Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:The problem is people
Although you said in jest... REAL security pros do write it down...
http://www.schneier.com/news-101.html
http://www.schneier.com/blog/archives/2005/06/write_down_your.html
-
Re:Wait, what?
I can almost bet NSA has a multi-million dollar hardware cracker that can brute-force your Linux or TrueCrypt password, assuming it has less than about 50 bits of entropy. Very few people are capable or willing to use truly safe passwords with 100bit+ entropy.
I wasn't certain about how entropy was measured, so I read this Entropy as a measure of password strength. Given we assume that the regular typeable characters still provide enough entropy (not sure about, but it's possible), then you're saying, given someone has a password under 6.25 (50 bits / 8) characters, it would be cracked. I would agree with that. That's an absurdly small password. Based on this article Real World Passwords less than 17% on average fit that criteria. Additionally, this is lowest common denominator stuff. They fell for a phishing attack, and use myspace, and based on the most common passwords, aren't geniuses.
Very few people are capable or willing to use truly safe passwords with 100bit+ entropy.
Interestingly this would imply 12.5 characters. While I looked at my old stock standard passwords, they were just under this amount. However my high security passwords (the ones on the TrueCrypt / LastPass data), are in excess of 400 bits, and I'd gather anyone who really wants to/needs to protect something, will take a similar tack.
Lastly, there have been numerous articles, and legal documents, showing the NSA/FBI/etc attempting to crack many different people's volumes, but being unable to. Don't see them as magic, they can't just crack anything they want. While it might induce you to maintain extreme security measures, that's about the only benefit from thinking this way, that you'll get. Also, you'll likely spend too much time/money/effort on these solutions.
-
Re:Are MD and SHA easily reversible?
Yes, they have to brute force match the encrypted data with a dictionary attack.
Iterating your hash function n times makes that n times harder. That's worse for the attacker though - your app spends a small portion of its time verifying passwords, whereas attackers spend their cycles on nothing but a whole lot of that.
Every serious crypto app that uses passwords or passphrases uses key strengthening
If you don't believe me, ask Bruce Schneier.
Of course this all assumes your user database is compromised. You should really try to prevent that. But if it does happen, at least you know your users' passwords won't go down without a fight.
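The entropy arithmetic under "Re:Wait, what?" and the key-strengthening point above can be checked together in one small added script (my example, not code from any commenter or from schneier.com); it uses the standard-library PBKDF2 and assumes a 95-symbol printable ASCII pool:

```python
import hashlib
import hmac
import math
import os


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from a
    pool of `pool_size` symbols: the log2 measure the thread refers to."""
    return length * math.log2(pool_size)


def chars_for_bits(target_bits: float, pool_size: int) -> int:
    """Shortest uniformly random password from `pool_size` symbols that
    reaches `target_bits` of entropy (rounded up to whole characters)."""
    return math.ceil(target_bits / math.log2(pool_size))


def stretch(password: str, salt: bytes, iterations: int) -> bytes:
    """Key strengthening: PBKDF2-HMAC-SHA256, so every guess an attacker
    makes costs `iterations` HMAC evaluations instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Build the stored verifier: a fresh random salt per user, the
    iteration count (so it can be raised later), and the derived key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "verifier": stretch(password, salt, iterations),
    }


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant
    time; the server pays this cost once per login, the attacker per guess."""
    derived = stretch(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(derived, record["verifier"])


def effective_work_bits(entropy: float, iterations: int) -> float:
    """Attacker's expected work expressed as equivalent entropy bits:
    iterating the hash n times adds log2(n) bits of guessing cost."""
    return entropy + math.log2(iterations)


if __name__ == "__main__":
    pool = 95  # printable ASCII, assumed as the "regular typeable characters"
    print("8 printable chars:", round(entropy_bits(8, pool), 1), "bits")
    print("chars for 50 bits:", chars_for_bits(50, pool))
    print("chars for 100 bits:", chars_for_bits(100, pool))
    print("50-bit password + 2^17 iterations ~=",
          effective_work_bits(50, 2 ** 17), "bits of work")
    rec = make_record("correct horse battery staple", iterations=50_000)
    print("verify good:", verify(rec, "correct horse battery staple"))
    print("verify bad: ", verify(rec, "password1"))
```

Note that a 50-bit password needs 8 printable characters under this pool, not 6.25, because each symbol carries log2(95) ~ 6.57 bits rather than 8.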
-
Re:How about we send everybody a text
Your suggestion fails:
-It is security theater. If this is covered bombers will refine their technology.
-You need to send/call people NOT in crowds. If you send it to a bomb in a crowd you just triggered the bomb.
-But your Method beats the voluntary Denial Of Service some police make by shutting off all mobile phones in an area to prevent further bombers... that also hampers the aid....
-
Re:how can anyone know he quit the NSA?
I left too, and the above AC is telling it straight. No big deal. Hard to get permission to visit some adversary countries for a few years if you knew a lot of secrets, otherwise, they pretty much ignore you after that. They once called me a few years after I'd left to help them with something in my specialty, that was it.
The trouble with conspiracy theories around government agencies is that, well, they are government agencies. Not all that good at what they do, with some small exceptions, and mostly terrible about keeping things secret after they do them. Some secrets last years, but most of them are too boring to actually talk about, and are mostly "policy" which means, some incompetent fool classified something to cover his lousy (or unethical) job performance. We're not working with supermen or angels anymore than any other part of society there.
There's already a tax on buggy software, it's just paid by the wrong side of the equation, the user. Bruce Schneier has a ton of stuff on the issue, and as long as the makers aren't paying the price, it'll never happen. http://www.schneier.com/
The thing is, at the point of perfect security, no system is usable -- there is always a trade-off of some kind. This sounds so hard to adjudicate, I kind of doubt it will ever happen -- and at least one software outfit that has the most issues also has enough lobbyists to keep things the way they want them -- the billions of lost dollars yearly due to their bugs will still be with the users, not them.
As long as people can pass off the costs of insecurity, there will be little to no progress in the field. Anyone remember the British banks claiming in court they were liable for hacked chips and pins because they were "perfect" so the customer must have made a mistake? As long as that sort of crap flies, why should they invest in security? Good security is hard.
-
Re:But its ok for Google?
The Supreme Court has already declared that when you're in public spaces (including outside a building) you have no expectation of not being recorded both visually and audibly.
Unless you are a police officer of course, in which case being outside a building in a public space is considered "private"...
-
Re:You are being shortsighted
> And you think someone in 2030 won't be able to break 2010 encryption with their pocketknife?
That is exactly what I think. The encryption schemes that get broken all the time are usually DRM schemes which are defective by design, because the client must have access to the key to access to content, and must have access to the unencrypted content to view it. But encryption algorithms in general are quite good, and brute forcing the solution usually takes more time than the lifetime of the universe, or more energy than is available in the visible universe, or some combination thereof. 20 years advancement in hardware is not going to change that. Unless some serious flaw is found in an encryption algorithm, your amazing encryption-breaking pocket knife will be very disappointing.
You may find this http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html an interesting read.
-
Re:What should I do?
I'm not disagreeing with what you've said, but I will point out that security is a process, not a product. It's never "done."
-
Re:A movie, you say
Yes, GPS has everything to do with triangulation. Car proximity detection does not, and while it could use triangulation as a method of determining proximity, that would not prevent relay attacks in itself.
GPS spoofing is mentioned here, for one:
http://www.schneier.com/blog/archives/2008/09/gps_spoofing.html
-
Re:Perhaps.
That was Bruce Schneier on Security:
http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html
There's talk about the health risks of the machines, but I can't believe you won't get more radiation on the flight. Here's some data:
A typical dental X-ray exposes the patient to about 2 millirems of radiation. According to one widely cited estimate, exposing each of 10,000 people to one rem (that is, 1,000 millirems) of radiation will likely lead to 8 excess cancer deaths. Using our assumption of linearity, that means that exposure to the 2 millirems of a typical dental X-ray would lead an individual to have an increased risk of dying from cancer of 16 hundred-thousandths of one percent. Given that very small risk, it is easy to see why most rational people would choose to undergo dental X-rays every few years to protect their teeth.
More importantly for our purposes, assuming that the radiation in a backscatter X-ray is about a hundredth the dose of a dental X-ray, we find that a backscatter X-ray increases the odds of dying from cancer by about 16 ten millionths of one percent. That suggests that for every billion passengers screened with backscatter radiation, about 16 will die from cancer as a result.
Given that there will be 600 million airplane passengers per year, that makes the machines deadlier than the terrorists.
(bold added for emphasis by russ1337)
-
Re:Tracking? Remote data access?
[citation needed]
http://www.schneier.com/blog/archives/2006/12/remotely_eavesd_1.html
even schneier tends to fall on the side of it all being software.
so no.
It's not a myth. For the last 10 years every phone I've had, even the non-smartphones have had a respectable amount of software.
perhaps if you carry a brick from the 1980's you might not need to worry about this.
-
Compartmentalization has its downsides
http://www.t0.or.at/delanda/meshwork.htm
"Indeed, one must resist the temptation to make hierarchies into villains and meshworks into heroes, not only because, as I said, they are constantly turning into one another, but because in real life we find only mixtures and hybrids, and the properties of these cannot be established through theory alone but demand concrete experimentation."Compartmentalization can lead to lots of secrecy ("need to know"). Secrecy helps some things, but it also makes it easier for snakes to hide inside something, or for people to be unable to "connect the dots". I heard about one sociology professor who said, studying movies, that the "good guys" always win because they have better communications than the "bad guys". There are endless books about how organizations can improve their internal communications for greater effectiveness. Also, consider that analysis is about putting things into compartments, but synthesis is about putting things together, and both are important for creative problem solving, and the needs of our society seem to be shifting towards creative synthesis:
"RSA Animate - Changing Education Paradigms"
http://www.youtube.com/watch?v=zDZFcDGpL4U
What good is a "secure" organization if it can't perform its primary function (whatever that is) very well?
There are always tradeoffs of security vs. effectiveness/useability. See:
http://www.schneier.com/blog/archives/2009/08/security_vs_usa.html
Which links to this:
http://jnd.org/dn.mss/when_security_gets_in_the_way.html
"The numerous incidents of defeating security measures prompts my cynical slogan: The more secure you make something, the less secure it becomes. Why? Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds that defeat the security. Hence the prevalence of doors propped open by bricks and wastebaskets, of passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer, of home keys hidden under the mat or above the doorframe or under fake rocks that can be purchased for this purpose. We are being sent a mixed message: on the one hand, we are continually forced to use arbitrary security procedures. On the other hand, even the professionals ignore many of them. How is the ordinary person to know which ones matter and which don't?"One might expect people at the NSA to be quite a bit more disciplined and trained than average, but certainly this point holds for other organizations.
And about another three letter agency (quoting from Wikipedia) apparently struggling with compartmentalization:
http://www.pdfernhout.net/on-dealing-with-social-hurricanes.html
"All of this has the effect of making it hard for DI analysts to interact even with the classified outside world. The CIA view is that there are risks to connecting CIA systems even to classified systems elsewhere. Mitigating those risks sends implicit messages to analysts: that technology is a threat, not a benefit; that the CIA does not put a high priority on analysts using IT easily or creatively; and, worst of all, that data outside the CIA’s own network are secondary to the intelligence mission."And links on open alternatives for most of any nation's intelligence needs:
http://pcast.ideascale.com/a/dtd/76207-8319
http://groups.google.com/group/openmanufacturing/msg/2846ca1b6bee64e1
http://www.phibetaiota.net/abou
-
Bruce Schneier
Bruce Schneier helped to make skein http://www.schneier.com/skein.html
-
Re:List of US facilities?
Evaluating your security and defenses for vulnerabilities is a good thing to do. However, sitting around all day dreaming about specific terrorist targets and plots is a huge waste of time. Bruce Schneier calls these movie plot threats.
If you're a terrorist, your goal is to inflict the most amount of damage with the least amount of effort. To someone determined to blow up a bomb in or near an American building in the name of jihad, just about any building will do. Even if we could completely secure every single building, the terrorists will easily note that buildings are not really required to cause a lot of death and damage. A terrorist can just carry a briefcase or backpack bomb into any crowded area (shopping mall, city corner, subway, bus) and it's mission accomplished.
-
Re:Education is the best medicine
Quoth Bruce Schneier:
There's nothing we can do to educate users, and anyone who has met an actual user knows that.....Rather than focus on what can we do to educate users, we need to focus on building security that doesn't require educated users.
Reference: http://www.schneier.com/news-055.html
-
Re:Or perhaps ...
There's of course the tiny little issue:
a) you're right, there's no threat, and lifting security precautions won't change a thing
b) you're wrong, there is a threat, and lifting security precautions means a weekly re-run of 9/11
If b) is true you're asking thousands of people to die just so you can have a little easier time at an airport. And, frankly, anyone reading the news knows perfectly well b) is true.
What you say isn't true, btw, you have the option of paying enough to charter a flight and avoid the continental U.S. altogether. The problem isn't what the sovereign united states do, the problem is that you are prepared to accept any amount of discomfort for a few bucks.
Wrong, wrong, wrong. You forgot option c): There is a threat, albeit not a statistically significant one, and the "security precautions" we are currently taking are little more than a sleight-of-hand intended to make the flying public feel (no pun intended) like the government is doing something to address their fears. If the threat were anywhere near as real as you imagined it to be, we would *still* have airplanes blowing up weekly. Remember the underwear bomber, the shoe bomber and Flight 93? Those were all thwarted by the actions of other passengers on the airplane, not the TSA. What we have right now is an out-of-control government bureaucracy trampling on our 4th Amendment rights, and still letting terrorists and entertainers smuggle contraband on board airplanes.
Regarding charter flights: c'mon, that's seriously disingenuous, not to mention one-sided. If you are that afraid of being blown up on an airliner, YOU could use charter flights rather than commercial airlines. "the problem is that you are prepared to violate others' civil rights for a few bucks." It's no less true when you say it than it is when I do. Just sayin. Furthermore, what you are saying isn't even true. TSA does require some screening, even for chartered aircraft, if the aircraft weighs more than 12,500 pounds (see here for details) and they were trying to expand that program to privately owned and operated aircraft in 2009, although that measure was dropped due to public outcry (see here and here). So no, you can't really take a charter flight without being screened, although for now you could fly in a private jet, if you can afford the cost (you probably can't, unless your last name is Pelosi, Clinton or Bush).
-
Re:Obsolete because we will always be at Orange Al
We had this in the UK with the Bikini Alert codes... technically we should have remained at Amber for very long periods, but the overhead required in continuously mounting armed guards and vehicle searches on our bases was getting rather tiresome, so they introduced Bikini Black Alpha which allowed them to drop to the new state of "higher than Black" but not have to perform all the extra checks required by Amber... we still performed a lot of checks, but on a random basis instead of having to search every vehicle and also were able to drop down to unarmed guards with a small armed reserve (provided by our normal military police) instead of everybody on guard having to be armed.
-
Re:Hi Janet Napolitano
Here you go:
Have elderly parents who need medical supplies? They'll make you wet yourself.
Small kids? They'll grope them while they scream for help, wondering why their parents aren't protecting them.
Cancer survivor? Have some more rads!
I saw an article discussing this, but I can't seem to find the link right now. About the best I can do is Bruce Schneier's article that discusses, among other things, the case against ionizing radiation in general.
...or become fap-fodder for the guy in the back room?
According to snopes.com, the story reported here is most likely satire. I couldn't find a reputable link anywhere else, so I'd say it hasn't happened yet, but I imagine it's only a matter of time.
HTH!
-
Re:And let's just clarify a few things.
If that wasn't enough, they're more likely to be arrested than make an arrest. They're absurdly expensive: we're paying $200M per arrest, about 4 arrests a year, and the arrests are almost exclusively small quantity drug possession charges. Last, on the very small percentage of flights they're actually on, they're not even sitting among the potential threats, they're always cloistered up in first class, which makes them really really easy to spot and really useless in spotting anything suspicious.
-
Seth Godin nailed this one...
There's plenty of controversy about the new full body scanners that the TSA is installing at airports, and plenty more about the way some TSA agents are handling those that choose to opt out.
The heart of the matter comes from the fact that the TSA often doesn't understand that it is in show business, not security business. A rational look at the threats facing travelers would indicate that intense scrutiny of a four ounce jar of mouthwash or aggressive frisking of a child is a misplaced use of resources. If the goal is to find dangerous items in cargo or track down Stinger missiles, this isn't going to help.
Instead, the mission appears to be twofold:
1. Reassure the public that the government is really trying and
2. Keep random bad actors off guard by frequently raising the bar on getting caught
The challenge with #1 is that if people believe they're going to get groped, or get cancer, or have to wait in line even longer on Thanksgiving, they cease to be on your side. Particularly once they realize how irrational it is to try to stop a threat after it's already been perpetrated. (Imagine the havoc if someone had a brassiere-based weapon...)
And the challenge of #2 is that the cost of raising the bar gets higher and higher.
Smart marketers know how to pivot. I think it's time to do that. Start marketing the idea that flying is safe, like driving, but it's not perfect, like driving. If someone is crazy enough to hurt themselves or spend their life in jail, we're not going to stop them, and even if we did, they'd just cause havoc somewhere else. So instead of spending billions of dollars a year in time and money pretending, let's just get back to work.
The current model doesn't scale.
This is very much like what Schneier has been saying for years, but nobody else really cared till things got sexual. Isn't that like our species ;-)
Schneier, from 2005:
Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else -- Secure Flight and Trusted Traveler included -- is security theater. We would all be a lot safer if, instead, we implemented enhanced baggage security -- both ensuring that a passenger's bags don't fly unless he does, and explosives screening for all baggage -- as well as background checks and increased screening for airport employees.
Then we could take all the money we save and apply it to intelligence, investigation and emergency response. These are security measures that pay dividends regardless of what the terrorists are planning next, whether it's the movie plot threat of the moment, or something entirely different.
-
Re:And let's just clarify: screening = deterrence
The TSA has not yet caught a single terrorist attempting to get on a plane.
Nice straw man. Sure, comments like this pass for "reason" on Rush Limbaugh, but I thought slashdot was slightly higher caliber.
The purpose of screening is deterrence. Let me repeat that: the screening is there to deter, not capture, terrorists. Take for example the famous "underwear bomber" of last Xmas. Even Bruce Schneier, vocal critic of the TSA, admits that airport security helped foil the underwear bomber.
From the link: "In order to get through airport security, Abdulmutallab -- or, more precisely, whoever built the bomb -- had to construct a far less reliable bomb than he would have otherwise; he had to resort to a much more ineffective detonation mechanism. And, as we've learned, detonating PETN is actually very hard."
Admittedly, it's easier to count angels on the head of a pin than deterred terrorists, but the underwear bomber was truly foiled by airport security, and his failure surely adds to the deterrence power of airport security.
-
Re:Nonsense
your (sic) actually forced to accept the terms of activesync in order to set up sync
By reading this message you hereby give me legal permission to extract your liver.
would german law also object to the blackberry
*disclaimer, I'm a windows and exchange admin*
When they outlaw Windows and Exchange, only outlaws will admin Windows and Exchange.
-
Re:Great...now just one more issue....
Profiling works for the Israelis because they have about 1/70 the number of passengers as the US, and about 1/50th the number of major airports. Can you imagine having a detailed 15 minute conversation with each of the 250k passengers going through LAX on a busy day? If the two-minute "enhanced patdown" is going to slow things down, imagine what a 15 minute interview would do, and how many people you'd have to hire and train (something we have not been willing to do with the current TSA), and how much you'd have to expand the terminals just to keep the current throughput the same.
On the other hand, the additional cost of a ticket due to the additional highly trained personnel hired and construction would likely put air travel beyond the means of most of us, so we'd all be driving anyway.
See Bruce Schneier's blog on this subject.
-
Re:Deadlier than the terrorists
"... assuming that the radiation in a backscatter X-ray is about a hundredth the dose of a dental X-ray, we find that a backscatter X-ray increases the odds of dying from cancer by about 16 ten millionths of one percent. That suggests that for every billion passengers screened with backscatter radiation, about 16 will die from cancer as a result."
"Given that there will be 600 million airplane passengers per year, that makes the machines deadlier than the terrorists."
http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html
I'm no statistics genius but is his logic correct ? Scan of 1 person increases his risk with 16 ten mill%, so given a billion scans, 16 people WILL die ?
As far as I know my statistics, in this type every scan of a person is a singular event that doesn't have a relation with the next one (ie throw a coin for heads or tails, and the chance is still 50% no matter how many billion times you've thrown before) ?
Only if the same person is scanned a few million times he will die from cancer as a result ?
But scan a billion different persons and the chance for each of them to die of cancer has increased an (insignificant ?) amount ?
-
Deadlier than the terrorists
"... assuming that the radiation in a backscatter X-ray is about a hundredth the dose of a dental X-ray, we find that a backscatter X-ray increases the odds of dying from cancer by about 16 ten millionths of one percent. That suggests that for every billion passengers screened with backscatter radiation, about 16 will die from cancer as a result." "Given that there will be 600 million airplane passengers per year, that makes the machines deadlier than the terrorists." http://www.schneier.com/blog/archives/2010/11/tsa_backscatter.html
-
Re:What's sad/scary about this...
It doesn't give me a lot of confidence that the government could crack anything stronger than the ciphers encoded by a Capt'n Crunch decoder wheel...
It's because they don't have to. The spooks have backdoors in most algorithms, there's no need to crack anything when you can simply decode it because it was sent using an algorithm whose creators were strong-armed by you.
Some fun reading if you're the skeptical type: Here and here.
-
Re:is this what you're worried about?
"had improperly — perhaps illegally — saved [35,000] images [low resolution] of the scans of public servants and private citizens."
Ok, how many times were we told they did not save the images? Sorry, boardingarea.com, voa.com, Tim Bennett, Bruce Schneier, and others, but either you were a willing conspirator in lulling us into accepting this, or you were also lied to. Choose your side now, ok?
And we can stop believing DHS now, can't we? Lying weasels, all of them, even so many of the front-line worker weasels. Soon, airflight security will be so onerous that we will stop choosing to fly. Then the airlines will ask for relief. And there will be none.
-
Re:old school piracy.
What took them so long? The English version was leaked online before the book was released.
-
Controlled Interfaces
The U.S. Government fully understands the need for isolation and just how impossible it really is. There are niche companies out there that make systems that comply with specific DCID 6/3 requirements to make the system match a Protection Level. They use mandatory access control with Solaris 10 Containers, Trusted Solaris/Irix before that, and SELinux nowadays.
Here's their problem though. In order to be effective, an organisation must clearly know what must come in or out, network wise. It is difficult, technically speaking, and managing such an interface point is a speciality either run by expensive people or by cheap, clueless dimwits.
As Bruce Schneier has pointed out, liability laws need to be in place because the market will not apply the proper controls, if for nothing else, then for cost alone. Folks may complain about PCI or SOX compliance and how it doesn't really make things safer and I agree because it just forces compliance but doesn't make them want to be compliant. Companies that are able to equate vulnerability with a decrease in stock price will find themselves motivated to make it right. The fear of lawyers can be pretty good motivation to do the right thing.
Here's my recommendation. Provide an incentive for passing an inspection. Provide an incentive for the inspector. Then clearly set the rules of the competition. The incentives are not based upon a "failure to hijack," but upon an ability to control an intrusion. The inspector does not get incentive for penetration, he gets incentive for control after he's in. The integrators need to pride themselves in limiting the damage that can be done. If they keep the installation simple and easy to understand, then it's harder to find sneaky ways in.
Meanwhile, light one up and pass it over 'cause I'm not holding my breath.
-
Use bitlocker-FIPS
So isnt it cheaper to use an $8 USB stick, with software based FIPS140 via BitLocker?
Also "FIPS 140-2 Level 2 Certified USB Memory Stick Cracked"
http://www.schneier.com/blog/archives/2010/01/fips_140-2_leve.html
-
Re:Smart Move?
Some snake oil still gets through....
http://www.schneier.com/blog/archives/2010/01/fips_140-2_leve.html
I'm curious about the USB drives.
Are there no software encryption systems which are FIPS compliant?
or is this a case of requiring hardware which forces the user to encrypt properly rather than merely allowing them to encrypt properly.
-
Re:US doesn't know how to handle terrorism.
Bruce Schneier calls it CYA security ("Cover Your Ass" security).
-
Re:Next up...
1) That's the least-useful Wikipedia page I've ever seen. It doesn't even discuss proposed methodologies for implementing its subject - it just has an extremely short definition.
3) ... I'm curious to see how you're going to get the RFID chip to cough up enough information to verify that it knows the private key, without giving away enough information to allow key determination through heuristic analysis anyway. ..
Yes, the Wikipedia article is a bit short, hopefully someone will fix it. I highly recommend Applied Cryptography as a good starter that will cover the information you're looking for.
-
Re:Next up...
This already works by using a thin layer of gelatin on your fingers, and has been well documented for years.
-
Snakeoil
The language is either not Turing complete and then mostly useless for practical general computing, or it is Turing complete and then it provides no real security.
It might avoid some class of problems, but it will never free a programmer from having to clarify his/her intentions. Security is an abstraction-level free problem, meaning that it equally can be an issue at the x86_64 instruction set level and also at the level of high level contractual/social agreements that code has to handle.
As Bruce Schneier said long ago: Security is not a product; it's a process.
Security is also a tradeoff between a system being secure and usable. You can make things more secure by allowing a system to do less. I'm not saying that this new programming language is useless, but it all comes down to a careful description of the language. If the creators advocate it as a secure programming language that makes code written in it secure by default, then they are almost certainly wrong and will quickly become a laughingstock. On the other hand, if they market it as a language that avoids or makes it impossible to commit certain classes of security problems, as a language that pays attention to its core code for security issues and as a language that makes it clear security is a mindset, then I see it being useful.
-
Re:Only one real reason
Seems like a rational fear to have. I would cancel my flight immediately if I observed anyone getting on board that appeared to be of middle eastern origin.
No - fear is not rational. Fear is an irrational survival instinct. Acting on that fear is simply an indication that you are a poor judge of risk.
-
No password may be a feature not a bug
There is no way to know if the open wifi networks are open intentionally or not. Just ask Bruce Schneier. Saying they're "open to criminals" is biased, maybe "open to visitors" would be more appropriate. How come coffee shops and other businesses with open wifi aren't called out for letting criminals access the network?
-
Obligatory "common SSH passwords" chart.
Turns out that a lot of SSH passwords aren't very secure. Like, who is really surprised by that...
-
30% remember their passwords by writing them down
Also, regarding: "And 30 percent remember their passwords by writing them down and hiding them somewhere like a desk drawer."
I think writing down your password isn't that bad of a choice (especially for online passwords, not the one that logs you into your computer).
I'm not the only one who thinks that way: http://www.schneier.com/blog/archives/2005/06/write_down_your.html
-
Re:Bye Bye EBAY
Do you have any evidence of this?
Yes. You find evidence in countries who have similar blocking infrastructure for "think of the children" and other reasons; this article incl. comments lists some but not all countries. Note that on all blocking lists which became public, you could also find sites which do not strictly fall under the laws.
-
Schneier and Target
That's a great example of why some argue that the "secret questions" approach to "enhanced security" is actually less secure than just a password.
Bruce Schneier has written about this, twice. Yet Target.com insists on having credit card holders set five (!) secret questions.
-
Keypads are not secure in such cases.
On a keypad that is used to enter only a single combination, wear patterns can leak information. That's one advantage the ATM's keypad has over one on your personal card.
An advantage of entering the PIN on the card's keypad, on the other hand, is that it cannot be gleaned by a fake ATM machine.
-
To disserve and terrorize
cute face and non-threatening appearance negate the truth of his sinister, much darker side.
Number of actual children Pedobear has molested: 0.
Number of actual children "respectable" people with power have molested: Seemingly infinite.
Might want to focus on the proven danger there, Mr. Police Officer.
We have gone from a society of doers to a society of press-releasers. Welcome to the empire's fall, kids. Enjoy the bread and circuses.
Pedobear is and should be associated with the internet and pedophiles/sexually-preferential offenders who reportedly use him to communicate their interests in young children to each other.
I love that. The entire point of the document is to FEAR THE BEAR! but their evidence can be summed up as panic-panic-guy-over-there-seen-with-a-kid-REPORTEDLY-child-molester-panic-panic.
So one guy in a suit in public surrounded by cameras watching his every move = advanced agent for the Pedophile Illuminati? I can see some cop sitting inside HQ and cuddling his gun, gibbering "First the queers ruined rainbows and now the baby-rapers are ruining teddy bears!"
And if I was part of some secret and highly illegal group that needed a way of identifying members I don't think I would use the one thing in the entire universe that people associate with the illegal activity in question.
may be an indicator of the presence of individuals who have a predilection to sexually inappropriate, or even assaultive behavior
Translation: We will use it as a justification to kick down your door, terrorize your family, and shoot your dog in the middle of the night. Saves us having to make up an "anonymous tip" and finds you guilty in the eyes of the potential jury pool all at once!
"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four." - Bruce Schneier.
-
Re:iPhone secret screenshots?
It doesn't specifically call out the iPhone model so it may not apply to the newer ones with hardware encryption unless the book's been updated since 2008.
If the key is stored on the same device as the encrypted data, the encryption is a particularly funny instance of security through obscurity.
The only other options are to have the user memorise a key, which will practically inevitably be far too short, use some kind of separate authentication device, or have the user memorise a password that is used to retrieve the key from some kind of authentication server (which could make a shorter password safer by limiting attempts). However, my money is on the key being stored on the device.
/me googles it
Heh.
(This reminds me of this photo, which I found on Bruce Schneier's blog.)
-
How free&happy&healthy is capitalist Europ
At least everyone in Cuba has access to medical care.
http://www.hr676.org/
On your points:
"Go to work,"
http://www.whywork.org/rethinking/whywork/abolition.html
http://www.basicincome.org/bien/aboutbasicincome.html
"send your kids to school."
http://www.newciv.org/whole/schoolteacher.txt
http://www.johntaylorgatto.com/chapters/16a.htm
http://www.holtgws.com/
"Follow fashion,"
http://en.wikipedia.org/wiki/Anti-consumerism
http://www.alternativeratreatments.com/eat-to-live.html
"act normal."
http://www.schneier.com/blog/archives/2007/11/the_war_on_the.html
http://www.lexrex.com/enlightened/articles/warisaracket.htm
"Walk on the pavements,"
http://www.bluezones.com/makeover-about (shows how unusual that is)
"watch T.V."
http://www.turnoffyourtv.com/
http://www.tvturnoff.org/
http://www.vitamindcouncil.org/treatment.shtml
"Save for your old age,"
http://knol.google.com/k/paul-d-fernhout/beyond-a-jobless-recovery
http://cluborlov.blogspot.com/2009/02/social-collapse-best-practices.html
"obey the law."
http://www.conceptualguerilla.com/?q=node/402
http://www.conceptualguerilla.com/?q=node/47
http://en.wikipedia.org/wiki/Incarceration_in_the_United_States
http://en.wikipedia.org/wiki/Jury_nullification
"Repeat after me: I am free."
http://www.amctv.com/videos/the-prisoner-1960s-video/
http://www.chomsky.info/articles/199710--.htm
Any more?
:-)
-
Re:easily defeated, only if you disable the vector
You can be sure as shit that the Chinese PLA isn't using Windows and when the cyberwar comes the Chinese are going to have a HUGE advantage because they aren't saddled with such a primitive OS.
China already has their own military operating system, Kylin. As far as anyone can tell, it's just BSD with some mods.
Another major factor you are missing is that the DoD has billions of dollars in specialized software that was designed for Windows, business practices are built around Windows, employees are trained on Windows, etc. It is not a simple matter of switching to *nix, *BSD, or whatever else when you have several hundred thousand employees who know nothing else. Look at the fact that the average age of federal workers is somewhere in the 50s [citation required]. Now think of your parents complaining about how they need a bigger hard drive because they are low on memory. Multiply that by about 300000 and you now have the headache of changing over a single service to a new OS. Multiply by 4, and you have the pain of doing that to all the services.
-
Re:I don't know about it not being needed
My confusion came from believing I linked to this:
http://www.schneier.com/essay-198.html, as a second example, that is not DES at all.
-
Schneier's Movie-Plot Threat Contest
It's been done.
Schneier on Security
A blog covering security and security technology.
April 1, 2006
Announcing: Movie-Plot Threat Contest
For a while now, I have been writing about our penchant for "movie-plot threats": terrorist fears based on very specific attack scenarios. Terrorists with crop dusters, terrorists exploding baby carriages in subways, terrorists filling school buses with explosives -- these are all movie-plot threats. They're good for scaring people, but it's just silly to build national security policy around them.
But if we're going to worry about unlikely attacks, why can't they be exciting and innovative ones? If Americans are going to be scared, shouldn't they be scared of things that are really scary? "Blowing up the Super Bowl" is a movie plot to be sure, but it's not a very good movie. Let's kick this up a notch.
It is in this spirit I announce the (possibly First) Movie-Plot Threat Contest. Entrants are invited to submit the most unlikely, yet still plausible, terrorist attack scenarios they can come up with.
Your goal: cause terror. Make the American people notice. Inflict lasting damage on the U.S. economy. Change the political landscape, or the culture. The more grandiose the goal, the better.
Assume an attacker profile on the order of 9/11: 20 to 30 unskilled people, and about $500,000 with which to buy skills, equipment, etc.
http://www.schneier.com/blog/archives/2006/04/announcing_movi.html
http://www.schneier.com/blog/archives/2006/06/movieplot_threa_1.html