 UTC

Should the Government Stop Outsourcing Code Development?

Posted By Bruce Schneier

Information technology is increasingly everywhere, and it's the same technologies everywhere. The same operating systems are used in corporate and government computers. The same software controls critical infrastructure and home shopping. The same networking technologies are used in every country. The same digital infrastructure underpins the small and the large, the important and the trivial, the local and the global;...

Tue, 30 Mar 2010 18:59:16 UTC

Leaders Make Better Liars

Posted By Bruce Schneier

According to new research: The researchers found that subjects assigned leadership roles were buffered from the negative effects of lying. Across all measures, the high-power liars -- the leaders -- resembled truthtellers, showing no evidence of cortisol reactivity (which signals stress), cognitive impairment or feeling bad. In contrast, low-power liars -- the subordinates -- showed the usual signs of stress...

Tue, 30 Mar 2010 11:06:05 UTC

Jeremy Clarkson on Security Guards

Posted By Bruce Schneier

Nice essay: Of course, we know why he's really there. He's really there so that if the bridge is destroyed by terrorists, the authorities can appear on the television news and say they had taken all possible precautions. Plus, if you employ a security guard, then I should imagine that your insurance premiums are going to be significantly lower. This...

Mon, 29 Mar 2010 18:48:27 UTC

Master Thief

Posted By Bruce Schneier

The amazing story of Gerald Blanchard. Thorough as ever, Blanchard had spent many previous nights infiltrating the bank to do recon or to tamper with the locks while James acted as lookout, scanning the vicinity with binoculars and providing updates via a scrambled-band walkie-talkie. He had put a transmitter behind an electrical outlet, a pinhole video camera in a thermostat,...

Mon, 29 Mar 2010 12:15:17 UTC

Identifying People by their Bacteria

Posted By Bruce Schneier

A potential new forensic: To determine how similar a person's fingertip bacteria are to bacteria left on computer keys, the team took swabs from three computer keyboards and compared bacterial gene sequences with those from the fingertips of the keyboard owners. Today in the Proceedings of the National Academy of Sciences, they conclude that enough bacteria can be collected from...

Fri, 26 Mar 2010 21:01:22 UTC

Friday Squid Blogging: Sexing Squid

Posted By Bruce Schneier

Tips and tricks....

Fri, 26 Mar 2010 18:16:54 UTC

Schneier Blogging Template

Posted By Bruce Schneier

Eerily accurate: Catchy one-liner ("interesting," with link): In this part of the blog post, Bruce quotes something from the article he links to in the catchy phrase. It might be the abstract to an academic article, or the key points in a subject he's trying to get across. To get the post looking right, you have to include at least...

Fri, 26 Mar 2010 16:27:53 UTC

Hard Drives in Photocopy Machines

Posted By Bruce Schneier

Modern photocopy machines contain hard drives that often have scans of old documents. This matters when an office disposes of an old copier. It also matters if you make your copies at a commercial copy center like Kinko's....

Fri, 26 Mar 2010 11:04:39 UTC

Side-Channel Attacks on Encrypted Web Traffic

Posted By Bruce Schneier

Nice paper: "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow," by Shuo Chen, Rui Wang, XiaoFeng Wang, and Kehuan Zhang. Abstract. With software-as-a-service becoming mainstream, more and more applications are delivered to the client through the Web. Unlike a desktop application, a web application is split into browser-side and server-side components. A subset of the application's internal...

Thu, 25 Mar 2010 21:48:59 UTC

I'll be in Second Life Tonight

Posted By Bruce Schneier

James Fallows and I are being interviewed in Second Life tonight, 9:00 PM Eastern Time....

Thu, 25 Mar 2010 17:36:22 UTC

How to Become a Nuclear Power

Posted By Bruce Schneier

Sarcastic, yet a bit too close to the truth....

Thu, 25 Mar 2010 12:16:47 UTC

Natural Language Shellcode

Posted By Bruce Schneier

Nice: In this paper we revisit the assumption that shellcode need be fundamentally different in structure than non-executable data. Specifically, we elucidate how one can use natural language generation techniques to produce shellcode that is superficially similar to English prose. We argue that this new development poses significant challenges for inline payload-based inspection (and emulation) as a defensive measure, and...

Wed, 24 Mar 2010 18:51:27 UTC

Acrobatic Thieves

Posted By Bruce Schneier

Some movie-plot attacks actually happen: They never touched the floor–that would have set off an alarm. They didn't appear on store security cameras. They cut a hole in the roof and came in at a spot where the cameras were obscured by advertising banners. And they left with some $26,000 in laptop computers, departing the same way they came in–down...

Wed, 24 Mar 2010 11:38:56 UTC

Dead on the No-Fly List

Posted By Bruce Schneier

Such "logic": If a person on the no-fly list dies, his name could stay on the list so that the government can catch anyone trying to assume his identity. But since a terrorist might assume anyone's identity, by the same logic we should put everyone on the no-fly list. Otherwise, it's an interesting article on how the no-fly list works....

Tue, 23 Mar 2010 19:42:10 UTC

New Book: Cryptography Engineering

Posted By Bruce Schneier

I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work -- and added exercises to make it more suitable as a textbook -- and is the third author on Cryptography Engineering. (I didn't like it that Wiley changed the title;...

Tue, 23 Mar 2010 17:23:04 UTC

Electronic Health Record Security Analysis

Posted By Bruce Schneier

In British Columbia: When Auditor-General John Doyle and his staff investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority, they found trouble everywhere they looked. "In every key area we examined, we found serious weaknesses," wrote Doyle. "Security controls throughout the network and over the database were so inadequate that there was a high risk of external...

Tue, 23 Mar 2010 11:13:47 UTC

Back Door in Battery Charger

Posted By Bruce Schneier

Amazing: The United States Computer Emergency Response Team (US-CERT) has warned that the software included in the Energizer DUO USB battery charger contains a backdoor that allows unauthorized remote system access. That's actually misleading. Even though the charger is a USB device, it does not contain the harmful installer described in the article -- it has no storage capacity. The software has...

Mon, 22 Mar 2010 18:03:45 UTC

PDF the Most Common Malware Vector

Posted By Bruce Schneier

MS Word has been dethroned: Files based on Reader were exploited in almost 49 per cent of the targeted attacks of 2009, compared with about 39 per cent that took aim at Microsoft Word. By comparison, in 2008, Acrobat was targeted in almost 29 per cent of attacks and Word was exploited by almost 35 per cent. Details....

Mon, 22 Mar 2010 14:10:38 UTC

Even More on the al-Mabhouh Assassination

Posted By Bruce Schneier

This, from a former CIA chief of station: The point is that in this day and time, with ubiquitous surveillance cameras, the ability to comprehensively analyse patterns of cell phone and credit card use, computerised records of travel documents which can be shared in the blink of an eye, the growing use of biometrics and machine-readable passports, and the ability...

Fri, 19 Mar 2010 21:47:31 UTC

Friday Squid Blogging: Preserving Your Giant Squid

Posted By Bruce Schneier

Plastination: For several years von Hagens and his team experimented using smaller squid, and found that the fragility of the skin needed a slower replacement process than other animal specimens. Some 1500 litres of silicone later, the plastination of the giant cephalopods was completed in January....

Fri, 19 Mar 2010 17:58:49 UTC

Bringing Lots of Liquids on a Plane at Schiphol

Posted By Bruce Schneier

This would worry me, if the liquid ban weren't already useless. The reporter found the security flaw in the airport's duty-free shopping system. At Schiphol airport, passengers flying to countries outside the Schengen Agreement Area can buy bottles of alcohol at duty-free shops before going through security. They are then permitted to take these bottles onto flights, provided that they...

Fri, 19 Mar 2010 11:58:00 UTC

Security Trade-Offs and Sacred Values

Posted By Bruce Schneier

Interesting research: Psychologist Jeremy Ginges and his colleagues identified this backfire effect in studies of the Israeli-Palestinian conflict in 2007. They interviewed both Israelis and Palestinians who possessed sacred values toward key issues such as ownership over disputed territories like the West Bank or the right of Palestinian refugees to return to villages they were forced to leave–these people viewed...

Thu, 18 Mar 2010 12:41:13 UTC

Disabling Cars by Remote Control

Posted By Bruce Schneier

Who didn't see this coming? More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments. [...] Ramos-Lopez's account had been closed when he was terminated from Texas Auto Center...

Wed, 17 Mar 2010 11:33:42 UTC

Casino Hack

Posted By Bruce Schneier

Nice hack: Using insider knowledge the two hacked into software that controlled remote betting machines on live roulette wheels, the report said. The machines would print out winning betting slips regardless of the results on the wheel, Peterborough Today said. I'd like to know how they got caught....

Tue, 16 Mar 2010 11:44:37 UTC

Secret Questions

Posted By Bruce Schneier

Interesting research: Analysing our data for security, though, shows that essentially all human-generated names provide poor resistance to guessing. For an attacker looking to make three guesses per personal knowledge question (for example, because this triggers an account lock-down), none of the name distributions we looked at gave more than 8 bits of effective security except for full names. That...

Mon, 15 Mar 2010 18:59:46 UTC

USB Combination Lock

Posted By Bruce Schneier

Here's a promotional security product designed by someone who knows nothing about security. The USB drive is "protected" by a combination lock. There are only two dials, so there are only 100 possible combinations. And when the drive is "locked" and the connector is retracted, the contacts are still accessible. Maybe it should be given away by companies that sell...

Mon, 15 Mar 2010 11:13:37 UTC

Typosquatting

Posted By Bruce Schneier

"Measuring the Perpetrators and Funders of Typosquatting," by Tyler Moore and Benjamin Edelman: Abstract. We describe a method for identifying "typosquatting", the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue...

Fri, 12 Mar 2010 22:21:58 UTC

Friday Squid Blogging: Cipherlopods

Posted By Bruce Schneier

This makes no sense to me, even though -- I suppose -- it's a squid cryptography joke....

Fri, 12 Mar 2010 19:19:30 UTC

Another Schneier Interview

Posted By Bruce Schneier

This one on simple-talk.com....

Fri, 12 Mar 2010 17:31:20 UTC

Why DRM Doesn't Work

Posted By Bruce Schneier

Funny comic....

Fri, 12 Mar 2010 12:58:19 UTC

More Hollow Coins

Posted By Bruce Schneier

A hollowed-out U.S. nickel can hold a microSD card. Pound and euro coins are also available. I blogged about this about a year ago as well....

Thu, 11 Mar 2010 18:26:36 UTC

Wikibooks Cryptography Textbook

Posted By Bruce Schneier

Over at Wikibooks, they're trying to write an open source cryptography textbook....

Thu, 11 Mar 2010 12:17:12 UTC

Wanted: Trust Detector

Posted By Bruce Schneier

It's good to dream: IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions. A second part of the IARPA proposal might involve using new types of...

Wed, 10 Mar 2010 19:47:12 UTC

Nose Biometrics

Posted By Bruce Schneier

Really: Since they are hard to conceal, the study says, noses would work well for identification in covert surveillance. The researchers say noses have been overlooked in the growing field of biometrics, studies into ways of identifying distinguishing traits in people. "Noses are prominent facial features and yet their use as a biometric has been largely unexplored," said the University...

Wed, 10 Mar 2010 13:09:08 UTC

The Limits of Identity Cards

Posted By Bruce Schneier

Good legal paper on the limits of identity cards: Stephen Mason and Nick Bohm, "Identity and its Verification," in Computer Law & Security Review, Volume 26, Number 1, Jan 2010. Those faced with the problem of how to verify a person's identity would be well advised to ask themselves the question, 'Identity with what?' An enquirer equipped with the answer...

Tue, 09 Mar 2010 18:36:00 UTC

Marc Rotenberg on Google's Italian Privacy Case

Posted By Bruce Schneier

Interesting commentary: I don't think this is really a case about ISP liability at all. It is a case about the use of a person's image, without their consent, that generates commercial value for someone else. That is the essence of the Italian law at issue in this case. It is also how the right of privacy was first established...

Tue, 09 Mar 2010 12:59:01 UTC

Guide to Microsoft Police Forensic Services

Posted By Bruce Schneier

The "Microsoft Online Services Global Criminal Compliance Handbook (U.S. Domestic Version)" (also can be found here, here, and here) outlines exactly what Microsoft will do upon police request. Here's a good summary of what's in it: The Global Criminal Compliance Handbook is a quasi-comprehensive explanatory document meant for law enforcement officials seeking access to Microsoft's stored user information. It also...

Mon, 08 Mar 2010 20:24:03 UTC

Google in The Onion

Posted By Bruce Schneier

Funny: MOUNTAIN VIEW, CA–Responding to recent public outcries over its handling of private data, search giant Google offered a wide-ranging and eerily well-informed apology to its millions of users Monday. "We would like to extend our deepest apologies to each and every one of you," announced CEO Eric Schmidt, speaking from the company's Googleplex headquarters. "Clearly there have been some...

Mon, 08 Mar 2010 17:00:50 UTC

Eating a Flash Drive

Posted By Bruce Schneier

How not to destroy evidence: In a bold and bizarre attempt to destroy evidence seized during a federal raid, a New York City man grabbed a flash drive and swallowed the data storage device while in the custody of Secret Service agents, records show. The article wasn't explicit about this -- odd, as it's the main question any reader would...

Mon, 08 Mar 2010 12:13:56 UTC

De-Anonymizing Social Network Users

Posted By Bruce Schneier

Interesting paper: "A Practical Attack to De-Anonymize Social Network Users." Abstract. Social networking sites such as Facebook, LinkedIn, and Xing have been reporting exponential growth rates. These sites have millions of registered users, and they are interesting from a security and privacy point of view because they store large amounts of sensitive personal user data. In this paper, we introduce...

Fri, 05 Mar 2010 22:32:06 UTC

Friday Squid Blogging: Squid Teapot

Posted By Bruce Schneier

Squid teapot. Could be squiddier....

Fri, 05 Mar 2010 18:53:54 UTC

Another Interview with Me

Posted By Bruce Schneier

I gave this one two days ago, at the RSA Conference....

Fri, 05 Mar 2010 12:02:07 UTC

Mariposa Botnet Shut Down

Posted By Bruce Schneier

The Spanish police arrested three people in connection with the 13-million-computer Mariposa botnet....

Thu, 04 Mar 2010 18:55:46 UTC

Comprehensive National Cybersecurity Initiative

Posted By Bruce Schneier

On Tuesday, the White House published an unclassified summary of its Comprehensive National Cybersecurity Initiative (CNCI). Howard Schmidt made the announcement at the RSA Conference. These are the 12 initiatives in the plan: Initiative #1. Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet. Initiative #2. Deploy an intrusion detection system of sensors across the Federal...

Thu, 04 Mar 2010 12:05:56 UTC

Crypto Implementation Failure

Posted By Bruce Schneier

Look at this new AES-encrypted USB memory stick. You enter the key directly into the stick via the keypad, thereby bypassing any eavesdropping software on the computer. The problem is that in order to get full 256-bit entropy in the key, you need to enter 77 decimal digits using the keypad. I can't imagine anyone doing that; they'll enter an...

Wed, 03 Mar 2010 12:12:36 UTC

Tom Engelhardt on Fear on Terrorism

Posted By Bruce Schneier

Nice essay. Similar sentiment from Newsweek....

Tue, 02 Mar 2010 11:55:07 UTC

More on the Al-Mabhouh Assassination

Posted By Bruce Schneier

Interesting essay by a former CIA field officer on the al-Mabhouh assassination: The truth is that Mr. Mabhouh's assassination was conducted according to the book -- a military operation in which the environment is completely controlled by the assassins. At least 25 people are needed to carry off something like this. You need "eyes on" the target 24 hours a...

Mon, 01 Mar 2010 13:18:30 UTC

Breaking in to Hotel Rooms

Posted By Bruce Schneier

Is this how the al-Mabhouh assassins got in?...

Fri, 26 Feb 2010 22:21:22 UTC

Friday Squid Blogging: Squid Homophone Lessons

Posted By Bruce Schneier

Squids make great examples....

Fri, 26 Feb 2010 12:22:31 UTC

Me on Surveillance Cameras

Posted By Bruce Schneier

My fourth essay for CNN.com, on surveillance cameras. The Al-Mabhouh assassination made a nice news hook....

Thu, 25 Feb 2010 18:59:46 UTC

Hitler and Cloud Computing

Posted By Bruce Schneier

Funny video by Marcus Ranum and Gunnar Peterson....

Thu, 25 Feb 2010 11:46:20 UTC

Small Planes and Lone Terrorist Nutcases

Posted By Bruce Schneier

A Washington Post article concludes that small planes are not the next terror threat: Pilots of private planes fly about 200,000 small and medium-size aircraft in the United States, using 19,000 airports, most of them small. The planes' owners say the aircraft have little in common with airliners. "I don't see a gaping security hole here," said Tom Walsh, an...

Wed, 24 Feb 2010 19:56:13 UTC

Remotely Spying on Kids with School Laptops

Posted By Bruce Schneier

It's a really creepy story. A school issues laptops to students, and then remotely and surreptitiously turns on the camera. (Here's the lawsuit. This is an excellent technical investigation of what actually happened. This investigation into the remote spying allegedly being conducted against students at Lower Merion represents an attempt to find proof of spying and a look into the...

Wed, 24 Feb 2010 12:07:11 UTC

NSA Historical Documents

Posted By Bruce Schneier

Just declassified: "A Reference Guide to Selected Historical Documents Relating to the National Security Agency/Central Security Service, 1931-1985." Formerly "Top Secret UMBRA." From my quick scan, there are minimal redactions....

Tue, 23 Feb 2010 19:47:42 UTC

The Doghouse: Demiurge Consulting

Posted By Bruce Schneier

They claim to be "one of the nation's only and most respected security and intelligence providers" -- I've never heard of them -- but their blog consists entirely of entries copied from my blog since December 24. They don't even cull the ones that are obviously me: posts about interviews I've given, for example. I contacted them last week and...

Tue, 23 Feb 2010 13:16:21 UTC

Mark Twain on Risk Analysis

Posted By Bruce Schneier

From 1871: I hunted up statistics, and was amazed to find that after all the glaring newspaper headings concerning railroad disasters, less than three hundred people had really lost their lives by those disasters in the preceding twelve months. The Erie road was set down as the most murderous in the list. It had killed forty-six–or twenty-six, I do not...

Mon, 22 Feb 2010 20:00:00 UTC

TSA Logo Contest Winner

Posted By Bruce Schneier

In January I announced a contest to redesign the TSA logo. Last week I announced the five finalists -- chosen by Patrick Smith from "Ask the Pilot" and myself -- and asked you all to vote on the winner. Four hundred and seven votes later, we have a tie. No really; we have a tie. Rhys Gibson and "I love...

Mon, 22 Feb 2010 13:09:20 UTC

Another Debit Card Skimmer

Posted By Bruce Schneier

This one is installed inside gas pumps. There's nothing the customer can detect....

Fri, 19 Feb 2010 22:57:08 UTC

Friday Squid Blogging: Squid Socks

Posted By Bruce Schneier

Cute, but not really for me....

Fri, 19 Feb 2010 19:33:33 UTC

Cyber Shockwave Test

Posted By Bruce Schneier

There was a big U.S. cyberattack exercise this week. We didn't do so well: In a press release issued today, the Bipartisan Policy Center (BPC) -- which organized "Cyber Shockwave" using a group of former government officials and computer simulations -- concluded the U.S. is "unprepared for cyber threats." [...] ...the U.S. defenders had difficulty identifying the source of the...

Fri, 19 Feb 2010 12:49:29 UTC

Al-Mabhouh Assassination

Posted By Bruce Schneier

It reads like a very professional operation: Security footage of the killers' movements during the afternoon, released by police in Dubai yesterday, underlines the professionalism of the operation. The group switched hotels several times and wore disguises including false beards and wigs, while surveillance teams rotated in pairs through the hotel lobby, never hanging around for too long and paying...

Thu, 18 Feb 2010 12:21:14 UTC

Opening Locks with Foil Impressioning

Posted By Bruce Schneier

Interesting blog post, with video demonstration, about an improved tool to open high security locks with a key that will just "form itself" if you insert it into the lock and wiggle it a little. The basic technique is a few years old, but the improvements discussed here allow the tool to open a wider variety of locks than before....

Wed, 17 Feb 2010 20:38:45 UTC

Bruce Schneier Facebook Page

Posted By Bruce Schneier

I finally have control of my Facebook page. There'll be nothing on it that isn't on my blog, but some of you might prefer following my writing from there. (I also have a Twitter account, although I've never posted.)...

Wed, 17 Feb 2010 13:45:00 UTC

Botnets Attacking Each Other

Posted By Bruce Schneier

A new Trojan Horse named Spy Eye has code that kills Zeus, a rival botnet....

Tue, 16 Feb 2010 12:26:50 UTC

Detecting Cheating by Analyzing Erased Answers

Posted By Bruce Schneier

I had no idea this was being done, but erased answers are now analyzed on standardized tests. Schools with a high number of wrong-to-right changes across multiple tests are presumed to have cheated: teachers changing the answers after the students are done....

Mon, 15 Feb 2010 12:58:46 UTC

James Fallows on the Chinese Cyber Threat

Posted By Bruce Schneier

Interesting. I wrote this about Chinese cyberattacks in 2008....

Sun, 14 Feb 2010 21:28:32 UTC

TSA Logo Contest Finalists

Posted By Bruce Schneier

Last month I announced a contest to redesign the TSA logo. Here are the finalists. Clicking on them will bring up a larger, and easier to read, version: Travis McHale; Will Imholte; Rhys Gibson; Kurushio; "I love to fly and it shows". Vote in the comments. The winner will receive a copy of each of our books, a fake boarding...

Sat, 13 Feb 2010 14:33:06 UTC

Radio Interview

Posted By Bruce Schneier

I was interviewed on the New Horizons radio show in Boise....

Fri, 12 Feb 2010 22:32:21 UTC

Friday Squid Blogging: Squid Record

Posted By Bruce Schneier

I don't know which is more exciting: that someone is trying to break the squid record, or that there is a squid record in the first place. An Auckland scientist is attempting to break his own world record for rearing deep sea squid in captivity. Neither, actually. This is what's exciting: The project is a warm-up for Dr Steve O'Shea...

Fri, 12 Feb 2010 19:48:50 UTC

Crypto Comic Book

Posted By Bruce Schneier

I have no idea....

Fri, 12 Feb 2010 17:21:59 UTC

Homebrew Cryptography

Posted By Bruce Schneier

Nice article about a would-be spy and his homebrew pencil-and-paper cryptography....

Fri, 12 Feb 2010 12:23:21 UTC

Car-Key Copier

Posted By Bruce Schneier

This The Impressioner consists of a sensor that goes into the lock and sends information back to a computer via USB about the location of the lock's tumblers–a corresponding computer program comes up with the code, depending on the make of car you've entered beforehand. Once you know the code, a key-cutting machine can use it to carve up a...

Thu, 11 Feb 2010 22:18:03 UTC

Man-in-the-Middle Attack Against Chip and PIN

Posted By Bruce Schneier

Nice attack against the EMV -- Eurocard Mastercard Visa -- the "chip and PIN" credit card payment system. The attack allows a criminal to use a stolen card without knowing the PIN. The flaw is that when you put a card into a terminal, a negotiation takes place about how the cardholder should be authenticated: using a PIN, using a...

Thu, 11 Feb 2010 13:19:54 UTC

Interview with a Nigerian Internet Scammer

Posted By Bruce Schneier

Really interesting reading. Scam-Detective: How did you find victims for your scams? John: First you need to understand how the gangs work. At the bottom are the "foot soldiers", kids who spend all of their time online to find email addresses and send out the first emails to get people interested. When they receive a reply, the victim is passed...

Wed, 10 Feb 2010 18:39:54 UTC

Terrorists Prohibited from Using iTunes

Posted By Bruce Schneier

The iTunes Store Terms and Conditions prohibits it: Notice, as I read this clause not only are terrorists -- or at least those on terrorist watch lists -- prohibited from using iTunes to manufacture WMD, they are also prohibited from even downloading and using iTunes. So all the Al-Qaeda operatives holed up in the Northwest Frontier Provinces of Pakistan, dodging...

Wed, 10 Feb 2010 12:43:59 UTC

Dahlia Lithwick on Terrorism Derangement Syndrome

Posted By Bruce Schneier

In Slate....

Tue, 09 Feb 2010 18:09:11 UTC

All Subversive Organizations Now Must Register in South Carolina

Posted By Bruce Schneier

This appears not to be a joke: The state's "Subversive Activities Registration Act," passed last year and now officially on the books, states that "every member of a subversive organization, or an organization subject to foreign control, every foreign agent and every person who advocates, teaches, advises or practices the duty, necessity or propriety of controlling, conducting, seizing or overthrowing...

Tue, 09 Feb 2010 12:07:48 UTC

Outguessing the Terrorists

Posted By Bruce Schneier

Isn't it a bit embarrassing for an "expert on counter-terrorism" to be quoted as saying this? Bill Tupman, an expert on counter-terrorism from Exeter University, told BBC News: "The problem is trying to predict the mind of the al-Qaeda planner; there are so many things they might do. "And it is also necessary to reassure the public that we are...

Mon, 08 Feb 2010 19:54:20 UTC

The Limits of Visual Inspection

Posted By Bruce Schneier

Interesting research: Target prevalence powerfully influences visual search behavior. In most visual search experiments, targets appear on at least 50% of trials. However, when targets are rare (as in medical or airport screening), observers shift response criteria, leading to elevated miss error rates. Observers also speed target-absent responses and may make more motor errors. This could be a speed/accuracy tradeoff...

Mon, 08 Feb 2010 12:03:05 UTC

More Details on the Chinese Attack Against Google

Posted By Bruce Schneier

Three weeks ago, Google announced a sophisticated attack against them from China. There have been some interesting technical details since then. And the NSA is helping Google analyze the attack. The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At...

Sun, 07 Feb 2010 14:06:59 UTC

New Attack on Threefish

Posted By Bruce Schneier

At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2^252.4, 42 (out of 72) rounds...

Fri, 05 Feb 2010 22:15:52 UTC

Friday Squid Blogging: Squid Cookie

Posted By Bruce Schneier

I wonder if it's tasty....

Fri, 05 Feb 2010 19:52:48 UTC

10 Cartoons about Airport Security

Posted By Bruce Schneier

A slide show....

Fri, 05 Feb 2010 17:59:38 UTC

Scaring the Senate Intelligence Committee

Posted By Bruce Schneier

This is unconscionable: At Tuesday's hearing, Senator Dianne Feinstein, Democrat of California and chairwoman of the Senate Intelligence Committee, asked Mr. Blair [the Director of National Intelligence] to assess the possibility of an attempted attack in the United States in the next three to six months. He replied, "The priority is certain, I would say" -- a response that was...

Fri, 05 Feb 2010 12:02:27 UTC

World's Largest Data Collector Teams Up With World's Largest Data Collector

Posted By Bruce Schneier

Does anyone think this is a good idea? Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users...

Thu, 04 Feb 2010 12:35:11 UTC

Security and Function Creep

Posted By Bruce Schneier

Security is rarely static. Technology changes both security systems and attackers. But there's something else that changes security's cost/benefit trade-off: how the underlying systems being secured are used. Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security...

Wed, 03 Feb 2010 12:16:01 UTC

Anonymity and the Internet

Posted By Bruce Schneier

Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks,...

Mon, 01 Feb 2010 12:34:49 UTC

More Movie Plot Terrorist Threats

Posted By Bruce Schneier

The Foreign Policy website has its own list of movie-plot threats: machine-gun wielding terrorists on paragliders, disease-laden insect swarms, a dirty bomb made from smoke detector parts, planning via online games, and botulinum in the food supply. The site fleshes these threats out a bit, but it's nothing regular readers of this blog can't imagine for themselves. Maybe they should...

Mon, 01 Feb 2010 12:26:00 UTC

Online Credit/Debit Card Security Failure

Posted By Bruce Schneier

Ross Anderson reports: Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. In a paper...

Fri, 29 Jan 2010 22:25:10 UTC

Friday Squid Blogging: Harrowgate's 1886 Giant Squid

Posted By Bruce Schneier

I have no idea how to explain this....

Fri, 29 Jan 2010 19:13:04 UTC

Deconfliction

Posted By Bruce Schneier

This is well worth watching....

Fri, 29 Jan 2010 13:06:29 UTC

Tracking your Browser Without Cookies

Posted By Bruce Schneier

How unique is your browser? Can you be tracked simply by its characteristics? The EFF is trying to find out. Their site Panopticlick will measure the characteristics of your browser setup and tell you how unique it is. I just ran the test on myself, and my browser is unique amongst the 120,000 browsers tested so far. It's my browser...

Thu, 28 Jan 2010 12:21:01 UTC

World Privacy Day and the Madrid Privacy Declaration

Posted By Bruce Schneier

Today is World Privacy Day. (I know; it's odd to me, too.) You can celebrate by signing on to the Madrid Privacy Declaration, either as an individual or as an organization. Me, I'm celebrating -- but I'm not going to tell you how....

Wed, 27 Jan 2010 12:53:58 UTC

Scanning Cargo for Nuclear Material and Conventional Explosives

Posted By Bruce Schneier

Still experimental: The team propose using a particle accelerator to alternately smash ionised hydrogen molecules and deuterium ions into targets of carbon and boron respectively. The collisions produce beams of gamma rays of various energies as well as neutrons. These beams are then passed through the cargo. By measuring the way the beams are absorbed, Goldberg and company say they...

Tue, 26 Jan 2010 13:16:16 UTC

More Surveillance in the UK

Posted By Bruce Schneier

This seems like a bad idea: Police in the UK are planning to use unmanned spy drones, controversially deployed in Afghanistan, for the "routine" monitoring of antisocial motorists, protesters, agricultural thieves and fly-tippers, in a significant expansion of covert state surveillance. Once again, laws and technologies deployed against terrorism are used against much more mundane crimes....

Mon, 25 Jan 2010 18:37:41 UTC

Penny Shooter Business Card

Posted By Bruce Schneier

Nice. Of course, this means that the TSA will start banning wallets on airplanes....

Mon, 25 Jan 2010 13:09:52 UTC

The Abdulmutallab that Should Have Been Connected

Posted By Bruce Schneier

The notion that U.S. intelligence should have "connected the dots," and caught Abdulmutallab, isn't going away. This is a typical example: So you'd need some "articulable facts" which could "reasonably warrant a determination" that the guy may be a terrorist based on his behavior. And one assumes his behavior would have to catch the attention of the authorities, correct? Well...

Sun, 24 Jan 2010 14:43:52 UTC

Me on Chinese Hacking and Enabling Surveillance

Posted By Bruce Schneier

CNN.com just published an essay of mine on China's hacking of Google, an update of this essay....

Fri, 22 Jan 2010 22:26:24 UTC

Friday Squid Blogging: Stuffed Giant Squid

Posted By Bruce Schneier

Nice....

Fri, 22 Jan 2010 19:56:33 UTC

Transport Canada on its New Security Regulations

Posted By Bruce Schneier

Okay, it's really the Rick Mercer Report....

Fri, 22 Jan 2010 13:28:59 UTC

German TV on the Failure of Full-Body Scanners

Posted By Bruce Schneier

The video is worth watching, even if you don't speak German. The scanner caught a subject's cell phone and Swiss Army knife -- and the microphone he was wearing -- but missed all the components to make a bomb that he hid on his body. Admittedly, he only faced the scanner from the front and not from the side. But...

Thu, 21 Jan 2010 20:25:05 UTC

Web Security

Posted By Bruce Schneier

Nice article....

Thu, 21 Jan 2010 13:28:51 UTC

ATM Skimmer

Posted By Bruce Schneier

Neat pictures. I would never have noticed it, which is precisely the point....

Wed, 20 Jan 2010 19:26:59 UTC

Wrasse Punish Cheaters

Posted By Bruce Schneier

Interesting: The bluestreak cleaner wrasse (Labroides dimidiatus) operates an underwater health spa for larger fish. It advertises its services with bright colours and distinctive dances. When customers arrive, the cleaner eats parasites and dead tissue lurking in any hard-to-reach places. Males and females will sometimes operate a joint business, working together to clean their clients. The clients, in return, dutifully...

Wed, 20 Jan 2010 12:41:49 UTC

The Problems of Profiling at Security Checkpoints

Posted By Bruce Schneier

Good article....

Tue, 19 Jan 2010 17:25:24 UTC

Privacy Violations by Facebook Employees

Posted By Bruce Schneier

I don't know if this is real, but it seems perfectly reasonable that all of Facebook is stored in a huge database that someone with the proper permissions can access and modify. And it also makes sense that developers and others would need the ability to assume anyone's identity. Rumpus: You've previously mentioned a master password, which you no longer...

Tue, 19 Jan 2010 12:03:40 UTC

Eavesdropping in the Former Soviet Union

Posted By Bruce Schneier

Interesting story: The phone's ringer is a pretty simple thing: there's a coil, a magnet and a hammer controlled by the magnet that hits the gongs when there is AC current in the coil. The ringer system is connected directly to the phone line when the phone is on hook. (Actually through a capacitor that protects the ringer system from...

Mon, 18 Jan 2010 19:34:29 UTC

Security vs. Sustainability in Building Construction

Posted By Bruce Schneier

Interesting: Any facility executive involved in the design of a new building would agree that security is one important goal for the new facility. These days, facility executives are likely to say that green design is another priority. Unfortunately, these two goals are often in conflict. Consider the issues that arise when even a parking lot is being designed. From...

Mon, 18 Jan 2010 18:39:30 UTC

Google vs. China

Posted By Bruce Schneier

I'm not sure what I can add to this: politically motivated attacks against Gmail from China. I've previously written about hacking from China. Shishir Nagaraja and Ross Anderson wrote a report specifically describing how the Chinese have been hacking groups that are politically opposed to them. I've previously written about censorship, Chinese and otherwise. I've previously written about broad government...

Mon, 18 Jan 2010 12:57:36 UTC

Prison Escape Artist

Posted By Bruce Schneier

Clever ruse: When he went to court for hearings, he could see the system was flawed. He would arrive on the twelfth floor in handcuffs and attached at the waist to a dozen other inmates. A correction officer would lead them into the bull pen, an area where inmates wait for their lawyers. From the bull pen, the inmates would...

Sat, 16 Jan 2010 13:13:06 UTC

Fixing Intelligence Failures

Posted By Bruce Schneier

President Obama, in his speech last week, rightly focused on fixing the intelligence failures that resulted in Umar Farouk Abdulmutallab being ignored, rather than on technologies targeted at the details of his underwear-bomb plot. But while Obama's instincts are right, reforming intelligence for this new century and its new threats is a more difficult task than he might like. We...

Fri, 15 Jan 2010 19:39:35 UTC

Loretta Napoleoni on the Economics of Terrorism

Posted By Bruce Schneier

Interesting TED talk: Loretta Napoleoni details her rare opportunity to talk to the secretive Italian Red Brigades -- an experience that sparked a lifelong interest in terrorism. She gives a behind-the-scenes look at its complex economics, revealing a surprising connection between money laundering and the US Patriot Act....

Fri, 15 Jan 2010 13:22:32 UTC

Ray McGovern on Intelligence Failures

Posted By Bruce Schneier

Good commentary from former CIA analyst Ray McGovern: The short answer to the second sentence is: Yes, it is inevitable that "certain plots will succeed." A more helpful answer would address the question as to how we might best minimize their prospects for success. And to do this, sorry to say, there is no getting around the necessity to address...

Thu, 14 Jan 2010 18:43:05 UTC

$3.2 Million Jewelry Store Theft

Posted By Bruce Schneier

I've written about this sort of thing before: A robber bored a hole through the wall of a jewelry shop and walked off with about 200 luxury watches worth 300 million yen ($3.2 million) in Tokyo's upscale Ginza district, police said Saturday. From Secrets and Lies, p. 318: Threat modeling is, for the most part, ad hoc. You think about the...

Thu, 14 Jan 2010 12:00:38 UTC

Body Cavity Scanners

Posted By Bruce Schneier

At least one company is touting its technology: Nesch, a company based in Crown Point, Indiana, may have a solution. It's called diffraction-enhanced X-ray imaging or DEXI, which employs proprietary diffraction enhanced imaging and multiple image radiography. Rather than simply shining X-rays through the subject and looking at the amount that passes through (like a conventional X-ray machine), DEXI analyzes...

Wed, 13 Jan 2010 20:55:44 UTC

Airplane Security Commentary

Posted By Bruce Schneier

Excellent commentary from The Register: As the smoke clears following the case of Umar Farouk Abdul Mutallab, the failed Christmas Day "underpants bomber" of Northwest Airlines Flight 253 fame, there are just three simple points for us Westerners to take away. First: It is completely impossible to prevent terrorists from attacking airliners. Second: This does not matter. There is no...

Wed, 13 Jan 2010 13:08:22 UTC

Op-ed on CIA's National Clandestine Service

Posted By Bruce Schneier

Interesting....

Tue, 12 Jan 2010 19:46:18 UTC

The Power Law of Terrorism

Posted By Bruce Schneier

Research result #1: "A Generalized Fission-Fusion Model for the Frequency of Severe Terrorist Attacks," by Aaron Clauset and Frederik W. Wiegel. Plot the number of people killed in terrorist attacks around the world since 1968 against the frequency with which such attacks occur and you'll get a power law distribution; that's a fancy way of saying a straight line when...

Tue, 12 Jan 2010 12:15:53 UTC

The Comparative Risk of Terrorism

Posted By Bruce Schneier

Good essay from the Wall Street Journal: It might be unrealistic to expect the average citizen to have a nuanced grasp of statistically based risk analysis, but there is nothing nuanced about two basic facts: (1) America is a country of 310 million people, in which thousands of horrible things happen every single day; and (2) The chances that one...

Mon, 11 Jan 2010 19:46:00 UTC

My Second CNN.com Essay on the Underwear Bomber

Posted By Bruce Schneier

This one is about our tendency to overreact to rare risks, and is an update of this 2007 essay. I think we should start calling them the "underpants of mass destruction."...

Mon, 11 Jan 2010 14:00:03 UTC

768-bit Number Factored

Posted By Bruce Schneier

News: On December 12, 2009, we factored the 768-bit, 232-digit number RSA-768 by the number field sieve. The number RSA-768 was taken from the now obsolete RSA Challenge list as a representative 768-bit RSA modulus. This result is a record for factoring general integers. Factoring a 1024-bit RSA modulus would be about a thousand times harder, and a 768-bit RSA...

Fri, 08 Jan 2010 22:54:38 UTC

Friday Squid Blogging: Squid Quilt

Posted By Bruce Schneier

Light-up squid quilt....

Fri, 08 Jan 2010 18:14:56 UTC

Cybersecurity Theater at FOSE

Posted By Bruce Schneier

FOSE, the big government IT conference, has a "Cybersecurity Theater" this year. I wonder if they'll check the photo ID of everyone who tries to get in. On a similar note, I am pleased that my term "security theater" has finally hit the mainstream. It's everywhere. My favorite variant is "security theater of the absurd." And this great cartoon. And...

Fri, 08 Jan 2010 13:24:09 UTC

FIPS 140-2 Level 2 Certified USB Memory Stick Cracked

Posted By Bruce Schneier

Kind of a dumb mistake: The USB drives in question encrypt the stored data via the practically uncrackable AES 256-bit hardware encryption system. Therefore, the main point of attack for accessing the plain text data stored on the drive is the password entry mechanism. When analysing the relevant Windows program, the SySS security experts found a rather blatant flaw that...

Thu, 07 Jan 2010 23:40:53 UTC

Connecting the Dots

Posted By Bruce Schneier

I wrote about intelligence failures back in 2002....

Thu, 07 Jan 2010 19:18:16 UTC

Post-Underwear-Bomber Airport Security

Posted By Bruce Schneier

In the headlong rush to "fix" security after the Underwear Bomber's unsuccessful Christmas Day attack, there's far too little discussion about what worked and what didn't, and what will and will not make us safer in the future. The security checkpoints worked. Because we screen for obvious bombs, Umar Farouk Abdulmutallab -- or, more precisely, whoever built the bomb --...

Thu, 07 Jan 2010 11:46:31 UTC

Gift Cards and Employee Retail Theft

Posted By Bruce Schneier

Retail theft by employees has always been a problem, but gift cards make it easier: At the Saks flagship store in Manhattan, a 23-year-old sales clerk was caught recently ringing up $130,000 in false merchandise returns and siphoning the money onto a gift card. [...] Many of the gift card crimes are straightforward, frequently involving young sales clerks and smaller...

Wed, 06 Jan 2010 20:59:51 UTC

Nate Silver on the Risks of Airplane Terrorism

Posted By Bruce Schneier

Over at fivethirtyeight.com, Nate Silver crunches the numbers and concludes that, at least as far as terrorism is concerned, air travel is safer than it's ever been: In the 2000s, a total of 469 passengers (including crew and terrorists) were killed worldwide as the result of Violent Passenger Incidents, 265 of which were on 9/11 itself. No fatal incidents have...

Wed, 06 Jan 2010 16:53:05 UTC

Another Contest: Fixing Airport Security

Posted By Bruce Schneier

Slate is hosting an airport security suggestions contest: ideas "for making airport security more effective, more efficient, or more pleasant." Deadline is midday Friday. I had already submitted a suggestion before I was asked to be a judge. Since I'm no longer eligible, here's what I sent them: Reduce the TSA's budget, and spend the money on: 1. Intelligence. Security...

Wed, 06 Jan 2010 16:27:02 UTC

David Brooks on Resilience in the Face of Security Imperfection

Posted By Bruce Schneier

David Brooks makes some very good points in this New York Times op ed from last week: All this money and technology seems to have reduced the risk of future attack. But, of course, the system is bound to fail sometimes. Reality is unpredictable, and no amount of computer technology is going to change that. Bureaucracies are always blind because...

Wed, 06 Jan 2010 14:42:10 UTC

TSA Logo Contest

Posted By Bruce Schneier

Over at "Ask the Pilot," Patrick Smith has a great idea: Calling all artists: One thing TSA needs, I think, is a better logo and a snappy motto. Perhaps there's a graphic designer out there who can help with a new rendition of the agency's circular eagle-and-flag motif. I'm imagining a revised eagle, its talons clutching a box cutter and...

Wed, 06 Jan 2010 12:10:29 UTC

Breaching the Secure Area in Airports

Posted By Bruce Schneier

An unidentified man breached airport security at Newark Airport on Sunday, walking into the secured area through the exit, prompting an evacuation of a terminal and flight delays that continued into the next day. This problem isn't common, but it happens regularly. The result is always the same, and it's not obvious that fixing the problem is the right solution....

Tue, 05 Jan 2010 20:05:29 UTC

Me on Airport Security Profiling

Posted By Bruce Schneier

Yesterday I participated in a "Room for Debate" discussion on airport security profiling. Nothing I haven't said before....

Tue, 05 Jan 2010 17:41:32 UTC

Matt Blaze on the New "Unpredictable" TSA Screening Measures

Posted By Bruce Schneier

Interesting: "Unpredictable" security as applied to air passenger screening means that sometimes (perhaps most of the time), certain checks that might detect terrorist activity are not applied to some or all passengers on any given flight. Passengers can't predict or influence when or whether they are be subjected to any particular screening mechanism. And so, the strategy assumes, the would-be...

Tue, 05 Jan 2010 13:04:46 UTC

Adopting the Israeli Airport Security Model

Posted By Bruce Schneier

I've been reading a lot recently -- like this one on the Israeli airport security model, and how we should adopt more of the Israeli security model here in the U.S. This sums up the problem with that idea nicely: On the other hand, no matter how safe or how wonderful the flying experience on El Al, it is TINY...

Mon, 04 Jan 2010 19:15:36 UTC

Vatican Admits Perfect Security is Both Impossible and Undesirable

Posted By Bruce Schneier

This is refreshing: Father Lombardi said it was not realistic to think the Vatican could ensure 100% security for the Pope and that security guards appeared to have acted as quickly as possible. "It seems that they intervened at the earliest possible moment in a situation in which zero risk cannot be achieved," he told the Associated Press news agency....

Mon, 04 Jan 2010 12:28:49 UTC

Christmas Bomber: Where Airport Security Worked

Posted By Bruce Schneier

With all the talk about the failure of airport security to detect the PETN that the Christmas bomber sewed into his underwear -- and to think I've been using the phrase "underwear bomber" as a joke all these years -- people forget that airport security played an important role in foiling the plot. In order to get through airport security,...

Fri, 01 Jan 2010 22:55:13 UTC

Friday Squid Blogging: Squid Ski Mask

Posted By Bruce Schneier

You probably can't walk into a bank wearing this....

Wed, 30 Dec 2009 12:04:24 UTC

Quantum Cryptography Cracked

Posted By Bruce Schneier

Impressive: This presentation will show the first experimental implementation of an eavesdropper for a quantum cryptosystem. Although quantum cryptography has been proven unconditionally secure, by exploiting physical imperfections (detector vulnerability) we have successfully built an intercept-resend attack and demonstrated eavesdropping under realistic conditions on an installed quantum key distribution line. The actual eavesdropping hardware we have built will be shown during...

Tue, 29 Dec 2009 17:17:46 UTC

Me and the Christmas Underwear Bomber

Posted By Bruce Schneier

I spent a lot of yesterday giving press interviews. Nothing I haven't said before, but it's now national news and everyone wants to hear it. These are the most interesting bits. Rachel Maddow interviewed me last night on her show. Jeffrey Goldberg interviewed me for the Atlantic website. And CNN.com published a rewrite of an older article of mine on...

Tue, 29 Dec 2009 12:34:44 UTC

Change Blindness

Posted By Bruce Schneier

Interesting video demonstrating change blindness: the human brain's tendency to ignore major visual changes. The implications for security are pretty serious....

Mon, 28 Dec 2009 13:09:01 UTC

"The Behavioral Economics of Personal Information"

Posted By Bruce Schneier

Good survey article by Alessandro Acquisti in IEEE Computer....

Sat, 26 Dec 2009 23:43:57 UTC

Separating Explosives from the Detonator

Posted By Bruce Schneier

Chechen terrorists did it in 2004. I said this in an interview with then TSA head Kip Hawley in 2007: I don't want to even think about how much C4 I can strap to my legs and walk through your magnetometers. And what sort of magical thinking is behind the rumored TSA rule about keeping passengers seated during the last...

Fri, 25 Dec 2009 22:49:49 UTC

Friday Squid Blogging: Squid Creche

Posted By Bruce Schneier

Happy Squidmas, everybody....

Fri, 25 Dec 2009 22:22:05 UTC

Friday Squid Blogging: Madonna and Squid

Posted By Bruce Schneier

A painting....

Thu, 24 Dec 2009 11:24:58 UTC

Intercepting Predator Video

Posted By Bruce Schneier

Sometimes mediocre encryption is better than strong encryption, and sometimes no encryption is better still. The Wall Street Journal reported this week that Iraqi, and possibly also Afghan, militants are using commercial software to eavesdrop on U.S. Predators, other unmanned aerial vehicles, or UAVs, and even piloted planes. The systems weren't "hacked" -- the insurgents can't control them -- but...

Wed, 23 Dec 2009 13:50:37 UTC

Plant Security Countermeasures

Posted By Bruce Schneier

The essay is about veganism and plant eating, but I found the descriptions of plant security countermeasures interesting: Plants can't run away from a threat but they can stand their ground. “They are very good at avoiding getting eaten,” said Linda Walling of the University of California, Riverside. “It's an unusual situation where insects can overcome those defenses.” At the...

Tue, 22 Dec 2009 18:20:51 UTC

Luggage Locator

Posted By Bruce Schneier

Wow, is this a bad idea: The Luggage Locator is an innovative product that travellers or anyone can use to locate items. It has been specifically engineered to help people find their luggage quickly and can also be used around the home or office. A battery operated, two unit system, the Luggage Locator consists of a small transmitter about the...

Tue, 22 Dec 2009 15:28:31 UTC

Howard Schmidt to be Named U.S. Cybersecurity Czar

Posted By Bruce Schneier

I heard this rumor two days ago, and The New York Times is reporting today. Reporters are calling me for reactions and opinions, but I just don't know. Schmidt is good, but I don't know if anyone can do well in a job with lots of responsibility but no actual authority. But maybe Obama will imbue the position with authority...

Mon, 21 Dec 2009 18:58:55 UTC

Santa's Naughty/Nice Database Hacked

Posted By Bruce Schneier

This is very serious....

Mon, 21 Dec 2009 14:30:11 UTC

Defeating Microsoft BitLocker

Posted By Bruce Schneier

Defeating BitLocker, even with a TPM. Related....

Fri, 18 Dec 2009 22:33:30 UTC

Friday Squid Blogging: Squid Mosaic

Posted By Bruce Schneier

Neat....

Fri, 18 Dec 2009 20:25:31 UTC

Yet Another Schneier Interview

Posted By Bruce Schneier

This one for ZDNet.uk....

Fri, 18 Dec 2009 16:59:08 UTC

Live Face-Off with Marcus Ranum at ISD

Posted By Bruce Schneier

Here are the six links to the face-off Marcus Ranum and I did on stage at the Information Security Decisions conference in Chicago....

Fri, 18 Dec 2009 12:32:04 UTC

MagnePrint Technology for Credit/Debit Cards

Posted By Bruce Schneier

This seems like a solution in search of a problem: MagTek discovered that no two magnetic strips are identical. This is due to the manufacturing process. Similar to DNA, the structure of every magnetic stripe is different and the differences are distinguishable. Knowing that, MagTek pairs the card's magnetic strip signature with the card user's personal data to create a...

Thu, 17 Dec 2009 18:54:54 UTC

Australia Restores Some Sanity to Airport Screening

Posted By Bruce Schneier

Welcome news: Carry-on baggage rules will be relaxed under a shake-up of aviation security announced by the Federal Government today. The changes will see passengers again allowed to carry some sharp implements, such as nail files and clippers, umbrellas, crochet and knitting needles on board aircraft from July next year. Metal cutlery will return to cabin meals and...

Thu, 17 Dec 2009 12:10:57 UTC

The Politics of Power in Cyberspace

Posted By Bruce Schneier

Thoughtful blog post by The Atlantic's Marc Ambinder: We allow Google, Amazon.com, credit companies and all manner of private corporations to collect intimate information about our lives, but we reflexively recoil when the government proposes to monitor (and not even collect) a fraction of that information, even with legal safeguards. We carry in our wallets credit cards with RFID chips....

Wed, 16 Dec 2009 18:08:57 UTC

Facial Recognition Door Lock

Posted By Bruce Schneier

Only $456....

Wed, 16 Dec 2009 12:20:52 UTC

Telcoms Security

Posted By Bruce Schneier

A very good four-part series: "Risk and Security in the Telecommunications Industry."...

Tue, 15 Dec 2009 13:57:45 UTC

The U.S. Civil Rights Movement as an Insurgency

Posted By Bruce Schneier

This is interesting: Most Americans fail to appreciate that the Civil Rights movement was about the overthrow of an entrenched political order in each of the Southern states, that the segregationists who controlled this order did not hesitate to employ violence (law enforcement, paramilitary, mob) to preserve it, and that for nearly a century the federal government tacitly or overtly...

Mon, 14 Dec 2009 12:46:41 UTC

U.S./Russia Cyber Arms Control Talks

Posted By Bruce Schneier

Now this is interesting: The United States has begun talks with Russia and a United Nations arms control committee about strengthening Internet security and limiting military use of cyberspace. [...] The Russians have held that the increasing challenges posed by military activities to civilian computer networks can be best dealt with by an international treaty, similar to treaties that have limited...

Sun, 13 Dec 2009 13:52:48 UTC

Me Speaking on "The Future of Privacy"

Posted By Bruce Schneier

Video of the talk I gave to the Open Rights Group last week in London....

Fri, 11 Dec 2009 22:09:49 UTC

Friday Squid Blogging: Cephalopod Christmas Trees

Posted By Bruce Schneier

Christmas is coming....

Fri, 11 Dec 2009 20:35:51 UTC

Yet Another Schneier Interview

Posted By Bruce Schneier

This one from Gulf News....

Fri, 11 Dec 2009 18:33:21 UTC

Wondermark on Passwords

Posted By Bruce Schneier

Funny....

Fri, 11 Dec 2009 12:37:11 UTC

Obama's Cybersecurity Czar

Posted By Bruce Schneier

Rumors are that RSA president Art Coviello declined the job. No surprise: it has no actual authority but a lot of responsibility. Security experts have pointed out that previous cybersecurity positions, cybersecurity czars and directors at the Department of Homeland Security, have been unable to make any significant changes to lock down federal systems. Virtually nothing can get done without...

Thu, 10 Dec 2009 19:13:53 UTC

Reacting to Security Vulnerabilities

Posted By Bruce Schneier

Last month, researchers found a security flaw in the SSL protocol, which is used to protect sensitive web data. The protocol is used for online commerce, webmail, and social networking sites. Basically, hackers could hijack an SSL session and execute commands without the knowledge of either the client or the server. The list of affected products is enormous. If this...

Thu, 10 Dec 2009 12:47:11 UTC

TSA Publishes Standard Operating Procedures

Posted By Bruce Schneier

BoingBoing is pretty snarky: The TSA has published a "redacted" version of their s00per s33kr1t screening procedure guidelines (Want to know whether to frisk a CIA operative at the checkpoint? Now you can!). Unfortunately, the security geniuses at the DHS don't know that drawing black blocks over the words you want to eliminate from your PDF doesn't actually make the...

Wed, 09 Dec 2009 18:22:44 UTC

My Reaction to Eric Schmidt

Posted By Bruce Schneier

Schmidt said: I think judgment matters. If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines -- including Google -- do retain this information for some time and it's important, for example, that we are...

Wed, 09 Dec 2009 12:43:09 UTC

Emotional Epidemiology

Posted By Bruce Schneier

This, from The New England Journal of Medicine, sounds familiar: This is the story line for most headline-grabbing illnesses – HIV, Ebola virus, SARS, typhoid. These diseases capture our imagination and ignite our fears in ways that more prosaic illnesses do not. These dramatic stakes lend themselves quite naturally to thriller books and movies; Dustin Hoffman hasn't starred in any...

Tue, 08 Dec 2009 12:05:14 UTC

Using Fake Documents to Get a Valid U.S. Passport

Posted By Bruce Schneier

I missed this story: Since 2007, the U.S. State Department has been issuing high-tech "e-passports," which contain computer chips carrying biometric data to prevent forgery. Unfortunately, according to a March report from the Government Accountability Office (GAO), getting one of these supersecure passports under false pretenses isn't particularly difficult for anyone with even basic forgery skills. A GAO investigator managed...

Mon, 07 Dec 2009 13:53:16 UTC

Terrorists Targeting High-Profile Events

Posted By Bruce Schneier

In an AP story on increased security at major football (the American variety) events, this sentence struck me: "High-profile events are something that terrorist groups would love to interrupt somehow," said Anthony Mangione, chief of U.S. Immigration and Customs Enforcement's Miami office. This is certainly the conventional wisdom, but is there any actual evidence that it's true? The 9/11 terrorists...

Fri, 04 Dec 2009 22:57:06 UTC

Friday Squid Blogging: Squid Showerhead

Posted By Bruce Schneier

Neat....

Thu, 03 Dec 2009 13:18:17 UTC

Sprint Provides U.S. Law Enforcement with Cell Phone Customer Location Data

Posted By Bruce Schneier

Wired summarizes research by Christopher Soghoian: Sprint Nextel provided law enforcement agencies with customer location data more than 8 million times between September 2008 and October 2009, according to a company manager who disclosed the statistic at a non-public interception and wiretapping conference in October. The manager also revealed the existence of a previously undisclosed web portal that Sprint provides...

Wed, 02 Dec 2009 12:16:29 UTC

The Security Implications of Windows Volume Shadow Copy

Posted By Bruce Schneier

It can be impossible to securely delete a file: What are the security implications of Volume Shadow Copy? Suppose you decide to protect one of your documents from prying eyes. First, you create an encrypted copy using an encryption application. Then, you "wipe" (or "secure-delete") the original document, which consists of overwriting it several times and deleting it. (This is...

Tue, 01 Dec 2009 19:25:18 UTC

Fingerprinting RFID Chips

Posted By Bruce Schneier

This research centers on looking at the radio characteristics of individual RFID chips and creating a "fingerprint." It makes sense; fingerprinting individual radios based on their transmission characteristics is as old as WW II. But while the research centers on using this as an anti-counterfeiting measure, I think it would much more likely be used as an identification and surveillance...

Tue, 01 Dec 2009 12:59:05 UTC

Cyberwarfare Policy

Posted By Bruce Schneier

National Journal has an excellent article on cyberwar policy. I agree with the author's comments on The Atlantic blog: Would the United States ever use a more devastating weapon, perhaps shutting off the lights in an adversary nation? The answer is, almost certainly no, not unless America were attacked first. To understand why, forget about the cyber dimension for a...

Mon, 30 Nov 2009 12:17:56 UTC

The Psychology of Being Scammed

Posted By Bruce Schneier

This is a very interesting paper: "Understanding scam victims: seven principles for systems security," by Frank Stajano and Paul Wilson. Paul Wilson produces and stars in the British television show The Real Hustle, which does hidden camera demonstrations of con games. (There's no DVD of the show available, but there are bits of it on YouTube.) Frank Stajano is at...

Fri, 27 Nov 2009 22:38:55 UTC

Friday Squid Blogging: Two Squid T-Shirts

Posted By Bruce Schneier

From the Feed Store....

Fri, 27 Nov 2009 14:25:27 UTC

Fear and Public Perception

Posted By Bruce Schneier

This 1996 interview with psychiatrist Robert DuPont was part of a Frontline program called "Nuclear Reaction." He's talking about the role fear plays in the perception of nuclear power. It's a lot of the sorts of things I say, but particularly interesting is this bit on familiarity and how it reduces fear: You see, we sited these plants away from...

Thu, 26 Nov 2009 13:11:58 UTC

Leaked 9/11 Text Messages

Posted By Bruce Schneier

Wikileaks has published pager intercepts from New York on 9/11: WikiLeaks released half a million US national text pager intercepts. The intercepts cover a 24 hour period surrounding the September 11, 2001 attacks in New York and Washington. [...] Text pagers are usually carried by persons operating in an official capacity. Messages in the archive range from Pentagon, FBI, FEMA...

Wed, 25 Nov 2009 19:52:01 UTC

Mumbai Terrorist Attacks

Posted By Bruce Schneier

Long, detailed, and very good story of the Mumbai terrorist attacks of last year. My own short commentary in the aftermath of the attacks....

Wed, 25 Nov 2009 12:36:44 UTC

Virtual Mafia in Online Worlds

Posted By Bruce Schneier

If you allow players in an online world to penalize each other, you open the door to extortion: One of the features that supported user socialization in the game was the ability to declare that another user was a trusted friend. The feature involved a graphical display that showed the faces of users who had declared you trustworthy outlined in...

Tue, 24 Nov 2009 18:40:27 UTC

Users Rationally Rejecting Security Advice

Posted By Bruce Schneier

This paper, by Cormac Herley at Microsoft Research, sounds like me: Abstract: It is often suggested that users are hopelessly lazy and unmotivated on security questions. They choose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers...

Tue, 24 Nov 2009 12:40:36 UTC

Norbt

Posted By Bruce Schneier

Norbt (no robot) is a low-security web application to encrypt web pages. You can create and encrypt a webpage. The key is an answer to a question; anyone who knows the answer can see the page. I'm not sure this is very useful....

Mon, 23 Nov 2009 20:36:46 UTC

Decertifying "Terrorist" Pilots

Posted By Bruce Schneier

This article reads like something written by the company's PR team. When it comes to sleuthing these days, knowing your way within a database is as valued a skill as the classic, Sherlock Holmes-styled powers of detection. Safe Banking Systems Software proved this very point in a demonstration of its algorithm acumen -- one that resulted in a disclosure that...

Mon, 23 Nov 2009 13:24:28 UTC

Al Qaeda Secret Code Broken

Posted By Bruce Schneier

I would sure like to know more about this: Top code-breakers at the Government Communications Headquarters in the United Kingdom have succeeded in breaking the secret language that has allowed imprisoned leaders of al-Qaida to keep in touch with other extremists in U.K. jails as well as 10,000 "sleeper agents" across the islands.... [...] For six months, the code-breakers worked...

Fri, 20 Nov 2009 22:57:09 UTC

Friday Squid Blogging: New Squid Discovered

Posted By Bruce Schneier

An expedition to study seamounts in the Indian Ocean has discovered some new species, including some squid....

Fri, 20 Nov 2009 19:21:14 UTC

Interview with Me

Posted By Bruce Schneier

Yet another interview with me. This one is audio, and was conducted in Rotterdam in October....

Fri, 20 Nov 2009 17:11:19 UTC

FailBlog on Security

Posted By Bruce Schneier

Funny: career fair fail....

Fri, 20 Nov 2009 12:11:17 UTC

Denial-of-Service Attack Against CALEA

Posted By Bruce Schneier

Interesting: The researchers say they've found a vulnerability in U.S. law enforcement wiretaps, if only theoretical, that would allow a surveillance target to thwart the authorities by launching what amounts to a denial-of-service (DoS) attack against the connection between the phone company switches and law enforcement. [...] The University of Pennsylvania researchers found the flaw after examining the telecommunication industry...

Thu, 19 Nov 2009 18:51:17 UTC

A Taxonomy of Social Networking Data

Posted By Bruce Schneier

At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data. Someone made the point that there are several different types of data, and it would be useful to separate them. This is my taxonomy of social networking data. Service data. Service data is the data you need to give to a...

Thu, 19 Nov 2009 13:10:41 UTC

Stabbing People with Stuff You Can Get Through Airport Security

Posted By Bruce Schneier

"Use of a pig model to demonstrate vulnerability of major neck vessels to inflicted trauma from common household items," from the American Journal of Forensic Medicine and Pathology. Abstract. Commonly available items including a ball point pen, a plastic knife, a broken wine bottle, and a broken wine glass were used to inflict stab and incised wounds to the necks of...

Wed, 18 Nov 2009 19:45:32 UTC

How Smart are Islamic Terrorists?

Posted By Bruce Schneier

Organizational Learning and Islamic Militancy (May 2009) was written by Michael Kenney for the U.S. Department of Justice. It's long: 146 pages. From the executive summary: Organizational Learning and Islamic Militancy contains significant findings for counter-terrorism research and policy. Unlike existing studies, this report suggests that the relevant distinction in knowledge learned by terrorists is not between tacit and explicit...

Wed, 18 Nov 2009 12:22:26 UTC

Quantum Ghost Imaging

Posted By Bruce Schneier

This is cool: Ghost imaging is a technique that allows a high-resolution camera to produce an image of an object that the camera itself cannot see. It uses two sensors: one that looks at a light source and another that looks at the object. These sensors point in different directions. For example, the camera can face the sun and the...

Tue, 17 Nov 2009 20:00:25 UTC

Secret Knock Lock

Posted By Bruce Schneier

Door lock that opens if you tap a particular rhythm....

Tue, 17 Nov 2009 11:58:07 UTC

A Useful Side-Effect of Misplaced Fear

Posted By Bruce Schneier

A study in the British Journal of Criminology makes the point that drink-spiking date-raping is basically an urban legend: Abstract. There is a stark contrast between heightened perceptions of risk associated with drug-facilitated sexual assault (DFSA) and a lack of evidence that this is a widespread threat. Through surveys and interviews with university students in the United Kingdom and United...

Mon, 16 Nov 2009 19:09:45 UTC

Anti-Malware Detection and the Original Trojan Horse

Posted By Bruce Schneier

Funny....

Mon, 16 Nov 2009 12:39:11 UTC

Public Reactions to Terrorist Threats

Posted By Bruce Schneier

Interesting research: For the last five years we have researched the connection between times of terrorist threats and public opinion. In a series of tightly designed experiments, we expose subsets of research participants to a news story not unlike the type that aired last week. We argue that attitudes, evaluations, and behaviors change in at least three politically-relevant ways when...

Sun, 15 Nov 2009 16:22:03 UTC

Bruce Schneier Action Figure

Posted By Bruce Schneier

A month ago, ThatsMyFace.com approached me about making a Bruce Schneier action figure. It's $100. I'd like to be able to say something like "half the proceeds are going to EPIC and EFF," but they're not. That's the price for custom orders. I don't even get a royalty. The company is working on lowering the price, and they've said that...

Fri, 13 Nov 2009 22:03:44 UTC

Friday Squid Blogging: Sperm Whale Eating Giant Squid

Posted By Bruce Schneier

Rare photo....

Fri, 13 Nov 2009 20:43:16 UTC

Blowfish in Fiction

Posted By Bruce Schneier

The algorithm is mentioned in Von Neumann's War, by John Ringo and Travis Taylor. P. 495: The guy was using a fairly simple buffer overflow attack but with a very nice little fillip of an encryption packet designed to overcome Blowfish. The point seemed to be to create a zero day exploit, which he didn't have a chance of managing....

Fri, 13 Nov 2009 19:47:14 UTC

Video Interview with Me

Posted By Bruce Schneier

Here's an interview with me, conducted at the Information Security Decisions conference in Chicago in October....

Fri, 13 Nov 2009 12:52:56 UTC

Beyond Security Theater

Posted By Bruce Schneier

[I was asked to write this essay for the New Internationalist (n. 427, November 2009, pp. 10–13). It's nothing I haven't said before, but I'm pleased with how this essay came together.] Terrorism is rare, far rarer than many people think. It's rare because very few people want to commit acts of terrorism, and executing a terrorist plot is much...

Thu, 12 Nov 2009 20:26:44 UTC

FBI/CIA/NSA Information Sharing Before 9/11

Posted By Bruce Schneier

It's conventional wisdom that the legal "wall" between intelligence and law enforcement was one of the reasons we failed to prevent 9/11. The 9/11 Commission evaluated that claim, and published a classified report in 2004. The report was released, with a few redactions, over the summer: "Legal Barriers to Information Sharing: The Erection of a Wall Between Intelligence and Law...

Thu, 12 Nov 2009 12:30:26 UTC

Security in a Reputation Economy

Posted By Bruce Schneier

In the past, our relationship with our computers was technical. We cared what CPU they had and what software they ran. We understood our networks and how they worked. We were experts, or we depended on someone else for expertise. And security was part of that expertise. This is changing. We access our email via the web, from any computer...

Wed, 11 Nov 2009 18:19:11 UTC

Hacking the Brazil Power Grid

Posted By Bruce Schneier

We've seen lots of rumors about attacks against the power grid, both in the U.S. and elsewhere, of people hacking the power grid. Seems like the source of these rumors has been Brazil: Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three...

Wed, 11 Nov 2009 13:44:31 UTC

Thieves Prefer Stealing Black Luggage

Posted By Bruce Schneier

It's obvious why if you think about it: Thieves prefer to steal black luggage because so much of it looks alike. If the thief is caught red-handed by the bag's owner, he only has to say sorry, it looks just like mine. And he's out of there. Scot-free. Read the news story that prompted this blog post. I had...

Tue, 10 Nov 2009 19:26:29 UTC

Protecting OSs from RootKits

Posted By Bruce Schneier

Interesting research: "Countering Kernel Rootkits with Lightweight Hook Protection," by Zhi Wang, Xuxian Jiang, Weidong Cui, and Peng Ning. Abstract: Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits...

Tue, 10 Nov 2009 12:31:03 UTC

Is Antivirus Dead?

Posted By Bruce Schneier

Security is never black and white. If someone asks, "for best security, should I do A or B?" the answer almost invariably is both. But security is always a trade-off. Often it's impossible to do both A and B -- there's no time to do both, it's too expensive to do both, or whatever -- and you have to choose....

Mon, 09 Nov 2009 18:15:27 UTC

John Mueller on Zazi

Posted By Bruce Schneier

I have refrained from commenting on the case against Najibullah Zazi, simply because it's so often the case that the details reported in the press have very little to do with reality. My suspicion was that, as in so many other cases, he was an idiot who couldn't do any real harm and was turned into a bogeyman for political...

Mon, 09 Nov 2009 12:59:47 UTC

Laissez-Faire Access Control

Posted By Bruce Schneier

Recently I wrote about the difficulty of making role-based access control work, and how research at Dartmouth showed that it was better to let people take the access control they need to do their jobs, and audit the results. This interesting paper, "Laissez-Faire File Sharing," tries to formalize this sort of access control. Abstract: When organizations deploy file systems with...

Fri, 06 Nov 2009 22:13:18 UTC

Friday Squid Blogging: Dentyne Ice Squid Ad

Posted By Bruce Schneier

Weird....

Fri, 06 Nov 2009 20:35:08 UTC

Interview with Me

Posted By Bruce Schneier

On CNet.com...

Fri, 06 Nov 2009 12:55:14 UTC

The Doghouse: ADE 651

Posted By Bruce Schneier

A divining rod to find explosives in Iraq: ATSC's promotional material claims that its device can find guns, ammunition, drugs, truffles, human bodies and even contraband ivory at distances up to a kilometer, underground, through walls, underwater or even from airplanes three miles high. The device works on “electrostatic magnetic ion attraction,” ATSC says. To detect materials, the operator puts...

Thu, 05 Nov 2009 18:48:51 UTC

Mossad Hacked Syrian Official's Computer

Posted By Bruce Schneier

It was unattended in a hotel room at the time: Israel's Mossad espionage agency used Trojan Horse programs to gather intelligence about a nuclear facility in Syria the Israel Defense Forces destroyed in 2007, the German magazine Der Spiegel reported Monday. According to the magazine, Mossad agents in London planted the malware on the computer of a Syrian official who...

Thu, 05 Nov 2009 12:11:27 UTC

The Problems with Unscientific Security

Posted By Bruce Schneier

From the Open Access Journal of Forensic Psychology, by a whole list of authors: "A Call for Evidence-Based Security Tools": Abstract: Since the 2001 attacks on the twin towers, policies on security have changed drastically, bringing about an increased need for tools that allow for the detection of deception. Many of the solutions offered today, however, lack scientific underpinning. We...

Wed, 04 Nov 2009 13:12:52 UTC

Fear and Overreaction

Posted By Bruce Schneier

It's hard work being prey. Watch the birds at a feeder. They're constantly on alert, and will fly away from food -- from easy nutrition -- at the slightest movement or sound. Given that I've never, ever seen a bird plucked from a feeder by a predator, it seems like a whole lot of wasted effort against not very big...

Tue, 03 Nov 2009 17:17:46 UTC

Zero-Tolerance Policies

Posted By Bruce Schneier

Recent stories have documented the ridiculous effects of zero-tolerance weapons policies in a Delaware school district: a first-grader expelled for taking a camping utensil to school, a 13-year-old expelled after another student dropped a pocketknife in his lap, and a seventh-grader expelled for cutting paper with a utility knife for a class project. Where's the common sense? the editorials cry....

Tue, 03 Nov 2009 12:12:14 UTC

Detecting Terrorists by Smelling Fear

Posted By Bruce Schneier

Really: The technology relies on recognising a pheromone - or scent signal - produced in sweat when a person is scared. Researchers hope the 'fear detector' will make it possible to identify individuals at check points who are up to no good. Terrorists with murder in mind, drug smugglers, or criminals on the run are likely to be very fearful...

Mon, 02 Nov 2009 14:57:35 UTC

The FBI and Wiretaps

Posted By Bruce Schneier

To aid their Wall Street investigations, the FBI used DCSNet, their massive surveillance system. Prosecutors are using the FBI's massive surveillance system, DCSNet, which stands for Digital Collection System Network. According to Wired magazine, this system connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It can be used to instantly wiretap almost...

Fri, 30 Oct 2009 21:15:52 UTC

Friday Squid Blogging: Humboldt Squid in Canada

Posted By Bruce Schneier

They're washing ashore on Vancouver Island. Scientists have begun attaching tracking devices to squid off the coast of Vancouver Island to find out why the marine animals have wandered so far from their traditional territory. They also hope to find out why the squid have been beaching themselves and dying by the hundreds this summer near the town of Tofino...

Fri, 30 Oct 2009 19:30:30 UTC

Article on Me

Posted By Bruce Schneier

Article on me from a Luxembourg magazine....

Fri, 30 Oct 2009 17:36:29 UTC

Attacking U.S. Critical Infrastructure

Posted By Bruce Schneier

Squirrel terrorists. We have a cognitive bias to exaggerate risks caused by other humans, and downplay risks caused by animals (and, even more, by natural phenomena)....

Fri, 30 Oct 2009 11:04:38 UTC

Report on Chinese Cyberwarfare Capability

Posted By Bruce Schneier

"Capability of the People's Republic of China to Conduct Cyber Warfare and Computer Network Exploitation," prepared for the US-China Economic and Security Review Commission, Northrop Grumman Corporation, October 9, 2009. I have not read it yet. Post the interesting bits in comments, if there are any....

Thu, 29 Oct 2009 17:59:38 UTC

DDNI for Collection Press Conference

Posted By Bruce Schneier

The U.S. Deputy Director of National Intelligence for Collection gives a press conference on the new Utah data collection facility: video and transcript....

Thu, 29 Oct 2009 11:41:38 UTC

A Critical Essay on the TSA

Posted By Bruce Schneier

A critical essay on the TSA from a former assistant police chief: This is where I find myself now obsessing over TSA policy, or its apparent lack. Every one of us goes to work each day harboring prejudice. This is simply human nature. What I have witnessed in law enforcement over the course of the last two decades serves to...

Wed, 28 Oct 2009 18:28:48 UTC

Best Buy Sells Surveillance Tracker

Posted By Bruce Schneier

Only $99.99: Keep tabs on your child at all times with this small but sophisticated device that combines GPS and cellular technology to provide you with real-time location updates. The small and lightweight Little Buddy transmitter fits easily into a backpack, lunchbox or other receptacle, making it easy for your child to carry so you can check his or her...

Wed, 28 Oct 2009 11:48:11 UTC

Psychology and Security Resource Page

Posted By Bruce Schneier

Ross Anderson has put together a great resource page on security and psychology: At a deeper level, the psychology of security touches on fundamental scientific and philosophical problems. The 'Machiavellian Brain' hypothesis states that we evolved high intelligence not to make better tools, but to use other monkeys better as tools: primates who were better at deception, or at detecting...

Tue, 27 Oct 2009 12:42:00 UTC

2006 Wal-Mart Hack

Posted By Bruce Schneier

Interesting story of a 2006 Wal-Mart hack from, probably, Minsk....

Mon, 26 Oct 2009 11:53:13 UTC

CIA Invests in Social-Network Datamining

Posted By Bruce Schneier

From Wired: In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It's part of a larger movement within the spy services to get better at using "open source intelligence" -- information that's publicly available, but often hidden in the flood of TV...

Fri, 23 Oct 2009 21:26:02 UTC

Friday Squid Blogging: Steampunk Squid Cake

Posted By Bruce Schneier

Impressive....

Fri, 23 Oct 2009 21:03:29 UTC

Friday Squid Blogging: Draw-a-Squid Contest

Posted By Bruce Schneier

Draw a squid, win Jeff Vandermeer's Ambergris novels....

Fri, 23 Oct 2009 11:43:11 UTC

"Evil Maid" Attacks on Encrypted Hard Drives

Posted By Bruce Schneier

Earlier this month, Joanna Rutkowska implemented the "evil maid" attack against TrueCrypt. The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. Basically, the attack works like this: Step 1: Attacker gains access to your shut-down computer and boots it from a separate volume. The attacker writes a hacked bootloader onto your system, then...

Thu, 22 Oct 2009 11:10:21 UTC

James Bamford on the NSA

Posted By Bruce Schneier

James Bamford -- author of The Shadow Factory: The NSA from 9/11 to the Eavesdropping on America -- writes about the NSA's new data center in Utah as he reviews another book: The Secret Sentry: The Untold History of the National Security Agency: Just how much information will be stored in these windowless cybertemples? A clue comes from a recent report...

Wed, 21 Oct 2009 12:46:07 UTC

Ballmer Blames the Failure of Windows Vista on Security

Posted By Bruce Schneier

According to the Telegraph: Mr Ballmer said: "We got some uneven reception when [Vista] first launched in large part because we made some design decisions to improve security at the expense of compatibility. I don't think from a word-of-mouth perspective we ever recovered from that." Commentary: Vista's failure and Ballmer's faulting security is a bit of being careful for what...

Wed, 21 Oct 2009 12:19:24 UTC

Australia Man Receives Reduced Sentence Due to Encryption

Posted By Bruce Schneier

From the Courier-Mail: A man who established a sophisticated network of peepholes and cameras to spy on his flatmates has escaped a jail sentence after police were unable to crack an encryption code on his home computer. [...] They found a series of holes drilled into walls and ceilings throughout the Surfers Paradise apartment with wires leading back to...

Tue, 20 Oct 2009 18:11:10 UTC

TSA Successfully Defends Itself

Posted By Bruce Schneier

Story here. Basically, a woman posts a horrible story of how she was mistreated by the TSA, and the TSA responds by releasing the video showing that she was lying. There was a similar story in 2007. Then, I wrote: Why is it that we all -- myself included -- believe these stories? Why are we so quick to assume...

Tue, 20 Oct 2009 11:16:02 UTC

Computer Card Counter Detects Human Card Counters

Posted By Bruce Schneier

All it takes is a computer that can track every card: The anti-card-counter system uses cameras to watch players and keep track of the actual "count" of the cards, the same way a player would. It also measures how much each player is betting on each hand, and it syncs up the two data points to look for patterns in...

Mon, 19 Oct 2009 20:38:02 UTC

Six Years of Patch Tuesdays

Posted By Bruce Schneier

Nice article summing up six years of Microsoft Patch Tuesdays: The total number of flaws disclosed and patched by the software maker so far this year stands at around 160, more than the 155 or so that Microsoft reported for all of 2008. The number of flaws reported in Microsoft products over the last two years is more than double...

Mon, 19 Oct 2009 12:55:42 UTC

Helpful Hint for Fugitives: Don't Update Your Location on Facebook

Posted By Bruce Schneier

"Fugitive caught after updating his status on Facebook." It's easy to say "so dumb," and it would be true, but what's interesting is how people just don't think through the privacy implications of putting their information on the Internet. Facebook is how we interact with friends, and we think of it in the frame of interacting with friends. We don't...

Fri, 16 Oct 2009 21:42:21 UTC

Friday Squid Blogging: Squid Robot

Posted By Bruce Schneier

Cool. It's from this page....

Fri, 16 Oct 2009 13:56:14 UTC

The Commercial Speech Arms Race

Posted By Bruce Schneier

A few years ago, a company began to sell a liquid with identification codes suspended in it. The idea was that you would paint it on your stuff as proof of ownership. I commented that I would paint it on someone else's stuff, then call the police. I was reminded of this recently when a group of Israeli scientists demonstrated...

Thu, 15 Oct 2009 18:06:35 UTC

Camouflaging a WWII Factory

Posted By Bruce Schneier

Great pictures....

Thu, 15 Oct 2009 12:34:53 UTC

The Bizarre Consequences of "Zero Tolerance" Weapons Policies at Schools

Posted By Bruce Schneier

Good article: Zachary's offense? [He's six years old.] Taking a camping utensil that can serve as a knife, fork and spoon to school. He was so excited about recently joining the Cub Scouts that he wanted to use it at lunch. School officials concluded that he had violated their zero-tolerance policy on weapons, and Zachary was suspended and now faces...

Wed, 14 Oct 2009 18:05:51 UTC

1777 Steganography

Posted By Bruce Schneier

Fascinating....

Wed, 14 Oct 2009 12:37:16 UTC

The Current Status of P Versus NP

Posted By Bruce Schneier

Excellent survey....

Tue, 13 Oct 2009 19:55:36 UTC

The Doghouse: Privacy Inside

Posted By Bruce Schneier

I'm just going to quote without comment: About the file: the text message file encrypted with a symmetric key combine 3 modes 1st changing the original text with random (white noise) and PHR (Pure Human Randomness) shuffle command , move and replace instruction combine with the key from mode 1 (white noise) and 2 (PHR) 2nd mode ­ xor PHR...

Tue, 13 Oct 2009 12:15:32 UTC

David Dittrich on Criminal Malware

Posted By Bruce Schneier

Good essay: "Malware to crimeware: How far have they gone, and how do we catch up?" ;login:, August 2009: I have survived over a decade of advances in delivery of malware. Over this period, attackers have shifted to using complex, multi-phase attacks based on subtle social engineering tactics, advanced cryptographic techniques to defeat takeover and analysis, and highly targeted attacks...

Mon, 12 Oct 2009 18:47:42 UTC

Wi-fi Blocking Paint

Posted By Bruce Schneier

I wrote about this in 2004. This is an improved product: While paints blocking lower frequencies have been available for some time, Mr Ohkoshi's technology is the first to absorb frequencies transmitting at 100GHz (gigahertz). Signals carrying a larger amount of data -- such as wireless internet -- travel at a higher frequency than, for example, FM radio....

Mon, 12 Oct 2009 11:14:43 UTC

Using Wi-fi to "See" Through Walls

Posted By Bruce Schneier

Impressive....

Fri, 09 Oct 2009 21:54:58 UTC

Friday Squid Blogging: Squidsoup

Posted By Bruce Schneier

Gallery of virtual art....

Fri, 09 Oct 2009 19:34:03 UTC

Pigs Defeating RFID-Enabled Feeding Systems

Posted By Bruce Schneier

Pretty clever (for a pig, that is)....

Fri, 09 Oct 2009 16:33:21 UTC

1,000 Cybersecurity Experts

Posted By Bruce Schneier

Yesterday, DHS Secretary Janet Napolitano said that the U.S. needed to hire 1,000 cybersecurity experts over the next three years. Bob Cringely doubts that there even are 1,000 cybersecurity experts out there to hire. I suppose it depends on what she meant by "expert."...

Fri, 09 Oct 2009 11:37:05 UTC

The Futility of Defending the Targets

Posted By Bruce Schneier

This is just silly: Beaver Stadium is a terrorist target. It is most likely the No. 1 target in the region. As such, it deserves security measures commensurate with such a designation, but is the stadium getting such security? [..] When the stadium is not in use it does not mean it is not a target. It must be watched...

Thu, 08 Oct 2009 11:43:25 UTC

Detecting Forged Signatures Using Pen Pressure and Angle

Posted By Bruce Schneier

Interesting: Songhua Xu presented an interesting idea for measuring pen angle and pressure to present beautiful flower-like visual versions of a handwritten signature. You could argue that signatures are already a visual form, nicely identifiable and universal. However, with the added data about pen pressure and angle, the authors were able to create visual signatures that offer potentially greater security,...

Wed, 07 Oct 2009 18:07:58 UTC

Hotel Safe Scam

Posted By Bruce Schneier

This is interesting: Since then, his scams have tended to take place in luxury hotels around the world. Typically, he would arrive at a hotel, claim to be a guest, and then tell security that he had forgotten the combination code to his safe. When hotel staff helped him to open the safe, he would pocket the contents and make...

Wed, 07 Oct 2009 17:54:00 UTC

Detecting People Who Want to Do Harm

Posted By Bruce Schneier

I'm dubious: At a demonstration of the technology this week, project manager Robert P. Burns said the idea is to track a set of involuntary physiological reactions that might slip by a human observer. These occur when a person harbors malicious intent -- but not when someone is late for a flight or annoyed by something else, he said, citing years of...

Wed, 07 Oct 2009 12:12:15 UTC

Computer-Assisted Witness Identification

Posted By Bruce Schneier

Witnesses are much more accurate at identifying criminals when computers assist in the identification process, not police officers. A major cause of miscarriages of justice could be avoided if computers, rather than detectives, guided witnesses through the identification of suspects. That's according to Brent Daugherty at the University of North Carolina in Charlotte and colleagues, who say that too often...

Tue, 06 Oct 2009 19:32:23 UTC

Don't Let Hacker Inmates Reprogram Prison Computers

Posted By Bruce Schneier

You'd think this would be obvious: Douglas Havard, 27, serving six years for stealing up to £6.5million using forged credit cards over the internet, was approached after governors wanted to create an internal TV station but needed a special computer program written. He was left unguarded and hacked into the system's hard drive at Ranby Prison, near Retford, Notts. Then...

Tue, 06 Oct 2009 11:40:51 UTC

Malware that Forges Bank Statements

Posted By Bruce Schneier

This is brilliant: The sophisticated hack uses a Trojan horse program installed on the victim's machine that alters html coding before it's displayed in the user's browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances. Another article. If there's a moral here, it's that banks...

Mon, 05 Oct 2009 20:10:34 UTC

UK Defense Security Manual Leaked

Posted By Bruce Schneier

Wow. It's over 2,000 pages, so it'll take time to make any sense of. According to Ross Anderson, who's given it a quick look over, "it seems to be the bureaucratic equivalent of spaghetti code: a hodgepodge of things written by people from different backgrounds, and with different degrees of clue, in different decades." The computer security stuff starts at...

Mon, 05 Oct 2009 18:29:51 UTC

Moving Hippos in the Post-9/11 World

Posted By Bruce Schneier

It's a security risk: The crate was hoisted onto the flatbed with a 120-ton construction crane. For security reasons, there were no signs on the truck indicating that the cargo was a hippopotamus, the zoo said. The last thing you need is a hijacked hippo. Does this make any sense? Has there ever been a zoo animal hijacking anywhere?...

Mon, 05 Oct 2009 11:44:31 UTC

Actual DHS Travel Record

Posted By Bruce Schneier

If you were curious what the DHS knows about you....

Fri, 02 Oct 2009 21:08:00 UTC

Friday Squid Blogging: Squid Cartoon

Posted By Bruce Schneier

Lio....

Fri, 02 Oct 2009 17:23:21 UTC

"Security Theater in New York City"

Posted By Bruce Schneier

For the U.N. General Assembly: For those entranced by security theater, New York City is a sight to behold this week. A visit to one of the two centers of the action -- the Waldorf Astoria, where the presidents of China, Russia, the Prime Ministers of Israel and the Palestinian Authority, and the President of the United States -- are...

Fri, 02 Oct 2009 12:01:20 UTC

Proving a Computer Program's Correctness

Posted By Bruce Schneier

This is interesting: Professor Gernot Heiser, the John Lions Chair in Computer Science in the School of Computer Science and Engineering and a senior principal researcher with NICTA, said for the first time a team had been able to prove with mathematical rigour that an operating-system kernel -- the code at the heart of any computer or microprocessor -- was 100 per cent bug-free...

Thu, 01 Oct 2009 19:09:45 UTC

Reproducing Keys from Photographs

Posted By Bruce Schneier

Reproducing keys from distant and angled photographs: Abstract: The access control provided by a physical lock is based on the assumption that the information content of the corresponding key is private --- that duplication should require either possession of the key or a priori knowledge of how it was cut. However, the ever-increasing capabilities and prevalence of digital imaging technologies present...

Thu, 01 Oct 2009 12:01:33 UTC

Nice Use of Diversion During a Robbery

Posted By Bruce Schneier

During a daring bank robbery in Sweden that involved a helicopter, the criminals disabled a police helicopter by placing a package with the word "bomb" near the helicopter hangar, thus engaging the full caution/evacuation procedure while they escaped. I wrote about this exact sort of thing in Beyond Fear....

Wed, 30 Sep 2009 18:17:21 UTC

Immediacy Affects Risk Assessments

Posted By Bruce Schneier

New experiment demonstrates what we already knew: That's because people tend to view their immediate emotions, such as their perceptions of threats or risks, as more intense and important than their previous emotions. In one part of the study focusing on terrorist threats, using materials adapted from the U.S. Department of Homeland Security, Van Boven and his research colleagues presented...

Wed, 30 Sep 2009 10:52:24 UTC

The Doghouse: Crypteto

Posted By Bruce Schneier

Crypteto has a 49,152-bit symmetric key: The most important issue of any encryption product is the 'bit key strength'. To date the strongest known algorithm has a 448-bit key. Crypteto now offers a 49,152-bit key. This means that for every extra 1 bit increase that Crypteto has over its competition makes it 100% stronger. The security and privacy this offers...

Tue, 29 Sep 2009 18:08:56 UTC

The Problem of Vague Laws

Posted By Bruce Schneier

The average American commits three felonies a day: the title of a new book by Harvey Silverglate. More specifically, the problem is the intersection of vague laws and fast-moving technology: Technology moves so quickly we can barely keep up, and our legal system moves so slowly it can't keep up with itself. By design, the law is built up over...

Tue, 29 Sep 2009 12:13:29 UTC

Predicting Characteristics of People by the Company they Keep

Posted By Bruce Schneier

Turns out "gaydar" can be automated: Using data from the social network Facebook, they made a striking discovery: just by looking at a person's online friends, they could predict whether the person was gay. They did this with a software program that looked at the gender and sexuality of a person's friends and, using statistical analysis, made a prediction. The...

Mon, 28 Sep 2009 18:34:32 UTC

Unauthentication

Posted By Bruce Schneier

In computer security, a lot of effort is spent on the authentication problem. Whether it's passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated -- and hopefully more secure -- ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank...

Mon, 28 Sep 2009 11:19:14 UTC

Ass Bomber

Posted By Bruce Schneier

Nobody tell the TSA, but last month someone tried to assassinate a Saudi prince by exploding a bomb stuffed in his rectum. He pretended to be a repentant militant, when in fact he was a Trojan horse: The resulting explosion ripped al-Asiri to shreds but only lightly injured the shocked prince -- the target of al-Asiri's unsuccessful assassination attempt. Other...

Fri, 25 Sep 2009 19:46:40 UTC

A Stick Figure Guide to AES

Posted By Bruce Schneier

Nice....

Fri, 25 Sep 2009 18:04:38 UTC

Friday Squid Blogging: 20-Foot Squid Caught in the Gulf of Mexico

Posted By Bruce Schneier

First one sighted in the Gulf since 1954: The new specimen, weighing 103 pounds, was found during a preliminary survey of the Gulf during which scientists hope to identify the types of fish and squid that sperm whales feed on. The squid, like other deep catches, was dead when brought to the surface because the animals can't survive the rapid...

Fri, 25 Sep 2009 11:17:23 UTC

Texas Instruments Signing Keys Broken

Posted By Bruce Schneier

Texas Instruments' calculators use RSA digital signatures to authenticate any updates to their operating system. Unfortunately, their signing keys are too short: 512 bits. Earlier this month, a collaborative effort factored the moduli and published the private keys. Texas Instruments responded by threatening websites that published the keys with the DMCA, but it's too late. So far, we have the operating-system...

Thu, 24 Sep 2009 19:57:49 UTC

The Onion on Security

Posted By Bruce Schneier

"Authorities Called in to Examine Suspicious-Looking Ham."...

Thu, 24 Sep 2009 11:37:34 UTC

Sears Spies on its Customers

Posted By Bruce Schneier

It's not just hackers who steal financial and medical information: Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more...

Wed, 23 Sep 2009 18:43:49 UTC

Monopoly Sets for WWII POWs: More Information

Posted By Bruce Schneier

I already blogged about this; there's more information in this new article: Included in the items the German army allowed humanitarian groups to distribute in care packages to imprisoned soldiers, the game was too innocent to raise suspicion. But it was the ideal size for a top-secret escape kit that could help spring British POWs from German war camps. The...

Wed, 23 Sep 2009 12:13:58 UTC

Eliminating Externalities in Financial Security

Posted By Bruce Schneier

This is a good thing: An Illinois district court has allowed a couple to sue their bank on the novel grounds that it may have failed to sufficiently secure their account, after an unidentified hacker obtained a $26,500 loan on the account using the customers' user name and password. [...] In February 2007, someone with a different IP address than...

Tue, 22 Sep 2009 19:00:15 UTC

Quantum Computer Factors the Number 15

Posted By Bruce Schneier

This is an important development: Shor's algorithm was first demonstrated in a computing system based on nuclear magnetic resonance -- manipulating molecules in a solution with strong magnetic fields. It was later demonstrated with quantum optical methods but with the use of bulk components like mirrors and beam splitters that take up an unwieldy area of several square meters. Last...

Tue, 22 Sep 2009 11:39:05 UTC

Hacking Two-Factor Authentication

Posted By Bruce Schneier

Back in 2005, I wrote about the failure of two-factor authentication to mitigate banking fraud: Here are two new active attacks we're starting to see: Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank's real website. Done...

Mon, 21 Sep 2009 18:41:12 UTC

Inferring Friendship from Location Data

Posted By Bruce Schneier

Interesting: For nine months, Eagle's team recorded data from the phones of 94 students and staff at MIT. By using blue-tooth technology and phone masts, they could monitor the movements of the participants, as well as their phone calls. Their main goal with this preliminary study was to compare data collected from the phones with subjective self-report data collected through...

Mon, 21 Sep 2009 11:46:32 UTC

Terrorist Havens

Posted By Bruce Schneier

Good essay on "terrorist havens" -- like Afghanistan -- and why they're not as big a worry as some maintain: Rationales for maintaining the counterinsurgency in Afghanistan are varied and complex, but they all center on one key tenet: that Afghanistan must not be allowed to again become a haven for terrorist groups, especially al-Qaeda. [...] The debate has largely...

Fri, 18 Sep 2009 21:08:41 UTC

Friday Squid Blogging: Embracing Your Inner Squid

Posted By Bruce Schneier

Interview with Jonathan Coulton....

Fri, 18 Sep 2009 11:45:43 UTC

Modifying the Color-Coded Threat Alert System

Posted By Bruce Schneier

I wrote about the DHS's color-coded threat alert system in 2003, in Beyond Fear: The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alert levels: Green, Blue, Yellow, Orange, and Red. The difference is...

Wed, 16 Sep 2009 14:00:20 UTC

Printing Police Handcuff Keys

Posted By Bruce Schneier

Using a 3D printer. Impressive. At the end of the day he talked the officers into trying the key on their handcuffs and ... it did work! At least the Dutch Police now knows there is a plastic key on the market that will open their handcuffs. A plastic key undetectable by metal detectors....

Tue, 15 Sep 2009 11:10:27 UTC

Skein News

Posted By Bruce Schneier

Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small "tweaks" to their algorithms. We've tweaked the rotation constants of Skein. This change does not affect Skein's performance in any way. The revised Skein paper contains the new rotation constants,...

Mon, 14 Sep 2009 12:24:47 UTC

Robert Sawyer's Alibis

Posted By Bruce Schneier

Back in 2002, science fiction author Robert J. Sawyer wrote an essay about the trade-off between privacy and security, and came out in favor of less privacy. I disagree with most of what he said, and have written pretty much the opposite essay -- and others on the value of privacy and the future of privacy -- several times since...

Fri, 11 Sep 2009 21:27:42 UTC

Friday Squid Blogging: Stinky Squid

Posted By Bruce Schneier

It's a mushroom: Pseudocolus fusiformis....

Fri, 11 Sep 2009 17:29:09 UTC

Schneier on "The Future of the Security Industry"

Posted By Bruce Schneier

Here's a video of a talk I gave at an OWASP meeting in August....

Fri, 11 Sep 2009 17:14:12 UTC

Refuse to be Terrorized

Posted By Bruce Schneier

Me from 2006....

Fri, 11 Sep 2009 11:26:50 UTC

Eighth Anniversary of 9/11

Posted By Bruce Schneier

On September 30, 2001, I published a special issue of Crypto-Gram discussing the terrorist attacks. I wrote about the novelty of the attacks, airplane security, diagnosing intelligence failures, the potential of regulating cryptography -- because it could be used by the terrorists -- and protecting privacy and liberty. Much of what I wrote is still relevant today: Appalled by the...

Thu, 10 Sep 2009 11:08:08 UTC

File Deletion

Posted By Bruce Schneier

File deletion is all about control. This used to not be an issue. Your data was on your computer, and you decided when and how to delete a file. You could use the delete function if you didn't care about whether the file could be recovered or not, and a file erase program -- I use BCWipe for Windows --...

Wed, 09 Sep 2009 17:25:26 UTC

Demonstration of a Liquid Explosive

Posted By Bruce Schneier

The BBC has a video demonstration of a 16-ounce bottle of liquid blowing a hole in the side of a plane. I know no more details other than what's in the video....

Wed, 09 Sep 2009 15:10:12 UTC

NSA Intercepts Used to Convict Liquid Bombers

Posted By Bruce Schneier

Three of the UK liquid bombers were convicted Monday. NSA-intercepted e-mail was introduced as evidence in the trial: The e-mails, several of which have been reprinted by the BBC and other publications, contained coded messages, according to prosecutors. They were intercepted by the NSA in 2006 but were not included in evidence introduced in a first trial against the three...

Tue, 08 Sep 2009 12:12:19 UTC

The Global Illicit Economy

Posted By Bruce Schneier

Interesting video: A new class of global actors is playing an increasingly important role in globalization: smugglers, warlords, guerrillas, terrorists, gangs, and bandits of all stripes. Since the end of the Cold War, the global illicit economy has consistently grown at twice the rate of the licit global economy. Increasingly, illicit actors will represent not just an economic but a...

Mon, 07 Sep 2009 12:33:14 UTC

David Kilcullen on Security and Insurgency

Posted By Bruce Schneier

Very interesting hour-long interview. Australian-born David Kilcullen was the senior advisor to US General David Petraeus during his time in Iraq, advising on counterinsurgency. The implementation of his strategies is now regarded as a major turning point in the war. Here, in a fascinating discussion with human rights lawyer Julian Burnside at the Melbourne Writers' Festival, he talks about the...

Fri, 04 Sep 2009 21:45:01 UTC

Friday Squid Blogging: Squid Coloration

Posted By Bruce Schneier

Fascinating video....

Fri, 04 Sep 2009 11:18:03 UTC

Subpoenas as a Security Threat

Posted By Bruce Schneier

Blog post from Ed Felten: Usually when the threat model mentions subpoenas, the bigger threats in reality come from malicious intruders or insiders. The biggest risk in storing my documents on CloudCorp's servers is probably that somebody working at CloudCorp, or a contractor hired by them, will mess up or misbehave. So why talk about subpoenas rather than intruders or...

Thu, 03 Sep 2009 18:56:47 UTC

"The Cult of Schneier"

Posted By Bruce Schneier

If there's actually a cult out there, I want to hear about it. In an essay by that name, John Viega writes about the dangers of relying on Applied Cryptography to design cryptosystems: But, after many years of evaluating the security of software systems, I'm incredibly down on using the book that made Bruce famous when designing the cryptographic aspects...

Thu, 03 Sep 2009 17:54:58 UTC

Real-World Access Control

Posted By Bruce Schneier

Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant. So a...

Thu, 03 Sep 2009 10:36:39 UTC

The History of One-Time Pads and the Origins of SIGABA

Posted By Bruce Schneier

Blog post from Steve Bellovin: It is vital that the keystream values (a) be truly random and (b) never be reused. The Soviets got that wrong in the 1940s; as a result, the U.S. Army's Signal Intelligence Service was able to read their spies' traffic in the Venona program. The randomness requirement means that the values cannot be generated by...

Wed, 02 Sep 2009 12:40:39 UTC

The Exaggerated Fears of Cyber-War

Posted By Bruce Schneier

Good article, which basically says that our policies are based more on fear than on reality. On cyber-terrorism: So why is there so much concern about "cyber-terrorism"? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies -- which need to justify their own existence -- and cyber-security companies -- which derive commercial benefits from popular...

Tue, 01 Sep 2009 18:13:32 UTC

Hacking Swine Flu

Posted By Bruce Schneier

Interesting: So how many bits are in this instance of H1N1? The raw number of bits, by my count, is 26,022; the actual number of coding bits approximately 25,054 -- I say approximately because the virus does the equivalent of self-modifying code to create two proteins out of a single gene in some places (pretty interesting stuff actually), so it's...

Tue, 01 Sep 2009 11:21:51 UTC

Matthew Weigman

Posted By Bruce Schneier

Fascinating story of a 16-year-old blind phone phreaker. One afternoon, not long after Proulx was swatted, Weigman came home to find his mother talking to what sounded like a middle-aged male. The man introduced himself as Special Agent Allyn Lynd of the FBI's cyber squad in Dallas, which investigates hacking and other computer crimes. A West Point grad, Lynd had...

Mon, 31 Aug 2009 10:59:53 UTC

On London's Surveillance Cameras

Posted By Bruce Schneier

A recent report has concluded that London's surveillance cameras have solved one crime per thousand cameras per year. David Davis MP, the former shadow home secretary, said: "It should provoke a long overdue rethink on where the crime prevention budget is being spent." He added: "CCTV leads to massive expense and minimum effectiveness. "It creates a huge intrusion on...

Fri, 28 Aug 2009 21:15:52 UTC

Friday Squid Blogging: Squid Police

Posted By Bruce Schneier

I like to think this isn't a typo....

Fri, 28 Aug 2009 17:27:34 UTC

The Security Risks of Accepting Free Laptops

Posted By Bruce Schneier

Weird: The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the U.S., including West Virginia Governor Joe Manchin and Wyoming Governor Dave Freudenthal. Some state officials are worried that they may contain malicious software....

Fri, 28 Aug 2009 11:12:30 UTC

Marine Worms with Glowing Bombs

Posted By Bruce Schneier

More security stories from the natural world: During chase scenes, movie protagonists often make their getaway by releasing some sort of decoy to cover their escape or distract their pursuer. But this tactic isn't reserved for action heroes -- some deep-sea animals also evade their predators by releasing decoys -- glowing ones. Karen Osborn from the Scripps Institute of Oceanography has discovered seven new...

Thu, 27 Aug 2009 18:44:59 UTC

Banning Beer Glasses in Pubs

Posted By Bruce Schneier

Not beer, just the glasses: The Home Office has commissioned a new design, in an attempt to stop glasses being used as weapons. Official figures show 5,500 people are attacked with glasses and bottles every year in England and Wales. The British Beer and Pub Association said it did not want the new plastic glasses to be made compulsory. I...

Thu, 27 Aug 2009 12:02:07 UTC

Stealing 130 Million Credit Card Numbers

Posted By Bruce Schneier

Someone has been charged with stealing 130 million credit card numbers. Yes, it's a lot, but that's the sort of quantity credit card numbers come in. They come by the millions, in large database files. Even if you only want ten, you have to steal millions. I'm sure every one of us has a credit card in our wallet whose...

Wed, 26 Aug 2009 17:20:06 UTC

Manipulating Breathalyzers

Posted By Bruce Schneier

Interesting video demonstrating how a policeman can manipulate the results of a Breathalyzer....

Wed, 26 Aug 2009 10:46:43 UTC

Small Business Identity Theft and Fraud

Posted By Bruce Schneier

The sorts of crimes we've been seeing perpetrated against individuals are starting to be perpetrated against small businesses: In July, a school district near Pittsburgh sued to recover $700,000 taken from it. In May, a Texas company was robbed of $1.2 million. An electronics testing firm in Baton Rouge, La., said it was bilked of nearly $100,000. In many cases,...

Tue, 25 Aug 2009 11:43:59 UTC

Actual Security Theater

Posted By Bruce Schneier

As part of their training, federal agents engage in mock exercises in public places. Sometimes, innocent civilians get involved. Every day, as Washingtonians go about their overt lives, the FBI, CIA, Capitol Police, Secret Service and U.S. Marshals Service stage covert dramas in and around the capital where they train. Officials say the scenarios help agents and officers integrate the...

Mon, 24 Aug 2009 12:12:24 UTC

Non-Randomness in Coin Flipping

Posted By Bruce Schneier

It turns out that flipping a coin has all sorts of non-randomness: Here are the broad strokes of their research: If the coin is tossed and caught, it has about a 51% chance of landing on the same face it was launched. (If it starts out as heads, there's a 51% chance it will end as heads). If the coin...

Mon, 24 Aug 2009 10:57:15 UTC

Modeling Zombie Outbreaks

Posted By Bruce Schneier

The math doesn't look good: "When Zombies Attack!: Mathematical Modelling of an Outbreak of Zombie Infection." An outbreak of zombies infecting humans is likely to be disastrous, unless extremely aggressive tactics are employed against the undead. While aggressive quarantine may eradicate the infection, this is unlikely to happen in practice. A cure would only result in some humans surviving the...

Fri, 21 Aug 2009 21:17:20 UTC

Friday Squid Blogging: Jurassic Squid

Posted By Bruce Schneier

Neat: Palaeontologists have drawn with ink extracted from a preserved fossilised squid uncovered during a dig in Trowbridge, Wiltshire. The fossil, thought to be 150 million years old, was found when a rock was cracked open, revealing the one-inch-long black ink sac. The calcified ink was ground with a solution of ammonia to turn it into ink. Another article....

Fri, 21 Aug 2009 18:33:01 UTC

Embarrassing Terrorist Failures

Posted By Bruce Schneier

From the humor website Cracked: "The 5 Most Embarrassing Failures in the History of Terrorism." Yes, it's funny. But remember that these are the terrorist masterminds that politicians invoke to keep us scared. My 2007 essay, "Portrait of the Modern Terrorist as an Idiot," is also relevant. But less funny....

Fri, 21 Aug 2009 11:03:08 UTC

Hacking the Assa Solo Lock

Posted By Bruce Schneier

Marc Weber Tobias again: The new Assa Solo was recently introduced in Europe and we believe is the latest Cliq design. We were provided with samples and were able to show a reporter for Wired's Threat Level how to completely circumvent the electronic credentials in less than thirty seconds, which she easily accomplished. This is the latest and most current...

Thu, 20 Aug 2009 11:59:32 UTC

Developments in Lie Detection

Posted By Bruce Schneier

Interesting: Scientists looking for better ways to detect lies have found a promising one: increasing suspects' "cognitive load." For a host of reasons, their theory goes, lying is more mentally taxing than telling the truth. Performing an extra task while lying or telling the truth should therefore affect the liars more. To test this idea, deception researchers led by psychologist...

Wed, 19 Aug 2009 18:08:10 UTC

The Continuing Cheapening of the Word "Terrorism"

Posted By Bruce Schneier

"Terroristic threats"? A pickup truck driver is accused of trying to run over a bicyclist and then coming after him brandishing an ax after a road-rage incident in Burnsville last weekend. The driver, Mitchel J. Pieper, 32, of Burnsville, was charged in Dakota County District Court on Tuesday with making terroristic threats, a felony, in connection with the altercation Saturday....

Wed, 19 Aug 2009 11:57:41 UTC

Fabricating DNA Evidence

Posted By Bruce Schneier

This isn't good: The scientists fabricated blood and saliva samples containing DNA from a person other than the donor of the blood and saliva. They also showed that if they had access to a DNA profile in a database, they could construct a sample of DNA to match that profile without obtaining any tissue from that person. [...] The planting...

Tue, 18 Aug 2009 11:16:39 UTC

Movie-Plot Threat Alert: Robot Suicide Bombers

Posted By Bruce Schneier

Let's all be afraid: But it adds: "Robots that effectively mimic human appearance and movements may be used as human proxies." It raised the prospects of terrorists using robots to plant and detonate bombs or even replacing human suicide bombers. A Home Office spokeswoman said: "This strategy looks at how technology might develop in future. "Clearly it is important that...

Mon, 17 Aug 2009 11:36:23 UTC

Flash Cookies

Posted By Bruce Schneier

Flash has the equivalent of cookies, and they're hard to delete: Unlike traditional browser cookies, Flash cookies are relatively unknown to web users, and they are not controlled through the cookie privacy controls in a browser. That means even if a user thinks they have cleared their computer of tracking objects, they most likely have not. What's even sneakier? Several...

Fri, 14 Aug 2009 21:28:47 UTC

Friday Squid Blogging: Squid and Owl

Posted By Bruce Schneier

Beautiful....

Fri, 14 Aug 2009 11:30:56 UTC

EFF on Locational Privacy

Posted By Bruce Schneier

Excellent paper: "On Locational Privacy, and How to Avoid Losing it Forever." Some threats to locational privacy are overt: it's evident how cameras backed by face-recognition software could be misused to track people and record their movements. In this document, we're primarily concerned with threats to locational privacy that arise as a hidden side-effect of clearly useful location-based services. We...

Thu, 13 Aug 2009 10:09:30 UTC

Man-in-the-Middle Trucking Attack

Posted By Bruce Schneier

Clever: For over three years the pair hacked into a Department of Transportation website called Safersys.org, which maintains a list of licensed interstate-trucking companies and brokers, according to an affidavit (.pdf) filed by a DOT investigator. There, they would temporarily change the contact information for a legitimate trucking company to an address and phone number under their control. The men...

Wed, 12 Aug 2009 10:48:39 UTC

Lockpicking and the Internet

Posted By Bruce Schneier

Physical locks aren't very good. They keep the honest out, but any burglar worth his salt can pick the common door lock pretty quickly. It used to be that most people didn't know this. Sure, we all watched television criminals and private detectives pick locks with an ease only found on television and thought it realistic, but somehow we still...

Tue, 11 Aug 2009 17:29:48 UTC

An Ethical Code for Intelligence Officers

Posted By Bruce Schneier

August's Communications of the ACM has an interesting article: "An Ethics Code for U.S. Intelligence Officers," by former NSAers Brian Snow and Clint Brooks. The article is behind a paywall, but here's the code: Draft Statement of Ethics for the Intelligence Community Preamble: Intelligence work may present exceptional or unusual ethical dilemmas beyond those of ordinary life. Ethical thinking and...

Tue, 11 Aug 2009 11:15:58 UTC

Self-Enforcing Protocols

Posted By Bruce Schneier

There are several ways two people can divide a piece of cake in half. One way is to find someone impartial to do it for them. This works, but it requires another person. Another way is for one person to divide the piece, and the other person to complain (to the police, a judge, or his parents) if he doesn't...

Mon, 10 Aug 2009 11:57:36 UTC

Password Advice

Posted By Bruce Schneier

Here's some complicated advice on securing passwords that -- I'll bet -- no one follows. DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod's Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you...

Fri, 07 Aug 2009 21:53:08 UTC

Friday Squid Blogging: Humboldt Squid is "Timid"

Posted By Bruce Schneier

Contrary to my previous blog entry on the topic, Humboldt squid are really timid: Humboldt squid feed in surface waters at night, then retreat to great depths during daylight hours. "They spend the day 300 meters deep where oxygen levels are very low," Seibel said. "We wanted to know how they deal with so little oxygen." Seibel said that while...

Fri, 07 Aug 2009 12:32:28 UTC

New Airport Security Hole

Posted By Bruce Schneier

Funny....

Thu, 06 Aug 2009 10:08:38 UTC

Risk Intuition

Posted By Bruce Schneier

People have a natural intuition about risk, and in many ways it's very good. It fails at times due to a variety of cognitive biases, but for normal risks that people regularly encounter, it works surprisingly well: often better than we give it credit for. This struck me as I listened to yet another conference presenter complaining about security awareness...

Wed, 05 Aug 2009 18:46:11 UTC

How we Reacted to the Unexpected 75 Years Ago

Posted By Bruce Schneier

From the International Herald Tribune: 1934 Dynamite Found On Track SPOKANE Discovery of a box of useless dynamite on the railway track two and a half miles southwest of this city led to special precautions being taken to guard the line over which President Roosevelt's train passed this morning [August 4] en route to Washington. Six deputy sheriffs guarded the...

Wed, 05 Aug 2009 11:10:59 UTC

Security vs. Usability

Posted By Bruce Schneier

Good essay: "When Security Gets in the Way." The numerous incidents of defeating security measures prompts my cynical slogan: The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and...

Tue, 04 Aug 2009 17:52:03 UTC

Regulating Chemical Plant Security

Posted By Bruce Schneier

The New York Times has an editorial on regulating chemical plants: Since Sept. 11, 2001, experts have warned that an attack on a chemical plant could produce hundreds of thousands of deaths and injuries. Public safety and environmental advocates have fought for strong safety rules, but the chemical industry used its clout in Congress in 2006 to ensure that only...

Tue, 04 Aug 2009 15:01:00 UTC

Too Many Security Warnings Results in Complacency

Posted By Bruce Schneier

Research that proves what we already knew: Crying Wolf: An Empirical Study of SSL Warning Effectiveness Abstract. Web users are shown an invalid certificate warning when their browser cannot validate the identity of the websites they are visiting. While these warnings often appear in benign situations, they can also signal a man-in-the-middle attack. We conducted a survey of over 400...

Mon, 03 Aug 2009 11:43:46 UTC

Building in Surveillance

Posted By Bruce Schneier

China is the world's most successful Internet censor. While the Great Firewall of China isn't perfect, it effectively limits information flowing in and out of the country. But now the Chinese government is taking things one step further. Under a requirement taking effect soon, every computer sold in China will have to contain the Green Dam Youth Escort software package....

Fri, 31 Jul 2009 21:16:51 UTC

Friday Squid Blogging: Spicy Squid on a Stick

Posted By Bruce Schneier

New!...

Fri, 31 Jul 2009 18:11:17 UTC

Snake Oil Salesman

Posted By Bruce Schneier

In cryptography, we've long used the term "snake oil" to refer to crypto systems with good marketing hype and little actual security. It's the phrase I generalized into "security theater." Well, it turns out that there really is a snake oil salesman....

Fri, 31 Jul 2009 16:29:29 UTC

Eve Ensler on Security

Posted By Bruce Schneier

Interesting TED talk by Eve Ensler on security. She doesn't use any of the terms, but in the beginning she's echoing a lot of the current thinking about evolutionary psychology and how it relates to security....

Fri, 31 Jul 2009 11:00:51 UTC

Nuclear Self-Terrorization

Posted By Bruce Schneier

More fearmongering. The headline is "Terrorists could use internet to launch nuclear attack: report." The subhead: "The risk of cyber-terrorism escalating to a nuclear strike is growing daily, according to a study." In the article: The claims come in a study commissioned by the International Commission on Nuclear Non-proliferation and Disarmament (ICNND), which suggests that under the right circumstances, terrorists...

Thu, 30 Jul 2009 14:26:08 UTC

Another New AES Attack

Posted By Bruce Schneier

A new and very impressive attack against AES has just been announced. Over the past couple of months, there have been two (the second blogged about here) new cryptanalysis papers on AES. The attacks presented in the paper are not practical -- they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that...

Thu, 30 Jul 2009 12:06:42 UTC

Risks of Cloud Computing

Posted By Bruce Schneier

Excellent essay by Jonathan Zittrain on the risks of cloud computing: The cloud, however, comes with real dangers. Some are in plain view. If you entrust your data to others, they can let you down or outright betray you. For example, if your favorite music is rented or authorized from an online subscription service rather than freely in your custody...

Wed, 29 Jul 2009 11:16:12 UTC

iPhone Encryption Useless

Posted By Bruce Schneier

Interesting, although I want some more technical details. ...the new iPhone 3GS' encryption feature is "broken" when it comes to protecting sensitive information such as credit card numbers and social-security digits, Zdziarski said. Zdziarski said it's just as easy to access a user's private information on an iPhone 3GS as it was on the previous generation iPhone 3G or first...

Wed, 29 Jul 2009 10:31:44 UTC

New Real Estate Scam

Posted By Bruce Schneier

Clever: Nigerian scammers find homes listed for sale on these public search sites, copy the pictures and listings verbatim, and then post the information onto Craigslist under available housing rentals, without the consent or knowledge of Craigslist, who has been notified. After the posting is listed, unsuspecting individuals contact the poster, who is Nigerian, for more information on the "rental."...

Tue, 28 Jul 2009 21:23:34 UTC

Large Signs a Security Risk

Posted By Bruce Schneier

A large sign saying "United States" at a border crossing was deemed a security risk: Yet three weeks ago, less than a month after the station opened, workers began prying the big yellow letters off the building's facade on orders from Customs and Border Protection. The plan is to dismantle the rest of the sign this week. "At the end...

Tue, 28 Jul 2009 12:13:43 UTC

Swiss Security Problem: Storing Gold

Posted By Bruce Schneier

Seems like the Swiss may be running out of secure gold storage. If this is true, it's a real security issue. You can't just store the stuff behind normal locks. Building secure gold storage takes time and money. I am reminded of a related problem the EU had during the transition to the euro: where to store all the bills...

Mon, 27 Jul 2009 21:16:34 UTC

Tips for Staying Safe Online

Posted By Bruce Schneier

This is funny: Tips for Staying Safe Online All citizens can follow a few simple guidelines to keep themselves safe in cyberspace. In doing so, they not only protect their personal information but also contribute to the security of cyberspace. Install anti-virus software, a firewall, and anti-spyware software to your computer, and update as necessary. Create strong passwords on your...

Mon, 27 Jul 2009 11:48:58 UTC

Base Rate Fallacy

Posted By Bruce Schneier

Nice description of the base rate fallacy....

Fri, 24 Jul 2009 21:51:32 UTC

Friday Squid Blogging: Humboldt Squid Invasion

Posted By Bruce Schneier

Yikes: Thousands of jumbo flying squid, aggressive 5-foot-long sea monsters with razor-sharp beaks and toothy tentacles, have invaded the shallow waters off San Diego, spooking scuba divers and washing up dead on beaches. They're aggressive: One diver described how one of the rust-coloured creatures ripped the buoyancy aid and light from her chest, and grabbed her with its tentacles. Very...

Fri, 24 Jul 2009 17:15:36 UTC

SHA-3 Second Round Candidates Announced

Posted By Bruce Schneier

NIST has announced the 14 SHA-3 candidates that have advanced to the second round: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. In February, I chose my favorites: Arirang, BLAKE, Blue Midnight Wish, ECHO, Grøstl, Keccak, LANE, Shabal, and Skein. Of the ones NIST eventually chose, I am most surprised to...

Fri, 24 Jul 2009 15:36:20 UTC

Social Security Numbers are Not Random

Posted By Bruce Schneier

Social Security Numbers are not random. In some cases, you can predict them with date and place of birth (http://www.wired.com/wiredscience/2009/07/predictingssn/). Abstract: Information about an individual's place and date of birth can be exploited to predict his or her Social Security number (SSN). Using only publicly available information, we observed a correlation between individuals' SSNs and their birth data and found that...

Thu, 23 Jul 2009 17:07:07 UTC

The Twitter Attack

Posted By Bruce Schneier

Excellent article detailing the Twitter attack....

Thu, 23 Jul 2009 11:09:06 UTC

Mapping Drug Use by Testing Sewer Water

Posted By Bruce Schneier

I wrote about this in 2007, but there's new research: Scientists from Oregon State University, the University of Washington and McGill University partnered with city workers in 96 communities, including Pendleton, Hermiston and Umatilla, to gather samples on one day, March 4, 2008. The scientists then tested the samples for evidence of methamphetamine, cocaine and ecstasy, or MDMA. Addiction specialists...

Tue, 21 Jul 2009 11:50:05 UTC

Verifiable Dismantling of Nuclear Bombs

Posted By Bruce Schneier

Cryptography has zero-knowledge proofs, where Alice can prove to Bob that she knows something without revealing it to Bob. Here's something similar from the real world. It's a research project to allow weapons inspectors from one nation to verify the disarming of another nation's nuclear weapons without learning any weapons secrets in the process, such as the amount of nuclear...

Mon, 20 Jul 2009 12:43:16 UTC

Cybercrime Paper

Posted By Bruce Schneier

"Distributed Security: A New Model of Law Enforcement," Susan W. Brenner and Leo L. Clarke. Abstract: Cybercrime, which is rapidly increasing in frequency and in severity, requires us to rethink how we should enforce our criminal laws. The current model of reactive, police-based enforcement, with its origins in real-world urbanization, does not and cannot protect society from criminals using computer...

Fri, 17 Jul 2009 22:09:18 UTC

Friday Squid Blogging: Bottled Water Plus Squid

Posted By Bruce Schneier

Only in Japan: Bandai toy company from Japan has finally realized that bottles of water just aren't cute. As Japan is the cute capital of the world, this just wouldn't do. To fix the problem, they developed these adorable floating squids that can be added to any bottle of water. Thank god for Japanese innovation. Of course, they're only available...

Fri, 17 Jul 2009 19:04:04 UTC

Pepper Spray–Equipped ATMs

Posted By Bruce Schneier

South Africa takes its security seriously. Here's an ATM that automatically squirts pepper spray into the face of "people tampering with the card slots." Sounds cool, but these kinds of things are all about false positives: But the mechanism backfired in one incident last week when pepper spray was inadvertently inhaled by three technicians who required treatment from paramedics. Patrick...

Thu, 16 Jul 2009 12:05:11 UTC

Privacy Salience and Social Networking Sites

Posted By Bruce Schneier

Reassuring people about privacy makes them more, not less, concerned. It's called "privacy salience," and Leslie John, Alessandro Acquisti, and George Loewenstein -- all at Carnegie Mellon University -- demonstrated this in a series of clever experiments. In one, subjects completed an online survey consisting of a series of questions about their academic behavior -- "Have you ever cheated on...

Wed, 15 Jul 2009 18:10:47 UTC

Laptop Security while Crossing Borders

Posted By Bruce Schneier

Last year, I wrote about the increasing propensity for governments, including the U.S. and Great Britain, to search the contents of people's laptops at customs. What we know is still based on anecdote, as no country has clarified the rules about what their customs officers are and are not allowed to do, and what rights people have. Companies and individuals...

Wed, 15 Jul 2009 12:17:58 UTC

Data Leakage Through Power Lines

Posted By Bruce Schneier

The NSA has known about this for decades: Security researchers found that poor shielding on some keyboard cables means useful data can be leaked about each character typed. By analysing the information leaking onto power circuits, the researchers could see what a target was typing. The attack has been demonstrated to work at a distance of up to 15m, but...

Tue, 14 Jul 2009 19:48:08 UTC

Poor Man's Steganography

Posted By Bruce Schneier

Hide files inside pdf documents: "embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader."...

Tue, 14 Jul 2009 12:20:37 UTC

Gaze Tracking Software Protecting Privacy

Posted By Bruce Schneier

Interesting use of gaze tracking software to protect privacy: Chameleon uses gaze-tracking software and camera equipment to track an authorized reader's eyes to show only that one person the correct text. After a 15-second calibration period in which the software essentially "learns" the viewer's gaze patterns, anyone looking over that user's shoulder sees dummy text that randomly and constantly changes....

Mon, 13 Jul 2009 17:45:53 UTC

North Korean Cyberattacks

Posted By Bruce Schneier

To hear the media tell it, the United States suffered a major cyberattack last week. Stories were everywhere. "Cyber Blitz hits U.S., Korea" was the headline in Thursday's Wall Street Journal. North Korea was blamed. Where were you when North Korea attacked America? Did you feel the fury of North Korea's armies? Were you fearful for your country? Or did...

Mon, 13 Jul 2009 11:38:31 UTC

Strong Web Passwords

Posted By Bruce Schneier

Interesting paper from HotSec '07: "Do Strong Web Passwords Accomplish Anything?" by Dinei Florêncio, Cormac Herley, and Baris Coskun. ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are...

Fri, 10 Jul 2009 21:45:42 UTC

Friday Squid Blogging: Humboldt Squid Caught Off Seattle

Posted By Bruce Schneier

A hundred-pounder. They're still moving North....

Fri, 10 Jul 2009 17:45:03 UTC

Lost Suitcases in Airport Restrooms

Posted By Bruce Schneier

Want to cause chaos at an airport? Leave a suitcase in the restroom: Three incoming flights from London were cancelled and about 150 others were delayed for up to three hours, while the army's bomb squad carried out its investigation, before giving the all-clear at about 5pm. Passengers were told to leave the arrivals hall, main check-in area at the...

Fri, 10 Jul 2009 14:44:29 UTC

Making an Operating System Virus Free

Posted By Bruce Schneier

Commenting on Google's claim that Chrome was designed to be virus-free, I said: Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise. "It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible --...

Fri, 10 Jul 2009 10:52:57 UTC

NSA Building Massive Data Center in Utah

Posted By Bruce Schneier

They're expanding: The years-in-the-making project, which may cost billions over time, got a $181 million start last week when President Obama signed a war spending bill in which Congress agreed to pay for primary construction, power access and security infrastructure. The enormous building, which will have a footprint about three times the size of the Utah State Capitol building, will...

Thu, 09 Jul 2009 17:56:14 UTC

The ATM Vulnerability You Won't Hear About

Posted By Bruce Schneier

The talk has been pulled from the BlackHat conference: Barnaby Jack, a researcher with Juniper Networks, was to present a demonstration showing how he could jackpot a popular ATM brand by exploiting a vulnerability in its software. Jack was scheduled to present his talk at the upcoming Black Hat security conference being held in Las Vegas at the end of...

Thu, 09 Jul 2009 11:36:38 UTC

Homomorphic Encryption Breakthrough

Posted By Bruce Schneier

Last month, IBM made some pretty brash claims about homomorphic encryption and the future of security. I hate to be the one to throw cold water on the whole thing -- as cool as the new discovery is -- but it's important to separate the theoretical from the practical. Homomorphic cryptosystems are ones where mathematical operations on the ciphertext have...

Wed, 08 Jul 2009 18:54:40 UTC

Spanish Police Foil Remote-Controlled Zeppelin Jailbreak

Posted By Bruce Schneier

Sometimes movie plots actually happen: ...three people have been arrested after police discovered their plan to free a drug trafficker from an island prison using a 13-foot airship carrying night goggles, climbing gear and camouflage paint. [...] The arrested men had set up an elaborate surveillance operation of the prison that involved a camouflaged tent, powerful binoculars, telephoto lenses, and motion...

Wed, 08 Jul 2009 11:42:14 UTC

Court Limits on TSA Searches

Posted By Bruce Schneier

This is good news: A federal judge in June threw out seizure of three fake passports from a traveler, saying that TSA screeners violated his Fourth Amendment rights against unreasonable search and seizure. Congress authorizes TSA to search travelers for weapons and explosives; beyond that, the agency is overstepping its bounds, U.S. District Court Judge Algenon L. Marbley said. "The...

Tue, 07 Jul 2009 18:50:35 UTC

Why People Don't Understand Risks

Posted By Bruce Schneier

Yesterday's Minneapolis Star Tribune had the front-page headline: "Co-sleeping kills about 20 infants each year." (The headline in the web article is different.) The only problem is, in either case, there's no additional information with which to make sense of the statistic. How many infants don't die each year? How many infants die each year in separate beds? Is the...

Tue, 07 Jul 2009 12:31:35 UTC

More Low-Tech Security Solutions

Posted By Bruce Schneier

Anti-theft lunch bags, for those who have a problem with their lunches being stolen. Only works until the thief figures it out, though....

Mon, 06 Jul 2009 18:30:21 UTC

Pocketless Trousers to Protect Against Bribery

Posted By Bruce Schneier

I wonder if it will work. Nepal's anti-corruption authority has come up with a novel solution to rampant bribe-taking at the country's only international airport -- the pocketless trouser. The authority said it was issuing the new, bribe-proof garment to all airport officials after uncovering widespread corruption at Kathmandu's Tribhuvan International Airport....

Mon, 06 Jul 2009 11:12:45 UTC

Terrorist Risk of Cloud Computing

Posted By Bruce Schneier

I don't even know where to begin on this one: As we have seen in the past with other technologies, while cloud resources will likely start out decentralized, as time goes by and economies of scale take hold, they will start to collect into mega-technology hubs. These hubs could, as the end of this cycle, number in the low single...

Fri, 03 Jul 2009 21:31:44 UTC

Friday Squid Blogging: Office Squid

Posted By Bruce Schneier

Office squid....

Fri, 03 Jul 2009 18:42:16 UTC

The Pros and Cons of Password Masking

Posted By Bruce Schneier

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong. I was certainly too glib. Like any security countermeasure, password...

Fri, 03 Jul 2009 12:18:49 UTC

The Insecurity of Secrecy

Posted By Bruce Schneier

Good essay -- "The Staggering Cost of Playing it 'Safe'" -- about the political motivations for terrorist security policy. Senator Barbara Boxer has led an effort to at least put together a public database of ash storage sites so that people can judge the risk to the areas where they live. However, even this effort has been blocked not by...

Thu, 02 Jul 2009 17:09:30 UTC

Information Leakage from Keypads

Posted By Bruce Schneier

Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The second is almost certainly guessable in one....

Thu, 02 Jul 2009 17:09:30 UTC

Information Leakage from Keypads

Posted By Bruce Schneier

Can anyone guess the entry codes for these door locks? There are 10,000 possible four-digit codes, but you only have to try 24 on these keypads. The first is most likely 1986 or 1968. The second is almost certainly 1234....

Thu, 02 Jul 2009 11:11:41 UTC

More Security Countermeasures from the Natural World

Posted By Bruce Schneier

The plant caladium steudneriifolium pretends to be ill so mining moths won't eat it. She believes that the plant essentially fakes being ill, producing variegated leaves that mimic those that have already been damaged by mining moth larvae. That deters the moths from laying any further larvae on the leaves, as the insects assume the previous caterpillars have already eaten...

Wed, 01 Jul 2009 19:27:35 UTC

MD6 Withdrawn from SHA-3 Competition

Posted By Bruce Schneier

In other SHA-3 news, Ron Rivest seems to have withdrawn MD6 from the SHA-3 competition. From an e-mail to a NIST mailing list: We suggest that MD6 is not yet ready for the next SHA-3 round, and we also provide some suggestions for NIST as the contest moves forward. Basically, the issue is that in order for MD6 to be...

Wed, 01 Jul 2009 16:49:18 UTC

New Attack on AES

Posted By Bruce Schneier

There's a new cryptanalytic attack on AES that is better than brute force: Abstract. In this paper we present two related-key attacks on the full AES. For AES-256 we show the first key recovery attack that works for all the keys and has complexity 2^119, while the recent attack by Biryukov-Khovratovich-Nikolic works for a weak key class and has higher...

Wed, 01 Jul 2009 11:51:56 UTC

Security, Group Size, and the Human Brain

Posted By Bruce Schneier

If the size of your company grows past 150 people, it's time to get name badges. It's not that larger groups are somehow less secure, it's just that 150 is the cognitive limit to the number of people a human brain can maintain a coherent social relationship with. Primatologist Robin Dunbar derived this number by comparing neocortex -- the "thinking"...

Tue, 30 Jun 2009 18:36:42 UTC

Cryptography Spam

Posted By Bruce Schneier

I think this is a first. Information security, and protection of your e-money. Electronic payments and calculations, on means of a network the Internet or by means of bank credit cards, continue to win the world market. Electronic payments, it quickly, conveniently, but is not safely. Now there is a real war, between users and hackers. Your credit card can...

Tue, 30 Jun 2009 11:32:53 UTC

Growth of the CSE

Posted By Bruce Schneier

The Communication Security Establishment (CSE, basically Canada's NSA) is growing so fast they're running out of room and building new office buildings....

Mon, 29 Jun 2009 19:18:22 UTC

Anti-Stab Knife

Posted By Bruce Schneier

I've already written about the risks of pointy knives. This no-stabbing knife is the solution, and seems not to be a joke....

Mon, 29 Jun 2009 19:18:22 UTC

Anti-Stab Knife

Posted By Bruce Schneier

I've already written about the risks of pointy knives. This no-stabbing knife is the solution, and seems not to be a joke. EDITED TO ADD (7/1): Some people have taken this blog post to imply that I am endorsing these knives. These are obviously not regular readers of mine. (For my part, I'm going to buy a very sharp and...

Mon, 29 Jun 2009 11:51:02 UTC

Protecting Against the Snatched Laptop Data Theft

Posted By Bruce Schneier

Almost two years ago, I wrote about my strategy for encrypting my laptop. One of the things I said was: There are still two scenarios you aren't secure against, though. You're not secure against someone snatching your laptop out of your hands as you're typing away at the local coffee shop. And you're not secure against the authorities telling you...

Fri, 26 Jun 2009 21:52:39 UTC

Friday Squid Blogging: 8 Gig USB Squid Flash Drive

Posted By Bruce Schneier

Cute....

Fri, 26 Jun 2009 18:16:12 UTC

Fake Receipts

Posted By Bruce Schneier

For all of you who want to scam your company's expense reimbursement system. I've heard of sites where you give them a range of dates and a city, and they give you a full set of receipts for a trip to that city: airfare, hotel, meals, everything -- but I can't find a website....

Fri, 26 Jun 2009 11:17:52 UTC

The Problem with Password Masking

Posted By Bruce Schneier

I agree with this: It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply. Most websites (and many other applications) mask passwords as users type them, and thereby theoretically...

Thu, 25 Jun 2009 17:36:40 UTC

Clear Shuts Down Operation

Posted By Bruce Schneier

Clear, the company that sped people through airport security, has ceased operations. My first question: what happened to all that personal information it collected on its members? An answer appeared on its website: Applicant and Member data is currently secured in accordance with the Transportation Security Administration's Security, Privacy and Compliance Standards. Verified Identity Pass, Inc. will continue to secure...

Thu, 25 Jun 2009 11:11:32 UTC

Authenticating Paperwork

Posted By Bruce Schneier

It's a sad, horrific story. Homeowner returns to find his house demolished. The demolition company was hired legitimately but there was a mistake and it demolished the wrong house. The demolition company relied on GPS co-ordinates, but requiring street addresses isn't a solution. A typo in the address is just as likely, and it would have demolished the house just...

Wed, 24 Jun 2009 11:45:06 UTC

Workshop on Economics of Information Security

Posted By Bruce Schneier

I'm at the 8th Workshop on Economics and Information Security at University College London (field trip to see Jeremy Bentham). Ross Anderson liveblogged the event. I wrote about WEIS 2006 back in 2006....

Wed, 24 Jun 2009 11:40:39 UTC

Fixing Airport Security

Posted By Bruce Schneier

It's been months since the Transportation Security Administration has had a permanent director. If, during the job interview (no, I didn't get one), President Obama asked me how I'd fix airport security in one sentence, I would reply: "Get rid of the photo ID check, and return passenger screening to pre-9/11 levels." Okay, that's a joke. While showing ID, taking...

Wed, 24 Jun 2009 08:33:59 UTC

Research on the Security of Online Games

Posted By Bruce Schneier

The May/June 2009 issue of IEEE Security and Privacy contains five articles about the security of online games. Unfortunately, the articles are all behind paywalls....

Tue, 23 Jun 2009 18:30:26 UTC

John Walker and the Fleet Broadcasting System

Posted By Bruce Schneier

Ph.D. thesis from 2001: An Analysis of the Systemic Security Weaknesses of the U.S. Navy Fleet Broadcasting System, 1967-1974, as exploited by CWO John Walker, by MAJ Laura J. Heath Abstract: CWO John Walker led one of the most devastating spy rings ever unmasked in the US. Along with his brother, son, and friend, he compromised US Navy cryptographic systems...

Tue, 23 Jun 2009 14:09:47 UTC

The Iranian Firewall

Posted By Bruce Schneier

Two blog posts on Iran's attempts to censor the Internet...

Tue, 23 Jun 2009 11:16:49 UTC

Eavesdropping on Dot-Matrix Printers by Listening to Them

Posted By Bruce Schneier

Interesting research. First, we develop a novel feature design that borrows from commonly used techniques for feature extraction in speech recognition and music processing. These techniques are geared towards the human ear, which is limited to approx. 20 kHz and whose sensitivity is logarithmic in the frequency; for printers, our experiments show that most interesting features occur above 20 kHz,...

Mon, 22 Jun 2009 18:46:56 UTC

John Mueller on Nuclear Disarmament

Posted By Bruce Schneier

The New York Times website has a blog called "Room for Debate," where a bunch of people -- experts in their areas -- write short essays commenting on a news item. (I participated a few weeks ago.) Earlier this month, there was a post on nuclear disarmament, following President Obama's speech in Cairo that mentioned the subject. One of the...

Mon, 22 Jun 2009 12:10:52 UTC

Engineers More Likely to Become Muslim Terrorists

Posted By Bruce Schneier

Time to start profiling....

Fri, 19 Jun 2009 21:36:22 UTC

Friday Squid Blogging: Squid Embryos

Posted By Bruce Schneier

Nice photograph....

Fri, 19 Jun 2009 19:03:48 UTC

This Week's Movie-Plot Threat: Fungus

Posted By Bruce Schneier

I had been wondering whether to post this, since it's not really a security threat -- there's no intelligence by the attacker: Crop scientists fear the Ug99 fungus could wipe out more than 80% of worldwide wheat crops as it spreads from eastern Africa. It has already jumped the Red Sea and traveled as far as Iran. Experts say it...

Fri, 19 Jun 2009 16:55:39 UTC

Fraud on eBay

Posted By Bruce Schneier

I expected selling my computer on eBay to be easy. Attempt 1: I listed it. Within hours, someone bought it -- from a hacked account, as eBay notified me, cancelling the sale. Attempt 2: I listed it again. Within hours, someone bought it, and asked me to send it to her via FedEx overnight. The buyer sent payment via PayPal...

Fri, 19 Jun 2009 11:49:09 UTC

Imagining Threats

Posted By Bruce Schneier

A couple of years ago, the Department of Homeland Security hired a bunch of science fiction writers to come in for a day and think of ways terrorists could attack America. If our inability to prevent 9/11 marked a failure of imagination, as some said at the time, then who better than science fiction writers to inject a little imagination...

Thu, 18 Jun 2009 17:59:04 UTC

Lockpicking

Posted By Bruce Schneier

Great article from Wired about the lockpicker Marc Tobias. Related: "Ten Things Everyone Should Know About Lockpicking & Physical Security."...

Thu, 18 Jun 2009 12:08:07 UTC

New Computer Snooping Tool

Posted By Bruce Schneier

From the press release: Unlike existing computer forensics solutions, EnCase Portable runs on a USB drive, rather than a laptop, and enables the user to easily and rapidly boot a target computer to the USB drive, and run a pre-configured data search and collection job. The ease-of-use and ultra-portability of EnCase Portable creates exciting new possibilities in data acquisition. Even...

Wed, 17 Jun 2009 19:05:15 UTC

The Psychology of Being Scammed

Posted By Bruce Schneier

Fascinating research on the psychology of con games. "The psychology of scams: Provoking and committing errors of judgement" was prepared for the UK Office of Fair Trading by the University of Exeter School of Psychology. From the executive summary, here's some stuff you may know: Appeals to trust and authority: people tend to obey authorities so scammers use, and victims...

Wed, 17 Jun 2009 11:49:39 UTC

Carrot-Bomb Art Project Bombs in Sweden

Posted By Bruce Schneier

Not the best idea: The carrot bombs had been placed around the city at the request of a local art gallery, as part of an open-air arts festival. They had only been in place for an hour before police received their first call. "We received a call ... from a person who said they saw two real bombs placed outside...

Tue, 16 Jun 2009 17:21:07 UTC

Ever Better Cryptanalytic Results Against SHA-1

Posted By Bruce Schneier

The SHA family (which, I suppose, should really be called the MD4 family) of cryptographic hash functions has been under attack for a long time. In 2005, we saw the first cryptanalysis of SHA-1 that was faster than brute force: collisions in 2^69 hash operations, later improved to 2^63 operations. A great result, but not devastating. But remember the great...

Tue, 16 Jun 2009 14:40:04 UTC

DHS Has a Blog

Posted By Bruce Schneier

The U.S. Department of Homeland Security has a blog. I don't know if it will be as interesting or entertaining as the TSA's blog....

Tue, 16 Jun 2009 12:24:16 UTC

Prairie Dogs Hack Baltimore Zoo

Posted By Bruce Schneier

Fun story, with a lot of echoes of our own security problems: It took just 10 minutes for a dozen prairie dogs to outwit the creators of the Maryland Zoo's new $500,000 habitat. Aircraft wire, poured concrete and slick plastic walls proved no match for the fast-footed rodents, the stars of a new exhibit that opens today. As officials were...

Mon, 15 Jun 2009 19:26:25 UTC

Did a Public Twitter Post Lead to a Burglary?

Posted By Bruce Schneier

No evidence one way or the other: Like a lot of people who use social media, Israel Hyman and his wife Noell went on Twitter to share real-time details of a recent trip. Their posts said they were "preparing to head out of town," that they had "another 10 hours of driving ahead," and that they "made it to Kansas...

Mon, 15 Jun 2009 11:45:24 UTC

The "Hidden Cost" of Privacy

Posted By Bruce Schneier

Forbes ran an article talking about the "hidden" cost of privacy. Basically, the point was that privacy regulations are expensive to comply with, and a lot of that expense gets eaten up by the mechanisms of compliance and doesn't go toward improving anyone's actual privacy. This is a valid point, and one that I make in talks about privacy all...

Fri, 12 Jun 2009 23:46:17 UTC

Friday Squid Blogging: Squid Also See Through Non-Eye Organ

Posted By Bruce Schneier

Weird: The UW-Madison researchers have been intrigued by the light organ's "counterillumination" ability -- this capacity to give off light to make squids as bright as the ocean surface above them, so that predators below can't see them. "Until now, scientists thought that illuminating tissues in the light organ functioned exclusively for the control of the intensity and direction of...

Fri, 12 Jun 2009 21:55:21 UTC

Second SHB Workshop Liveblogging (9)

Posted By Bruce Schneier

The eighth, and final, session of the SHB09 was optimistically titled "How Do We Fix the World?" I moderated, which meant that my liveblogging was more spotty, especially in the discussion section. David Mandel, Defense Research and Development Canada (suggested reading: Applied Behavioral Science in Support of Intelligence Analysis, Radicalization: What does it mean?; The Role of Instigators in Radicalization...

Fri, 12 Jun 2009 20:01:51 UTC

Second SHB Workshop Liveblogging (8)

Posted By Bruce Schneier

The penultimate session of the conference was "Privacy," moderated by Tyler Moore. Alessandro Acquisti, Carnegie Mellon University (suggested reading: What Can Behavioral Economics Teach Us About Privacy?; Privacy in Electronic Commerce and the Economics of Immediate Gratification), presented research on how people value their privacy. He started by listing a variety of cognitive biases that affect privacy decisions: illusion of...

Fri, 12 Jun 2009 17:01:10 UTC

Second SHB Workshop Liveblogging (7)

Posted By Bruce Schneier

Session Six -- Terror -- chaired by Stuart Schechter. Bill Burns, Decision Research (suggested reading: The Diffusion of Fear: Modeling Community Response to a Terrorist Strike), studies social reaction to risk. He discussed his theoretical model of how people react to fear events, and data from the 9/11 attacks, the 7/7 bombings in the UK, and the 2008 financial collapse....

Fri, 12 Jun 2009 14:54:07 UTC

Second SHB Workshop Liveblogging (6)

Posted By Bruce Schneier

The first session of the morning was "Foundations," which is kind of a catch-all for a variety of things that didn't really fit anywhere else. Rachel Greenstadt moderated. Terence Taylor, International Council for the Life Sciences (suggested video to watch: Darwinian Security; Natural Security), talked about the lessons evolution teaches about living with risk. Successful species didn't survive by eliminating...

Thu, 11 Jun 2009 21:50:13 UTC

Second SHB Workshop Liveblogging (5)

Posted By Bruce Schneier

David Livingstone Smith moderated the fourth session, about (more or less) methodology. Angela Sasse, University College London (suggested reading: The Compliance Budget: Managing Security Behaviour in Organisations; Human Vulnerabilities in Security Systems), has been working on usable security for over a dozen years. As part of a project called "Trust Economics," she looked at whether people comply with security policies...

Thu, 11 Jun 2009 19:56:42 UTC

Second SHB Workshop Liveblogging (4)

Posted By Bruce Schneier

Session three is titled "Usability." (For the record, the Stata Center is one ugly building.) Andrew Patrick, NRC Canada until he was laid off four days ago (suggested reading: Fingerprint Concerns: Performance, Usability, and Acceptance of Fingerprint Biometric Systems), talked about biometric systems and human behavior. Biometrics are used everywhere: for gym membership, at Disneyworld, at international borders. The government...

Thu, 11 Jun 2009 16:42:30 UTC

Second SHB Workshop Liveblogging (3)

Posted By Bruce Schneier

The second session was about fraud. (These session subjects are only general. We tried to stick related people together, but there was the occasional oddball -- and scheduling constraint -- to deal with.) Julie Downs, Carnegie Mellon University (suggested reading: Behavioral Response to Phishing Risk; Parents' vaccination comprehension and decisions; The Psychology of Food Consumption), is a psychologist who studies...

Thu, 11 Jun 2009 14:37:19 UTC

Second SHB Workshop Liveblogging (2)

Posted By Bruce Schneier

The first session was about deception. Frank Stajano, Cambridge University (suggested reading: Usability of Security Management: Defining the Permissions of Guests), presented research with someone who films actual scams for "The Real Hustle." His point is that we build security systems based on our "logic," but users don't always follow our logic. It's fraudsters who really understand what people...

Thu, 11 Jun 2009 11:46:10 UTC

Second SHB Workshop Liveblogging (1)

Posted By Bruce Schneier

I'm at SHB09, the Second Interdisciplinary Workshop on Security and Human Behavior, at MIT. This is a two-day gathering of computer security researchers, psychologists, behavioral economists, sociologists, philosophers, and others -- all of whom are studying the human side of security, organized by Ross Anderson, Alessandro Acquisti, and myself. Here's the schedule. Last year's link will give you a good...

Wed, 10 Jun 2009 18:51:29 UTC

Malware Steals ATM Data

Posted By Bruce Schneier

One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it: The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The...

Wed, 10 Jun 2009 16:47:54 UTC

I'm Selling My Laptop

Posted By Bruce Schneier

I'm selling my laptop on eBay. It's basically new, although the box has been opened. I wanted to downgrade the OS, but learned that one of the key drivers -- it controls the camera and the hibernate function -- was only available for Vista. So it's up for sale, at a good price....

Wed, 10 Jun 2009 11:18:24 UTC

Industry Differences in Types of Security Breaches

Posted By Bruce Schneier

Interhack has been working on a taxonomy of security breaches, and has an interesting conclusion: The Health Care and Social Assistance sector reported a larger than average proportion of lost and stolen computing hardware, but reported an unusually low proportion of compromised hosts. Educational Services reported a disproportionally large number of compromised hosts, while insider conduct and lost and stolen...

Tue, 09 Jun 2009 19:45:38 UTC

Teaching Children to Spot Terrorists

Posted By Bruce Schneier

You can't make this stuff up: More than 2,000 10 and 11-year-olds [in the UK] will see a short film, which urges them to tell the police, their parents or a teacher if they hear anyone expressing extremist views. [...] A lion explains that terrorists can look like anyone, while a cat tells pupils that they should get help if they...

Tue, 09 Jun 2009 11:46:56 UTC

Corrupted Word Files for Sale

Posted By Bruce Schneier

On one hand, this is clever: We offer a wide array of corrupted Word files that are guaranteed not to open on a Mac or PC. A corrupted file is a file that contains scrambled and unrecoverable data due to hardware or software failure. Files may become corrupted when something goes wrong while a file is being saved e.g. the...

Mon, 08 Jun 2009 18:38:33 UTC

British High Schoolers Write About CCTV in School

Posted By Bruce Schneier

If you think that under-20-year-olds don't care about privacy, this is an eloquent op-ed by two students about why CCTV cameras have no place in their UK school: Adults are often quick to define the youth of today as stereotypical troublemakers and violent offenders -- generalisations which are prompted by the media -- when in fact the majority of students...

Mon, 08 Jun 2009 11:15:15 UTC

Fear of Aerial Images

Posted By Bruce Schneier

Time for some more fear about terrorists using maps and images on the Internet. But the more striking images come when Portzline clicks on the "bird's-eye" option offered by the map service. The overhead views, which come chiefly from satellites, are replaced with strikingly clear oblique-angle photos, chiefly shot from aircraft. By clicking another button, he can see the same...

Fri, 05 Jun 2009 21:18:42 UTC

Friday Squid Blogging: Flying Squid

Posted By Bruce Schneier

Ommastrephid squids....

Fri, 05 Jun 2009 17:19:01 UTC

Bullet Pen

Posted By Bruce Schneier

Earlier this year, I blogged about a self-defense pen that is likely to easily pass through airport security. On the other hand, this normal pen in the shape of a bullet will probably get you in trouble....

Fri, 05 Jun 2009 11:53:28 UTC

Clever Combination Door Lock Design

Posted By Bruce Schneier

This combination door lock is very pretty. Of course, four digits is too short an entry code, but I like the overall design and the automatic rescrambling feature....

Thu, 04 Jun 2009 19:42:36 UTC

I'm Being Interviewed in Second Life Today

Posted By Bruce Schneier

I'll be interviewed in Second Life on "Virtually Speaking" tonight at 9:00 PM ET....

Thu, 04 Jun 2009 18:07:39 UTC

Secret Government Communications Cables Buried Around Washington, DC

Posted By Bruce Schneier

Interesting: This part happens all the time: A construction crew putting up an office building in the heart of Tysons Corner a few years ago hit a fiber optic cable no one knew was there. This part doesn't: Within moments, three black sport-utility vehicles drove up, a half-dozen men in suits jumped out and one said, "You just hit our...

Thu, 04 Jun 2009 11:14:28 UTC

Cloud Computing

Posted By Bruce Schneier

This year's overhyped IT concept is cloud computing. Also called software as a service (SaaS), cloud computing is when you run software over the internet and access it via a browser. The Salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future. But, hype aside, cloud computing...

Wed, 03 Jun 2009 18:35:26 UTC

Why Is Terrorism so Hard?

Posted By Bruce Schneier

I don't know how I missed this great series from Slate in February. It's eight essays exploring why there have been no follow-on terrorist attacks in the U.S. since 9/11 (not counting the anthrax mailings, I guess). Some excerpts: Al-Qaida's successful elimination of the Twin Towers, part of the Pentagon, four jetliners, and nearly 3,000 innocent lives makes the terror...

Wed, 03 Jun 2009 10:57:48 UTC

Arming the Boston Police with Assault Rifles

Posted By Bruce Schneier

Whose idea is this? The Boston Police Department is preparing a plan to arm as many as 200 patrol officers with semiautomatic assault rifles, a significant boost in firepower that department leaders believe is necessary to counter terrorist threats, according to law enforcement officials briefed on the plan. The initiative calls for equipping specialized units, such as the bomb squad...

Tue, 02 Jun 2009 17:01:47 UTC

Update on Computer Science Student's Computer Seizure

Posted By Bruce Schneier

In April, I blogged about the Boston police seizing a student's computer for, among other things, running Linux. (Anyone who runs Linux instead of Windows is obviously a scary bad hacker.) Last week, the Massachusetts Supreme Court threw out the search warrant: Massachusetts Supreme Judicial Court Associate Justice Margot Botsford on Thursday said that Boston College and Massachusetts State Police...

Mon, 01 Jun 2009 20:29:17 UTC

Research on Movie-Plot Threats

Posted By Bruce Schneier

This could be interesting: Emerging Threats and Security Planning: How Should We Decide What Hypothetical Threats to Worry About? Brian A. Jackson, David R. Frelinger Concerns about how terrorists might attack in the future are central to the design of security efforts to protect both individual targets and the nation overall. In thinking about emerging threats, security planners are confronted...

Fri, 29 May 2009 21:35:27 UTC

Friday Squid Blogging: Squid Pasta

Posted By Bruce Schneier

Step by step instructions on how to make squid pasta....

Fri, 29 May 2009 20:01:17 UTC

Obama's Cybersecurity Speech

Posted By Bruce Schneier

I am optimistic about President Obama's new cybersecurity policy and the appointment of a new "cybersecurity coordinator," though much depends on the details. What we do know is that the threats are real, from identity theft to Chinese hacking to cyberwar. His principles were all welcome -- securing government networks, coordinating responses, working to secure the infrastructure in private hands...

Fri, 29 May 2009 19:51:36 UTC

Interview with Me on Cloud Security

Posted By Bruce Schneier

From vnunet.com....

Fri, 29 May 2009 16:19:17 UTC

No Smiling in Driver's License Photographs

Posted By Bruce Schneier

In other biometric news, four states have banned smiling in driver's license photographs. The serious poses are urged by DMVs that have installed high-tech software that compares a new license photo with others that have already been shot. When a new photo seems to match an existing one, the software sends alarms that someone may be trying to assume another...

Fri, 29 May 2009 11:37:52 UTC

News from the Fingerprint Biometrics World

Posted By Bruce Schneier

Wacky: A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints -- which had apparently disappeared because of a drug he was taking. [...] The drug, capecitabine, is commonly used to treat cancers in the head and neck, breast, stomach and colorectum. One side-effect is chronic inflammation...

Thu, 28 May 2009 19:40:00 UTC

Faking Background Checks for Security Clearances

Posted By Bruce Schneier

What do you do if you have too many background checks to do, and not enough time to do them? You fake them, of course: Eight current and former security clearance investigators say they have been pressured to work faster and take on crushing workloads in recent years, as the government tried to eliminate a backlog that once topped 531,000...

Thu, 28 May 2009 11:40:31 UTC

Steganography Using TCP Retransmission

Posted By Bruce Schneier

Research: Hiding Information in Retransmissions Wojciech Mazurczyk, Milosz Smolarczyk, Krzysztof Szczypiorski The paper presents a new steganographic method called RSTEG (Retransmission Steganography), which is intended for a broad class of protocols that utilises retransmission mechanisms. The main innovation of RSTEG is to not acknowledge a successfully received packet in order to intentionally invoke retransmission. The retransmitted packet carries a steganogram...
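The RSTEG mechanism described in the post above, as an added example that is not code from the paper or from the post: a receiver that deliberately withholds the ACK for one intact segment, a sender whose retransmission of that segment carries the steganogram, and, as a check a practitioner would want, a passive warden that compares the two copies. The toy segment layout, the agreed sequence number COVERT_SEQ and the warden heuristic are all assumptions made for this example, not anything the paper specifies.

```c
/* Added illustration of the RSTEG mechanism; not code from the paper or
 * from the post.  The segment format, COVERT_SEQ and the warden check are
 * assumptions made for the example. */
#include <stdio.h>
#include <string.h>

#define SEG_LEN    8
#define NSEG       4
#define COVERT_SEQ 2   /* segment the covert parties agree to "lose" */

struct segment {
    unsigned seq;
    int retransmission;          /* 1 if this is the retransmitted copy */
    unsigned char data[SEG_LEN];
};

/* Sender: builds the segment for 'seq'.  In covert mode the retransmission
 * of COVERT_SEQ carries the steganogram instead of the genuine bytes;
 * everything else is an ordinary copy of 'msg'. */
static void sender_build(struct segment *s, unsigned seq, int retrans,
                         const unsigned char *msg, const unsigned char *stego,
                         int covert)
{
    s->seq = seq;
    s->retransmission = retrans;
    if (covert && retrans && seq == COVERT_SEQ)
        memcpy(s->data, stego, SEG_LEN);
    else
        memcpy(s->data, msg + seq * SEG_LEN, SEG_LEN);
}

/* Receiver: the RSTEG receiver withholds the ACK for COVERT_SEQ the first
 * time it arrives, although the segment was received intact. */
static int receiver_acks(unsigned seq, int retrans, int covert)
{
    return !(covert && seq == COVERT_SEQ && !retrans);
}

/* Warden (passive observer who saw both copies): a genuine TCP
 * retransmission repeats the original payload byte for byte, so a
 * differing payload under the same sequence number is the tell. */
int warden_flags(const struct segment *first, const struct segment *retx)
{
    return first->seq == retx->seq &&
           memcmp(first->data, retx->data, SEG_LEN) != 0;
}

/* Simulates one connection.  covert=1 runs RSTEG; covert=0 is an honest
 * connection whose ACK for COVERT_SEQ is genuinely lost in transit.
 * Copies the retransmitted payload for COVERT_SEQ into 'extracted' and
 * returns how many retransmissions the warden flagged. */
int run_exchange(const unsigned char *msg, const unsigned char *stego,
                 unsigned char *extracted, int covert)
{
    int flagged = 0;
    for (unsigned seq = 0; seq < NSEG; seq++) {
        struct segment first, retx;
        sender_build(&first, seq, 0, msg, stego, covert);
        int acked = receiver_acks(seq, 0, covert);
        if (!covert && seq == COVERT_SEQ)
            acked = 0;                        /* honest case: ACK lost */
        if (acked)
            continue;
        /* sender times out and retransmits */
        sender_build(&retx, seq, 1, msg, stego, covert);
        flagged += warden_flags(&first, &retx);
        if (seq == COVERT_SEQ)
            memcpy(extracted, retx.data, SEG_LEN);
    }
    return flagged;
}

int main(void)
{
    /* Constructed traffic: four 8-byte segments and an 8-byte steganogram. */
    static const unsigned char msg[]   = "seg0....seg1....seg2....seg3....";
    static const unsigned char stego[] = "HIDDEN!!";
    unsigned char got[SEG_LEN + 1] = {0};

    printf("covert: flagged=%d payload=%s\n",
           run_exchange(msg, stego, got, 1), (const char *)got);
    printf("honest: flagged=%d payload=%s\n",
           run_exchange(msg, stego, got, 0), (const char *)got);
    return 0;
}
```

The warden only works if it captured the first copy as well as the retransmission; an observer who sees only one side of a path, or who samples packets, has nothing to compare, which is the point of hiding in a mechanism every connection uses anyway.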

Wed, 27 May 2009 11:44:56 UTC

Automatic Dice Thrower

Posted By Bruce Schneier

Impressive: The Dice-O-Matic is 7 feet tall, 18 inches wide and 18 inches deep. It has an aluminum frame covered with Plexiglas panels. A 6x4 inch square Plexiglas tube runs vertically up the middle almost the entire height. Inside this tube a bucket elevator carries dice from a hopper at the bottom, past a camera, and tosses them onto a...

Tue, 26 May 2009 12:09:24 UTC

Defending Against Movie-Plot Threats with Movie Characters

Posted By Bruce Schneier

Excellent: Seeking to quell fears of terrorists somehow breaking out of America's top-security prisons and wreaking havoc on the defenseless heartland, President Barack Obama moved quickly to announce an Anti-Terrorist Strike Force headed by veteran counterterrorism agent Jack Bauer and mutant superhero Wolverine. Already dubbed a "dream team," their appointment is seen by experts as a crucial step in reducing...

Mon, 25 May 2009 15:56:39 UTC

Secret Questions

Posted By Bruce Schneier

In 2004, I wrote about the prevalence of secret questions as backup passwords. The problem is that the answers to these "secret questions" are often much easier to guess than random passwords. Mother's maiden name isn't very secret. Name of first pet, name of favorite teacher: there are some common names. Favorite color: I could probably guess that in no...

Fri, 22 May 2009 22:00:34 UTC

Friday Squid Blogging: How to Capture a Giant Squid

Posted By Bruce Schneier

Three methods: Method 2: Offer Squid a Tasty Treat If your preferred squid looks hungry, try luring it with a delicious oil tanker. During the course of the 1930s, the Norwegian tanker Brunswick was attacked not once, not twice, but three times by giant squid. Metal boats don't sound especially appetizing, but scientists think squid mistake the large, gray objects...

Fri, 22 May 2009 20:33:20 UTC

Schneier and Ranum on Face-Off Video

Posted By Bruce Schneier

Marcus Ranum and I did two video versions of our Face-Off column: one on cloud computing, and the other on who should be in charge of cyber-security....

Fri, 22 May 2009 17:29:13 UTC

The Doghouse: Net1

Posted By Bruce Schneier

They have technology: The FTS Patent has been acclaimed by leading cryptographic authorities around the world as the most innovative and secure protocol ever invented to manage offline and online smart card related transactions. Please see the independent report by Bruce Schneider [sic] in his book entitled Applied Cryptography, 2nd Edition published in the late 1990s. I have no idea...

Fri, 22 May 2009 12:11:43 UTC

This Week's Terrorism Arrests

Posted By Bruce Schneier

Four points. One: There was little danger of an actual terrorist attack: Authorities said the four men have long been under investigation and there was little danger they could actually have carried out their plan, NBC News' Pete Williams reported. [...] In their efforts to acquire weapons, the defendants dealt with an informant acting under law enforcement supervision, authorities said....

Thu, 21 May 2009 21:54:33 UTC

IEDs Are Now Weapons of Mass Destruction

Posted By Bruce Schneier

In an article on the recent arrests in New York: On Wednesday night, they planted one of the mock improvised explosive devices in a trunk of a car outside the temple and two mock bombs in the back seat of a car outside the Jewish center, the authorities said. Shortly thereafter, police officers swooped in and broke the windows on...

Thu, 21 May 2009 12:15:21 UTC

On the Anonymity of Home/Work Location Pairs

Posted By Bruce Schneier

Interesting: Philippe Golle and Kurt Partridge of PARC have a cute paper on the anonymity of geo-location data. They analyze data from the U.S. Census and show that for the average person, knowing their approximate home and work locations — to a block level — identifies them uniquely. Even if we look at the much coarser granularity of a census...

Wed, 20 May 2009 20:34:44 UTC

Me on Full-Body Scanners in Airports

Posted By Bruce Schneier

I'm very happy with this quote in a CNN.com story on "whole-body imaging" at airports: Bruce Schneier, an internationally recognized security technologist, said whole-body imaging technology "works pretty well," privacy rights aside. But he thinks the financial investment was a mistake. In a post-9/11 world, he said, he knows his position isn't "politically tenable," but he believes money would be...

Wed, 20 May 2009 12:17:10 UTC

Microsoft Bans Memcopy()

Posted By Bruce Schneier

This seems smart: Microsoft plans to formally banish the popular programming function that's been responsible for an untold number of security vulnerabilities over the years, not just in Windows but in countless other applications based on the C language. Effective later this year, Microsoft will add memcpy(), CopyMemory(), and RtlCopyMemory() to its list of function calls banned under its secure...
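The pattern behind the ban, as an added example that is not code from the post or from Microsoft's SDL: an attacker-controlled length passed straight to memcpy(), beside a bounds-checked copy with the semantics of C11 Annex K memcpy_s() (the function Microsoft recommends in place of memcpy) and a parser that uses it. The record layout (2-byte big-endian length, then payload) and PAYLOAD_MAX are invented for illustration.

```c
/* Added example, not code from the post or from Microsoft's SDL: the
 * pattern behind most memcpy() bugs beside a bounds-checked replacement
 * with memcpy_s()-like semantics.  Record layout and PAYLOAD_MAX are
 * invented for illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD_MAX 16

/* memcpy_s()-style copy: 0 on success, EINVAL for a NULL pointer, ERANGE
 * when n exceeds the destination size.  On failure the destination is
 * zeroed, so a caller that forgets to check the return value does not
 * go on to process stale bytes. */
int checked_memcpy(void *dst, size_t dstsz, const void *src, size_t n)
{
    if (dst == NULL)
        return EINVAL;
    if (src == NULL || n > dstsz) {
        memset(dst, 0, dstsz);
        return src == NULL ? EINVAL : ERANGE;
    }
    memcpy(dst, src, n);
    return 0;
}

/* The banned pattern: the length field comes off the wire and goes to
 * memcpy() unchecked.  A record claiming len > PAYLOAD_MAX writes past
 * 'out', and one claiming more than was received reads past 'rec'.
 * Shown for contrast only; never call it on untrusted input. */
size_t parse_record_unsafe(const uint8_t *rec, size_t reclen,
                           uint8_t out[PAYLOAD_MAX])
{
    if (reclen < 2)
        return 0;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    memcpy(out, rec + 2, len);     /* len never compared with PAYLOAD_MAX */
    return len;
}

/* Hardened version: the claimed length is checked against the bytes
 * actually received, and the copy itself is bounded by the destination.
 * Returns 0 and sets *outlen on success, -1 on any malformed record. */
int parse_record(const uint8_t *rec, size_t reclen,
                 uint8_t out[PAYLOAD_MAX], size_t *outlen)
{
    if (rec == NULL || out == NULL || outlen == NULL || reclen < 2)
        return -1;
    size_t len = ((size_t)rec[0] << 8) | rec[1];
    if (len > reclen - 2)          /* claims more than was received */
        return -1;
    if (checked_memcpy(out, PAYLOAD_MAX, rec + 2, len) != 0)
        return -1;                 /* ERANGE: len > PAYLOAD_MAX */
    *outlen = len;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a well-formed record and one that lies about
     * its length (0x0100 bytes into a 16-byte buffer). */
    const uint8_t good[] = {0x00, 0x04, 'a', 'b', 'c', 'd'};
    uint8_t evil[2 + 0x100] = {0x01, 0x00};
    uint8_t out[PAYLOAD_MAX];
    size_t n = 0;

    memset(evil + 2, 'A', 0x100);
    printf("good: rc=%d len=%zu\n", parse_record(good, sizeof good, out, &n), n);
    printf("evil: rc=%d\n", parse_record(evil, sizeof evil, out, &n));
    return 0;
}
```

Banning memcpy() does not remove the bug class by itself: memcpy_s() only helps when the destination size argument is the real buffer size, and a caller who passes the same untrusted length as both n and dstsz has gained nothing. The parser above keeps the two sizes from different sources (the buffer declaration and the bytes received) for that reason.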

Tue, 19 May 2009 19:06:52 UTC

"Lost" Puzzle in Wired Magazine

Posted By Bruce Schneier

For the April 09 issue Wired Magazine, I was asked to create a cryptographic puzzle based on the television show Lost. Specifically, I was given a "clue" to encrypt. Here are details of the puzzle and solving attempts. Near as I can tell, no one has published a solution. Creating something like this is very hard. The puzzle needs to...

Tue, 19 May 2009 12:49:48 UTC

Invisible Ink Pen

Posted By Bruce Schneier

This is cool. It writes like a normal pen, but if you run a hair dryer over the written words they disappear. And if you put the paper in the freezer the words reappear. Fantastic....

Mon, 18 May 2009 19:38:14 UTC

Pirate Terrorists in Chesapeake Bay

Posted By Bruce Schneier

This is a great movie-plot threat: Pirates could soon find their way to the waters of the Chesapeake Bay. That's assuming that a liquefied natural gas terminal gets built at Sparrows Point. The folks over at the LNG Opposition Team have long said that building an LNG plant on the shores of the bay would surely invite terrorists to attack....

Mon, 18 May 2009 12:06:35 UTC

Kylin: New Chinese Operating System

Posted By Bruce Schneier

Interesting: China has developed more secure operating software for its tens of millions of computers and is already installing it on government and military systems, hoping to make Beijing's networks impenetrable to U.S. military and intelligence agencies. The secure operating system, known as Kylin, was disclosed to Congress during recent hearings that provided new details on how China's government is...

Fri, 15 May 2009 22:00:10 UTC

Friday Squid Blogging: Welcome Squid Overlords

Posted By Bruce Schneier

T-shirts and stuff....

Fri, 15 May 2009 20:29:08 UTC

Interview with Me

Posted By Bruce Schneier

ThreatPost interviewed me. SlashDot thread on the interview....

Fri, 15 May 2009 12:30:52 UTC

No Warrant Required in U.S. for GPS Tracking

Posted By Bruce Schneier

At least, according to a U.S. District Court ruling: As the law currently stands, the court said police can mount GPS on cars to track people without violating their constitutional rights -- even if the drivers aren't suspects. Officers do not need to get warrants beforehand because GPS tracking does not involve a search or a seizure, Judge Paul Lundsten...

Thu, 14 May 2009 19:30:13 UTC

Detecting Liars by Content

Posted By Bruce Schneier

Interesting: Kevin Colwell, a psychologist at Southern Connecticut State University, has advised police departments, Pentagon officials and child protection workers, who need to check the veracity of conflicting accounts from parents and children. He says that people concocting a story prepare a script that is tight and lacking in detail. "It's like when your mom busted you as a kid,...

Thu, 14 May 2009 12:24:20 UTC

Attacking the Food Supply

Posted By Bruce Schneier

Terrorists attacking our food supply is a nightmare scenario that has been given new life during the recent swine flu outbreak. Although it seems easy to do, understanding why it hasn't happened is important. G.R. Dalziel, at the Nanyang Technological University in Singapore, has written a report chronicling every confirmed case of malicious food contamination in the world since 1950:...

Wed, 13 May 2009 20:07:49 UTC

Software Problems with a Breath Alcohol Detector

Posted By Bruce Schneier

This is an excellent lesson in the security problems inherent in trusting proprietary software: After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc. Draeger, the manufacturer maintained that the system was...

Wed, 13 May 2009 13:55:47 UTC

Using Surveillance Cameras to Detect Cashier Cheating

Posted By Bruce Schneier

It's called "sweethearting": when cashiers pass free merchandise to friends. And some stores are using security cameras to detect it: Mathematical algorithms embedded in the stores' new security system pick out sweethearting on their own. There's no need for a security guard watching banks of video monitors or reviewing hours of grainy footage. When the system thinks it's spotted evidence,...

Tue, 12 May 2009 12:40:21 UTC

Fourth Movie-Plot Threat Contest Winner

Posted By Bruce Schneier

For this contest, the goal was to: ...to find an existing event somewhere in the industrialized world—Third World events are just too easy—and provide a conspiracy theory to explain how the terrorists were really responsible. I thought it was straightforward enough but, honestly, I wasn't very impressed with the submissions. Nothing surprised me with its cleverness. There were scary entries...

Mon, 11 May 2009 18:25:27 UTC

Zeus Trojan has Self-Destruct Option

Posted By Bruce Schneier

From Brian Krebs at The Washington Post: One of the scarier realities about malicious software is that these programs leave ultimate control over victim machines in the hands of the attacker, who could simply decide to order all of the infected machines to self-destruct. Most security experts will tell you that while this so-called "nuclear option" is an available feature...

Mon, 11 May 2009 12:56:18 UTC

Researchers Hijack a Botnet

Posted By Bruce Schneier

A bunch of researchers at the University of California Santa Barbara took control of a botnet for ten days, and learned a lot about how botnets work: The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig...

Fri, 08 May 2009 22:52:28 UTC

Friday Squid Blogging: Squid Wallet

Posted By Bruce Schneier

Nice....

Fri, 08 May 2009 12:41:16 UTC

Marc Rotenberg on Security vs. Privacy

Posted By Bruce Schneier

Nice essay: In the modern era, the right of privacy represents a vast array of rights that include clear legal standards, government accountability, judicial oversight, the design of techniques that are minimally intrusive and the respect for the dignity and autonomy of individuals. The choice that we are being asked to make is not simply whether to reduce our expectation...

Thu, 07 May 2009 19:27:37 UTC

MI6 and a Lost Memory Stick

Posted By Bruce Schneier

Oops: The United Kingdom's MI6 agency acknowledged this week that in 2006 it had to scrap a multi-million-dollar undercover drug operation after an agent left a memory stick filled with top-secret data on a transit coach. The general problem. The general solution....

Thu, 07 May 2009 13:10:21 UTC

Virginia Data Ransom

Posted By Bruce Schneier

This is bad: On Thursday, April 30, the secure site for the Virginia Prescription Monitoring Program (PMP) was replaced with a $US10M ransom demand: "I have your shit! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to...

Wed, 06 May 2009 18:14:22 UTC

Lie Detector Charlatans

Posted By Bruce Schneier

This is worth reading: Five years ago I wrote a Language Log post entitled "BS conditional semantics and the Pinocchio effect" about the nonsense spouted by a lie detection company, Nemesysco. I was disturbed by the marketing literature of the company, which suggested a 98% success rate in detecting evil intent of airline passengers, and included crap like this: The...

Wed, 06 May 2009 12:43:20 UTC

Secure Version of Windows Created for the U.S. Air Force

Posted By Bruce Schneier

I have long argued that the government should use its massive purchasing power to pressure software vendors to improve security. Seems like the U.S. Air Force has done just that: The Air Force, on the verge of renegotiating its desktop-software contract with Microsoft, met with Ballmer and asked the company to deliver a secure configuration of Windows XP out of...

Tue, 05 May 2009 19:39:17 UTC

Security Considerations in the Design of the Human Penis

Posted By Bruce Schneier

Fascinating bit of evolutionary biology: So how did natural selection equip men to solve the adaptive problem of other men impregnating their sexual partners? The answer, according to Gallup, is their penises were sculpted in such a way that the organ would effectively displace the semen of competitors from their partner's vagina, a well-synchronized effect facilitated by the "upsuck" of...

Tue, 05 May 2009 12:06:06 UTC

An Expectation of Online Privacy

Posted By Bruce Schneier

If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail. Well, you and your ISP. And the sender's ISP. And any backbone provider who happens to route that mail from the sender to you. And, if you read your personal mail from work, your company. And, if they...

Mon, 04 May 2009 12:19:59 UTC

Mathematical Illiteracy

Posted By Bruce Schneier

This may be the stupidest example of risk assessment I've ever seen. It's a video clip from a recent Daily Show, about the dangers of the Large Hadron Collider. The segment starts off slow, but then there's an exchange with high school science teacher Walter L. Wagner, who insists the device has a 50-50 chance of destroying the world: "If...

Fri, 01 May 2009 22:52:45 UTC

Friday Squid Blogging: Squid Beer Ad

Posted By Bruce Schneier

Not five miles from my house....

Fri, 01 May 2009 20:50:23 UTC

I've Been Named the 31st Most Influential Person on the Web

Posted By Bruce Schneier

At least, in Canada....

Fri, 01 May 2009 18:52:13 UTC

Googling Justice Scalia

Posted By Bruce Schneier

Nice hack: Last year, when law professor Joel Reidenberg wanted to show his Fordham University class how readily private information is available on the Internet, he assigned a group project. It was collecting personal information from the Web about himself. This year, after U.S. Supreme Court Justice Antonin Scalia made public comments that seemingly may have questioned the need for...

Fri, 01 May 2009 16:46:50 UTC

Yet Another New York Times Cyberwar Article

Posted By Bruce Schneier

It's the season, I guess: The United States has no clear military policy about how the nation might respond to a cyberattack on its communications, financial or power networks, a panel of scientists and policy advisers warned Wednesday, and the country needs to clarify both its offensive capabilities and how it would respond to such attacks. The report, based on...

Thu, 30 Apr 2009 20:18:26 UTC

Preparing for Cyberwar

Posted By Bruce Schneier

Interesting article from The New York Times. Because so many aspects of the American effort to develop cyberweapons and define their proper use remain classified, many of those officials declined to speak on the record. The White House declined several requests for interviews or to say whether Mr. Obama as a matter of policy supports or opposes the use of...

Thu, 30 Apr 2009 12:19:36 UTC

A Sad Tale of Biometrics Gone Wrong

Posted By Bruce Schneier

From The Daily WTF: Johnny was what you might call a "gym rat." In incredible shape from almost-daily gym visits, a tight Lycra tank top, iPod strapped to his sizable bicep, underneath which was a large black tribal tattoo. He scanned his finger on his way out, but the turnstile wouldn't budge. "Uh, just a second," the receptionist furiously typed...

Wed, 29 Apr 2009 19:05:13 UTC

Ireland Does Away with Electronic Voting

Posted By Bruce Schneier

They're voting on paper again; smart country. I wrote about electronic voting machines back in 2004....

Wed, 29 Apr 2009 11:57:01 UTC

Lessons from the Columbine School Shooting

Posted By Bruce Schneier

Lots of high-tech gear, but that's not what makes schools safe: Some of the noticeable security measures remain, but experts say the country is exploring a new way to protect kids from in-school violence: administrators now want to foster school communities that essentially can protect themselves with or without the high-tech gear. "The first and best line of defense is...

Tue, 28 Apr 2009 19:00:52 UTC

"No-Fly" Also Means "No-Flyover"

Posted By Bruce Schneier

I've previously written about the piece of counterterrorism silliness known as the no-fly list: Imagine a list of suspected terrorists so dangerous that we can't ever let them fly, yet so innocent that we can't arrest them -- even under the draconian provisions of the Patriot Act. Turns out these people are so dangerous that they can't be allowed to...

Tue, 28 Apr 2009 15:06:33 UTC

How to Spot a Fake Census Worker

Posted By Bruce Schneier

This apparently non-ironic video warns that people might impersonate census workers in an effort to rob you. But while you shouldn't trust the ID of a stranger, you should trust that same stranger to give you a phone number where you can verify that ID. This, of course, makes no sense. Preventing impersonation is hard....

Mon, 27 Apr 2009 12:57:44 UTC

Cell Phones and Hostage Situations

Posted By Bruce Schneier

I haven't read this book on the Columbine school shooting and massacre, but the New York Times review had an interesting paragraph about cell phones in a hostage situation: Fuselier is one of the people Cullen spotlights in his retelling in order to clear up the historical record. Some of the confusion generated by Columbine was inevitable: Harris and Klebold...

Mon, 27 Apr 2009 12:16:06 UTC

Unfair and Deceptive Data Trade Practices

Posted By Bruce Schneier

Do you know what your data did last night? Almost none of more than 27 million people who took the RealAge quiz realized that their personal health data was sold to drug companies, who in turn used that information for targeted e-mail marketing campaigns. There's a basic consumer protection principle at work here, and it's the concept of "unfair and...

Fri, 24 Apr 2009 22:36:32 UTC

Friday Squid Blogging: Squid Forensics

Posted By Bruce Schneier

Not what you think; it's about forensics of the Squid web/proxy cache. Note the squid stamp, though....

Fri, 24 Apr 2009 20:46:46 UTC

San Francisco Restaurant Reviews for the RSA Conference

Posted By Bruce Schneier

The RSA Conference organizers asked me to write a restaurant review column for their show daily -- distributed only electronically. I called my column "The Dining Cryptographer." Here are links to them. I reviewed two restaurants each day: one walking distance from Moscone Center, and one a taxi ride away....

Fri, 24 Apr 2009 19:27:45 UTC

The Terrorism Arrests that Weren't

Posted By Bruce Schneier

Remember those terrorism arrests that the UK government conducted, after a secret document was accidentally photographed? No one was charged: The Crown Prosecution Service said there was insufficient evidence to press charges or hold them any longer. The Muslim Council of Britain said the government behaved "very dishonourably" over the treatment of the men and should admit it had made a...

Fri, 24 Apr 2009 12:29:54 UTC

Fake Facts on Twitter

Posted By Bruce Schneier

Clever hack: Back during the debate for HR 1, I was amazed at how easily conservatives were willing to accept and repeat lies about spending in the stimulus package, even after those provisions had been debunked as fabrications. The $30 million for the salt marsh mouse is a perfect example, and Kagro X documented well over a dozen congressmen repeating...

Thu, 23 Apr 2009 18:30:52 UTC

Hacking U.S. Military Satellites

Posted By Bruce Schneier

The problem is more widespread than you might think: First lofted into orbit in the 1970s, the FLTSATCOM bird was at the time a major advance in military communications. Their 23 channels were used by every branch of the U.S. armed forces and the White House for encrypted data and voice, typically from portable ground units that could be quickly...

Thu, 23 Apr 2009 11:50:29 UTC

Conficker

Posted By Bruce Schneier

Conficker’s April Fool’s joke -- the huge, menacing build-up and then nothing -- is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren't very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis. This worked fine for the simple...

Wed, 22 Apr 2009 19:31:12 UTC

Lessons in Key Management

Posted By Bruce Schneier

Encrypting your USB drive is smart. Writing the encryption key on a piece of paper and attaching it to the USB drive is not....

Wed, 22 Apr 2009 13:04:13 UTC

Low-Tech Impersonation

Posted By Bruce Schneier

Sometimes the basic tricks work best: Police say a man posing as a waiter collected $186 in cash from diners at two restaurants in New Jersey and walked out with the money in his pocket. Diners described the bogus waiter as a spikey-haired 20-something wearing a dark blue or black button-down shirt, yellow tie and khaki pants. Police say he...

Wed, 22 Apr 2009 00:20:00 UTC

NSA at RSA

Posted By Bruce Schneier

I was going to write a commentary on the RSA Conference keynote speech by General Alexander, NSA Director. But he didn't actually say anything. Does anyone have any other opinions?...

Tue, 21 Apr 2009 18:15:02 UTC

Funny "War on Photography" Anecdote

Posted By Bruce Schneier

Posting an excerpt would give it away....

Tue, 21 Apr 2009 12:25:36 UTC

DHS Recruitment Drive

Posted By Bruce Schneier

Anyone interested? General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could "think like the bad guy." Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense...

Mon, 20 Apr 2009 18:10:57 UTC

Hacking a Time Poll

Posted By Bruce Schneier

Not a particularly subtle hack, but clever nonetheless....

Mon, 20 Apr 2009 12:16:04 UTC

Book Review: The Science of Fear

Posted By Bruce Schneier

Daniel Gardner's The Science of Fear was published last July, but I've only just gotten around to reading it. That was a big mistake. It's a fantastic book about how humans deal with fear: exactly the kind of thing I have been reading and writing about for the past couple of years. It's the book I wanted to write,...

Fri, 17 Apr 2009 20:24:39 UTC

Friday Squid Blogging: Squid T-Shirt

Posted By Bruce Schneier

I like this one....

Fri, 17 Apr 2009 11:41:53 UTC

New Frontiers in Biometrics

Posted By Bruce Schneier

Ears? Arm swinging? I guess biometrics is now the "it" thing to study....

Thu, 16 Apr 2009 12:48:39 UTC

Boston Police Consider Using Linux to be Grounds for Suspicion

Posted By Bruce Schneier

This is pretty awful. More war on the unexpected....

Wed, 15 Apr 2009 12:17:23 UTC

How to Write a Scary Cyberterrorism Story

Posted By Bruce Schneier

From Foreign Affairs, of all places: 8. If you are still having trouble working the Chinese or the Russian governments into your story, why not throw in some geopolitical kerfuffle that involves a country located in between? Not only would it implicate both governments, it would also make cyberspace seem relevant to geopolitics. I suggest you settle on Kyrgyzstan, as...

Tue, 14 Apr 2009 12:45:39 UTC

UK Terrorism Arrests

Posted By Bruce Schneier

Details of the arrests made in haste after this inadvertent disclosure....

Mon, 13 Apr 2009 12:14:21 UTC

Tweenbots

Posted By Bruce Schneier

Tweenbots: Tweenbots are human-dependent robots that navigate the city with the help of pedestrians they encounter. Rolling at a constant speed, in a straight line, Tweenbots have a destination displayed on a flag, and rely on people they meet to read this flag and to aim them in the right direction to reach their goal. Given their extreme vulnerability, the...

Fri, 10 Apr 2009 22:10:14 UTC

Friday Squid Blogging: Squid Cartoon

Posted By Bruce Schneier

Lio....

Fri, 10 Apr 2009 13:06:48 UTC

How Not to Carry Around Secret Documents

Posted By Bruce Schneier

Here's a tip: when walking around in public with secret government documents, put them in an envelope. A huge MI5 and police counterterrorist operation against al-Qaeda suspects had to be brought forward at short notice last night after Scotland Yard's counter-terrorism chief accidentally revealed a briefing document. [...] The operation was nearly blown when Assistant Commissioner Bob Quick walked up...

Thu, 09 Apr 2009 18:02:39 UTC

U.S. Power Grid Hacked, Everyone Panic!

Posted By Bruce Schneier

Yesterday I talked to at least a dozen reporters about this breathless Wall Street Journal story: Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be...

Thu, 09 Apr 2009 13:07:15 UTC

P2P Privacy

Posted By Bruce Schneier

Interesting research: The team of researchers, which includes graduate students David Choffnes (electrical engineering and computer science) and Dean Malmgren (chemical and biological engineering), and postdoctoral fellow Jordi Duch (chemical and biological engineering), studied connection patterns in the BitTorrent file-sharing network -- one of the largest and most popular P2P systems today. They found that over the course of weeks,...

Wed, 08 Apr 2009 19:25:26 UTC

Police Powers and the UK Government in the 1980s

Posted By Bruce Schneier

I found this great paragraph in this article on the future of privacy in the UK: One of the few home secretaries who dominated his department rather than be cowed by it was Lord Whitelaw in the 1980s. He boasted how after any security lapse, the police would come to beg for new and draconian powers. He laughed and sent...

Wed, 08 Apr 2009 12:43:05 UTC

Social Networking Identity Theft Scams

Posted By Bruce Schneier

Clever: I'm going to tell you exactly how someone can trick you into thinking they're your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it....

Tue, 07 Apr 2009 19:03:23 UTC

Crypto Puzzle and NSA Problem

Posted By Bruce Schneier

From Cryptosmith: The NSA had an incinerator in their old Arlington Hall facility that was designed to reduce top secret crypto materials and such to ash. Someone discovered that it wasn't in fact working. Contract disposal trucks had been disposing of this not-quite-sanitized rubbish, and officers tracked down a huge pile in a field in Ft. Meyer. How did they...

Tue, 07 Apr 2009 12:14:55 UTC

What to Fear

Posted By Bruce Schneier

Nice rundown of the statistics. The single greatest killer of Americans is the so-called "lifestyle disease." Somewhere between half a million and a million of us get a short ride in a long hearse every year because of smoking, lousy diets, parking our bodies in front of the TV instead of operating them, and downing yet another six pack and...

Mon, 06 Apr 2009 13:10:15 UTC

Definition of "Weapon of Mass Destruction"

Posted By Bruce Schneier

At least, according to U.S. law: 18 U.S.C. 2332a (2) the term "weapon of mass destruction" means— (A) any destructive device as defined in section 921 of this title; (B) any weapon that is designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals, or their precursors; (C) any...

Mon, 06 Apr 2009 12:51:37 UTC

Identifying People using Anonymous Social Networking Data

Posted By Bruce Schneier

Interesting: Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov, from the University of Texas at Austin, developed the algorithm which turned the anonymous data back into names and addresses. The data sets are usually stripped of personally identifiable information, such as names, before it is sold to marketing companies or researchers keen to plumb it for useful information. Before now,...

Fri, 03 Apr 2009 22:28:14 UTC

Learning About Giant Squid From Sperm Whale Stomachs

Posted By Bruce Schneier

Interesting research: By looking in the stomachs of three sperm whales stranded in the Bay of Biscay, Cherel recovered hundreds of beaks from 19 separate species -- 17 squids including the giant squid, the seven-arm octopus (the largest in the world) and the bizarre vampire squid. Together, these species represent a decent spread of the full diversity of deep-sea cephalopods....

Fri, 03 Apr 2009 19:47:18 UTC

Interview with Me

Posted By Bruce Schneier

On the threats of insiders, from Federal News Radio....

Fri, 03 Apr 2009 11:25:36 UTC

Stealing Commodities

Posted By Bruce Schneier

Before his arrest, Tom Berge stole lead roof tiles from several buildings in south-east England, including the Honeywood Museum in Carshalton, the Croydon parish church, and the Sutton high school for girls. He then sold those tiles to scrap metal dealers. As a security expert, I find this story interesting for two reasons. First, amongst increasingly ridiculous attempts to ban,...

Thu, 02 Apr 2009 20:54:29 UTC

DNA False Positives

Posted By Bruce Schneier

A story about a very expensive series of false positives. The German police spent years and millions of dollars tracking a mysterious killer whose DNA had been found at the scenes of six murders. Finally they realized they were tracking a worker at the factory that assembled the prepackaged swabs used for DNA testing. This story could be used as...

Thu, 02 Apr 2009 12:09:14 UTC

Who Should be in Charge of U.S. Cybersecurity?

Posted By Bruce Schneier

U.S. government cybersecurity is an insecure mess, and fixing it is going to take considerable attention and resources. Trying to make sense of this, President Barack Obama ordered a 60-day review of government cybersecurity initiatives. Meanwhile, the U.S. House Subcommittee on Emerging Threats, Cybersecurity, Science and Technology is holding hearings on the same topic. One of the areas of contention...

Wed, 01 Apr 2009 18:55:37 UTC

Thefts at the Museum of Bad Art

Posted By Bruce Schneier

I'm not making this up: The loss of two MOBA works to theft has drawn media attention, and enhanced the museum's stature. In 1996, the painting Eileen, by R. Angelo Le, vanished from MOBA. Eileen was acquired from the trash by Wilson, and features a rip in the canvas where someone slashed it with a knife even before the museum...

Wed, 01 Apr 2009 12:37:11 UTC

Fourth Annual Movie-Plot Threat Contest

Posted By Bruce Schneier

Let's face it, the War on Terror is a tired brand. There just isn't enough action out there to scare people. If this keeps up, people will forget to be scared. And then both the terrorists and the terror-industrial complex lose. We can't have that. We're going to help revive the fear. There's plenty to be scared about, if only...

Tue, 31 Mar 2009 12:30:43 UTC

Privacy and the Fourth Amendment

Posted By Bruce Schneier

In the United States, the concept of "expectation of privacy" matters because it's the constitutional test, based on the Fourth Amendment, that governs when and how the government can invade your privacy. Based on the 1967 Katz v. United States Supreme Court decision, this test actually has two parts. First, the government's action can't contravene an individual's subjective expectation of...

Mon, 30 Mar 2009 18:43:08 UTC

Massive Chinese Espionage Network

Posted By Bruce Schneier

The story broke in The New York Times yesterday: In a report to be issued this weekend, the researchers said that the system was being controlled from computers based almost exclusively in China, but that they could not say conclusively that the Chinese government was involved. [...] Their sleuthing opened a window into a broader operation that, in less than...

Mon, 30 Mar 2009 12:50:47 UTC

The Zone of Essential Risk

Posted By Bruce Schneier

Bob Blakley makes an interesting point. It's in the context of eBay fraud, but it's more general than that. If you conduct infrequent transactions which are also small, you'll never lose much money and it's not worth it to try to protect yourself - you'll sometimes get scammed, but you'll have no trouble affording the losses. If you conduct large...

Fri, 27 Mar 2009 22:09:31 UTC

Friday Squid Blogging: Two Squid Recipes

Posted By Bruce Schneier

Braised squid with artichokes, and squid in red wine sauce, both from the New York Times food blog....

Fri, 27 Mar 2009 19:17:24 UTC

Gorilla Detector

Posted By Bruce Schneier

From Muppet Labs: How many times have you awakened at night in the dark and said to yourself..."Is there a gorilla in here?" And how many people do you know whose vacations were ruined because they were eaten by undetected gorillas?...

Fri, 27 Mar 2009 11:52:11 UTC

Security Fears Drive Iran to Linux

Posted By Bruce Schneier

According to The Age in Australia: "We would have to pay a lot of money," said Sephery-Rad, noting that most of the government's estimated one million PCs and the country's total of six to eight million computers were being run almost exclusively on the Windows platform. "Secondly, Microsoft software has a lot of backdoors and security weaknesses that are always...

Thu, 26 Mar 2009 18:44:00 UTC

A Solar Plasma Movie-Plot Threat

Posted By Bruce Schneier

This is impressive: It is midnight on 22 September 2012 and the skies above Manhattan are filled with a flickering curtain of colourful light. Few New Yorkers have seen the aurora this far south but their fascination is short-lived. Within a few seconds, electric bulbs dim and flicker, then become unusually bright for a fleeting moment. Then all the lights...

Thu, 26 Mar 2009 14:08:27 UTC

Surviving a Suicide Bombing

Posted By Bruce Schneier

Where you stand matters: The two researchers have developed accurate physics-based models of a suicide bombing attack, including casualty levels and explosive composition. Their work also describes human shields available in the crowd with partial and full coverage in both two- and three-dimensional environments. Their virtual simulation tool assesses the impact of crowd formation patterns and their densities on the...

Wed, 25 Mar 2009 12:59:24 UTC

Sniffing Keyboard Keystrokes with a Laser

Posted By Bruce Schneier

Interesting: Chief Security Engineer Andrea Barisani and hardware hacker Daniele Bianco used a handmade laser microphone device and a photo diode to measure the vibrations, software for analyzing the spectrograms of frequencies from different keystrokes, as well as technology to apply the data to a dictionary to try to guess the words. They used a technique called dynamic time warping...

Tue, 24 Mar 2009 12:41:42 UTC

Election Fraud in Kentucky

Posted By Bruce Schneier

I think this is the first documented case of election fraud in the U.S. using electronic voting machines (there have been lots of documented cases of errors and voting problems, but this one involves actual maliciousness): Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal...

Mon, 23 Mar 2009 18:31:45 UTC

Fear and the Availability Heuristic

Posted By Bruce Schneier

Psychology Today on fear and the availability heuristic: We use the availability heuristic to estimate the frequency of specific events. For example, how often are people killed by mass murderers? Because higher frequency events are more likely to occur at any given moment, we also use the availability heuristic to estimate the probability that events will occur. For example, what...

Mon, 23 Mar 2009 12:55:12 UTC

Research in Explosive Detection

Posted By Bruce Schneier

Interesting: Much of this research focuses on "micromechanical" devices -- tiny sensors that have microscopic probes on which airborne chemical vapors deposit. When the right chemicals find the surface of the sensors, they induce tiny mechanical motions, and those motions create electronic signals that can be measured. These devices are relatively inexpensive to make and can sensitively detect explosives, but...

Fri, 20 Mar 2009 22:45:27 UTC

Friday Squid Blogging: Make a Giant Giant Squid Pillow

Posted By Bruce Schneier

Photos and instructions....

Fri, 20 Mar 2009 21:10:00 UTC

Holy Hand Grenade of Antioch Bomb Scare

Posted By Bruce Schneier

You just can't make this stuff up: Buildings were evacuated, a street was cordoned off and a bomb disposal team called in after workmen spotted a suspicious object. But the dangerous-looking weapon turned out to be the Holy Hand Grenade of Antioch, made famous in the 1975 film Monty Python And The Holy Grail. [...] They evacuated a pub and...

Fri, 20 Mar 2009 19:34:06 UTC

More NSA Video Courses from 1991

Posted By Bruce Schneier

Last month, I posted this. There's an update with new information (the FOIA redactions were appealed)....

Fri, 20 Mar 2009 12:24:26 UTC

Why People Steal Rare Books

Posted By Bruce Schneier

Interesting analysis: "Book theft is very hard to quantify because very often pages are cut and it's not noticed for years," says Rapley. "Often we come across pages from books [in hauls of recovered property] and we work back from there." The Museum Security Network, a Dutch-based, not-for-profit organisation devoted to co-ordinating efforts to combat this type of theft, estimates...

Thu, 19 Mar 2009 18:18:22 UTC

Blowfish on 24, Again

Posted By Bruce Schneier

Three nights ago, my encryption algorithm Blowfish was mentioned on the Fox show 24. The clip is available here, or streaming on Hulu. This is the exchange: Janis Gold: I isolated the data Renee uploaded to Bauer but I can't get past the filed header. Ryan Burnett: What does that mean? JG: She encrypted the name and address she used...

Thu, 19 Mar 2009 12:07:55 UTC

Fingerprinting Paper

Posted By Bruce Schneier

Interesting paper: Fingerprinting Blank Paper Using Commodity Scanners Will Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, Alex Halderman, and Edward W. Felten Abstract: This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner...

Wed, 18 Mar 2009 18:45:15 UTC

Hiding Behind Terrorism Law

Posted By Bruce Schneier

The Bayer company is refusing to talk about a fatal accident at a West Virginia plant, citing a 2002 terrorism law. CSB had intended to hear community concerns, gather more information on the accident, and inform residents of the status of its investigation. However, Bayer attorneys contacted CSB Chairman John Bresland and set up a Feb. 12 conference at the...

Wed, 18 Mar 2009 13:22:06 UTC

1801 Cipher Solved

Posted By Bruce Schneier

Interesting piece of cryptographic history: a cipher designed by Robert Patterson and sent to Thomas Jefferson. The full story is behind a paywall....

Tue, 17 Mar 2009 19:10:59 UTC

Leaving Infants in the Car

Posted By Bruce Schneier

It happens; sometimes they die. "Death by hyperthermia" is the official designation. When it happens to young children, the facts are often the same: An otherwise loving and attentive parent one day gets busy, or distracted, or upset, or confused by a change in his or her daily routine, and just... forgets a child is in the car. It happens...

Tue, 17 Mar 2009 11:42:59 UTC

The Onion on the Hudson River Plane Crash

Posted By Bruce Schneier

Fowl Qaeda....

Mon, 16 Mar 2009 12:36:00 UTC

Privacy in Google Latitude

Posted By Bruce Schneier

Good news: What Loopt — and now Google — are asserting is this: when you tell your friends where you are, you are using a public conveyance to communicate privately. And, just as it would if it wanted to record your phone call or read your e-mail, the government needs to get a wiretap order. That's even tougher to get...

Fri, 13 Mar 2009 22:31:44 UTC

Friday Squid Blogging: Build Your Own Virtual Squid

Posted By Bruce Schneier

This site lets you build your own squid and let it loose in a virtual environment. You can even come back later and visit your squid....

Fri, 13 Mar 2009 19:46:44 UTC

The Doghouse: Sentex Keypads

Posted By Bruce Schneier

It has a master key: Here's a fun little tip: You can open most Sentex key pad-access doors by typing in the following code: ***00000099#* The first *** are to enter into the admin mode, 000000 (six zeroes) is the factory-default password, 99# opens the door, and * exits the admin mode (make sure you press this or the access...

Fri, 13 Mar 2009 13:41:49 UTC

The Kindness of Strangers

Posted By Bruce Schneier

When I was growing up, children were commonly taught: "don't talk to strangers." Strangers might be bad, we were told, so it's prudent to steer clear of them. As it turns out, this is profoundly bad advice. Most people are honest, kind, and generous, especially when someone asks them for help. If a small child is in trouble, the smartest...

Thu, 12 Mar 2009 18:39:06 UTC

IT Security: Blaming the Victim

Posted By Bruce Schneier

Blaming the victim is common in IT: users are to blame because they don't patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think. People regularly don't do things they are supposed to:...

Thu, 12 Mar 2009 12:36:20 UTC

The Story of the World's Largest Diamond Heist

Posted By Bruce Schneier

Read the whole thing: He took the elevator, descending two floors underground to a small, claustrophobic room--the vault antechamber. A 3-ton steel vault door dominated the far wall. It alone had six layers of security. There was a combination wheel with numbers from 0 to 99. To enter, four numbers had to be dialed, and the digits could be seen...

Wed, 11 Mar 2009 18:38:38 UTC

Google Map Spam

Posted By Bruce Schneier

There are zillions of locksmiths in New York City. Not really; this is the latest attempt by phony locksmiths to steer business to themselves: This is one of the scary parts: they have a near monopoly on the cell phone 411 system. They have filled the data bases with so many phony address listings in most major cities that when...

Wed, 11 Mar 2009 11:49:11 UTC

The Techniques for Distributing Child Porn

Posted By Bruce Schneier

Fascinating history of an illegal industry: Today's schemes are technologically very demanding and extremely complex. It starts with the renting of computer servers in several countries. First the Carders are active to obtain the credit cards and client identities wrongfully. These data are then passed to the falsifiers who manufacture wonderful official documents so that they can be used to...

Tue, 10 Mar 2009 13:52:04 UTC

Security Theater Scare Mongering

Posted By Bruce Schneier

We need more security in hotels and churches: First Baptist Church in Maryville, Illinois, had a security plan in place when a gunman walked into services Sunday morning and killed Pastor Fred Winters, said Tim Lawson, another pastor at the church. Lawson told CNN he was not prepared to disclose details of his church's security plan on Monday. But Maryville...

Mon, 09 Mar 2009 19:19:47 UTC

Choosing a Bad Password Has Real-World Consequences

Posted By Bruce Schneier

Oops....

Mon, 09 Mar 2009 12:59:21 UTC

History and Ethics of Military Robots

Posted By Bruce Schneier

This article gives an overview of U.S. military robots, and discusses a bit around the issues regarding their use in war: As military robots gain more and more autonomy, the ethical questions involved will become even more complex. The U.S. military bends over backwards to figure out when it is appropriate to engage the enemy and how to limit civilian...

Fri, 06 Mar 2009 22:47:01 UTC

Friday Squid Blogging: Squid Pie

Posted By Bruce Schneier

Amusing story....

Fri, 06 Mar 2009 19:30:43 UTC

New eBay Fraud

Posted By Bruce Schneier

Here's a clever attack, exploiting relative delays in eBay, PayPal, and UPS shipping: The buyer reported the item as "destroyed" and demanded and got a refund from Paypal. When the buyer shipped it back to Chad and he opened it, he found there was nothing wrong with it -- except that the scammer had removed the memory, processor and hard...

Fri, 06 Mar 2009 12:05:54 UTC

Self-Defense Pen

Posted By Bruce Schneier

I'm sure you need some skill to actually use this, and I'm also sure it'll get through airport security checkpoints just fine....

Thu, 05 Mar 2009 18:45:37 UTC

More European Chip and Pin Insecurity

Posted By Bruce Schneier

"Optimised to Fail: Card Readers for Online Banking," by Saar Drimer, Steven J. Murdoch, and Ross Anderson. Abstract The Chip Authentication Programme (CAP) has been introduced by banks in Europe to deal with the soaring losses due to online banking fraud. A handheld reader is used together with the customer's debit card to generate one-time codes for both login and...

Thu, 05 Mar 2009 12:43:37 UTC

All-or-Nothing Encryption Program

Posted By Bruce Schneier

Programs staple and unstaple perform all-or-nothing encryption. Just demonstration code, but interesting all the same....

Wed, 04 Mar 2009 18:32:11 UTC

Commentary on the UK Government National Security Strategy

Posted By Bruce Schneier

This is scary: Sir David Omand, the former Whitehall security and intelligence co-ordinator, sets out a blueprint for the way the state will mine data -- including travel information, phone records and emails -- held by public and private bodies and admits: "Finding out other people's secrets is going to involve breaking everyday moral rules." In short: it's immoral, but...

Wed, 04 Mar 2009 13:25:59 UTC

Michael Froomkin on Identity Cards

Posted By Bruce Schneier

University of Miami law professor Michael Froomkin writes about ID cards and society in "Identity Cards and Identity Romanticism." This book chapter for "Lessons from the Identity Trail: Anonymity, Privacy and Identity in a Networked Society" (New York: Oxford University Press, 2009)—a forthcoming comparative examination of approaches to the regulation of anonymity edited by Ian Kerr—discusses the sources of hostility...

Tue, 03 Mar 2009 19:20:43 UTC

Three Security Anecdotes from the Insect World

Posted By Bruce Schneier

Beet armyworm caterpillars react to the sound of a passing wasp by freezing in place, or even dropping off the plant. Unfortunately, armyworm intelligence isn't good enough to tell the difference between enemy aircraft (the wasps that prey on them) and harmless commercial flights (bees); they react the same way to either. So by producing pollen for bees, plants not...

Tue, 03 Mar 2009 11:23:42 UTC

Shower Mirror with Hidden Camera

Posted By Bruce Schneier

Use it to catch the lovers of cheating spouses. (The site has a wide variety of hidden cameras in common household objects.)...

Mon, 02 Mar 2009 18:30:53 UTC

Judge Orders Defendant to Decrypt Laptop

Posted By Bruce Schneier

This is an interesting case: At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or...

Mon, 02 Mar 2009 13:10:54 UTC

Perverse Security Incentives

Posted By Bruce Schneier

An employee of Whole Foods in Ann Arbor, Michigan, was fired in 2007 for apprehending a shoplifter. More specifically, he was fired for touching a customer, even though that customer had a backpack filled with stolen groceries and was running away with them. I regularly see security decisions that, like the Whole Foods incident, seem to make absolutely no sense....

Fri, 27 Feb 2009 22:01:00 UTC

Friday Squid Blogging: Researching Squid Bacteria

Posted By Bruce Schneier

New research: Intriguingly, that gene is the one that enables the bacteria to form a biofilm, the tightly woven matrix of "slime" which allows bacterial colonies to behave in many ways like a single organism. "The biofilm might be critical for adhering to the light organ, or telling the host that the correct symbiont has arrived," says Mandel. Biofilms also...

Fri, 27 Feb 2009 12:13:01 UTC

Privacy in the Age of Persistence

Posted By Bruce Schneier

Note: This isn't the first time I have written about this topic, and it surely won't be the last. I think I did a particularly good job summarizing the issues this time, which is why I am reprinting it. Welcome to the future, where everything about you is saved. A future where your actions are recorded, your movements are tracked,...

Thu, 26 Feb 2009 18:53:55 UTC

Defeating Caller ID Blocking

Posted By Bruce Schneier

TrapCall is a new service that reveals the caller ID on anonymous or blocked calls: TrapCall instructs new customers to reprogram their cellphones to send all rejected, missed and unanswered calls to TrapCall's own toll-free number. If the user sees an incoming call with Caller ID blocked, he just presses the button on the phone that would normally send it...

Thu, 26 Feb 2009 12:48:03 UTC

Electromagnetic Pulse Grenades

Posted By Bruce Schneier

There are rumors of a prototype: Even the highly advanced US forces hadn't been generally thought to have developed a successful pulse-bomb yet, with most reports indicating that such a capability remains a few years off (as has been the case for decades). Furthermore, the pulse ordnance has usually been seen as large and heavy, in the same league as...

Wed, 25 Feb 2009 20:00:30 UTC

The Doghouse: Singularics

Posted By Bruce Schneier

This is priceless: Our advances in Prime Number Theory have led to a new branch of mathematics called Neutronics. Neutronic functions make possible for the first time the ability to analyze regions of mathematics commonly thought to be undefined, such as the point where one is divided by zero. In short, we have developed a new way to analyze the...

Wed, 25 Feb 2009 12:19:21 UTC

Maine Man Tries to Build a Dirty Bomb

Posted By Bruce Schneier

No one cares, probably because he isn't Muslim. White supremacist terrorism just isn't sexy these days....

Tue, 24 Feb 2009 18:36:48 UTC

Melissa Hathaway Interview

Posted By Bruce Schneier

President Obama has tasked Melissa Hathaway with conducting a 60-day review of the nation's cybersecurity policies. Who is she? Hathaway has been working as a cybercoordination executive for the Office of the Director of National Intelligence. She chaired a multiagency group called the National Cyber Study Group that was instrumental in developing the Comprehensive National Cyber Security Initiative, which was...

Tue, 24 Feb 2009 11:23:54 UTC

New Conficker Variant

Posted By Bruce Schneier

This is one well-designed piece of malware: Conficker B++ is somewhat similar to Conficker B, with 294 of 297 sub-routines the same and 39 additional subroutines. The latest variant, first spotted on 16 February, is even more sneaky than its previous incarnations, SRI explains. Conficker B++ is no longer limited to reinfection by similarly structured Conficker DLLs, but can now...

Mon, 23 Feb 2009 18:28:16 UTC

Is Megan's Law Worth It?

Posted By Bruce Schneier

A study from New Jersey shows that Megan's Law—laws designed to identify sex offenders to the communities they live in—is ineffective in reducing sex crimes or deterring victims. The study, funded by the National Institute of Justice, examined the cases of 550 sex offenders who were broken into two groups—those released from prison before the passage of Megan's Law and...

Mon, 23 Feb 2009 12:51:16 UTC

NSA Wants Help Eavesdropping on Skype

Posted By Bruce Schneier

At least, according to an anonymous "industry source": The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain's GCHQ has also...

Fri, 20 Feb 2009 22:48:20 UTC

Friday Squid Blogging: Jumbo Squid Teeth

Posted By Bruce Schneier

They're strong and lightweight: The teeth get their strength from architecture. A series of tooth pores runs through the protein, and on the outer edge the pores are spaced widely for a hard, sharp edge that digs into the flesh of hapless prey. Toward the base, the pores are closer together, making a softer material that can absorb the prey's...

Fri, 20 Feb 2009 18:03:56 UTC

The "Broken Windows" Theory of Crimefighting

Posted By Bruce Schneier

Evidence of its effectiveness: Researchers, working with police, identified 34 crime hot spots. In half of them, authorities set to work—clearing trash from the sidewalks, fixing street lights, and sending loiterers scurrying. Abandoned buildings were secured, businesses forced to meet code, and more arrests made for misdemeanors. Mental health services and homeless aid referrals expanded. In the remaining hot spots,...

Fri, 20 Feb 2009 13:31:11 UTC

Another Password Analysis

Posted By Bruce Schneier

Here's an analysis of 30,000 passwords from phpbb.com, similar to my analysis of 34,000 MySpace passwords: The striking difference between the two incidents is that the phpbb passwords are simpler. MySpace requires that passwords "must be between 6 and 10 characters, and contain at least 1 number or punctuation character." Most people satisfied this requirement by simply appending "1" to...

Thu, 19 Feb 2009 19:44:26 UTC

Balancing Security and Usability in Authentication

Posted By Bruce Schneier

Since January, the Conficker.B worm has been spreading like wildfire across the Internet: infecting the French Navy, hospitals in Sheffield, the court system in Houston, and millions of computers worldwide. One of the ways it spreads is by cracking administrator passwords on networks. Which leads to the important question: Why in the world are IT administrators still using easy-to-guess passwords?...

Thu, 19 Feb 2009 12:17:00 UTC

Terrorism Common Sense from MI6

Posted By Bruce Schneier

Refreshing commentary from Nigel Inkster, former Assistant Chief and Director of Operations and Intelligence of MI6: "Efforts to establish a global repository of counterterrorist information are unlikely ever to succeed. We need to be wary of rebuilding our world to deal with just one problem, one which might not be by any means the most serious we face." Asked what...

Wed, 18 Feb 2009 18:28:42 UTC

HIPAA Accountability in Stimulus Bill

Posted By Bruce Schneier

On page 379 of the current stimulus bill, there's a bit about establishing a website of companies that lost patient information: (4) POSTING ON HHS PUBLIC WEBSITE -- The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described...

Wed, 18 Feb 2009 11:53:01 UTC

Computer Virus Epidemiology

Posted By Bruce Schneier

"WiFi networks and malware epidemiology," by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani. Abstract: In densely populated urban areas WiFi routers form a tightly interconnected proximity network that can be exploited as a substrate for the spreading of malware able to launch massive fraudulent attacks. In this article, we consider several scenarios for the deployment of malware that...

Tue, 17 Feb 2009 19:56:33 UTC

Difficult-to-Pronounce Things are Judged to Be More Risky

Posted By Bruce Schneier

Do I have any readers left who think humans are rational about risks? Abstract: Low processing fluency fosters the impression that a stimulus is unfamiliar, which in turn results in perceptions of higher risk, independent of whether the risk is desirable or undesirable. In Studies 1 and 2, ostensible food additives were rated as more harmful when their names were...

Tue, 17 Feb 2009 11:00:43 UTC

Los Alamos Explains Their Security Problems

Posted By Bruce Schneier

They've lost 80 computers: no idea if they're stolen, or just misplaced. Typical story—not even worth commenting on—but this great comment by Los Alamos explains a lot about what was wrong with their security policy: The letter, addressed to Department of Energy security officials, contends that "cyber security issues were not engaged in a timely manner" because the computer losses...

Mon, 16 Feb 2009 18:20:01 UTC

Insiders

Posted By Bruce Schneier

Rajendrasinh Makwana was a UNIX contractor for Fannie Mae. On October 24, he was fired. Before he left, he slipped a logic bomb into the organization's network. The bomb would have "detonated" on January 31. It was programmed to disable access to the server on which it was running, block any network monitoring software, systematically and irretrievably erase everything—and then...

Mon, 16 Feb 2009 13:28:48 UTC

Using Fear to Sell Pens, Part Two

Posted By Bruce Schneier

This ad, for a Uni-ball pen that's hard to erase, is kind of surreal. They're using fear to sell pens -- again -- but it's the wrong fear. They're confusing check-washing fraud, where someone takes a check and changes the payee and maybe the amount, with identity theft. And how can someone steal money from me by erasing and changing...

Fri, 13 Feb 2009 22:37:27 UTC

Friday Squid Blogging: Squid Art

Posted By Bruce Schneier

Not quite sure.......

Fri, 13 Feb 2009 19:58:47 UTC

Another Interview with Me

Posted By Bruce Schneier

Yet another one....

Fri, 13 Feb 2009 17:35:25 UTC

The Doghouse: Raidon's Staray-S Encrypted Hard Drives

Posted By Bruce Schneier

Turns out the algorithm is linear. When you're buying security products, you have to trust the vendor. That's why I don't buy any of these hardware-encrypted drives. I don't trust the vendors....

Fri, 13 Feb 2009 12:27:03 UTC

Worldwide Browser Patch Rates

Posted By Bruce Schneier

Interesting research: Abstract: Although there is an increasing trend for attacks against popular Web browsers, only little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP useragent...

Thu, 12 Feb 2009 19:24:14 UTC

Cheating at Disneyworld

Posted By Bruce Schneier

Interesting discussion of different ways to cheat and skip the lines at Disney theme parks. Most of the tricks involve their FastPass system for virtual queuing: Moving toward the truly disingenuous, we've got the "FastPass Switcheroo." To do this, simply get your FastPass like normal for Splash Mountain. You notice that the return time is two hours away, in the...

Thu, 12 Feb 2009 12:16:33 UTC

Privacy on Facebook

Posted By Bruce Schneier

Excellent advice....

Wed, 11 Feb 2009 20:53:27 UTC

Billboards that Watch you Back

Posted By Bruce Schneier

Creepy: Small cameras can now be embedded in the screen or hidden around it, tracking who looks at the screen and for how long. The makers of the tracking systems say the software can determine the viewer's gender, approximate age range and, in some cases, ethnicity—and can change the ads accordingly. That could mean razor ads for men, cosmetics ads...

Wed, 11 Feb 2009 11:09:22 UTC

Cloning RFID Passports

Posted By Bruce Schneier

It's easy to clone RFID passports. (To make it clear, the attacker didn't actually create fake passports; he just stole the data off the RFID chips.) Not that this hasn't been done before. I've long been opposed to RFID chips in passports, and have written op eds about them in the International Herald Tribune and several other papers....

Tue, 10 Feb 2009 18:59:14 UTC

Self-Propelled Semi-Submersibles

Posted By Bruce Schneier

They're used to smuggle drugs into the U.S. Since the vessels have a low profile -- the hulls only rise about a foot above the waterline -- they are hard to see from a distance and produce a small radar signature. U.S. counterdrug officials estimate that SPSS are responsible for 32% of all cocaine movement in the transit zone. But let's not...

Tue, 10 Feb 2009 12:19:03 UTC

Man Arrested by Amtrak Police for Taking Photographs for Amtrak Photography Contest

Posted By Bruce Schneier

You can't make this stuff up. Even Stephen Colbert made fun of it. This isn't the first time Amtrak police have been idiots. And in related news, in the U.K. it soon might be illegal to photograph the police....

Mon, 09 Feb 2009 18:00:18 UTC

U.S. is One Small Step Closer to Making No-Fly List Less Harassing

Posted By Bruce Schneier

The House approved a bill creating a whitelist of people who are on the blacklist, but shouldn't be. No word yet about what they're going to do about people who are on the whitelist, but shouldn't be. Perhaps they'll create another blacklist. Then we'll all be safe from terrorists, for sure....

Mon, 09 Feb 2009 12:47:48 UTC

Monster.com Data Breach

Posted By Bruce Schneier

Monster.com was hacked, and people's personal data was stolen. Normally I wouldn't bother even writing about this—it happens all the time—but an AP reporter called me yesterday to comment. I said: Monster's latest breach "shouldn't have happened," said Bruce Schneier, chief security technology officer for BT Group. "But you can't understand a company's network security by looking at public...

Fri, 06 Feb 2009 22:24:30 UTC

Friday Squid Blogging: Squid Cake

Posted By Bruce Schneier

Doesn't really look all that tasty....

Fri, 06 Feb 2009 19:48:01 UTC

xkcd on Cryptanalysis

Posted By Bruce Schneier

Good xkcd comic on the difference between theoretical and practical cryptanalysis....

Fri, 06 Feb 2009 18:56:10 UTC

Radio Interview with Me

Posted By Bruce Schneier

Last Saturday I was interviewed on Paul Harris's Chicago radio show....

Fri, 06 Feb 2009 12:52:58 UTC

List of NSA Video Courses from 1991

Posted By Bruce Schneier

Interesting, at least to me. It helps if you know the various code names and the names of the different equipment....

Thu, 05 Feb 2009 20:42:28 UTC

Hacking an Electronic Road Sign

Posted By Bruce Schneier

It's easy: cheap lock, and default password. And fun....

Thu, 05 Feb 2009 13:13:10 UTC

Hard Drive Encryption Specification

Posted By Bruce Schneier

There's a new hard drive encryption standard, which will make it easier for manufacturers to build encryption into drives. Honestly, I don't think this is really needed. I use PGP Disk, and I haven't noticed any slowdown due to having encryption done in software. And I worry about yet another standard with its inevitable flaws and security vulnerabilities....

Wed, 04 Feb 2009 18:50:46 UTC

Racial Profiling No Better than Random Screening

Posted By Bruce Schneier

Not that this is any news, but there's some new research to back it up: The study was performed by William Press, who does bioinformatics research at the University of Texas, Austin, with a joint appointment at Los Alamos National Labs. His background in statistics is apparent in his ability to handle various mathematical formulae with aplomb, but he's apparently...

Wed, 04 Feb 2009 12:35:19 UTC

Confessions Corrupt Eyewitnesses

Posted By Bruce Schneier

People confess to crimes they don't commit. They do it a lot. What's interesting about this research is that confessions—whether false or true—corrupt other eyewitnesses: Abstract: A confession is potent evidence, persuasive to judges and juries. Is it possible that a confession can also affect other evidence? The present study tested the hypothesis that a confession will alter eyewitnesses' identification...

Tue, 03 Feb 2009 19:01:21 UTC

Cost of the U.S. No-Fly List

Posted By Bruce Schneier

Someone did the analysis: As will be analyzed below, it is estimated that the costs of the no-fly list, since 2002, range from approximately $300 million (a conservative estimate) to $966 million (an estimate on the high end). Using those figures as low and high potentials, a reasonable estimate is that the U.S. government has spent over $500 million on...

Tue, 03 Feb 2009 12:08:09 UTC

Making Cameras Go Click

Posted By Bruce Schneier

There's a bill in Congress—unlikely to go anywhere—to force digital cameras to go "click." The idea is that this will make surreptitious photography harder: The bill's text says that Congress has found that "children and adolescents have been exploited by photographs taken in dressing rooms and public places with the use of a camera phone." This is so silly it...

Mon, 02 Feb 2009 19:26:59 UTC

Evaluating Risks of Low-Probability High-Cost Events

Posted By Bruce Schneier

"Probing the Improbable: Methodological Challenges for Risks with Low Probabilities and High Stakes," by Toby Ord, Rafaela Hillerbrand, Anders Sandberg. Abstract: Some risks have extremely high stakes. For example, a worldwide pandemic or asteroid impact could potentially kill more than a billion people. Comfortingly, scientific calculations often put very low probabilities on the occurrence of such catastrophes. In this paper,...

Mon, 02 Feb 2009 12:47:02 UTC

Airlines Defining Anyone Disruptive as Terrorists

Posted By Bruce Schneier

From the Los Angeles Times: Freeman is one of at least 200 people on flights who have been convicted under the amended law. In most of the cases, there was no evidence that the passengers had attempted to hijack the airplane or physically attack any of the flight crew. Many have simply involved raised voices, foul language and drunken behavior....

Fri, 30 Jan 2009 22:34:22 UTC

Friday Squid Blogging: Safe Quick Undercarriage Immobilization Device (SQUID)

Posted By Bruce Schneier

New security device: But what if an officer could lay down a road trap in seconds, then activate it from a nearby hiding place? What if—like sea monsters of ancient lore—the trap could reach up from below to ensnare anything from a MINI Cooper to a Ford Expedition? What if this trap were as small as a spare tire, as...

Fri, 30 Jan 2009 19:59:18 UTC

John Stewart on Closing Guantanamo and Movie-Plot Threats

Posted By Bruce Schneier

Funny....

Fri, 30 Jan 2009 17:38:36 UTC

Jeffrey Rosen on the Department of Homeland Security

Posted By Bruce Schneier

Excellent article: The same elements of psychology lead people to exaggerate the likelihood of terrorist attacks: Images of terrifying but highly unusual catastrophes on television—such as the World Trade Center collapsing—are far more memorable than images of more mundane and more prevalent threats, like dying in car crashes. Psychologists call this the "availability heuristic," in which people estimate the probability...

Fri, 30 Jan 2009 12:19:29 UTC

Interview with an Adware Developer

Posted By Bruce Schneier

Fascinating: I should probably first speak about how adware works. Most adware targets Internet Explorer (IE) users because obviously they're the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you're using IE, then either you don't care or you don't know about all the vulnerabilities that IE has. IE has...

Thu, 29 Jan 2009 12:00:27 UTC

Helping the Terrorists

Posted By Bruce Schneier

It regularly comes as a surprise to people that our own infrastructure can be used against us. And in the wake of terrorist attacks or plots, there are fear-induced calls to ban, disrupt or control that infrastructure. According to officials investigating the Mumbai attacks, the terrorists used images from Google Earth to help learn their way around. This isn't the...

Wed, 28 Jan 2009 13:12:36 UTC

The Exclusionary Rule and Security

Posted By Bruce Schneier

Earlier this month, the Supreme Court ruled that evidence gathered as a result of errors in a police database is admissible in court. Their narrow decision is wrong, and will only ensure that police databases remain error-filled in the future. The specifics of the case are simple. A computer database said there was a felony arrest warrant pending for Bennie...

Tue, 27 Jan 2009 20:10:37 UTC

A Rational Response to Peanut Allergies and Children

Posted By Bruce Schneier

Some parents of children with peanut allergies are not asking their school to ban peanuts. They consider it more important that teachers know which children are likely to have a reaction, and how to deal with it when it happens; i.e., how to use an Epipen. This is a much more resilient response to the threat. It works even when...

Tue, 27 Jan 2009 18:34:19 UTC

Remote Fireworks Launcher

Posted By Bruce Schneier

How soon before these people are accused of helping the terrorists? With around a thousand people in the UK injured every year by fireworks, a new electronic remote control 'Firework Launcher' will put safety first and ensure everyone enjoys the Christmas and new year celebrations. This innovative, compact device dramatically reduces the chance of injury by launching fireworks without a flame...

Mon, 26 Jan 2009 19:55:17 UTC

Teaching Risk Analysis in School

Posted By Bruce Schneier

Good points: "I regard myself as part of a movement we call risk literacy," Professor Spiegelhalter told The Times. "It should be a basic component of discussion about issues in media, politics and in schools. "We should essentially be teaching the ability to deconstruct the latest media story about a cancer risk or a wonder drug, so people can work...

Mon, 26 Jan 2009 13:08:31 UTC

Risk Mismanagement on Wall Street

Posted By Bruce Schneier

Long article from the New York Times Magazine on Wall Street's risk management, and where it went wrong. The most interesting part explains how the incentives for traders encouraged them to take asymmetric risks: trade-offs that would work out well 99% of the time but fail catastrophically the remaining 1%. So of course, this is exactly what happened....

Fri, 23 Jan 2009 22:26:30 UTC

Friday Squid Blogging: Squid Teething Toy

Posted By Bruce Schneier

From Japan....

Fri, 23 Jan 2009 19:52:25 UTC

Interview with Me

Posted By Bruce Schneier

From Reason....

Fri, 23 Jan 2009 16:35:14 UTC

BitArmor's No-Breach Guarantee

Posted By Bruce Schneier

BitArmor now comes with a security guarantee. They even use me to tout it: "We think this guarantee is going to encourage others to offer similar ones. Bruce Schneier has been calling on the industry to do something like this for a long time," he [BitArmor's CEO] says. Sounds good, until you read the fine print: If your company has...

Fri, 23 Jan 2009 13:43:44 UTC

When Voting Machine Audit Logs Don't Help

Posted By Bruce Schneier

Wow: Computer audit logs showing what occurred on a vote tabulation system that lost ballots in the November election are raising more questions not only about how the votes were lost, but also about the general reliability of voting system audit logs to record what occurs during an election and to ensure the integrity of results. The logs, which Threat...

Thu, 22 Jan 2009 19:51:56 UTC

New Police Computer System Impeding Arrests

Posted By Bruce Schneier

In Queensland, Australia, policemen are arresting fewer people because their new data-entry system is too annoying: He said police were growing reluctant to make arrests following the latest phased roll-out of QPRIME, or Queensland Police Records Information Management Exchange. "They are reluctant to make arrests and they're showing a lot more discretion in the arrests they make because QPRIME is...

Thu, 22 Jan 2009 12:54:54 UTC

Identity, Authentication, and Authorization

Posted By Bruce Schneier

Good essay on why they must remain distinct. I spent a chapter on this in Beyond Fear....

Wed, 21 Jan 2009 22:00:22 UTC

The Presidential Limousine

Posted By Bruce Schneier

Some, but not many, details....

Wed, 21 Jan 2009 12:59:44 UTC

Breach Notification Laws

Posted By Bruce Schneier

There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law—"They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing"—is just wrong. Two, it provides statistics to...

Tue, 20 Jan 2009 18:34:15 UTC

The Discovery of TEMPEST

Posted By Bruce Schneier

Another recently unclassified NSA document: Jeffrey Friedman, "TEMPEST: A Signal Problem," NSA Cryptologic Spectrum, Summer 1972....

Tue, 20 Jan 2009 11:47:49 UTC

Dognapping

Posted By Bruce Schneier

Dognapping -- or, at least, the fear of dognapping -- is on the rise. So people are no longer leaving their dogs tied up outside stores, and are buying leashes that can't be easily cut through....

Mon, 19 Jan 2009 19:23:18 UTC

In-Person Credit Card Scam

Posted By Bruce Schneier

Surely this isn't new: Suspects entered the business, selected merchandise worth almost $8,000. They handed a credit card with no financial backing to the clerk which when swiped was rejected by the cash register's computer. The suspects then informed the clerk that this rejection was expected and to contact the credit card company by phone to receive a payment approval...

Mon, 19 Jan 2009 12:19:52 UTC

"The Cost of Fearing Strangers"

Posted By Bruce Schneier

Excellent essay from the Freakonomics blog: As we wrote in Freakonomics, most people are pretty terrible at risk assessment. They tend to overstate the risk of dramatic and unlikely events at the expense of more common and boring (if equally devastating) events. A given person might fear a terrorist attack and mad cow disease more than anything in the world,...

Fri, 16 Jan 2009 22:14:10 UTC

Friday Squid Blogging: Your Octopus, Squid and Cephalopod Information Center

Posted By Bruce Schneier

Tonmo.com....

Fri, 16 Jan 2009 19:06:19 UTC

Podcast with Me

Posted By Bruce Schneier

Cato recorded a podcast with me. Nothing you haven't read before....

Fri, 16 Jan 2009 17:11:52 UTC

Top Eleven Reasons Why Lists of Top Ten Bugs Don't Work

Posted By Bruce Schneier

Worth reading....

Fri, 16 Jan 2009 11:24:15 UTC

Michael Chertoff Claims that Hijackings were Routine Prior to 9/11

Posted By Bruce Schneier

I missed this interview with DHS Secretary Michael Chertoff from December. It's all worth reading, but I want to point out where he claims that airplane hijackings were routine prior to 9/11: What I can tell you is that in the period prior to September 12, 2001, it was a regular, routine issue to have American aircraft hijacked or blown...

Thu, 15 Jan 2009 12:14:30 UTC

Economic Distress and Fear

Posted By Bruce Schneier

This was the Quotation of the Day from January 12: Part of the debtor mentality is a constant, frantically suppressed undercurrent of terror. We have one of the highest debt-to-income ratios in the world, and apparently most of us are two paychecks from the street. Those in power -- governments, employers -- exploit this, to great effect. Frightened people are...

Wed, 14 Jan 2009 18:04:37 UTC

Michael Chertoff Parodied in The Onion

Posted By Bruce Schneier

Funny: "While 9/11 has historically always fallen on 9/11, we as Americans need to be prepared for a wide range of dates," Chertoff said during a White House press conference. "There's a chance we could all find ourselves living in a post-6/10 world as early as next July. Unless, that is, we're already living in a pre-2/14 world." "1/1, 1/2,...

Wed, 14 Jan 2009 11:27:55 UTC

Stupid Security Tricks: Key Management

Posted By Bruce Schneier

It's smart to encrypt USB memory devices, but it's stupid to attach the encryption key to the device. Health bosses today admitted the memory stick was encrypted, but the password had been attached to the device when it went missing. I'm sure they were so proud that they chose a secure encryption algorithm....

Tue, 13 Jan 2009 12:58:56 UTC

Two Security Camera Studies

Posted By Bruce Schneier

From San Francisco: San Francisco's Community Safety Camera Program was launched in late 2005 with the dual goals of fighting crime and providing police investigators with a retroactive investigatory tool. The program placed more than 70 non-monitored cameras in mainly high-crime areas throughout the city. This report released today (January 9, 2009) consists of a multi-disciplinary collaboration examining the program's...

Mon, 12 Jan 2009 18:44:20 UTC

Shaping the Obama Administration's Counterterrorism Strategy

Posted By Bruce Schneier

I'm at a two-day conference: Shaping the Obama Administration's Counterterrorism Strategy, sponsored by the Cato Institute in Washington, DC. It's sold out, but you can watch or listen to the event live on the Internet. I'll be on a panel tomorrow at 9:00 AM. I've been told that there's a lively conversation about the conference on Twitter, but -- as...

Mon, 12 Jan 2009 12:48:52 UTC

Bad Password Security at Twitter

Posted By Bruce Schneier

Twitter fell to a dictionary attack because the site allowed unlimited failed login attempts: Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts. Coding Horror has more, but -- come on, people -- this is basic stuff....

Mon, 12 Jan 2009 11:15:03 UTC

DHS's Files on Travelers

Posted By Bruce Schneier

This is interesting: I had been curious about what's in my travel dossier, so I made a Freedom of Information Act (FOIA) request for a copy. I'm posting here a few sample pages of what officials sent me. My biggest surprise was that the Internet Protocol (I.P.) address of the computer used to buy my tickets via a Web agency...

Sun, 11 Jan 2009 18:47:04 UTC

Movie-Plot Threat: Terrorists Using Insects

Posted By Bruce Schneier

Fear sells books: Terrorists could easily contrive an "insect-based" weapon to import an exotic disease, according to an entomologist who's promoting a book on the subject....

Fri, 09 Jan 2009 22:50:07 UTC

Friday Squid Blogging: Squid Hats

Posted By Bruce Schneier

Awesome....

Fri, 09 Jan 2009 22:06:43 UTC

Friday Squid Blogging: Bizarre Squid Reproductive Habits

Posted By Bruce Schneier

Lots of them: Hoving investigated the reproductive techniques of no fewer than ten different squids and related cuttlefish -- from the twelve-metre long giant squid to a mini-squid of no more than twenty-five millimetres in length. Along the way he made a number of remarkable discoveries. Hoving: "Reproduction is no fun if you're a squid. With one species, the Taningia...

Fri, 09 Jan 2009 20:04:17 UTC

Impersonation

Posted By Bruce Schneier

Impersonation isn't new. In 1556, a Frenchman was executed for impersonating Martin Guerre, and this week hackers impersonated Barack Obama on Twitter. It's not even unique to humans: mockingbirds, Viceroy butterflies, and the brown octopus all use impersonation as a survival strategy. For people, detecting impersonation is a hard problem for three reasons: we need to verify the identity of...

Fri, 09 Jan 2009 19:04:19 UTC

Interview with Me

Posted By Bruce Schneier

I was interviewed for CSO Magazine....

Fri, 09 Jan 2009 12:54:13 UTC

Allocating Resources: Financial Fraud vs. Terrorism

Posted By Bruce Schneier

Interesting trade-off: The FBI has been forced to transfer agents from its counter-terrorism divisions to work on Bernard Madoff's alleged $50 billion fraud scheme as victims of the biggest scam in the world continue to emerge. The Freakonomics blog discusses this: This might lead you to ask an obvious counter-question: Has the anti-terror enforcement since 9/11 in the U.S. helped...

Thu, 08 Jan 2009 18:53:57 UTC

Biometrics

Posted By Bruce Schneier

Biometrics may seem new, but they're the oldest form of identification. Tigers recognize each other's scent; penguins recognize calls. Humans recognize each other by sight from across the room, voices on the phone, signatures on contracts and photographs on driver's licenses. Fingerprints have been used to identify people at crime scenes for more than 100 years. What is new about...

Thu, 08 Jan 2009 12:44:51 UTC

Reporting Unruly Football Fans via Text Message

Posted By Bruce Schneier

This system is available in most NFL stadiums: Fans still are urged to complain to an usher or call a security hotline in the stadium to report unruly behavior. But text-messaging lines -- typically advertised on stadium scoreboards and on signs where fans gather -- are aimed at allowing tipsters to surreptitiously alert security personnel via cellphone without getting involved...

Wed, 07 Jan 2009 19:39:32 UTC

The NSA on the Origins of the NSA

Posted By Bruce Schneier

From its website....

Wed, 07 Jan 2009 12:56:08 UTC

Censorship on Google Maps

Posted By Bruce Schneier

"Blurred Out: 51 Things You Aren't Allowed to See on Google Maps." An interesting list....

Tue, 06 Jan 2009 20:28:11 UTC

The Best Capers of 2008

Posted By Bruce Schneier

Good list....

Tue, 06 Jan 2009 11:51:37 UTC

Kip Hawley Is Starting to Sound Like Me

Posted By Bruce Schneier

Good quote: "In the hurly-burly and the infinite variety of travel, you can end up with nonsensical results in which the T.S.A. person says, 'Well, I'm just following the rules,'" Mr. Hawley said. "But if you have an enemy who is going to study your technology and your process, and if you have something they can figure out a way...

Mon, 05 Jan 2009 20:56:32 UTC

FBI's New Cryptanalysis Contest

Posted By Bruce Schneier

From their website....

Mon, 05 Jan 2009 12:34:15 UTC

Trends in Counterfeit Currency

Posted By Bruce Schneier

It's getting worse: More counterfeiters are using today's ink-jet printers, computers and copiers to make money that's just good enough to pass, he said, even though their product is awful. In the past, he said, the best American counterfeiters were skilled printers who used heavy offset presses to turn out decent 20s, 50s and 100s. Now that kind of work...

Fri, 02 Jan 2009 22:49:03 UTC

Friday Squid Blogging: Climate Change Affects Squids

Posted By Bruce Schneier

No surprise, really....

Fri, 02 Jan 2009 22:08:21 UTC

Friday Squid Blogging: Squid Attacks ROV

Posted By Bruce Schneier

Video. Looks like a Humboldt squid....

Fri, 02 Jan 2009 18:17:49 UTC

Another Recently Released NSA Document

Posted By Bruce Schneier

American Cryptology during the Cold War, 1945-1989, by Thomas R. Johnson: documents 1, 2, 3, 4, 5, and 6. In response to a declassification request by the National Security Archive, the secretive National Security Agency has declassified large portions of a four-part "top-secret Umbra" study, American Cryptology during the Cold War. Despite major redactions, this history discloses much new information...

Fri, 02 Jan 2009 12:42:33 UTC

Software Security

Posted By Bruce Schneier

Real-world data on software security programs....

Wed, 31 Dec 2008 20:33:29 UTC

Schneier on Twitter

Posted By Bruce Schneier

This account, "bruceschneier," is not me. This account, "schneier," is me. I have never posted; I don't promise that I ever will....

Wed, 31 Dec 2008 19:39:43 UTC

Forging SSL Certificates

Posted By Bruce Schneier

We already knew that MD5 is a broken hash function. Now researchers have successfully forged MD5-signed certificates: Molnar, Appelbaum, and Sotirov joined forces with the European MD5 research team in mid-2008, along with Swiss cryptographer Dag Arne Osvik. They realized that the co-construction technique could be used to simultaneously generate one normal SSL certificate and one forged certificate, which could...

Wed, 31 Dec 2008 11:44:56 UTC

CDC Bioterrorism Readiness Plan

Posted By Bruce Schneier

From 1999....

Tue, 30 Dec 2008 18:07:06 UTC

NSA Patent on Network Tampering Detection

Posted By Bruce Schneier

The NSA has patented a technique to detect network tampering: The NSA's software does this by measuring the amount of time the network takes to send different types of data from one computer to another and raising a red flag if something takes too long, according to the patent filing. Other researchers have looked into this problem in the past...

Tue, 30 Dec 2008 12:37:54 UTC

Matthew Alexander on Torture

Posted By Bruce Schneier

Alexander is a former Special Operations interrogator who worked in Iraq in 2006. His op-ed is worth reading: I learned in Iraq that the No. 1 reason foreign fighters flocked there to fight were the abuses carried out at Abu Ghraib and Guantanamo. Our policy of torture was directly and swiftly recruiting fighters for al-Qaeda in Iraq. The large majority...

Mon, 29 Dec 2008 20:52:00 UTC

Shoplifting on the Rise in Bad Economy

Posted By Bruce Schneier

From the New York Times: Police departments across the country say that shoplifting arrests are 10 percent to 20 percent higher this year than last. The problem is probably even greater than arrest records indicate since shoplifters are often banned from stores rather than arrested. Much of the increase has come from first-time offenders like Mr. Johnson making rash decisions...

Mon, 29 Dec 2008 13:05:19 UTC

Gunpowder Is Okay to Bring on an Airplane

Posted By Bruce Schneier

Putting it in a clear plastic baggie magically makes it safe: Mind you, I had packed the stuff safely. It was in three separate jars: one of charcoal, one of sulphur, and one of saltpetre (potassium nitrate). Each jar was labeled: Charcoal, Sulphur, Saltpetre. I had also thoroughly wet down each powder with tap water. No ignition was possible. As...

Fri, 26 Dec 2008 22:41:13 UTC

Friday Squid Blogging: Vandals Wreck Giant Squid Collection

Posted By Bruce Schneier

Sad squid news. ...vandals got in by taking advantage of a temporary door, smashed windows and broke display cases containing male and female giant squids each measuring ten metres long as well as skeletons of whales, tortoises, marine birds and fossils. Where was the security?...

Fri, 26 Dec 2008 22:08:19 UTC

Friday Squid Blogging: Bruce Eating Squid

Posted By Bruce Schneier

Bruce eating grilled squid in Wuxi, China, earlier this month....

Fri, 26 Dec 2008 16:38:46 UTC

Interview with Me

Posted By Bruce Schneier

Another one....

Fri, 26 Dec 2008 13:09:54 UTC

CCTV Cameras Going Unmonitored

Posted By Bruce Schneier

This is not surprising at all; when money is scarce, these sorts of things go unfunded. Perhaps the biggest surprise is that people thought the cameras were ever monitored -- generally, they're not....

Wed, 24 Dec 2008 19:31:04 UTC

Securing Cyberspace for the 44th Presidency

Posted By Bruce Schneier

"Securing Cyberspace for the 44th Presidency," by the Center for Strategic and International Studies....

Wed, 24 Dec 2008 17:03:43 UTC

U.S. COMSEC History from 1973

Posted By Bruce Schneier

Just declassified, this document -- A History of U.S. Communications Security (Volumes I and II); the David G. Boak Lectures, National Security Agency (NSA), 1973 -- is definitely worth reading. The first sections are highly redacted, but the remainder is fascinating....

Wed, 24 Dec 2008 12:02:27 UTC

Comparing the Security of Electronic Slot Machines and Electronic Voting Machines

Posted By Bruce Schneier

From the Washington Post. Other important differences: Slot machines are used every day, 24 hours a day. Electronic voting machines are used, at most, twice a year -- often less frequently. Slot machines involve money. Electronic voting machines involve something much more abstract. Slot machine accuracy is a non-partisan issue. For some reason I can't fathom, electronic voting machine accuracy...

Tue, 23 Dec 2008 19:10:01 UTC

DHS Reality Show

Posted By Bruce Schneier

On ABC: Every day the men and women of the Department of Homeland Security patrol more than 100,000 miles of America's borders. This territory includes airports, seaports, land borders, international mail centers, the open seas, mountains, deserts and even cyberspace. Now viewers will get an unprecedented look at the work of these men and women while they use the newest...

Tue, 23 Dec 2008 13:25:15 UTC

Voice Prints

Posted By Bruce Schneier

Seems that it's hard: "There is no such thing as a voice print," he said. "It's a very very dangerous term. There is no single feature of a voice that is indelible that works like a fingerprint does." Many different factors influence how people speak at any particular time and place. "If you're tired or if you have a cold...

Mon, 22 Dec 2008 18:01:41 UTC

Registry of Cell Phone Owners

Posted By Bruce Schneier

In Mexico: Also Tuesday, the Senate voted to create a registry of cell phone owners to combat kidnappings and extortions in which gangs often use untraceable mobile phones to make ransom demands. Telecoms would be required to ask purchasers of cell phones or phone memory chips for their names, addresses and fingerprints, and to turn that information over to investigators...

Mon, 22 Dec 2008 12:16:46 UTC

Food in Defense of a Crime

Posted By Bruce Schneier

Last year, throwing hot coffee in the face of a store clerk was a new robbery tactic. Now, we have a Pizza Hut delivery man throwing a hot pie in the face of a would-be (armed) mugger....

Sun, 21 Dec 2008 22:00:00 UTC

Schneier on 60 Minutes

Posted By Bruce Schneier

I'm on 60 Minutes today. If you're a new reader who has just found me from that show, welcome. Here are links to some of my previous writings about airplane security: Airport Pasta-Sauce Interdiction Considered Harmful The TSA's Useless Photo ID Rules Airline Security a Waste of Cash Airplane Security and Metal Knives I also interviewed Kip Hawley last year....

Fri, 19 Dec 2008 22:49:22 UTC

Friday Squid Blogging: Squid Print

Posted By Bruce Schneier

Squid print....

Fri, 19 Dec 2008 22:45:35 UTC

Friday Squid Blogging: Christmas Squid

Posted By Bruce Schneier

Ho ho ho, everyone....

Fri, 19 Dec 2008 20:08:19 UTC

Security Cartoon: Overly Specific Countermeasures

Posted By Bruce Schneier

At President Bush's press conferences....

Fri, 19 Dec 2008 16:05:06 UTC

Dilbert on Computer Security

Posted By Bruce Schneier

Funny....

Fri, 19 Dec 2008 12:56:50 UTC

"Nut Allergy" Fear and Overreaction

Posted By Bruce Schneier

Good article: Professor Nicolas Christakis, a professor of medical sociology at Harvard Medical School, told the BMJ there was "a gross over-reaction to the magnitude of the threat" posed by food allergies, and particularly nut allergies. In the US, serious allergic reactions to foods cause just 2,000 of more than 30 million hospitalisations a year and comparatively few deaths --...

Thu, 18 Dec 2008 20:21:55 UTC

Schneier on 60 Minutes

Posted By Bruce Schneier

I'll be on 60 Minutes this Sunday. I honestly don't know how it will look; it wasn't my best interview....

Thu, 18 Dec 2008 16:19:25 UTC

Bypassing Airport Checkpoints

Posted By Bruce Schneier

From a reader: I always get a giggle from reading about TSA security procedures, because of what I go through during my occasional job at an airport. I repair commercial kitchen cooking equipment -- restaurants etc. On occasion I have to go to restaurants inside a nearby airport terminal to repair equipment, sometimes needing a return trip with parts. So...

Thu, 18 Dec 2008 12:42:07 UTC

James Bamford Interview on the NSA

Posted By Bruce Schneier

Worth reading. One excerpt: The problem is that NSA was never designed for what it's doing. It was designed after World War II to prevent another surprise attack from another nation-state, particularly the Soviet Union. And from 1945 or '46 until 1990 or '91, that's what its mission was. That's what every piece of equipment, that's what every person recruited...

Wed, 17 Dec 2008 22:29:09 UTC

DNS Dead Drop

Posted By Bruce Schneier

Clever....

Wed, 17 Dec 2008 17:52:45 UTC

Brazilian Logging Firms Hire Hackers to Modify Logging Limits

Posted By Bruce Schneier

Interesting: Some Brazilian states used a computerised allocation system to levy how much timber can be logged in each area. However, logging firms attempted to subvert these controls by hiring hackers to break systems and increase the companies' allocations. Greenpeace reckons these types of computer swindles were responsible for the excess export of 1.7 million cubic metres of timber (or...

Wed, 17 Dec 2008 12:38:58 UTC

Ed Felten on TSA Behavioral Screening

Posted By Bruce Schneier

Good comment: Now suppose that TSA head Kip Hawley came to you and asked you to submit voluntarily to a pat-down search the next time you travel. And suppose you knew, with complete certainty, that if you agreed to the search, this would magically give the TSA a 0.1% chance of stopping a deadly crime. You'd agree to the search,...

Tue, 16 Dec 2008 21:43:13 UTC

Arming New York City Police with Machine Guns

Posted By Bruce Schneier

I have mixed feelings about this: The NYPD wants all 1,000 Police Academy recruits trained to use M4 automatic machine guns - which are now carried only by the 400 cops in its elite Emergency Service Unit - in time for the holiday celebration in Times Square. On the one hand, deploying these weapons seems like a bad idea. On...

Tue, 16 Dec 2008 16:47:42 UTC

Buying Fake Nintendo Consoles Helps Terrorists

Posted By Bruce Schneier

Really: Speaking to the BBC, HMRC spokesperson Clare Merrills warned that faulty counterfeit consoles could be unsafe. "You might find you plug it in and the adaptor sets on fire or the wires start to melt and stick out," she warned. "When you buy these goods, you're not funding our economy, you're actually funding criminals in these far off places...

Tue, 16 Dec 2008 12:25:07 UTC

Snipers

Posted By Bruce Schneier

Really interesting article on snipers: It might be because there's another side to snipers and sniping after all. In particular, even though a sniper will often be personally responsible for huge numbers of deaths -- body counts in the hundreds for an individual shooter are far from unheard of -- as a class snipers kill relatively few people compared to...

Mon, 15 Dec 2008 20:34:49 UTC

Hollow Coins

Posted By Bruce Schneier

Cheap....

Mon, 15 Dec 2008 18:23:14 UTC

How to Steal the Empire State Building

Posted By Bruce Schneier

A reporter managed to file legal papers, transferring ownership of the Empire State Building to himself. Yes, it's a stunt: The office of the city register, upon receipt of the phony documents prepared by the newspaper, transferred ownership of the 102-story building from Empire State Land Associates to Nelots Properties, LLC. Nelots is "stolen" spelled backward. To further enhance the...

Mon, 15 Dec 2008 12:07:11 UTC

Killing Robot Being Tested by Lockheed Martin

Posted By Bruce Schneier

Wow: The frightening, but fascinatingly cool hovering robot - MKV (Multiple Kill Vehicle), is designed to shoot down enemy ballistic missiles. A video released by the Missile Defense Agency (MDA) shows the MKV being tested at the National Hover Test Facility at Edwards Air Force Base, in California. Inside a large steel cage, Lockheed's MKV lifts off the ground, moves...

Fri, 12 Dec 2008 20:18:05 UTC

Friday Squid Blogging: Petrified Squid

Posted By Bruce Schneier

Petrified squid pictures. And a new cartoon....

Fri, 12 Dec 2008 18:22:22 UTC

Influential Security Professionals

Posted By Bruce Schneier

I have been named as one of the 25 most influential people in the security industry....

Fri, 12 Dec 2008 12:21:28 UTC

Jim Harper Responds to My Comments on Fingerprinting Foreigners at the Border

Posted By Bruce Schneier

Good comments: Anyway, turning someone away from the border is a trivial security against terrorism because terrorists are fungible. Turning away a known terrorist merely inconveniences a terrorist group, which just has to recruit someone different. The 9/11 attacks were conducted for the most part by people who had no known record of terrorism and who arrived on visas granted...

Thu, 11 Dec 2008 22:21:05 UTC

Another Schneier on Security Book Review

Posted By Bruce Schneier

Another book review. Remember, you can order your signed copies here. They make great Christmas presents....

Thu, 11 Dec 2008 19:16:52 UTC

More SHA-3 News

Posted By Bruce Schneier

NIST has published all 51 first-round candidates. (Presumably the other submissions -- we heard they received 64 -- were rejected because they weren't complete.) You can download the submission package from the NIST page. The SHA-3 Zoo is still the best source for up-to-date cryptanalysis information. Various people have been trying to benchmark the performance of the candidates, but --...

Thu, 11 Dec 2008 12:55:24 UTC

Remote-Controlled Thermostats

Posted By Bruce Schneier

People just don't understand security: Mr. Somsel, in an interview Thursday, said he had done further research and was concerned that the radio signal — or the Internet instructions that would be sent, in an emergency, from utilities' central control stations to the broadcasters sending the FM signal — could be hacked into. That is not possible, said Nicole Tam,...

Wed, 10 Dec 2008 20:21:45 UTC

Audit

Posted By Bruce Schneier

As the first digital president, Barack Obama is learning the hard way how difficult it can be to maintain privacy in the information age. Earlier this year, his passport file was snooped by contract workers in the State Department. In October, someone at Immigration and Customs Enforcement leaked information about his aunt's immigration status. And in November, Verizon employees peeked...

Wed, 10 Dec 2008 13:02:54 UTC

Disguised USB Drive

Posted By Bruce Schneier

This is a 2 Gig USB drive disguised as a piece of frayed cable. You'll still want to encrypt it, of course, but it is likely to be missed if your bags are searched at customs, the police raid your house, or you lose it....

Tue, 09 Dec 2008 18:58:01 UTC

Who Worries About Terrorism?

Posted By Bruce Schneier

The paper, "Terrorism-Related Fear and Avoidance Behavior in a Multiethnic Urban Population," is for subscribers only. Abstract Objectives. We sought to determine whether groups traditionally most vulnerable to disasters would be more likely than would be others to perceive population-level risk as high (as measured by the estimated color-coded alert level) would worry more about terrorism, and would avoid activities...

Tue, 09 Dec 2008 13:22:50 UTC

Flying While Armed

Posted By Bruce Schneier

Two years ago, all it took to bypass airport security was filling out a form: Grant was flying from Boston to San Diego on Jan. 1, 2007, when he approached an American Airlines ticket counter at Logan International Airport and flashed a badge he carries as a part-time assistant harbor master in Chatham, according to federal prosecutors. Grant, a medical...

Mon, 08 Dec 2008 20:20:50 UTC

Mumbai Terrorists Used Google Earth, Boats, Food

Posted By Bruce Schneier

The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people: Google Earth has previously come in for criticism in India, including from the country's former president, A.P.J. Abdul Kalam. Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused...

Mon, 08 Dec 2008 12:54:36 UTC

Tourist Scams

Posted By Bruce Schneier

Interesting list of tourist scams: I have only heard of this happening in Spain on the Costa del Sol, but it could happen anywhere. This scam depends on you paying a restaurant/bar bill in cash, usually with a €50 note. The waiter will take your payment, then return shortly after, apologetically telling you that the note is a fake and...

Fri, 05 Dec 2008 22:38:57 UTC

Friday Squid Blogging: Elbowed Squid

Posted By Bruce Schneier

Very alien-like....

Fri, 05 Dec 2008 22:03:32 UTC

Friday Squid Blogging: Colossal Squid Causes Traffic Jam

Posted By Bruce Schneier

Remember the colossal squid defrosted live on the Internet? It stopped traffic in Wellington, New Zealand....

Fri, 05 Dec 2008 18:54:28 UTC

Protecting Yourself from Hotel Terrorism

Posted By Bruce Schneier

I stand by my quote: Also, my personal security guru, Bruce Schneier, says it's foolish even to worry about hotel safety, because the chances of something happening on any particular night in any particular hotel are vanishingly small. The taxi ride to the hotel is invariably more dangerous than the hotel itself. But if you tend to stay in targeted...

Fri, 05 Dec 2008 13:01:40 UTC

Prisoner Escapes by Mailing Himself Out of Jail

Posted By Bruce Schneier

So maybe this isn't an obvious tactic, and maybe large packages coming into a prison are searched more thoroughly than large packages leaving a prison -- but you'd expect prison guards to pay attention to anything large enough for a person to fit into. At the end of his shift, the inmate climbed into a cardboard box and was taken...

Thu, 04 Dec 2008 19:04:34 UTC

Cyberattacks Against NASA

Posted By Bruce Schneier

It's been going on for a while....

Thu, 04 Dec 2008 12:17:26 UTC

Credit Card with One-Time Password Generator

Posted By Bruce Schneier

This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn't say if the code is time-based or just sequence-based, but in either case the credit...

Wed, 03 Dec 2008 19:59:58 UTC

Hacking a Teleprompter

Posted By Bruce Schneier

Funny....

Wed, 03 Dec 2008 14:20:20 UTC

Who Falls for those Nigerian 419 Scams Anyway?

Posted By Bruce Schneier

This is the story of a woman who sent the scammers $400K: She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for. For more than two years, Spears sent tens and hundreds of thousands of dollars. Everyone she knew, including law enforcement officials, her family and...

Tue, 02 Dec 2008 20:15:36 UTC

TSA Aiding Luggage Thieves

Posted By Bruce Schneier

In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph: They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for. Someone should investigate the...

Tue, 02 Dec 2008 13:53:20 UTC

Evolutionary Perspectives of War

Posted By Bruce Schneier

This looks like it was a very interesting conference. And here's a random paper on the subject....

Mon, 01 Dec 2008 18:02:50 UTC

Communications During Terrorist Attacks are Not Bad

Posted By Bruce Schneier

Twitter was a vital source of information in Mumbai: News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage. The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city....

Mon, 01 Dec 2008 14:03:41 UTC

Lessons from Mumbai

Posted By Bruce Schneier

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of...

Fri, 28 Nov 2008 22:09:02 UTC

Friday Squid Blogging: Cooking a Humboldt Squid

Posted By Bruce Schneier

I thought that large squid were too chewy and not very tasty, but this person cooked a 30-pound Humboldt squid....

Fri, 28 Nov 2008 17:39:01 UTC

Terrorism Survival Bundle for Windows Mobile

Posted By Bruce Schneier

Seems not to be a joke....

Fri, 28 Nov 2008 12:30:22 UTC

1941 Pencil-and-Paper Cipher

Posted By Bruce Schneier

Fascinating photo and explanation....

Thu, 27 Nov 2008 18:27:35 UTC

FBI Stoking Fear

Posted By Bruce Schneier

Another unsubstantiated terrorist plot: An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system. [...] The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly...

Thu, 27 Nov 2008 14:39:38 UTC

Victoria's Secret Competition Gets Hacked

Posted By Bruce Schneier

Colleges aren't assigning enough homework these days. In seriousness, it's hard to prevent ballot stuffing in online polls....

Wed, 26 Nov 2008 18:43:33 UTC

New DHS Head Understands Security

Posted By Bruce Schneier

This quote impresses me: Gov. Janet Napolitano, D-Ariz., is smashing the idea of a border wall, stating it would be too expensive, take too long to construct, and be ineffective once completed. "You show me a 50-foot wall and I'll show you a 51-foot ladder at the border. That's the way the border works," Napolitano told the Associated Press. Instead...

Wed, 26 Nov 2008 12:06:43 UTC

Government Can Determine Location of Cell Phones without Telco Help

Posted By Bruce Schneier

Interesting: Triggerfish, also known as cell-site simulators or digital analyzers, are nothing new: the technology was used in the 1990s to hunt down renowned hacker Kevin Mitnick. By posing as a cell tower, triggerfish trick nearby cell phones into transmitting their serial numbers, phone numbers, and other data to law enforcement. Most previous descriptions of the technology, however, suggested that...

Tue, 25 Nov 2008 13:39:13 UTC

Here Comes Everybody Review

Posted By Bruce Schneier

In 1937, Ronald Coase answered one of the most perplexing questions in economics: if markets are so great, why do organizations exist? Why don't people just buy and sell their own services in a market instead? Coase, who won the 1991 Nobel Prize in Economics, answered the question by noting a market's transaction costs: buyers and sellers need to find...

Mon, 24 Nov 2008 20:06:41 UTC

The Future of Ephemeral Conversation

Posted By Bruce Schneier

When he becomes president, Barack Obama will have to give up his BlackBerry. Aides are concerned that his unofficial conversations would become part of the presidential record, subject to subpoena and eventually made public as part of the country's historical record. This reality of the information age might be particularly stark for the president, but it's no less true for...

Mon, 24 Nov 2008 12:26:07 UTC

BNP Database Leaked

Posted By Bruce Schneier

This is a big deal. British National Party (BNP, a far-right nationalist party) membership and contacts list. 12,801 individuals are represented. Contains contact details and notes on selected party members and (possibly) other individuals. The list has been independently verified by Wikileaks staff as predominantly containing current or ex-BNP members, however other individuals who have donated to the BNP or...

Fri, 21 Nov 2008 22:20:18 UTC

Friday Squid Blogging: Preserving Giant Squid

Posted By Bruce Schneier

At the Smithsonian: At the center of the Smithsonian Institution's National Museum of Natural History's gleaming new Sant Ocean Hall lies a preserved giant female squid -- the arresting, spineless star among the vibrant exhibition's animal specimens. Tentacles menacingly outstretched and seemingly frozen in time, the 24-foot squid embodies humans' fascination with the briny deep. But this squid also symbolizes something...

Fri, 21 Nov 2008 19:07:38 UTC

Lego Safe

Posted By Bruce Schneier

Nice: You might think that a Lego safe would be easy to open. Maybe just remove a few bricks and you're in. But that's not the case with this thing, the cutting edge of Lego safe technology. The safe weighs 14 pounds and has a motion detecting alarm so it can't be moved without creating a huge ruckus....

Fri, 21 Nov 2008 17:47:28 UTC

Online Age Verification

Posted By Bruce Schneier

A discussion of the security trade-off: Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat -- the menace of online sex predators -- with a far more pervasive danger from online marketers like junk food and toy companies that will rush to...

Fri, 21 Nov 2008 12:23:19 UTC

When Sky Marshals Do Bad Things

Posted By Bruce Schneier

They're not even close to perfect: Since 9/11, more than three dozen federal air marshals have been charged with crimes, and hundreds more have been accused of misconduct, an investigation by ProPublica, a non-profit journalism organization, has found. Cases range from drunken driving and domestic violence to aiding a human-trafficking ring and trying to smuggle explosives from Afghanistan. The meta-problem...

Thu, 20 Nov 2008 13:26:13 UTC

Secret German IP Addresses Leaked

Posted By Bruce Schneier

From Wikileaks: The PDF document holds a single paged scan of an internally distributed mail from German telecommunications company T-Systems (Deutsche Telekom), revealing over two dozen secret IP address ranges in use by the German intelligence service Bundesnachrichtendienst (BND). Independent evidence shows that the claim is almost certainly true and the document itself has been verified by a demand letter...

Wed, 19 Nov 2008 19:33:11 UTC

RIAA Lawsuits May Be Unconstitutional

Posted By Bruce Schneier

Harvard law professor Charles Nesson is arguing, in court, that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is unconstitutional: He makes the argument that the Digital Theft Deterrence and Copyright Damages Improvement Act of 1999 is very much unconstitutional, in that its hefty fines for copyright infringement (misleadingly called "theft" in the title of the bill)...

Wed, 19 Nov 2008 12:14:48 UTC

Skein and SHA-3 News

Posted By Bruce Schneier

There are two bugs in the Skein code. They are subtle and esoteric, but they're there. We have revised both the reference and optimized code -- and provided new test vectors -- on the Skein website. A revision of the paper -- Version 1.1 -- has new IVs, new test vectors, and also fixes a few typos in the paper....

Tue, 18 Nov 2008 19:46:24 UTC

Schneier for TSA Administrator

Posted By Bruce Schneier

It's been suggested. For the record, I don't want the job. Since the election, the newspapers and Internet have been flooded with unsolicited advice for President-elect Barack Obama. I'll go ahead and add mine. [...] And by "revamp," I mean "start over." Most security experts agree that the rigmarole we go through at the airport is mere security theater, designed...

Tue, 18 Nov 2008 12:32:42 UTC

The Neuroscience of Cons

Posted By Bruce Schneier

Fascinating: The key to a con is not that you trust the conman, but that he shows he trusts you. Conmen ply their trade by appearing fragile or needing help, by seeming vulnerable. Because of THOMAS [The Human Oxytocin Mediated Attachment System], the human brain makes us feel good when we help others--this is the basis for attachment to family...