Schneier on Security : Hacking Subway’s POS System

This post was syndicated from: Schneier on Security and was written by: schneier. Original post: at Schneier on Security

The story of how Subway’s point-of-sale system was hacked for $3 million.

Schneier on Security : Merry Christmas from the TSA

Cupcakes deemed security threat:

Rebecca Hains says she was going through security at the airport in Las Vegas when a TSA agent pulled her aside and said the cupcake frosting was “gel-like” enough to constitute a security risk.

The TSA has officially jumped the shark.

Schneier on Security : Friday Squid Blogging: Goldman Sachs and the Vampire Squid Metaphor

It’s a metaphor that will not die.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security : Santa Hacked

Mildly amusing video.

Schneier on Security : Me on Airport Security

Charles Mann made me the central focus of his article on airport security for Vanity Fair. (Mann also wrote about me in 2002 for The Atlantic.) The article was supposed to have been in the tenth-anniversary-of-9/11 issue, but got delayed.

Schneier on Security : Human Ear Biometric

I have no idea how good this biometric actually is.

Schneier on Security : Giveaway: Liars and Outliers Galleys

My box of galley copies arrived in the mail yesterday. They’re filled with uncorrected typos, but otherwise look great. Wiley printed about 500 of them, and they’re mostly going to journalists and book reviewers, with some going to different wholesale and retail outlets. I have 20 copies to give away to readers of my blog and Crypto-Gram.

Earlier this month, I asked readers to suggest methods of distribution. There were a lot of good suggestions, but one stood out:

The best way to achieve that may be by letting people hand it personally to an ‘opinion leader.’ Their argument for which ‘opinion leader’ they think is most important *and* needs to read this the most (could be someone who talks out of his ass on the subject) gives you a good selection criterion, as well as giving some people an excuse to visit an ‘opinion leader.’

So that’s the plan. If you want a book, you have to promise to give a book to someone else. This someone should be a person who doesn’t otherwise know about me, and wouldn’t otherwise know about my book. This should be someone who would enjoy my book, and who would be likely to spread the word to others. Maybe it’s the CEO of the company you work for. Maybe it’s someone in politics. Maybe it’s just someone who influences the thinking of a lot of people. It shouldn’t be someone who would just dismiss my book out of hand, or not bother reading it because he already knows what he thinks. It should be someone who will read the book, think about it, and tell others about it.

Sometime between now and Christmas Day, send an e-mail whose subject matches the subject line of this post to schneier@schneier.com. Tell me who you’re going to give the book to and why. I’ll randomly choose ten people from those e-mails and ask them for their physical addresses. (This way, only winners have to mail me their addresses.) I’ll send each of the winners two copies of the galley: one for the winner, and the other for the winner’s thought leader. If Wiley sends me more galleys to give away, I will simply choose more winners.

Of course, I have no way of verifying that the winners actually comply. Someone could keep one copy of the galley and auction the other on eBay. I can’t stop that, but I will be cross if it happens. And I will number the galleys, so if I do ever see the book, I will know who did it.

Thank you to reader Jur, who suggested this method of distributing galley copies to my readers in response to my request. Jur, email me with your address and I will send you a copy of the galley.

Schneier on Security : Chinese Hacking of iBahn Internet Services

Citing unexplained “intelligence data,” an unnamed “senior intelligence official,” and an anonymous “privacy security official,” Bloomberg News claims that iBahn — the company that runs Internet services for a bunch of hotel chains — has been hacked by the Chinese. The rest of the story is pretty obvious: all sorts of private e-mails stolen, corporate networks hacked via iBahn, China does a lot of hacking, and so on. iBahn has denied the story.

Come on, people. I know that China hacking stories are plausible, but the bar for actual evidence should be higher than this.

Schneier on Security : Multiple Protocol Attacks

In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here’s an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number.

I have to admit this puzzles me, because I thought there was a standard for masking credit card numbers. I only ever see all digits except the final four masked.

Schneier on Security : How to Open a Padlock with a Coke Can

A nice tutorial on making and using shims to open padlocks.

Schneier on Security : Plasmonics Anti-Counterfeiting Technology

This could be interesting:

NOtES exploits an obscure area of physics to accomplish its bright and sharp display, known as plasmonics. Light waves interact with the array of nano-scale holes on a NOtES display–which are typically 100-200 nanometers in diameter–in a way that creates what are called “surface plasmons.” In the words of the company, this means light “[collects] on the film’s surface and creates higher than expected optical outputs by creating an electromagnetic field, called surface plasmonic resonance.”

[...]

And security, surprisingly, is one of the major applications of these light-amplifying tiny holes. Compared with things like holograms, NOtES has a number of advantages. For one, the technology consists of nothing more than an array of tiny holes, which means it can literally be stamped into anything. Nanotech Security is in talks with the Bank of Canada, whose new plastic bills are a perfect candidate for security measures embedded using NOtES.

[...]

Using a physical stamp, Nanotech Security can imprint its minuscule holes into bills even after they’ve been printed, instantly transforming the area of the bill that’s been stamped into something that resembles a tiny LED. It’s just like the old-school printing process that yields embossed invitations and business cards, except that instead of pressing “save the date” into cardstock, a nickel stamp covered with nano-scale bumps presses corresponding holes into a material.

The results aren’t just visually crisp, they’re also good for keeping things top secret. That’s because the NOtES process yields a surface that reflects light from ultraviolet all the way into the far infrared, or wavelengths outside what we can see, but which can easily be read by machines. This opens up the potential for NOtES to be used to create watermarks on bills that counterfeiters can’t even see.

Anti-counterfeiting technologies have a difficult set of requirements. They need to be cheap for legitimate currency printers, and at the same time expensive for counterfeiters. That this technology can encode unique serial numbers — or even digital signatures of unique serial numbers — onto paper currency would be a big deal.
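
The last sentence above, that the stamp could carry a digital signature of the note's serial number, as an added Go example (not code from the post or from Nanotech Security): the issuer signs each serial with an Ed25519 private key, and any reader that holds only the public key can verify it. The Note layout, the serial format, the fixed demo seed and the Registry type are assumptions for illustration. The example also carries the caveat a practitioner would raise against the post's requirement of "cheap for the printer, expensive for the counterfeiter": a signature stops a counterfeiter from minting new serials or altering an existing one, but an exact copy of a genuine (serial, signature) pair verifies just as well as the original, so cloning has to be caught either by the physical feature being hard to reproduce or by a verifier that notices the same serial twice.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Note is what the stamp would carry: a serial and the issuer's signature
// over it. Hypothetical layout for the demo; the post specifies none.
type Note struct {
	Serial    string
	Signature []byte
}

// demoIssuerKey derives the issuer's signing key from a fixed seed so the
// demo is reproducible. A real issuer generates the seed with crypto/rand
// and keeps it offline; this all-zero seed is for illustration only.
func demoIssuerKey() ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize) // all zero: demo only
	return ed25519.NewKeyFromSeed(seed)
}

// Mint signs a serial. Only the holder of the private key can do this,
// which is what makes new notes expensive for a counterfeiter.
func Mint(priv ed25519.PrivateKey, serial string) Note {
	return Note{Serial: serial, Signature: ed25519.Sign(priv, []byte(serial))}
}

// Registry is a verifier (a bank counter, an ATM) that knows only the
// public key and remembers which serials it has already accepted.
type Registry struct {
	pub  ed25519.PublicKey
	seen map[string]bool
}

func NewRegistry(pub ed25519.PublicKey) *Registry {
	return &Registry{pub: pub, seen: make(map[string]bool)}
}

// Accept checks the signature, then the serial against the registry.
// The signature catches forged or altered serials; the registry is the
// only defence here against an exact clone, since a copied
// (serial, signature) pair verifies just as well as the original.
func (r *Registry) Accept(n Note) (bool, string) {
	if !ed25519.Verify(r.pub, []byte(n.Serial), n.Signature) {
		return false, "bad signature"
	}
	if r.seen[n.Serial] {
		return false, "duplicate serial (cloned note?)"
	}
	r.seen[n.Serial] = true
	return true, "ok"
}

func main() {
	priv := demoIssuerKey()
	reg := NewRegistry(priv.Public().(ed25519.PublicKey))

	genuine := Mint(priv, "AB12345678") // constructed serial
	fmt.Println(reg.Accept(genuine))    // true ok

	// Counterfeiter reuses a genuine signature on a new serial.
	forged := Note{Serial: "AB12345679", Signature: genuine.Signature}
	fmt.Println(reg.Accept(forged)) // false bad signature

	// Counterfeiter clones the genuine note exactly: the signature
	// verifies, and only the registry notices.
	fmt.Println(reg.Accept(genuine)) // false duplicate serial (cloned note?)
}
```

The design choice worth noting is why this is a signature and not a MAC: with a MAC every verifier would hold the issuing secret, and a stolen ATM would become a printing press. With a signature the verifiers hold nothing a counterfeiter can use.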

Schneier on Security : Friday Squid Blogging: Squid Season

It’s squid season off the coast of Southern California.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security : Me Speaking on Cryptography in 1997

In 1997, I spoke at the Beyond HOPE Conference in New York. (HOPE stood for “Hackers On Planet Earth.”) A video of that talk is available online.

Schneier on Security : Cameo in a Rock Video

At the 1:46 mark, you’ll see my first cameo appearance in a transvestite-themed rock video.

Schneier on Security : More on the Captured U.S. Drone

There’s a report that Iran hacked the drone’s GPS system:

“The GPS navigation is the weakest point,” the Iranian engineer told the Monitor, giving the most detailed description yet published of Iran’s “electronic ambush” of the highly classified US drone. “By putting noise [jamming] on the communications, you force the bird into autopilot. This is where the bird loses its brain.”

The “spoofing” technique that the Iranians used — which took into account precise landing altitudes, as well as latitudinal and longitudinal data — made the drone “land on its own where we wanted it to, without having to crack the remote-control signals and communications” from the US control center, says the engineer.

More stories

The Aviationist has consistently had the best analysis of this, and here it talks about the Tehran Times report that Iran has four Israeli and three U.S. drones.

My original blog post.

Schneier on Security : Snow Cone Machines for Homeland Security

When you give out money based on politics, without any accounting, this is what you get:

The West Michigan Shoreline Regional Development Commission (WMSRDC) is a federal- and state-designated agency responsible for managing and administrating the homeland security program in Montcalm County and 12 other counties.

The WMSRDC recently purchased and transferred homeland security equipment to these counties — including 13 snow cone machines at a total cost of $11,700.

Wait. It gets funnier:

“It is used to attract people so they can be educated and prepared for homeland security,” Dey said from his office in Muskegon. “More importantly, they (homeland security officials) felt in a medical emergency the machine was capable of making ice packs which could be used for medical purposes.”

This is excellent commentary.

Schneier on Security : The EFF’s Sovereign Key Proposal

Proposal here.

Schneier on Security : Investigative Report on "Buckshot Yankee"

This is a really good analysis about the Buckshot Yankee attack against the classified military computer network in 2008. It contains a bunch of details I had not previously known.

Schneier on Security : Liars and Outliers Galleys

My publisher is printing galley copies of Liars and Outliers. If anyone out there has a legitimate reason to get one, like writing book reviews for a newspaper, magazine, popular blog, etc., send me an e-mail and I’ll forward your request to Wiley’s PR department. I think they’ll be ready in a week or so, although it might be after the new year.

Additionally, I’m going to get 10 to 20 copies that I’d like to give away to readers of this blog. I’m not sure how to do it, though. Offering copies to “the first N people who leave a comment” would discriminate based on time zone. Giving copies away randomly to commenters seems, well, too easy. The person in charge of PR at Wiley wants me to give copies away randomly to people who “like” me on Facebook or tweet about me to their friends, or do some other sort of fake distributed marketing thing, but I’m not going to do that.

So to start, I’ve decided to give away a free galley copy of Liars and Outliers to the person who can come up with the best way to give away free galley copies of Liars and Outliers. Leave your suggestions in comments.

Schneier on Security : Feeling vs. Reality of Security in Sparrows

Sparrows have fewer surviving offspring if they feel insecure, regardless of whether they actually are insecure. Liana Y. Zanette, Aija F. White, Marek C. Allen, and Michael Clinchy, “Perceived Predation Risk Reduces the Number of Offspring Songbirds Produce per Year,” Science, 9 Dec 2011:

Abstract: Predator effects on prey demography have traditionally been ascribed solely to direct killing in studies of population ecology and wildlife management. Predators also affect the prey’s perception of predation risk, but this has not been thought to meaningfully affect prey demography. We isolated the effects of perceived predation risk in a free-living population of song sparrows by actively eliminating direct predation and used playbacks of predator calls and sounds to manipulate perceived risk. We found that the perception of predation risk alone reduced the number of offspring produced per year by 40%. Our results suggest that the perception of predation risk is itself powerful enough to affect wildlife population dynamics, and should thus be given greater consideration in vertebrate conservation and management.

Seems as if the sparrows could use a little security theater.

Schneier on Security : Yet More Fear-Mongering from the DHS

Al Qaeda is sewing bombs into people. Actually, not really. This is an “aspirational” terrorist threat, which basically means that someone mentioned it while drunk in a bar somewhere. Of course, that won’t stop the DHS from trying to terrorize people with the idea and the security-industrial complex from selling us an expensive “solution” to reduce our fears.

Wired: “So: a disruptive, potentially expensive panic based on a wild aspirational scheme? Actually, that sounds a lot like al-Qaida. And the TSA.”

Me: “Refuse to be terrorized.”

Schneier on Security : Assessing Terrorist Threats to Commercial Aviation

This article on airplane security says many of the same things I’ve been saying for years:

Given the breadth and complexity of threats to commercial aviation, those who criticize the TSA and other aviation security regulatory agencies for reactive policies and overly narrow focus appear to have substantial grounding. Three particularly serious charges can be levied against the TSA: it overemphasizes defending against specific attack vectors (such as hijackings or passenger-borne IEDs) at the expense of others (such as insider threats or attacks on airports); it overemphasizes securing U.S. airports while failing to acknowledge the significantly greater threat posed to flights arriving or departing from foreign airports; and it has failed to be transparent with the American people that certain threats are either extremely difficult or beyond the TSA’s ability to control. Furthermore, the adoption of cumbersome aviation security measures in the wake of failed attacks entails a financial burden on both governments and the airline industry, which has not gone unnoticed by jihadist propagandists and strategists. While the U.S. government has spent some $56 billion on aviation security measures since 9/11, AQAP prominently noted that its 2010 cargo plot cost a total of $4,900.

The author is a former Delta advisor. Wired talked to him:

Brandt says aviation security needs a fundamental overhaul. Not only is the aviation industry failing to keep up with the new terrorist tactics, TSA’s regimen of scanning and groping is causing a public backlash. “From the public’s perspective, this kind of refocusing would reduce the amount of screening they have to put up with in the United States,” Brandt tells Danger Room, “and refocus it where it’s needed.”

[...]

None of this is going to be easy, or cheap. Brandt proposes that the government subsidize airlines for better employee background checks or explosives detection tech. But that could strike taxpayers as a bailout.

On the other hand, he and Pistole actually share the same headspace, so it’s possible that TSA will buy his overall critique. “The best defense is still developing solid intelligence on terrorist groups interested in targeting aviation,” Brandt says. Beats treating us all like terrorists.

Or, as I say: investigation, intelligence, and emergency response.

Schneier on Security : Iranians Capture U.S. Drone

Iran has captured a U.S. surveillance drone. No one is sure how it happened. Looking at the pictures of the drone, it wasn’t shot down and it didn’t crash. The various fail-safe mechanisms on the drone seem to have failed; otherwise, it would have returned home. The U.S. claims that it was a simple “malfunction,” but that doesn’t make a whole lot of sense.

The Iranians claim they used “electronic warfare” to capture the drone, implying that they somehow took control of it in the air and steered it to the ground. It would be a serious security design failure if they could do that. Two years ago, there was a story about al Qaeda intercepting video signals from drones. The command-and-control channel is different; I assumed that there was some pretty strong encryption protecting that.

EDITED TO ADD (12/14): Photo analysis of the captured drone.

Schneier on Security : Dumbest Camera Ban Ever

In London:

While photography bans are pretty common, the station has decided to only ban DSLRs due to “their combination of high quality sensor and high resolution”. Other cameras are allowed in, as long as they don’t look “big” enough to shoot amazing photos.

The iPhone 4S camera is pretty amazing.

Schneier on Security : First-Person Account of a TSA Airport Screener

This is a few years old, but I seem not to have blogged it before.

Schneier on Security : Friday Squid Blogging: Humboldt Squid Mystery Solved

Humboldt Squid off the coast of Mexico are spawning younger and smaller than usual. El Niño is to blame. The mystery was solved by a class of biology students. (A blog of the expedition.)

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security : Robbing a Bank as Part of a Penetration Test

A funny story.

Schneier on Security : Lockable USB Hard Drive

Just in time for Christmas, a USB drive housed in a physical combination lock.

Schneier on Security : DARPA Unshredding Contest

DARPA held an unshredding contest, and there’s a winner:

“Lots of experts were skeptical that a solution could be produced at all let alone within the short time frame,” said Dan Kaufman, director, DARPA Information Innovation Office. “The most effective approaches were not purely computational or crowd-sourced, but used a combination blended with some clever detective work. We are impressed by the ingenuity this type of competition elicits.”

Lots of information about the contest and the winners here. This is the winning entry. And this is the original input for the challenge.

Schneier on Security : Skype Security Flaw

Just announced:

The researchers found several properties of Skype that can track not only users’ locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user’s consent.

“Even when a user blocks callers or connects from behind a Network Address Translation (NAT) – a common type of firewall – it does not prevent the privacy risk,” according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user’s location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person’s IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

Schneier on Security : Tagging People with Invisible Ink

In Montreal, police marked protesters with invisible ink to be able to identify them later. The next step is going to be a spray that marks people surreptitiously, maybe with SmartWater.

Schneier on Security : Security Problems with U.S. Cloud Providers

Invasive U.S. surveillance programs, either illegal like the NSA’s wiretapping of AT&T phone lines or legal as authorized by the PATRIOT Act, are causing foreign companies to think twice about putting their data in U.S. cloud systems.

I think these are legitimate concerns. I don’t trust the U.S. government, law or no law, not to spy on my data if it thought it was a good idea. The more interesting question is: which government should I trust instead?

Schneier on Security : Recent Developments in Full Disclosure

Last week, I had a long conversation with Robert Lemos over an article he was writing about full disclosure. He had noticed that companies have recently been reacting more negatively to security researchers publishing vulnerabilities about their products.

The debate over full disclosure is as old as computing, and I’ve written about it before. Disclosing security vulnerabilities is good for security and good for society, but vendors really hate it. It results in bad press, forces them to spend money fixing vulnerabilities, and comes out of nowhere. Over the past decade or so, we’ve had an uneasy truce between security researchers and product vendors. That truce seems to be breaking down.

Lemos believes the problem is that because today’s research targets aren’t traditional computer companies — they’re phone companies, or embedded system companies, or whatnot — they’re not aware of the history of the debate or the truce, and are responding more viscerally. For example, Carrier IQ threatened legal action against the researcher that outed it, and only backed down after the EFF got involved. I am reminded of the reaction of locksmiths to Matt Blaze’s vulnerability disclosures about lock security; they thought he was evil incarnate for publicizing hundred-year-old security vulnerabilities in lock systems. And just last week, I posted about a full-disclosure debate in the virology community.

I think Lemos has put his finger on part of what’s going on, but that there’s more. I think that companies, both computer and non-computer, are trying to retain control over the situation. Apple’s heavy-handed retaliation against researcher Charlie Miller is an example of that. On one hand, Apple should know better than to do this. On the other hand, it’s acting in the best interest of its brand: the fewer researchers looking for vulnerabilities, the fewer vulnerabilities it has to deal with.

It’s easy to believe that if only people wouldn’t disclose problems, we could pretend they didn’t exist, and everything would be better. Certainly this is the position taken by the DHS over terrorism: public information about the problem is worse than the problem itself. It’s similar to Americans’ willingness to give both Bush and Obama the power to arrest and indefinitely detain any American without any trial whatsoever. It largely explains the common public backlash against whistle-blowers. What we don’t know can’t hurt us, and what we do know will also be known by those who want to hurt us.

There’s some profound psychological denial going on here, and I’m not sure of the implications of it all. It’s worth paying attention to, though. Security requires transparency and disclosure, and if we willingly give that up, we’re a lot less safe as a society.

Schneier on Security : GCHQ Hacking Contest

GCHQ is holding a hacking contest to drum up new recruits.

EDITED TO ADD (12/6): The contest has been cracked, but only because the administrators didn’t hide the solution page from search-engine spiders.

Schneier on Security : Carrier IQ Spyware

Spyware on many smart phones monitors your every action, including collecting individual keystrokes. The company that makes and runs this software on behalf of different carriers, Carrier IQ, freaked when a security researcher outed them. It initially claimed it didn’t monitor keystrokes — an easily refuted lie — and threatened to sue the researcher. It took EFF getting involved to get the company to back down. (A good summary of the details is here. This is pretty good, too.)

Carrier IQ is reacting really badly here. Threatening the researcher was a panic reaction, but I think it’s still clinging to the notion that it can keep the details of what it does secret, or hide behind such statements such as:

Our customers select which metrics they need to gather based on their business need–such as network planning, customer care, device performance–within the bounds of the agreement they form with their end users.

Or hair-splitting denials it’s been giving to the press.

In response to some questions from PCMag, a Carrier IQ spokeswoman said “we count and summarize performance; we do not record keystrokes, capture screen shots, SMS, email, or record conversations.”

“Our software does not collect the content of messages,” she said.

How then does Carrier IQ explain the video posted by Trevor Eckhart, which showed an Android-based phone running Carrier IQ in the background and grabbing data like encrypted Google searches?

“While ‘security researchers’ have identified that we examine many aspects of a device, our software does not store or transmit what consumers view on their screen or type,” the spokeswoman said. “Just because every application on your phone reads the keyboard does not make every application a key-logging application. Our software measures specific performance metrics that help operators improve the customer experience.”

The spokeswoman said Carrier IQ would record the fact that a text message was sent correctly, for example, but the company “cannot record what the content of the SMS was.” Similarly, Carrier IQ records where you were when a call dropped, but cannot record the conversation, and can determine which applications drain battery life but cannot capture screen shots, she said.

Several things matter here: 1) what data the Carrier IQ app collects on the handset, 2) what data the Carrier IQ app routinely transmits to the carriers, and 3) what data the Carrier IQ app can transmit to the carrier if asked. Can the carrier enable the logging of everything in response to a request from the FBI? We have no idea.

Expect this story to unfold considerably in the coming weeks. Everyone is pointing fingers of blame at everyone else, and Sen. Franken has asked the various companies involved for details.

One more detail is worth mentioning. Apple announced it no longer uses Carrier IQ in iOS 5. I’m sure this means that they have their own surveillance software running, not that they’re no longer conducting surveillance on their users.

Schneier on Security : Friday Squid Blogging: Squid-Inspired Robot

It crawls on land.

Schneier on Security : I Received an Honorary Doctorate

Last weekend, I received an honorary PhD from the University of Westminster, in London.

I have had mixed feelings about this since I was asked early this year. The best piece of advice I’ve read is: “It’s a great honor, but it is an honor, not a degree.”

Schneier on Security : Hacking Printers and Setting Them on Fire

It’s the kind of research result that screams hype, but online attacks that have physical-world consequences are fundamentally a different sort of threat. I suspect we’ll learn more about what’s actually possible in the coming weeks.

HP has issued a rebuttal.

Schneier on Security : Walls as Security Theater

Interesting essay on walls and their effects:

Walls, then, are built not for security, but for a sense of security. The distinction is important, as those who commission them know very well. What a wall satisfies is not so much a material need as a mental one. Walls protect people not from barbarians, but from anxieties and fears, which can often be more terrible than the worst vandals. In this way, they are built not for those who live outside them, threatening as they may be, but for those who dwell within. In a certain sense, then, what is built is not a wall, but a state of mind.

The essay goes on to talk about the value of walls as security theater.

Schneier on Security : Full-Disk Encryption Works

According to researchers, full-disk encryption is hampering police forensics.

The authors of the report suggest there are some things law enforcement can do, but they all must happen prior to a drive being buttoned up by encryption. Specifically, they say that law enforcement should stop turning computers off to bring them to another location for study; doing so only causes the need for a password to be entered to read the encrypted data. Also, in some cases, doing so causes the data to be automatically destroyed. Fortunately, there are some tools forensics experts can use to gather data if it sits untouched, such as copying everything in memory to a separate disk. The team also suggests that law enforcement look first to see if the drive has been encrypted before scanning it with their own software, as doing so will likely result in a lot of wasted time.

Paper, behind a paywall.

Schneier on Security : Status Report: Liars and Outliers

After a long and hard year, Liars and Outliers is done. I submitted the manuscript to the publisher on Nov 1, got edits back from both an outside editor and a copyeditor about a week later, spent another week integrating the comments and edits, and submitted the final manuscript to the publisher just before Thanksgiving. Now it’s being laid out, and I’ll have one more chance to read it and correct typos next week.

It really feels great to be done. This is the hardest book I’ve written, and the most ambitious. Now I have to see how it’s received. I know I should be thinking about creating a talk based on the book, but I want some time away from the ideas. I’ll get back to that task in January.

Meanwhile, the publisher and I have been working on the cover. We settled on the art and layout months ago, but there’s the back cover copy, the inside flaps copy, the author’s bio, and the blurbs. I’m really happy with the blurbs I’ve received, and we’re deciding what goes on the front cover, what goes on the back cover, and what goes inside on the first couple of pages of the book. Much of this text will also be used at various online bookstores as well, and at my own webpage for the book. I’ll post the whole cover when it’s final.

After that, the publisher will create the various e-book formats. I’m not sure how the figures and tables will translate, but I’ll figure it out. Publication is still scheduled for mid-February, in time for the RSA Conference in San Francisco at the end of the month. I’ll be doing a short interview about my book in something called the “Author’s Studio” on Wednesday, and will have a book signing at the conference bookstore sometime that week. If there is any exhibitor wanting to use my book as a conference giveaway and have me sign them, e-mail me and we’ll work something out.

Schneier on Security : Full Disclosure in Biology

The debate over full disclosure in computer security has been going on for the better part of two decades now. The stakes are much higher in biology:

The virus is an H5N1 avian influenza strain that has been genetically altered and is now easily transmissible between ferrets, the animals that most closely mimic the human response to flu. Scientists believe it’s likely that the pathogen, if it emerged in nature or were released, would trigger an influenza pandemic, quite possibly with many millions of deaths.

In a 17th floor office in the same building, virologist Ron Fouchier of Erasmus Medical Center calmly explains why his team created what he says is “probably one of the most dangerous viruses you can make” — and why he wants to publish a paper describing how they did it. Fouchier is also bracing for a media storm. After he talked to ScienceInsider yesterday, he had an appointment with an institutional press officer to chart a communication strategy.

Of course, there’s value to the research:

“These studies are very important,” says biodefense and flu expert Michael Osterholm, director of the Center for Infectious Disease Research and Policy at the University of Minnesota, Twin Cities. The researchers “have the full support of the influenza community,” Osterholm says, because there are potential benefits for public health. For instance, the results show that those downplaying the risks of an H5N1 pandemic should think again, he says.

Knowing the exact mutations that make the virus transmissible also enables scientists to look for them in the field and take more aggressive control measures when one or more show up, adds Fouchier. The study also enables researchers to test whether H5N1 vaccines and antiviral drugs would work against the new strain.

And we know how badly this sort of security works:

Osterholm says he can’t discuss details of the papers because he’s an NSABB member. But he says it should be possible to omit certain key details from controversial papers and make them available to people who really need to know. “We don’t want to give bad guys a road map on how to make bad bugs really bad,” he says.

Schneier on Security : Bad CIA Operational Security

I have no idea if this story about CIA spies in Lebanon is true, and it will almost certainly never be confirmed or denied:

But others inside the American intelligence community say sloppy “tradecraft” — the method of covert operations — by the CIA is also to blame for the disruption of the vital spy networks.

In Beirut, two Hezbollah double agents pretended to go to work for the CIA. Hezbollah then learned of the restaurant where multiple CIA officers were meeting with several agents, according to the four current and former officials briefed on the case. The CIA used the codeword “PIZZA” when discussing where to meet with the agents, according to U.S. officials. Two former officials describe the location as a Beirut Pizza Hut. A current US official denied that CIA officers met their agents at Pizza Hut.

Schneier on Security : Security Systems as a Marker for High-Value Targets

If something is protected by heavy security, it’s obviously worth stealing. Here’s an example from the insect world:

Maize plants, like many others, protect themselves with poisons. They pump their roots with highly toxic insecticides called BXDs, which deters hungry mandibles. But these toxins don’t come free. The plant needs energy to act as its own pharmacist, so it distributes the poison to the areas that deserve the greatest fortification — its crown roots.

Maize seedlings grow roots either from the embryo itself (embryonic roots), or from the growing stem (crown roots). Christelle Robert found that the crown roots are especially important. They contain the most nutrients, and their loss matters more to the seedlings. As such, they receive the greatest investment of BXDs; they contain five times more of one particularly toxic compound called DIMBOA.

So, if plant-eating insects want to nibble on the most nutritious roots, they also swallow the highest amount of poison. Instead, they target the more lightly defended embryonic roots, which are less valuable to the plant. But the Western corn rootworm ignores these rules of engagement.

The larva of this beetle eats the roots of maize, corn and other cereals and it’s a significant pest that can ravage entire crops. Its success stems from its ability to turn maize’s defence against it. Robert found that the rootworm, unlike other insects, ignores the embryonic roots and heads straight for the crown ones.

When Robert gave rootworms a mutant plant that couldn’t produce BXDs, they lost their interest in the crown roots. Rather than being deterred by the plant’s poisons, the rootworm actually uses them to track down the most nutritious meals.

The rootworms are immune to the poison, of course. Otherwise the trick wouldn’t work.

Paper, behind a paywall.

Schneier on Security : Shopper Surveillance Using Cell Phones

Electronic surveillance is becoming so easy that even marketers can do it:

The cellphone tracking technology, called Footpath, is made by Path Intelligence Ltd., a Portsmouth, U.K.-based company. It uses sensors placed throughout the mall to detect signals from mobile phones and track their path around the mall. The sensors cannot gather phone numbers or other identifying data, or intercept or log data about calls or SMS messages, the company says.

Schneier on Security : Spider Webs Contain Ant Poison

Shichang Zhang, Teck Hui Koh, Wee Khee Seah, Yee Hing Lai, Mark A. Elgar, and Daiqin Li (2011), “A Novel Property of Spider Silk: Chemical Defence Against Ants,” Proceedings of the Royal Society B: Biological Sciences (full text is behind a paywall).

Abstract: Spider webs are made of silk, the properties of which ensure remarkable efficiency at capturing prey. However, remaining on, or near, the web exposes the resident spiders to many potential predators, such as ants. Surprisingly, ants are rarely reported foraging on the webs of orb-weaving spiders, despite the formidable capacity of ants to subdue prey and repel enemies, the diversity and abundance of orb-web spiders, and the nutritional value of the web and resident spider. We explain this paradox by reporting a novel property of the silk produced by the orb-web spider Nephila antipodiana (Walckenaer). These spiders deposit on the silk a pyrrolidine alkaloid (2-pyrrolidinone) that provides protection from ant invasion. Furthermore, the ontogenetic change in the production of 2-pyrrolidinone suggests that this compound represents an adaptive response to the threat of natural enemies, rather than a simple by-product of silk synthesis: while 2-pyrrolidinone occurs on the silk threads produced by adult and large juvenile spiders, it is absent on threads produced by small juvenile spiders, whose threads are sufficiently thin to be inaccessible to ants.

Schneier on Security : The DHS Partners with Major League Soccer to Promote Fear

It seems to be harder and harder to keep people scared:

The Department’s “If You See Something, Say Something™” partnership with the MLS Cup will feature an “If You See Something, Say Something™” graphic that will be aired on the video board during the MLS Cup championship game in Carson City, Calif. Safety messaging will also be printed on the back of MLS Cup credentials for staff, players, and volunteers and in game day programs distributed to fans. Throughout the MLS season “If You See Something, Say Something™” campaign graphics appeared on video boards and on the MLS website, and the “If You See Something, Say Something™” Public Service Announcement was read at games.

Will there also be “If You See Something, Say Something™” Day, with Janet Napolitano bobbleheads given to all the kids?

This kind of thing only serves to ratchet up fear, and doesn’t make us any safer. I’ve written about this before.

Schneier on Security : Friday Squid Blogging: Cephalopod Art Conference

There was an interdisciplinary cephalopod art conference earlier this year, in Minneapolis. Videos of the conference are available online.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Schneier on Security : Android Malware

The Android platform is where the malware action is:

What happens when anyone can develop and publish an application to the Android Market? A 472% increase in Android malware samples since July 2011. These days, it seems all you need is a developer account, which is relatively easy to anonymize; pay $25 and you can post your applications.

[...]

In addition to an increase in the volume, the attackers continue to become more sophisticated in the malware they write. For instance, in the early spring, we began seeing Android malware that was capable of leveraging one of several platform vulnerabilities that allowed malware to gain root access on the device, in the background, and then install additional packages to the device to extend the functionality of the malware. Today, just about every piece of malware that is released contains this capability, simply because the vulnerabilities remain prevalent in nearly 90% of Android devices being carried around today.

I believe that smart phones are going to become the primary platform of attack for cybercriminals in the coming years. As the phones become more integrated into people’s lives — smart phone banking, electronic wallets — they’re simply going to become the most valuable device for criminals to go after. And I don’t believe the iPhone will be more secure because of Apple’s rigid policies for the app store.

EDITED TO ADD (11/26): This article is a good debunking of the data I quoted above. And also this:

“A virus of the traditional kind is possible, but not probable. The barriers to spreading such a program from phone to phone are large and difficult enough to traverse when you have legitimate access to the phone, but this isn’t Independence Day; a virus that might work on one device won’t magically spread to the other.”

DiBona is right. While some malware and viruses have tried to make use of Bluetooth and Wi-Fi radios to hop from device to device, it simply doesn’t happen the way security companies want you to think it does.

Of course he’s right. Malware on portable devices isn’t going to look or act the same way as malware on traditional computers. It isn’t going to spread from phone to phone. I’m more worried about Trojans, either on legitimate or illegitimate apps, malware embedded in webpages, fake updates, and so on. A lot of this will involve social engineering the user, but I don’t see that as much of a problem.

But I do see mobile devices as the new target of choice. And I worry much more about privacy violations. Your phone knows your location. Your phone knows who you talk to and — with a recorder — what you say. And when your phone becomes your digital wallet, your phone is going to know a lot more intimate things about you. All of this will be useful to both criminals and marketers, and we’re going to see all sorts of illegal and quasi-legal ways both of those groups will go after that information.

And securing those devices is going to be hard, because we don’t have the same low-level access to these devices we have with computers.

Anti-virus companies are using FUD to sell their products, but there are real risks here. And the time to start figuring out how to solve them is now.

Schneier on Security : Free Cryptography Class

Dan Boneh of Stanford University is teaching a free cryptography class starting in January.