Author Archive

Schneier on Security: NSA Patents Available for License

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

There’s a new article on NSA’s Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn’t find anything interesting in the catalog. Does anyone see something I missed?

My guess is that the good stuff remains classified, and isn’t “transferred” to anyone.

Slashdot thread.

Schneier on Security: Friday Squid Blogging: Squid Fishing Moves North in California


Warmer waters are moving squid fishing up the California coast.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: Medical Records Theft and Fraud


There’s a Reuters article on new types of fraud using stolen medical records. I don’t know how much of this is real and how much is hype, but I’m certain that criminals are looking for new ways to monetize stolen data.

Schneier on Security: Security Trade-offs of Cloud Backup


This is a good essay on the security trade-offs with cloud backup:

iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

  • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.

  • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

Ideally, the companies that provide such services minimize the risk of your account being hijacked while maximizing the simplicity and ease of setting it up and using it. But clearly these two goals are in conflict. There’s no way around the fact that the proper balance is somewhere in between maximal security and minimal complexity.

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they’d had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

It is thus, in my opinion, terribly irresponsible to advise people to blindly not trust Apple (or Google, or Dropbox, or Microsoft, etc.) with “any of your data” without emphasizing, clearly and adamantly, that by only storing their data on-device, they greatly increase the risk of losing everything.

It’s true. For most people, the risk of data loss is greater than the risk of data theft.

Schneier on Security: Nasty Vulnerability found in Bash


It’s a big and nasty one.

Invariably we’re going to see articles pointing at this and at Heartbleed and claim a trend in vulnerabilities in open-source software. If anyone has any actual data other than two instances and the natural human tendency to generalize, I’d like to see it.

Schneier on Security: Julian Sanchez on the NSA and Surveillance Reform


Julian Sanchez of the Cato Institute has a lengthy audio interview on NSA surveillance and reform. Worth listening to.

Schneier on Security: Detecting Robot-Handwriting


Interesting article on the arms race between creating robot “handwriting” that looks human, and detecting text that has been written by a robot. Robots will continue to get better, and will eventually fool all of us.

Schneier on Security: Lesson in Successful Disaster Planning


I found the story of the Federal Reserve on 9/11 to be fascinating. It seems they just flipped a switch on all their Y2K preparations, and it worked.

Schneier on Security: Kill Switches for Weapons


Jonathan Zittrain argues that our military weapons should be built with a kill switch, so they become useless when they fall into enemy hands.

Schneier on Security: Security for Vehicle-to-Vehicle Communications


The National Highway Traffic Safety Administration (NHTSA) has released a report titled “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application.” It’s very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can’t be spoofed, and privacy to ensure that the communications can’t be used to track cars. It’s nice to see this sort of thing thought about in the beginning, when the system is first being designed, and not tacked on at the end.

Schneier on Security: Friday Squid Blogging: Colossal Squid Dissected in New Zealand


Months after it was found in August, scientists have dissected a colossal squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: iOS 8 Security


Apple claims that they can no longer unlock iPhones, even if the police show up with a warrant. Of course they still have access to everything in iCloud, but it’s a start.

Schneier on Security: Fake Cell Phone Towers Across the US


Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation’s Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that’s part of CryptoPhone from the German company GSMK. And in both cases, we don’t know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can’t regulate who gets to use it. The FBI has been protecting Stingray like it’s an enormous secret, but it’s not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can’t choose a world where the US gets to spy and the Chinese don’t. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I’m tired of us choosing surveillance over security.

Schneier on Security: Terrible Article on Vernam Ciphers


If there’s anything that confuses wannabe cryptographers, it’s one-time pads.

Schneier on Security: The Full Story of Yahoo’s Fight Against PRISM


In 2008 Yahoo fought the NSA to avoid becoming part of the PRISM program. They eventually lost their court battle, and at one point were threatened with a $250,000 a day fine if they continued to resist. I am continually amazed at the extent of the government coercion.

Schneier on Security: Identifying Dread Pirate Roberts


According to court documents, Dread Pirate Roberts was identified because a CAPTCHA service used on the Silk Road login page leaked the users’ true location.

Schneier on Security: Tracking People From their Cellphones with an SS7 Vulnerability


What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

Schneier on Security: Two New Snowden Stories


New Zealand is spying on its citizens. Edward Snowden weighs in personally.

The NSA and GCHQ are mapping the entire Internet, including hacking into Deutsche Telekom.

Schneier on Security: Security of the SHA Family of Hash Functions


Good article on the insecurity of SHA-1 and the need to replace it sooner rather than later.

Schneier on Security: Friday Squid Blogging: 200-Pound Squid Found in Gulf of Mexico


A 200-pound dead giant squid was found near the coast of Matagorda, Texas. This is only the third giant squid ever found in the Gulf of Mexico.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security: The Concerted Effort to Remove Data Collection Restrictions


Since the beginning, data privacy regulation focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update).

Recently, there has been a concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft’s Craig Mundie argues this. So does the PCAST report. And the World Economic Forum. This is a lobbying effort by US business. My guess is that the companies are much more worried about collection restrictions than use restrictions. They believe that they can slowly change use restrictions once they have the data, but that it’s harder to change collection restrictions and get the data in the first place.

We need to regulate collection as well as use. In a new essay, Chris Hoofnagle explains why.

Schneier on Security: Tabnapping: A New Phishing Attack


Aza Raskin describes a new phishing attack: taking over a background tab on a browser to trick people into entering in their login credentials. Clever.

Schneier on Security: WikiLeaks Spy Files


WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It’s worth wandering around through all this material.