Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Stories · 175
-
The Guardian and the Wikileaks Encryption Key
rtfa-troll writes "Bruce Schneier has a good article explaining how the Guardian released the encryption key for the WikiLeaks cables and destroyed the main protection against the release of informers' personal information. The comments in Schneier's blog fill in details of how exactly WikiLeaks' secondary file security protections were also bypassed. Now the Guardian has an article that Assange risks arrest by Australia over the latest leaks, which include information about an Australian intelligence officer. They even say, 'We deplore the decision of WikiLeaks to publish the unredacted state department cables, which may put sources at risk,' and go on to state that 'The decision to publish by Julian Assange was his, and his alone,' something which seems clearly debunked in the analysis on Schneier's blog." -
New Research Cracks AES Keys 3-5x Faster
Landing his first accepted submission, qpgmr writes "AES, generally thought to be the gold standard for encryption, is showing weaknesses. From Computerworld: 'Researchers from Microsoft and the [Belgian] Katholieke Universiteit Leuven have discovered a way to break the widely used Advanced Encryption Standard, the encryption algorithm used to secure most all online transactions and wireless communications.'" The full paper has lots of details. Note that it would still take a few billion years with current computers to actually break anything, but there may be further vulnerabilities yet to be discovered. -
Airline Pilots Allowed To Dodge Security Screening
OverTheGeicoE writes "Wired has a story about TSA's known crewmember program, which allows airline pilots to bypass traditional airport security on their way to the cockpit. Pilots will be verified using a system known as CrewPASS that relies on uniforms, identity cards, fingerprints, and possibly other biometrics to authenticate flight deck crews. Once they are authenticated, they can enter secure areas in airports without any further screening. Participation at present is voluntary, and applies at Baltimore/Washington (BWI), Pittsburgh (PIT), Columbia (CAE) and now Chicago O'Hare (ORD) airports. TSA is hoping to expand the program nationally. Bruce Schneier thinks this program is 'a really bad idea.' Pilots are already avoiding scanners and patdowns at security checkpoints (video). Is the new program just a way for TSA to hide this fact from the flying public?" -
Yet Another "People Plug In Strange USB Sticks" Story
Bruce Schneier's blog has a bit about a subject that gets my blood boiling too. He says "I'm really getting tired of stories like this: Computer disks and USB sticks were dropped in parking lots of government buildings and private contractors, and 60% of the people who picked them up plugged the devices into office computers... People get USB sticks all the time. The problem isn't that people are idiots... The problem is that the OS trusts random USB sticks." -
Explaining The Business of Spam
ATMAvatar writes "The IEEE Symposium on Security and Privacy hosted in Oakland nearly three weeks ago featured a study on the economics of spam. It attempts to identify and analyze the chain of businesses behind spam and the products that are featured. The goal was to take a more comprehensive look at the mechanics behind the industry in an attempt to identify better, alternative means to combat spam." -
DoD Paper Proposes National Security Through a Culture of Restraint (and Stigma)
decora writes "An SAIC analyst has written a paper [PDF] calling for the 'stigmatization' of the 'unattractive' types who tend to discuss government secrets in public. The plan, described in the Naval Postgraduate School Homeland Security Affairs journal, is to promote self-censorship as a 'civic duty'. Who needs to censor themselves? Amateur enthusiasts who describe satellite orbits, scientists who describe threats to the food supply, graduate students mapping the internet, the Government Accountability Office, which publishes failure reports on the TSA, the US Geologic Survey, which publishes surface water information, newspapers (the New York Times), TV shows, journalism websites, anti-secrecy websites, and even security author Bruce Schneier, to name a few." -
New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier
From the article: "SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier." What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret, at least in part due to pressure from the Department of Homeland Security. -
Fingerprint Scanner That Works From 6 Feet
Bruce Schneier found a somewhat older story that I haven't seen before about a device that is smaller than a tissue box, but uses two 1.3 megapixel cameras and a polarized light source to scan a fingerprint from two meters away. -
Involuntary Geolocation To Within One Kilometer
Schneier's blog tips an article about research into geolocation that can track down a computer's location from its IP address to within 690 meters on average without voluntary disclosure from the target. Quoting: "The first stage measures the time it takes to send a data packet to the target and converts it into a distance – a common geolocation technique that narrows the target's possible location to a radius of around 200 kilometers. Wang and colleagues then send data packets to the known Google Maps landmark servers in this large area to find which routers they pass through. When a landmark machine and the target computer have shared a router, the researchers can compare how long a packet takes to reach each machine from the router; converted into an estimate of distance, this time difference narrows the search down further. 'We shrink the size of the area where the target potentially is,' explains Wang. Finally, they repeat the landmark search at this more fine-grained level: comparing delay times once more, they establish which landmark server is closest to the target." -
Convicted Terrorist Relied On Single-Letter Cipher
Hugh Pickens writes "The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar Al Anlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'" -
Can We Fix Federated Authentication?
Bruce Schneier writes in his blog of a "New paper by Ross Anderson: 'Can We Fix the Security Economics of Federated Authentication?': There has been much academic discussion of federated authentication, and quite some political maneuvering about 'e-ID.' The grand vision, which has been around for years in various forms but was recently articulated in the US National Strategy for Trustworthy Identities in Cyberspace (NSTIC)." -
Threats vs. Vulnerabilities
Schneier's blog links to a short paper on the difference between threats and vulnerabilities. It's a little heavy for this early in the morning, but it might be worth your time. -
The Seven Types of Hackers
Bruce Schneier's blog links to a nifty article listing the seven types of malicious hackers. The list is: Cyber criminals; Spammers and adware spreaders; Advanced persistent threat (APT) agents; Corporate spies; Hacktivists; Cyber warriors; and Rogue hackers. -
Recording the Police
Bruce Schneier says "I've written a lot on the 'War on Photography,' where normal people are harassed as potential terrorists for taking pictures of things in public. This article is different; it's about recording the police: Allison's predicament is an extreme example of a growing and disturbing trend. As citizens increase their scrutiny of law enforcement officials through technologies such as cell phones..." -
Causing Terror On the Cheap
jhigh writes "Bruce Schneier posts on his blog today about the value of terror with respect to cost-benefit for the terrorists. If you look at terror attacks in terms of what they cost the terrorists to implement, compared with what they cost the economy of the nation that was hit, the reward for terrorists is astronomical. Add in the insane costs of the security measures implemented afterward, particularly in America, and it's easy to see why the terrorists do what they do. Even when they're unsuccessful, they cost us billions in security countermeasures." -
Bruce Schneier vs. the TSA
An anonymous reader writes "Bruce Schneier has posted a huge recap of the controversy over TSA body scanners, including more information about the lawsuit he joined to ban them. There's too much news to summarize, but it covers everything from Penn Jillette's and Dave Barry's grope stories, to Israeli experts who say this isn't needed and hasn't ever stopped a bomb, to the three-year-old girl who was traumatized by being groped and much, much more." Another reader passed along a related article, which says, "Congressman Ron Paul lashed out at the TSA yesterday and introduced a bill aimed at stopping federal abuse of passengers. Paul’s proposed legislation would pave the way for TSA employees to be sued for feeling up Americans and putting them through unsafe naked body scanners." -
How Often Should You Change Your Password?
jhigh writes "Bruce Schneier asks the question, how often should you change your password? 'The primary reason to give an authentication credential — not just a password, but any authentication credential — an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless.' Another reason could be to limit the amount of time an attacker has to crack the password, but Bruce's analysis seems on target." -
TSA Bans Toner and Ink Cartridges On Planes
Grond writes "The US has banned toner and ink cartridges from passenger aircraft in the wake of last month's bomb plot. 'The printer cartridge ban affects cartridges over 16 ounces.' No word yet on whether that's a weight or volume measurement or whether it's a per-cartridge or per-passenger limit." The ban comes alongside a prohibition on air cargo originating from Yemen and Somalia. Bruce Schneier's blog points out another potential consequence from the recent bomb plot: the end of in-flight Wi-Fi. -
Careful What You Post, the FBI Has More of These
jamie writes "A comment posted to a website got its author's *friend's* car an unwanted aftermarket addon. The Orion Guardian ST820, a GPS tracking device, was attached to the underside of the car by the FBI. No warrant required. The bugged friend, a college student studying marketing, was apparently under suspicion because he's half-Egyptian. As Bruce Schneier says, 'If they're doing this to someone so tangentially connected to a vaguely bothersome post on an obscure blog, just how many of us have tracking devices on our cars right now ...' The ACLU is investigating." This follows up on our earlier mention of the same student, who turned the tracking device over to the FBI. -
Analyzing CAPTCHAs
Bruce Schneier's blog pointed me to a research paper on "Attacks and Design of Image Recognition CAPTCHAs" (PDF). The abstract says, "We systematically study the design of image recognition CAPTCHAs (IRCs) in this paper. We first review and examine all IRCs schemes known to us and evaluate each scheme against the practical requirements in CAPTCHA applications, particularly in large-scale real-life applications such as Gmail and Hotmail." -
Skeletal Identification
Bruce Schneier noted a story today over at his blog about a new Skeletal Identification System being developed at Wright State. Of course this is just another biometric detection system, but one that would be pretty tough to disguise. -
Schneier's Revised Taxonomy of Social Data
Jamie noted that over at Schneier's blog, he has a worthwhile entry on the data in the social networks. He writes "Lately I've been reading about user security and privacy — control, really — on social networking sites. The issues are hard and the solutions harder, but I'm seeing a lot of confusion in even forming the questions. Social networking sites deal with several different types of user data, and it's essential to separate them." -
NSA and the National Cryptologic Museum
Schneier writes "Most people might not be aware of it, but there's a National Cryptologic Museum at Ft. Meade, at NSA Headquarters. It's hard to know its exact relationship with the NSA. Is it part of the NSA, or is it a separate organization? Can the NSA reclassify things in its archives?" There's some interesting stuff in the comments about the building's reason for existence (window views a nearby NSA building?) and some stuff they have (an Enigma machine!). -
Colleges Stepping Up Anti-Cheating Technology
Bruce Schneier's blog highlights a New York Times piece on high-tech methods for detecting student cheating. Schneier notes, "The measures used to prevent cheating during tests remind me of casino security measures." "No gum is allowed during an exam: chewing could disguise a student's speaking into a hands-free cellphone to an accomplice outside. The 228 computers that students use are recessed into desk tops so that anyone trying to photograph the screen — using, say, a pen with a hidden camera, in order to help a friend who will take the test later — is easy to spot. Scratch paper is allowed — but it is stamped with the date and must be turned in later. When a proctor sees something suspicious, he records the student's real-time work at the computer and directs an overhead camera to zoom in, and both sets of images are burned onto a CD for evidence." The Times article quotes from research published a few months back suggesting that the more you copy homework, the lower your grades. -
9/11 Made Us Safer, Says Bruce Schneier
richi writes "Security guru and BT CTO Bruce Schneier discusses terrorist attacks. In fact, Bruce seems to be saying that 9/11 actually made us safer from terrorists, which seems like a curious argument. While Bruce's blog post is interesting and no doubt insightful, I'm not sure I really buy it. And what's the deal with the new rules for searching the TSA No Fly List? Why is it, in 2010, we're still mucking about with publishing database extracts and waiting hours for them to be searched? How about checking within seconds of an update? Couldn't someone volunteer to show them how to implement a reliable, scalable, NoSQL setup? Instead, the TSA plan to fix this is a classic 'big government' solution." -
Punishing Security Breaches
Schneier has a story on his blog this morning about punishing security breaches. This one is in response to the tale of Gray Powell, the Apple engineer who left an important bit of technology in a bar recently. You might have heard of it. You also might have been on either the breacher or the corporate side. I'd hate to be in either position myself. -
Life Recorder
Bruce Schneier writes "In 2006, writing about future threats on privacy, I described a life recorder: A 'life recorder' you can wear on your lapel that constantly records is still a few generations off: 200 gigabytes/year for audio and 700 gigabytes/year for video. It'll be sold as a security device, so that no one can attack you without being recorded." -
Hollow Spy Coins
Bruce Schneier's blog links to a few sources for hollow spy coins, one being BoingBoing's Bazaar — where a nickel that can hold a microSD card costs $27. Another is Slashdot's sister company ThinkGeek, where you can get hollow quarters and half-dollars in the low 20s. As if corporate and government security geeks didn't have enough to worry about. -
US Inadvertently Enabled Chinese Google Hackers
Phrogman writes "In this CNN article by Bruce Schneier, he states that the US Government inadvertently enabled Chinese hackers access to Google's Gmail. The article states 'Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated — we knew that already — it's that the US government inadvertently aided the hackers.'" Update: 02/22 20:26 GMT by S : As readers have noted, Schneier said not long after he wrote this article that he no longer thinks this is what happened. -
Facebook Master Password Was "Chuck Norris"
I Don't Believe in Imaginary Property writes "A Facebook employee has given a tell-all interview with some very interesting things about Facebook's internals. Especially interesting are all the things relating to Facebook privacy. Basically, you don't have any. Nearly everything you've ever done on the site is recorded into a database. While they fire employees for snooping, more than a few have done it. There's an internal system to let them log into anyone's profile, though they have to be able to defend their reason for doing so. And they used to have a master password that could log into any Facebook profile: 'Chuck Norris.' Bruce Schneier might be jealous of that one." -
Of Encrypted Hard Drives and "Evil Maids"
Schneier has a blog piece about Joanna Rutkowska's "evil maid" attack, demonstrated earlier this month against TrueCrypt. "The same kind of attack should work against any whole-disk encryption, including PGP Disk and BitLocker. ... [A] likely scenario is that you leave your encrypted computer in your hotel room when you go out to dinner, and the maid sneaks in and installs the hacked bootloader. ... [P]eople who encrypt their hard drives, or partitions on their hard drives, have to realize that the encryption gives them less protection than they probably believe. It protects against someone confiscating or stealing their computer and then trying to get at the data. It does not protect against an attacker who has access to your computer over a period of time during which you use it, too." -
Terrorists Convicted With Help of NSA E-mail Intercepts
A Schneier blog post notes that three would-be bombers were recently convicted in the UK thanks in large part to e-mail communication that was intercepted by the US National Security Agency. This was the second time the men had faced criminal charges; in the first trial, the prosecution was unable to make part of their case because they didn't yet have the e-mail evidence. "Although British prosecutors were eager to use the e-mails in their second trial against the three plotters, British courts prohibit the use of evidence obtained through interception. So last January, a US court issued warrants directly to Yahoo to hand over the same correspondence." The BBC posted a number of e-mails used as evidence in the trial. The communication is coded, and some of it looks like what you might find in your spam folder, but the article also provides the prosecution's explanation of what they mean. -
How Many Bits Does It Take To Kill You?
pegr writes "Andrew 'bunnie' Huang, Reverse Engineer, XBox hacker, and generally smart guy, muses over the H1N1/swine flu virus as only a reverse engineer can: 'I now know how to modify the virus sequence to probably make it more deadly.' Not that he would, of course. bunnie has consistently made the esoteric available to us mere mortals, and his overview of the H1N1 virus is a fascinating read from a unique perspective." (Seen today also at the top of Schneier on Security.) -
Another New AES Attack
Jeremy A. Hansen writes "Bruce Schneier gives us an update on some ongoing cryptanalysis of AES. 'Over the past couple of months, there have been two new cryptanalysis papers on AES. The attacks presented in the paper are not practical — they're far too complex, they're related-key attacks, and they're against larger-key versions and not the 128-bit version that most implementations use — but they are impressive pieces of work all the same. This new attack, by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich, and Adi Shamir, is much more devastating. It is a completely practical attack against ten-round AES-256.' While ten-round AES-256 is not actually used anywhere, Schneier goes on to explain why this shakes some of the cryptology community's assumptions about the security margins of AES." -
Facebook Violates Canadian Privacy Law
Myriad and a number of other readers passed along the news that the Canadian Privacy Commissioner has made a determination that Facebook violates Canadian privacy law in four different respects. Canada has the highest per-capita Facebook participation in the world — about a third of the population — according to coverage in The Star. The EU is also expressing similar privacy concerns, though Canada's action "represents the most exhaustive official investigation of Facebook privacy practices anywhere in the world," says Michael Geist. The CBC's coverage spells out the areas of privacy concern, in particular that nearly a million developers of Facebook apps in 180 countries have full access to the entirety of users' private data. Also of concern: Facebook holds on to your data indefinitely after you quit the site. The BBC notes that Facebook is working with the privacy commission to resolve the issues, and quotes a Facebook spokesman thus: "Overall, we are looking for practical solutions that operate at scale and respect the fact that people come to share and not to hide." (Schneier recently blogged about research on "privacy salience," and cited Facebook's practices among others' as practical examples of how social networking sites have learned not to push the privacy issue in users' faces.) -
Strong Passwords Not As Good As You Think
Jamie noticed that Bruce Schneier wrote a piece on a paper on strong passwords that tells us that the old 'strong password' advice that many of us (myself included) regard as gospel might not be as true as we had hoped. They make things hard on users, but are useless against phishing and keyloggers. Everyone can change their password back to 'trustno1' now. -
New AES Attack Documented
avxo writes "Bruce Schneier covers a new cryptanalytic related-key attack on AES that is better than brute force with a complexity of 2^119. According to an e-mail by the authors: 'We also expect that a careful analysis may reduce the complexities. As a preliminary result, we think that the complexity of the attack on AES-256 can be lowered from 2^119 to about 2^110.5 data and time. We believe that these results may shed a new light on the design of the key-schedules of block ciphers, but they pose no immediate threat for the real world applications that use AES.'" -
The "Hidden" Cost Of Privacy
Schneier points out an article from a while back in Forbes about the "hidden" cost of privacy and how expensive it can be to comply with all the various overlapping privacy laws that don't necessarily improve anyone's privacy. "What this all means is that protecting individual privacy remains an externality for many companies, and that basic market dynamics won't work to solve the problem. Because the efficient market solution won't work, we're left with inefficient regulatory solutions. So now the question becomes: how do we make regulation as efficient as possible?" -
Study Shows "Secret Questions" Are Too Easily Guessed
wjousts writes "Several high-profile break-ins have resulted from hackers guessing the answers to secret questions (the hijacking of Sarah Palin's Yahoo account was one). This week, research from Microsoft and Carnegie Mellon University, presented at the IEEE Symposium on Security and Privacy, will show how woefully insecure secret questions actually are. As reported in Technology Review: 'In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.'" Schneier pointed out years ago how weird it is to have a password-recovery mechanism that is less secure than the password. -
Court Orders Breathalyzer Code Opened, Reveals Mess
Death Metal writes with an excerpt from the website of defense attorney Evan Levow: "After two years of attempting to get the computer based source code for the Alcotest 7110 MKIII-C, defense counsel in State v. Chun were successful in obtaining the code, and had it analyzed by Base One Technologies, Inc. By making itself a party to the litigation after the oral arguments in April, Draeger subjected itself to the Supreme Court's directive that Draeger ultimately provide the source code to the defendants' software analysis house, Base One. ... Draeger reviewed the code, as well, through its software house, SysTest Labs, which agreed with Base One, that the patchwork code that makes up the 7110 is not written well, nor is it written to any defined coding standard. SysTest said, 'The Alcotest NJ3.11 source code appears to have evolved over numerous transitions and versioning, which is responsible for cyclomatic complexity.'" Bruce Schneier comments on the same report and neatly summarizes the take-away lesson: "'You can't look at our code because we don't want you to' simply isn't good enough." -
Cybersquatting and Social Media
Earthquake Retrofit writes "Brian Krebs has a story about cybersquatting on social networking sites. He cites cases of people being impersonated and reports: 'A site called knowem.com allows you to see whether your name or whatever nickname you favor is already registered at any of some 120 social networking sites on the Web today. For a $64.95 fee, the site will register all available accounts on your behalf, a manual process that it says takes one to five business days. Whether anyone could possibly use and maintain 120 different social networking accounts is beyond my imagination. I would think an automated signup service like knowem.com would be far more useful if there was also a service that people could use to simultaneously update all of these sites with the same or slightly different content.' Is it time to saddle up for a new round of Internet land grabs?" A Schneier blog post earlier this month pointed out a related story about how not establishing yourself on social sites, combined with the frequent lack of validation for friend requests, can provide identity thieves with a tempting target. -
China Denies Role In US Grid Hacks
Slatterz writes "The Chinese government is denying any involvement in the reported infiltration of US electric grid systems. Xinhua news agency quoted Chinese foreign ministry spokesperson Jiang Yu as saying that any sort of involvement from China in the incident 'doesn't exist at all.' The denial follows a report in the Wall Street Journal which claimed that agents from China and Russia along with several other countries had infiltrated the computer systems charged with managing electricity in the US and left behind software payloads which could be used to control or disable electric grids in the US." Bruce Schneier is skeptical about the whole story. -
Calif. Politician Thinks Blurred Online Maps Would Deter Terrorists
Hugh Pickens writes "California Assemblyman Joel Anderson plans to introduce a bill to force Google Earth and similar services to blur images of so-called 'soft targets' like schools, hospitals, churches and government buildings to protect them from terrorists. 'All I'm trying to do is stop terrorists,' said Anderson. 'I don't want California to be helping map out future targets for terrorists.' Concerns that detailed satellite imagery and photographs available on Web services could help terrorists plan attacks are not new, with reports that terrorists have used such imagery to carry out attacks in Iraq and Israel, and an Indian court is considering a ban on Google Earth following reports that its imagery played a part in the Mumbai terrorist attacks." "Security expert Bruce Schneier recently wondered what other things legislators might consider banning to prevent terrorism: 'Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. I haven't seen it talked about yet, but the Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water and breathed the air,' wrote Schneier. 'Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are — by and large — small and pedestrian and the bad uses are rare and spectacular.'" -
Privacy In the Age of Persistence
Bruce Schneier recently wrote another essay on privacy for the BBC concentrating on how data seems to be the "pollution of the information age" and where this seems to be leading. "We're not going to stop the march of technology, just as we cannot un-invent the automobile or the coal furnace. We spent the industrial age relying on fossil fuels that polluted our air and transformed our climate. Now we are working to address the consequences. (While still using said fossil fuels, of course.) This time around, maybe we can be a little more proactive. Just as we look back at the beginning of the previous century and shake our heads at how people could ignore the pollution they caused, future generations will look back at us — living in the early decades of the information age — and judge our solutions to the proliferation of data." -
Fewer Than 1% Arrested From TSA's "Behavior Detection"
An anonymous reader writes "Fewer than 1% of airline passengers singled out at airports using the much vaunted 'suspicious behavior detection' techniques are arrested, Transportation Security Administration figures show. The TSA program, launched in early 2006, looks for terrorists using a controversial surveillance method based on behavior detection and has led to more than 160,000 people in airports receiving scrutiny, such as a pat-down search or a brief interview. It has resulted in only 1,266 arrests, often on charges of carrying drugs or fake IDs, the TSA said. The TSA has not publicly said whether it has caught a terrorist through the program." In related news, the odds of sanity coming to the TSA plummeted today when Schneier said he's not interested in the top job there. -
Now From Bruce Schneier, the Skein Hash Function
An anonymous reader writes "Bruce Schneier and company have created a new hash function called Skein. From his blog entry: 'NIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper.'" -