Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:alpha test?
Actually that has been tried and it didn't work very well. The guy's body absorbed most of the explosive force and the invented victim was mostly unharmed. You certainly couldn't take out an aircraft that way.
The simple fact is that even without the nude scanners it is pretty much impossible to sneak a viable bomb onto an aircraft in hand luggage or on your person. All the easy to use explosives will be detected, and the hard to detect types like liquids either need too large a quantity or are too difficult to detonate. That's what screwed up the last couple of guys to try it - their bombs were too hard to set off and people noticed what they were trying to do and stopped them.
Islamic terrorists are apparently pretty dumb. The IRA knew what they were doing - bomb public places with no security like pubs and shopping areas, using timed bombs that allowed them to get away and live to apply their skills and training to the next attack. Islamists want to kill themselves in the attack, and only seem to be interested in hard to hit targets like aircraft instead of the easy ones. People were genuinely afraid of the IRA because they really could strike anywhere at any time, but most people don't worry about this bunch of dicks at all.
-
Interfering with business models
Bruce Schneier's friendly reminder that distributed/encrypted cloud storage interferes with the cloud providers' business models. It'd be terribly useful, but I'm afraid they will keep on throwing sticks between our legs there for quite a while.
-
Re:This is why God invented encryption
Encryption is slow.
Not with a Macbook Pro running OS X 10.7 Lion (or later) it isn't. It offers "Filevault 2" nearly instantaneous (insignificant performance hit) whole-disk encryption that is standards-compliant, quite robust, and completely and utterly transparent to the user.
Also, unless you are dual-booting with Bootcamp, even running a windows or Linux VM under Parallels or Fusion should afford the "drive container" the same encryption.
And if you are running Bootcamp, Windows Vista and 7 (and presumably 8) also offer whole-drive protection (I think it's called "Bitlocker"?) that would work for that partition as well, although I have no idea regarding performance, and since MacBooks don't have TPM chips, the "verification" routine is a little more clunky for Bitlocker, but still available.
Considering the cost of the alternative ($10k penalty (or more)), that $1100 MacBook Pro looks like a pretty damned good deal.
-
Re:crypto
There is no difference. Data is data, bits are bits. They don't take on some special property because you send them through a wire.
They kind of do:
http://www.schneier.com/blog/archives/2010/06/data_at_rest_vs.html
We have been specifically talking about data in motion, where part or all of the journey is (or is not) encrypted. "Encrypted Passwords" implies the data at rest portion of the problem - for which the generally accepted best practice solution is bcrypt.
http://stackoverflow.com/questions/4494234/what-are-the-best-practices-to-encrypt-passwords-stored-in-mysql-using-php
Solving the rest portion obviously does not solve the motion portion. And vice versa.
-
Re:Yes.
Whoops.... that should have included this link: http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html
-
Re:Don't Hide Behind "Blasphemy"
The chain of events that goes from carrying a water bottle to government-sanctioned torment in an offshore prison is little different than the blasphemy-to-death-sentence progression. A minor offense occurs, the perpetrator gets annoyed by the subjective and obtrusive enforcement, a small circus of scandal ensues, and because nobody in the enforcement agency wants to be the guy who let a lawbreaker go, especially one who doesn't seem repentant, the slightest infraction can result in the maximum possible sentence. Sanity isn't a factor.
The TSA is only the first step. Yes, I object to their tactics, but they're just one part of a larger problem. Carrying water through their checkpoint is just one way to be labeled a terrorist and get detained. Another good one is to have joined a politically-aligned group as a youth or young adult in a Middle Eastern country, little different to how one would join the Boy Scouts here. Still another route is to show a more-than-passing interest in chemistry without a university signing off on everything you do. There are many ways to get onto a watch list here, and after enough little red flags, a big one goes up that gets people "detained".
Yes, the route from offense to sentence is often a little more direct in the more tyrannical regimes, but that has little bearing on my point: Insanity is only insane to those with a different idea of sanity.
-
Re:About time
(2) Strict enforcement of traffic laws, including red light cameras and speeding cameras.
I'm all for stricter enforcement of traffic laws, but red light cameras simply don't work.
-
Re:Catch 22:
For my part, everything in my house, save the gaming rigs, uses encrypted storage not because I have anything terribly important stored, but because I want it to be as difficult and time-consuming as humanly possible for the jackboots to find absolutely nothing. I'm sort of an asshole like that.
You are not alone in your thinking. Why don't the police do the archiving and the management.
Read Bruce Schneier. http://www.schneier.com/ and his comments about risk, etc.
-
Re:throw away laptops
This is an interesting article: http://www.schneier.com/blog/archives/2012/02/computer_securi_2.html and highly relevant to this discussion... Read the linked article (http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?_r=0) and all the comments.
-
Re:Industrial espionage
See Bruce Schneier's "Evil Maid" described elsewhere on this thread. Encrypted volumes don't protect against an attack at the bootsector level. http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html
Subvert the bootsector, wait for the mark to key in the password, and store it for later in the clear. Maid returns the next day, collects the password, optionally images the disk. Done.
-
Re:Sources Please?
-
EVIL MAID!
-
some reading
-
Re:Researchers use responsible disclosure
The first rule of software is that all software beyond the barest of trivial examples will have bugs. Compilers are software, and have the same long and sordid history of bugs. Since compilers have been mentioned specifically, you might be interested in the classic work Reflections on Trusting Trust (it was apparently written by a guy who knows a thing or two about the topic, some Ken Thompson fellow). The same goes for test suites. In many cases, bugs translate to security vulnerabilities. In some cases, perfectly rational behavior demonstrated by entities known as programs results in unexpected behavior when they are made to exchange data. This phenomenon is referred to as "novel outcomes" in some circles, and "wow, that's some fucked up shit" in others. There is a reason the field of information security is as broad as it always has been, is, and always will be.
Your post proves you have never worked as a professional developer, or for an organization where your role was deeply connected to systems or development work. Heck, it proves you've never worked on any major open source project either, for that matter. I suppose we should all stop using anything resembling software immediately to prevent the planet from caving in under the weight of its own failure. Or perhaps you should take your obviously extremely advanced software engineering skills and produce the one true invulnerable platform for everyone, one layer and application at a time.
As Bruce Schneier famously said, "security is a process, not a product." That process never ends, and involves complexities I believe could be delicately framed as things that aren't exactly your area of expertise. That's okay, though; you can always start educating yourself immediately. We're all looking forward to your next batch of brilliant revelations on infosec strategy.
-
Re:I can understand her
RFID passports have been demonstrated to be read from meters away; in 2004 someone I trust on this one gave a number of 20 meters. The tag in question seems to include personal information embedded, so it is not just an electronic key, and given that even passport RFID security has been shown to have weaknesses, so much so that the US now includes built-in shielding in passports, I would not automatically trust my personal info on $randomcompany's RFID implementation.
-
Still the same profiling bullshit
I once read a scientific paper which recommends, if I remember correctly, randomly selecting 8% of the passengers for extended verification. This procedure has the advantage of transmitting zero information to the bad guys. If you start profiling, you give them a chance to test the system.
-
Re:Digital Bill of Rights
I made a similar posting with some of my own thoughts here:
http://www.schneier.com/blog/archives/2012/11/e-mail_security.html#c996365
One thing I think that the digital bill of rights should add to the constitution is an addition to the 5th amendment rights that specifically covers the disclosure of passwords, encryption keys and login details and declares that the protections relating to self-incrimination mean you can't be forced to hand over those things, nor can you be forced to enter those details in and unlock things.
Let's bring in 4th amendment protections against things like warrantless seizure of domain names (if the FBI/DOJ/etc. can't prove to a judge that the site is violating the law, then no, they shouldn't be able to seize the domain).
-
Re:Full-disk encryption?
FDE is mandatory for keeping all of the data on a stolen laptop from being exposed. It allows something that is broken to be repaired without fear that the repair company will get access to everything as well. That someone might give up their key if pressed for it--via violence, court order, or stealth--doesn't mean it's useless to use in the general case.
-
Re:Tweedledee won !
And both seem to want to increase government surveillance and trade freedom for safety.
They're trading our freedom for something, but it's not safety (as Bruce Schneier points out on a regular basis).
-
Re:Stupid.
Tradeoffs.
It may be tough to audit paper, but it's virtually impossible to audit electronic.
-
Re:Civil libertarians - please provide alternative
>> So, what exactly makes US so different that it is impossible to achieve what other countries can?
You are making an assumption.
Assumption which, in your view is...??? (my apologies, I couldn't read it between lines. As such, I can't confirm/adjust/refute your statement).
Other countries dragging themselves down into the cesspool provides great real-world examples of what not to do. Every time a country destroys itself because they decided they could re-invent the governmental wheel, it provides example that the sane can use against the insane in this country.
Is there a single "governmental wheel" - so that, once invented, any other attempts to do it again would be suboptimal?
What is sane and what is insane? Ridiculous theories that remain not fully tested can still influence the weak-minded. I fully support any governmental changes in other countries that do not reconcile *actual* human nature, as opposed to what they think it is (based on their own neurological disorders).
I really don't get what you mean by "reconciling actual human nature". What is the "actual human nature"?
Anyway, I have a recommendation for you: Liars and Outliers. Speaking for myself, it didn't tell me anything new, but it surely put a good order in the concepts about the pragmatic approach to trust.
(I might be wrong, but... bluntly speaking... I think I detect in you an unbalanced reaction to trust in the human individuals and community, with quite strong reflection on your view about your own/family security... too scared, as it comes to me.) So, go for it. I wish you luck in your quest.
Thanks, I'm wishing the same to you... (again, my gut-feeling is that each of us think the other would need luck more than oneself. I find this an absolutely fascinating thing in life).
-
Re:It balances individualistic security concerns
He's rethinking it.
-
It balances individualistic security concerns
I was surprised last year when I first saw an article from EFF suggesting that we open our wifi networks. I did see some reason to support what they were suggesting, but I was also anxious about opening up my LAN, weak as wireless encryption may actually be. Since then, I bought a new wireless router, which does make it easy to offer separate WLANs with configurable levels of access to each other. I see TLS being used more widely. I've learned a bit about VPNs, and set up OpenVPN on my router. And, I read the article others have mentioned in this thread, that Bruce Schneier, who both knows more than I do and has more to worry about, doesn't bother securing his wireless, since it's really not the security vulnerability that it's made out to be.
https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
But most important, I worry that a lot of the structure of IT, and especially IT security, tends to foster an individualistic and cautious outlook that needs the balance of the considerations of fostering community. Of course, offering security advice is a service to the community, but it's worth arguing for something that explicitly supports an open community, now and then.
-
Schneier
As usual, a good thread on the topic from Schneier-ville: https://www.schneier.com/blog/archives/2012/10/hacking_tsa_pre.html
-
Bruce Schneier & provide open wireless
I have offered free open wireless Internet to my neighbors and passersby for many years, with no problem. Occasionally, I see a car parked in front of my house to use the connection. It's the good neighborly thing to do. Those who are more stingy and/or fearful need not follow suit, but they need not spew negative speculation about those of us who do. Bruce Schneier, security expert, does the same. https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
-
Re:Disgusting behaviour
...at least the hijackings have stopped...
Yes, because, before then, they were so routine
Don't know why Schneier focuses entirely on the time of the last hijacking before 9/11 - hijackings were extremely frequent during the 70s and the Wikipedia page quoted by him shows just that.
-
Re:Disgusting behaviour
...at least the hijackings have stopped...
Yes, because, before then, they were so routine
-
Well duh
The reason for the failure to execute, in his words: 'During that time, Windows went through a difficult period where we had to shift a huge amount of our focus to security engineering.'
You took an OS which effectively ran with superuser privileges (DOS) all the time, and added a graphical shell on top of it (Win95, Win98). You then tried to switch it to a more secure user / superuser model, but you made it so inconvenient that it was easier for everyone to just run as superuser all the time (NT, 2k, XP). Finally you started trying to enforce running as a regular user except when needed (Vista). But the industry had had a decade to acclimate to running as superuser, so you were met with so much resistance you had to scale it back (7). Of course you're going to have a huge security problem.
You should've just bitten the bullet and enforced the user / superuser paradigm as early as you could have. I.e. back when the Internet became big, around when Windows 95 came out, you should've realized the future was for all computers to be networked, and that user vs. admin privileges were going to become very, very important. But no, you took the easy way out and stuck with the one-computer one-user model, and you've been paying the price for it for the last decade and a half. You made your own bed; it's disingenuous to now blame someone else for having to lie in it.
Part of being a good leader (of a group, country, market, whatever) is to foresee and recognize what's going to become important or a problem in the future, long before your followers do. A good example is what the NSA did with DES. They had done enough secret research into DES that they knew of a vulnerability; and when DES was proposed as a standard they made some secret changes to it which eliminated that vulnerability before the public was even aware of it. Your job as a leader is to act on that foresight, even if your followers can't see what you see and complain about it. If you can't do that, you just aren't cut out to be a leader.
-
Re:I wish
Here is Bruce Schneier's take on the subject.
"... assuming that the radiation in a backscatter X-ray is about a hundredth the dose of a dental X-ray, we find that a backscatter X-ray increases the odds of dying from cancer by about 16 ten millionths of one percent. That suggests that for every billion passengers screened with backscatter radiation, about 16 will die from cancer as a result.
Given that there will be 600 million airplane passengers per year, that makes the machines deadlier than the terrorists."
-
Re:Photoshop?
quite possible, as Bruce Schneier explains in detail.
-
Chip and pin is NOT SECURE !
Anyone who doesn't believe chip and pin is completely broken, should read this research paper (PDF) where the researchers demonstrate practical proof-of-concept for each stage of a couple variants of "pre-play" attack that renders chip and pin useless (it is essentially as strong as being able to clone the cards, when the whole purpose of chip and pin is to prevent the cloning of cards).
Bruce Schneier reported on it in a blog post back in September.
-
Re:Gridlocked with No Way to Prime the Pump
"Deflation just means that your money is worth more as time goes by because the economy grows in productivity. This only happens if the growth is actually taking place - and growth does not happen forever in a finite universe, and certainly not on a finite planet. Anyone arguing against deflation is simply arguing for the State's right to reach into every pocket at the same time by printing money. This is a great deal if your pockets are empty and some portion of the proceeds from the theft might land in them. Otherwise it plain old sucks. Proponents of government-issued fiat currency: be honest and call inflation a tax. But don't lie and paint non-rotting money as some kind of Medieval torment which the Enlightenment graciously set us free from." via http://www.schneier.com/blog/archives/2012/10/analysis_of_how.html#c927907
-
Re:Refuse to be Terrorized
This goes for all peoples, including muslims: Refuse to be Terrorized!
You're not terrorized by anything unless you choose to be.
Garbage to be Terrorized?
-
Refuse to be Terrorized
This goes for all peoples, including muslims: Refuse to be Terrorized!
You're not terrorized by anything unless you choose to be.
-
Re:Don't panic
>China practically invented the category of Gov't spyware in electronics.
NSAKEY
--
BMO
You can't be serious. Here is a better comment from someone whose log(Slashdot UID) < 0.
-
Utter Horse-shit!
In my area DSL isn't available and FIOS or broadband is upward of $70. This affects me and many others who have difficulty with such prices. The act of intimidating people with open APs is ludicrous and shit-brained. A secured router with a unique user-ID, strong password, along with various options such as filters, availability-configurations, etc., is more secure than WEP with default settings. This sheriff should have a router fastened to his head until the microwaves loosen the rocks. I think the EFF elaborated on this topic quite well, also mentioning Schneier and his views on the subject.
Sharing, especially of educational/informational resources, is a good thing. Intimidating people into doing otherwise against their will is encouraging greed, inefficiency and paranoia.
-
I have an idea
How about we link to Schneier's actual blog post? https://www.schneier.com/blog/archives/2012/09/sha-3_will_be_a.html
-
Re:Of course Microsoft knew
No, it's only bad if the secret is a vital piece of the security of the system. As Bruce Schneier said:
Just because security does not require that something be kept secret, it doesn't mean that it is automatically smart to publicize it.
-
Re:Note to TSA
-
Re:The original affluent society & the future
We obviously are going to differ on the topic of "is a technologically enhanced existence better?", so I'll try not to belabor that point, mostly because I consider it moot - the world we live in has already progressed down the path of complexity, and voluntary regression would not be realistic to expect from its current beneficiaries. "When you can pry my TV remote from my cold dead hands..." etc. A change would be possible only in a new generation, one intentionally deprived of modern conveniences, or through deprivation due to massive external influences, such as a devastating global war, exhaustion of petroleum and other fuels, or complete economic and social collapse. I do not believe even a fraction of Western civilization would "give it all up to return to nature" voluntarily.
I would also point out that the habitable portions of the planet (outside of the Americas) are near capacity, yet population growth is still positive. Without technology providing additional food, or transport from farms to tables, I believe the balance point for hunter-gatherers or subsistence agriculture has already been exceeded. A move to a self-sustaining agrarian society would take a massive shift and reduction in population - and nobody I know would volunteer for the needed culling. We've crossed the Rubicon. So again, the point is moot.
Regarding capitalism, I believe that the levels of technology we have come to appreciate arrived only through capitalism. Profit has driven the technical revolution, from people like Edison, Bell, and Ford through Noyce and Gates. Sure, there is a huge group of Open Source advocates who are all about building free solutions for tech problems, but they are building them with the basic foundational tools that were born of the drive for profits, and many are building them out of leisure time: something else the world lacked until we had cheap and plentiful energy. The sewing machine was invented to make money by automating a job done by tailors for thousands of years. But capitalism was Thimonnier's vehicle, not socialism, and not altruism.
So that kind of leads back to the dual currency idea. People are both altruistic and selfish, and most lean one way or another. But there is always a set of "cheaters", which could be defined as people who will accept altruistic help, but then selfishly hoard (see Schneier's book, The Dishonest Minority, or the thesis posted at http://www.schneier.com/blog/archives/2011/05/status_report_t.html). You can't wish or logic or breed that kind of behavior away. And from the success of the strategy (for it is indeed a very successful strategy for the minority willing to set aside any morals and exercise it), and from the selfishness I've seen exhibited by the Romneys of the world, the rich will always expend their resources to keep the poor at arm's length. Therefore I think a basic income would always boil down to being a socialist currency in a capitalist economy, and would carry that essence as a stigma. It would divide us.
-
Re:Note to TSA
For the umpteenth time, RACIAL PROFILING DOES NOT WORK!
Stupid ignorant bigots blabbering the same shit over and over and over and over again.
-
Re:"Full disclosure is the only responsible route"
Hatta, you're actually not far off from Bruce Schneier's "Full Disclosure of Security Vulnerabilities a 'Damned Good Idea'".
-
Re:It makes sense (for a change)
But it was in the planning stage, and they never got so far as to try to bring the explosives on board. According to many experts, it's unlikely to have worked (Bruce Schneier).
-
What is the TSA for anyway?
I've had a sneaking suspicion that the TSA is a stealth jobs program for the otherwise unemployable. It's not so much the intrusive searches and so on as the STUPIDITY of their measures (how are four small bottles of liquid different from one large bottle?). As a game I stand in line at the checkpoints daydreaming about all the ways I could sneak things through—ideas that I won't share because it appears that terrorists are generally, thank goodness, even dumber than the gatekeepers. Many critics have already dissected their policies, e.g., http://www.schneier.com/ It's just too easy.
Terrorism is a very serious problem that can get people killed. So is the TSA.
-
Re:Not like most linux users!
In Bruce Schneier's own words:
Just because security does not require something be kept secret, it doesn't mean that it is automatically smart to publicize it.
You might want to actually read and digest the first article on that page before spouting off again.
-
Re:Amazon knows me better than myself . . . ?
Schneier explains it well: http://www.schneier.com/blog/archives/2006/05/the_value_of_pr.html
-
Cyberwar: Many ways to lose. No way to win.
Nobody at the US Air Force seems to be thinking strategically.
- There are 2 major problems with offensive cyberwar:
- The USA has the most to lose. We are the most dependent on the Internet. It doesn't matter who initiates a cyberwar act, the USA will take the most damage. And, any cyberwar act by the US legitimises all other cyberwar activity. The USA has nothing to gain and everything to lose by offensive cyberwar preparation. This is why Schneier is advocating cyberwar treaties: https://www.schneier.com/blog/archives/2012/06/cyberwar_treati.html
- US offensive cyberwar preparations make the US internet more vulnerable. The NSA calls this effect the "Equities Issue". In order to create an offensive capability, we have to rob resources from our defence. In order to have an attack surface, we have to weaken our defences to create a vulnerability. For example, in order to have a "0 day" vulnerability, we have to choose to not disclose or fix it.
Granted, we can do some things to improve our defences without destroying ourselves. But, attempts at creating offensive cyberwar capability are careful and meticulous preparations for suicide. Any clear-thinking opponent will swiftly realize that they have everything to gain and nothing to lose.
Mel Brooks gave a good summary of our current situation: https://www.youtube.com/watch?v=Z_JOGmXpe5I
Miles
-
Re:It's even worse
Apparently, someone at NFTA recognized this bigoted meathead for the bigoted meathead he was and that nationality is simply a concept that exists solely on paper and cannot be discerned from just looking at someone.
I was going to comment on how profiling works regardless of it being PC, but thought I'd check up on Schneier's thoughts, and I find myself reconsidering my position. It's worth a read:
http://www.schneier.com/blog/archives/2012/05/the_trouble_wit.html
There are still other considerations-- the oft-cited security of Israeli airlines despite the gigantic target painted on them (if muslim terrorists are going to target someone, Israel tends to rank higher on "peoples we don't like" than the US) is often attributed to their use of profiling. But Bruce still makes some pretty good points about cost-benefit of profiling.
-
How much humiliation?
Just how much humiliation is the general American public willing to tolerate in the name of 'security'?
Well, more than this, it seems. Poll: Americans Like the TSA.
-
The US population LOVES the TSA
Not sure why you all complain, the US loves the TSA:
Despite recent negative press, a majority of Americans, 54%, think the U.S. Transportation Security Administration is doing either an excellent or a good job of handling security screening at airports. At the same time, 41% think TSA screening procedures are extremely or very effective at preventing acts of terrorism on U.S. airplanes, with most of the rest saying they are somewhat effective.
http://www.schneier.com/blog/archives/2012/08/poll_americans.html