Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
against TrueCrypt
Bruce Schneier and gang aren't impressed by TrueCrypt's product.
Also gotta look at this from a risk point of view - and as previously mentioned don't forget those border guards in the US!
-
Re:Frankly...
Actually, the more I talk to people about it, the less I find people actually say that. In fact, most people that I talk to seem to be of the opinion that they agree that this stuff is silly security theater. They agree that it's overkill.
However, everyone that I talk to seems resigned to believing that the masses are stupid, and the theater seems to mean so much to everyone else (everyone except them and me of course) that we are essentially stuck with the current situation, and there is little point in complaining about it.
Funny, but I can't help but think that that attitude and people actually believing that this makes people reasonably safer have the same effect. I have really yet to meet anyone who really believes all the hype.
Maybe it's just the people that I actually associate with? I won't deny that the people I socialize with might not be a representative sample of people who travel via air in the US.
Also, Schneier has written a few great articles on how people evaluate risk in Cryptogram a few months back. here: http://www.schneier.com/blog/archives/2006/11/perceived_risk_2.html
-Steve
-
Re:One Question
It's good that it makes you "feel" better, but I don't think it does much to add any security. It's trivially easy for the MITM to forward your login ID to your bank, pick up the picture they showed you, and forward the picture to you, so that you think you are actually on your bank's site. You might want to read about Bruce Schneier and his open wireless network. Assuming you have security when you really don't is more dangerous than knowing you are insecure in the first place.
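The relay the comment above describes, played out in code. This is an added illustration, not code from the original page or from any bank: the bank, the phishing relay, the login ID "alice", the image name and the password are all toy objects and constructed data, so the exchange runs offline. The point it shows is that the bank hands out the image to anyone who presents a login ID, so the relay can fetch the genuine image and the victim's check passes.

```python
"""Why a server-chosen 'security image' does not stop a man-in-the-middle.

Added illustration; the bank, relay and victim are toy objects with made-up
names and data, constructed here so the exchange can run offline.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Bank:
    """Toy bank: shows the user's chosen image after the login ID, then asks for the password."""
    images: dict = field(default_factory=dict)      # login_id -> image chosen at enrollment
    passwords: dict = field(default_factory=dict)   # login_id -> password (plaintext only because it's a toy)
    sessions: dict = field(default_factory=dict)    # session token -> login_id

    def step1_login_id(self, login_id: str) -> dict:
        # Step 1: client sends the login ID, server replies with the security image.
        # No secret is needed to ask, so anyone who knows the login ID gets the image.
        token = secrets.token_hex(8)
        self.sessions[token] = login_id
        return {"session": token, "image": self.images[login_id]}

    def step2_password(self, session: str, password: str) -> bool:
        login_id = self.sessions.pop(session)
        return secrets.compare_digest(password, self.passwords[login_id])


class PhishingRelay:
    """Hypothetical MITM site: forwards each message to the real bank and relays the reply."""
    def __init__(self, real_bank: Bank):
        self.bank = real_bank
        self.captured = []          # (login_id, password) pairs harvested
        self._session = None
        self._login_id = None

    def step1_login_id(self, login_id: str) -> dict:
        reply = self.bank.step1_login_id(login_id)    # fetch the genuine image from the real bank
        self._session, self._login_id = reply["session"], login_id
        return {"session": "relay-" + reply["session"], "image": reply["image"]}

    def step2_password(self, session: str, password: str) -> bool:
        self.captured.append((self._login_id, password))            # harvest first
        return self.bank.step2_password(self._session, password)   # then log in for real, so nothing looks wrong


def victim_logs_in(site, login_id: str, password: str, expected_image: str) -> bool:
    """The user's rule: only type the password after seeing MY image."""
    reply = site.step1_login_id(login_id)
    if reply["image"] != expected_image:
        return False                      # the check the whole scheme relies on
    return site.step2_password(reply["session"], password)


def run_demo():
    """Constructed scenario: Alice logs in through the relay instead of the real bank."""
    bank = Bank(images={"alice": "img:red-barn"}, passwords={"alice": "hunter2"})
    relay = PhishingRelay(bank)
    ok = victim_logs_in(relay, "alice", "hunter2", expected_image="img:red-barn")
    return ok, relay.captured


if __name__ == "__main__":
    ok, captured = run_demo()
    print("victim saw her image and logged in:", ok)
    print("relay captured:", captured)
```

The image only helps if the relay cannot obtain it, which means binding it to something the relay does not hold (a secret stored on the user's device, or the TLS session itself) rather than to the login ID alone.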
-
Re:four clicks
In four mouse clicks I've added that site to my exceptions list. It warned me, I read and understood the warning, I acted.
Good for you, but people like you - and me and the rest of the people here - aren't "normal". Grandma won't know what the hell to do (besides call you). She might even think "those evil hackers" "got her".
Self-signed certs are a potential problem, but Firefox could have worked out a better way of handling it. A more novice-friendly way.
Basically, we need Bruce Schneier and Jakob Nielsen to marry and have children. We'd better contact Dr. Moreau to work out the breeding program.
:)
-
Re:no encryption that YOU didn't write is safe
Several kinds of encryption have been inspected for years by some of the brightest minds in the field. Are you claiming that they are somehow vulnerable as well?
From the Bruce Schneier article, The Legacy of DES:
So, how good is the NSA at cryptography? They're certainly better than the academic world. They have more mathematicians working on the problems, they've been working on them longer, and they have access to everything published in the academic world, while they don't have to make their own results public. But are they a year ahead of the state of the art? Five years? A decade? No one knows.
It took the academic community two decades to figure out that the NSA "tweaks" actually improved the security of DES. This means that back in the '70s, the National Security Agency was two decades ahead of the state of the art.
The article also states that the mentioned tweaks to the DES (NSA basically called up and said, "Your algorithm is wrong. Do this, I'm not saying why, and you can't say I called. Cheers.") pioneered the entire field of cryptanalysis, so the gap may very well have narrowed, but for the sake of being paranoid, I'd rather stick with believing that the US government can read what I write.
Want to be safe? Burn up a stack of DVDs with atmospheric static, and use those as one-time pads. They may be able to break RSA, but they are not above the laws of mathematics.
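A one-time pad built the way the comment above suggests, as an added example that is not part of the original post. os.urandom stands in for the commenter's DVD of recorded static (real static would need its entropy measured and whitened before use, which this example does not do); the pad layout, a flat byte stream plus an offset counter, is this example's own convention. The second half shows the one fatal mistake: reusing a pad segment cancels the pad out of c1 XOR c2 and leaks the plaintexts.

```python
"""One-time pad from a local random source, and what goes wrong if pad bytes are reused.

Added example; os.urandom stands in for a DVD of recorded static, and the
pad-plus-offset layout is this example's own convention.
"""
import os


def make_pad(n_bytes: int) -> bytes:
    """Pad material. Must come from a physically random source and be shared out of band."""
    return os.urandom(n_bytes)


class PadReader:
    """Consumes pad bytes exactly once. Both parties keep their offsets in sync."""
    def __init__(self, pad: bytes, offset: int = 0):
        self.pad, self.offset = pad, offset

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self.pad):
            raise ValueError("pad exhausted: make a new pad, never wrap around")
        seg = self.pad[self.offset:self.offset + n]
        self.offset += n          # burn the bytes; reuse is the one fatal mistake
        return seg


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(reader: PadReader, plaintext: bytes) -> tuple:
    """Returns (offset, ciphertext); the offset travels in clear so the receiver picks the same pad bytes."""
    start = reader.offset
    return start, xor(plaintext, reader.take(len(plaintext)))


def decrypt(pad: bytes, offset: int, ciphertext: bytes) -> bytes:
    return xor(ciphertext, pad[offset:offset + len(ciphertext)])


def two_time_pad_leak(pad_segment: bytes, p1: bytes, p2: bytes) -> tuple:
    """Same pad bytes used twice: c1 XOR c2 == p1 XOR p2, so a known p1 reveals p2."""
    c1, c2 = xor(p1, pad_segment), xor(p2, pad_segment)
    leaked = xor(c1, c2)            # the pad cancels; this is p1 XOR p2
    recovered_p2 = xor(leaked, p1)  # an attacker who knows p1 (a fixed header, say) gets p2
    return leaked, recovered_p2


def demo() -> tuple:
    """Constructed run: correct use roundtrips, pad reuse leaks. Returns three booleans."""
    pad = make_pad(64)
    alice = PadReader(pad)                      # Bob holds an identical copy of `pad`
    off1, c1 = encrypt(alice, b"attack at dawn")
    off2, c2 = encrypt(alice, b"retreat now")
    correct_use = (decrypt(pad, off1, c1) == b"attack at dawn"
                   and decrypt(pad, off2, c2) == b"retreat now"
                   and off2 == off1 + len(b"attack at dawn"))
    seg = pad[:14]
    leaked, rec = two_time_pad_leak(seg, b"attack at dawn", b"attack at dusk")
    return (correct_use,
            leaked == xor(b"attack at dawn", b"attack at dusk"),
            rec == b"attack at dusk")


if __name__ == "__main__":
    print(demo())
```

The security argument only holds while every pad byte is random, secret, used once and then destroyed; the offset bookkeeping above exists to enforce the "once".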
-
Re:first
Have you looked at Solitaire aka Pontifex? Workable by hand with some plausible deniability to boot.
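An independent implementation of Solitaire, added here as an example; it is not code from the page or from schneier.com, though the deck steps follow Schneier's published description (cards 1..52, joker A = 53, joker B = 54, both jokers counting as 53 in the cut and output steps). The unkeyed deck is a useful self-check: Schneier's test vectors give the first ten keystream values as 4 49 10 24 8 51 44 6 4 33, which the code reproduces.

```python
"""Solitaire (Pontifex) keystream generator and cipher. Added example, independent implementation.

Deck: cards 1..52, joker A = 53, joker B = 54; both jokers count as 53.
"""
A_JOKER, B_JOKER = 53, 54


def _value(card: int) -> int:
    return 53 if card >= A_JOKER else card


def _move_down(deck: list, card: int, n: int) -> None:
    """Move a joker n places down; from the bottom it wraps to just below the top card."""
    for _ in range(n):
        i = deck.index(card)
        if i == len(deck) - 1:
            deck.insert(1, deck.pop())
        else:
            deck[i], deck[i + 1] = deck[i + 1], deck[i]


def _triple_cut(deck: list) -> list:
    """Swap everything above the first joker with everything below the second."""
    i, j = sorted((deck.index(A_JOKER), deck.index(B_JOKER)))
    return deck[j + 1:] + deck[i:j + 1] + deck[:i]


def _count_cut(deck: list, n: int) -> list:
    """Move the top n cards to just above the bottom card; the bottom card stays put."""
    return deck[n:-1] + deck[:n] + deck[-1:]


def _round(deck: list) -> list:
    """Steps 1-4 of one keystream round (no output)."""
    _move_down(deck, A_JOKER, 1)
    _move_down(deck, B_JOKER, 2)
    deck = _triple_cut(deck)
    return _count_cut(deck, _value(deck[-1]))


def keyed_deck(passphrase: str) -> list:
    """Key the deck with a passphrase: one round per letter, then a count cut by the letter's value."""
    deck = list(range(1, 55))
    for ch in passphrase.upper():
        if "A" <= ch <= "Z":
            deck = _count_cut(_round(deck), ord(ch) - 64)
    return deck


def keystream(deck: list, n: int) -> list:
    """Produce n keystream values in 1..52 from a copy of the deck."""
    deck, out = list(deck), []
    while len(out) < n:
        deck = _round(deck)
        card = deck[_value(deck[0])]   # count down by the top card's value, take the next card
        if card < A_JOKER:             # a joker is discarded and the round repeated
            out.append(card)
    return out


def _letters(text: str) -> str:
    return "".join(ch for ch in text.upper() if "A" <= ch <= "Z")


def encrypt(text: str, passphrase: str = "") -> str:
    p = _letters(text)
    p += "X" * (-len(p) % 5)                          # pad to a multiple of five
    ks = keystream(keyed_deck(passphrase), len(p))
    c = "".join(chr((ord(ch) - 65 + k) % 26 + 65) for ch, k in zip(p, ks))
    return " ".join(c[i:i + 5] for i in range(0, len(c), 5))


def decrypt(text: str, passphrase: str = "") -> str:
    c = _letters(text)
    ks = keystream(keyed_deck(passphrase), len(c))
    return "".join(chr((ord(ch) - 65 - k) % 26 + 65) for ch, k in zip(c, ks))


if __name__ == "__main__":
    print(keystream(keyed_deck(""), 10))      # Schneier's unkeyed test vector
    print(encrypt("AAAAAAAAAA"))              # EXKYI ZSGEH
```

Two things the hand-worked version makes easy to get wrong and the code pins down: a joker output is skipped, not counted as 53, and the count cut by a joker at the bottom leaves the deck unchanged.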
-
Re:Vista vs XP
I know you've probably been beaten over the head with this, but I ask that you fully and thoughtfully read this article.
Thank you.
-
Re:But they still have to foot the bandwidth bill
All well and good for prosecution immunity, but why would anyone keep an open access point these days?
Bruce Schneier seems to have a number of reasons for doing just that.
-
Re:CnC on Aegis Radar Cruisers
Got a cite on that?
-
Verisign incorrectly issued certificate
An example of an incorrectly granted code-signing certificate.
http://www.schneier.com/crypto-gram-0104.html#7
http://www.microsoft.com/technet/security/bulletin/MS01-017.mspx
-
So, what if LinkScanners scan engine...
... contains some kind of overflow bug? I guess hundreds of thousands of AVG-equipped PCs will get infected instantly?
A program that fetches each and every link it comes across *can't* be a very good idea. Certainly a feature invented by people without a security mindset?
-
Re:Lifelock Ad
A $500 loan in your name that you didn't take out is only a negative consequence if you have to pay it off, or if your credit rating suffers. My understanding is that neither of these is the case -- that Lifelock cleared it up for him. In that light, it's a positive advertisement for his company.
I don't know anything about your other claims -- all my information comes from Schneier's blog.
-
Re:Impressive --I could SWEAR I read/heard
about this BEFORE Nov 2007... Can't find URLs, though...
But, see:
http://www.schneier.com/blog/archives/2006/08/hanko_security.html
">"The joker scans this image and prints it on the withdrawal slip with color printer. The bank >teller accepts this slip and passbook as authentic, and victim's account will be emptied. >Sometimes, the scanned digital image goes to hanko carving machine, too."
And...
>It's the stamped image of one's hanko that is stored in the databases of goverment offices, >banks and other public institutions. Not the particulars of physical hanko itself! And any >image can be flawlessly reproduced in this era of digital processing.
To me, I do not see the security here. If you stamp a cheque or other document with your Hanko in the 'correct dial' position, it still gives the 'Joker' the ability to scan the document and reproduce a static Hanko, without ever needing to have the device.
Could one create an encrypted hanko stamp that changes with the date? Officials would decode using a 'public key'...
Posted by: nzruss at August 17, 2006 10:37 AM"
-
Re:The first thing that comes to my mind is...
Banks in the US are required to use two-factor authentication: http://www.schneier.com/blog/archives/2005/10/us_regulators_r.html
This won't help. It'll change the tactics of the criminals, but won't make them go away.
...the short version is that two-factor authentication won't mitigate identity theft, because it's not an authentication problem -- it's a problem with fraudulent transactions.
The funnier rendition of this sad tale is here: http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx
These days, when logging on to various websites, users are asked for a name, password, and the answer to one or more "secret questions." It's actually a new-fangled type of authentication called Wish-It-Was Two-Factor.
-
This is too much
The radio frequency identification, or RFID, is an inherently flawed idea. It is a technological solution to a social problem that it created. It is a threat to our security, our privacy, our freedom, and now also our health! And this is not just a conspiracy theory. Some of the most respectable members of our society are protesting against RFID technology, including Bruce Schneier and even Richard Stallman. My only question is, how much more insult to our intelligence can we take as a society before we start actively protesting? Our freedom, our privacy, our health and our dignity are being taken from us and all we can do is complain on the Internet? Where are the protesting groups? Where are the outraged people desperate to change the situation? Where are the angry mobs? What else are we going to let them take away from us before we stop talking and start acting?
-
feeds
News feeds:
IE Blog - for keeping track of what MS is up to on the browser front
http://blogs.msdn.com/ie/atom.xml
Standards Blog - not as many posts nowadays, was very important during the height of the ooxml/odf war
http://www.consortiuminfo.org/standardsblog/backend/geeklog.rss
I keep OSNews for completeness, but it is pretty useless - software news
http://osnews.com/files/recent.xml
Anandtech - hardware news and reviews
http://www.anandtech.com/rss/articlefeed.aspx
Ars Technica - tech news and commentary
http://arstechnica.com/index.rssx
Phoronix - linux graphics news and info
http://www.phoronix.com/rss.php
Linux Weekly News
http://lwn.net/headlines/rss
KDE announcements
http://www.kde.org/dotkdeorg.rdf
Open Source Software Planets:
http://planet.debian.org/rss20.xml
http://planet.fedoraproject.org/atom.xml
http://planet.ubuntu.com/rss20.xml
http://planet.gnome.org/atom.xml
http://planetkde.org/rss20.xml
http://planet.freedesktop.org/rss20.xml
http://planet.mozilla.org/atom.xml
http://planet.jabber.org/atom.xml
mostly software releases and XEP updates
http://planet.jabber.org/news/atom.xml
http://maemo.org/news/planet-maemo/atom.xml
environment feeds:
Good Pacific Northwest environmental news
http://www.sightline.org/daily_score/rss
Best environmental news and discussion on the web
http://www.worldchanging.com/index.xml
I keep Treehugger for completeness, but I mark 90% of their posts as read without looking at them.
Really too "light green/consumer green" for me
http://www.treehugger.com/index.xml
other feeds:
Dive into Mark - not what once was, but good enough to keep around
http://diveintomark.org/feed/
Loooong posts on software
http://steve-yegge.blogspot.com/atom.xml
Bruce Schneier knows Alice and Bob's shared secret
http://www.schneier.com/blog/index.rdf
The intersection of Science (especially Evolution), Liberalism, Atheism, and Squid
http://scienceblogs.com/pharyngula/index.xml
"Your comment has too few characters per line" - what a load of bull. Taco, I know this and the timer are supposed to cut down on spam, but I think they annoy legitimate posters more than they reduce spam. You should really reconsider these "features".
-
My suggestions; less obvious yet prob. worthwhile
http://www.schneier.com/blog/index.rdf (security specialist Schneier, security in the news)
http://www.chaosmanorreviews.com/rss.xml (Jerry Pournelle, author etc, sort of tech diary)
http://fakesteve.blogspot.com/feeds/posts/default (Fake Steve Jobs, 'interesting views')
I've got more but I thought these were less obvious, yet as 'must-have' as theregister and slashdot.
-
Re:It isn't "borrowing"...
You seem, at this point, to be simply parsing my words here for the sake of argument, but I'll bite.
Legally speaking IP infringement is not "OK".
In practice
... it's another story entirely.
-
Re:The bigger lies are more easily believed.
Exactly right.
As Bruce Schneier put it: "Too many wrongly characterize the debate as 'security versus privacy.' The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide."
-
Re:How do you wiretap a cell phone?
SDR on its own won't help you. You need to be able to break the crypto used on the new phones. Although there has been some progress on that: http://www.schneier.com/cmea.html
-
Re:Cut off fingers?
Great. So now somebody has an incentive to cut off my fingers.
Fortunately there are less painful techniques.
Basically the hacker "lifts" your fingerprint and copies it onto latex/gummi/clay. Or just hacks the device driver.
-
Oh no! Not again.
From TFA:
It is important to note that both fingerprint and face-recognition technologies are not foolproof--there are a number of known, low-tech means of circumventing them. As such, depending on how secure access to your system, data, and Web sites needs to be, you might want to think twice before relying on these alternatives to typewritten passwords.
Right! Such as presenting it with a photo of the owner. Or using one of several well-known techniques to lift a fingerprint from somewhere (the computer itself?) and create a fake finger.
Why isn't this kind of "security" generally laughed at by the consumers?
http://www.youtube.com/watch?v=LA4Xx5Noxyo
http://www.theregister.co.uk/2002/05/16/gummi_bears_defeat_fingerprint_sensors/
And from 1998:
http://www.schneier.com/crypto-gram-9808.html#biometrics
-
Wrong forum?
I wouldn't ask this question here, maybe you will get some good responses but you will also get a bunch of seemingly good (but on deeper thought, not so much) responses from more-or-less clueless people that don't actually have any experience at election security. I would try instead Ed Felten at http://www.freedom-to-tinker.com/, or even Bruce Schneier. Both these people are experts in the field, and both have discussed these issues extensively on their blogs.
-
Re:Oh Sure
Random searches provide excellent security, provided the punishment for getting caught exceeds the benefits multiplied by the risk. Let's say I'm asked to smuggle weapons onto a plane. Not for a hijacking or anything, just as a black market delivery. I'm offered $10,000 to do it. I've got a great plan; assuming the security screeners don't hand search my bags, there is basically zero risk of getting caught. So now it's down to the random searches. If the punishment is 1 year in prison, and they only screen 1 in 10 people, the odds are pretty good, assuming that I value my freedom at less than $100,000 per year. Now if the punishment is 20 years in prison, my freedom is worth less than $5,000 per year.
Let's hypothetically try to redo 9-11. (Yes, only a stupid terrorist would try that exact same attack again, but it's a good example with concrete numbers.) We're all expecting to die, so the threat of jail is irrelevant. However, if a single one of us gets caught with weapons, there is a good chance security will be stepped up and my 19 accomplices will be caught as well. That's very bad, from my terrorist point of view. Since 20 of us need to get past security, even if they only randomly screen 1 in 20 people, there is a 64% chance of at least one person getting searched and busted. 1 in 10? 87% chance of getting busted. Very bad odds.
Now obviously it's better to only search people who are bad guys. Unfortunately the entire point of searching people is to identify the bad guys, so that's unhelpful. We can try to be clever and profile people based on, say, their ethnicity. After all, statistically aren't Arab men more likely to hijack planes and crash them? Oddly, this makes the attack easier for the bad guys. Just start flying people around without weapons. See who gets searched. The people who run several flights without getting searched are ideal for your next attack. (A good article with further links on the complexities with profiling. As he points out, profiling based on suspicious behavior is good, although hard.)
Of course, I'm glossing over lots of details. We need to balance many other things, including civil rights. Random searches of homes would likely be a very effective way to stop many crimes. It's also a violation of the US constitution and the principles our country was founded on. Many relatively minor crimes would necessitate punishments that many people would describe as cruel and unusual to compensate for the low risk of getting caught. The benefit of stopping the bad thing may be very minor compared to the cost of the searches. (For example, random drug tests for most jobs hurt morale and cost money, with little benefit.) But fundamentally random searches do work.
-
Re:TSA
Specifically the No Fly List. It is utterly trivial to change the name on a boarding pass that is expected to be printed out on a user's home computer (most are just HTML). This has received a fair amount of attention in the past, but apparently the theatrics of it suffice.
-
Propaganda: Disgruntled Youth or Evil Russians?
Security guru Bruce Schneier's Cryptogram newsletter has a good blurb on this issue and the topic of whether this was some disgruntled Estonian youths or was the "evil Russian gov't" that was responsible for the attacks.
-
Re:License plates
What do you mean, "I've always wondered why they don't..."
They do! (Interesting article, by the way)
What'll come next is tagging the license plate with the time and GPS info. Every time you pass a police car your movements will be tracked, recorded and put in a database somewhere. Put this capability on natural chokepoints such as bridges and freeway entrances/exits and your movements will be tracked 24/7.
How about clocking your entrance and exit to a freeway, then sending you a ticket in the mail if your average speed exceeds the posted limit?
It's coming!
-
Re:Downside of OSS
I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.
Creative MP3 players ship with virus
Apple Ships iPods with Windows Virus
Seagate Storage Units Ship with Virus
Sega Dreamcast console game spreads virus
Maxtor USB Hard Drives Ship Virus Infected
Digital photo frames ship with computer virus
Sony Ships Rootkit
-
Re:It is not a crime to go missing.
"If a person is missing without leaving a reasonable explanation, it's more likely than not that a crime has been committed." Could you back up that claim somehow? This seems to me like a perfect example of the kind of statement that Schneier mentions:
"People exaggerate spectacular but rare risks and downplay common risks. People have trouble estimating risks for anything not exactly like their normal situation. Personified risks are perceived to be greater than anonymous risks. People underestimate risks they willingly take and overestimate risks in situations they can't control. Last, people overestimate risks that are being talked about and remain an object of public scrutiny."
I'm not saying you're necessarily wrong, but it seems to me that your claim that it's "more likely than not" that a crime is involved if someone disappears is based on your "common sense" rather than on any hard data.
-
Re:Security not just about encryption.
-
Re:Download barriers
Is this really still accurate? The article you reference is from 2000. I thought things had relaxed quite a bit now that implementations of various crypto are in the hands of developers outside the US. With AES implementations in universally available GNU/Linux distros why would they bother?
Mind you it would not surprise me in the least if the USG was still being this stupid but I seem to remember hearing otherwise... So, here is what I dug up in a few minutes of googling. (and yes, Wikipedia is close to the top :-).
From Wikipedia: "Cryptography exports from the U.S. are now (as of 2006) controlled by the Department of Commerce's Bureau of Industry and Security. Some restrictions still exist, even for mass market products, particularly with regard to export to "rogue states" and terrorist organizations. Militarized encryption equipment, TEMPEST-approved electronics, custom cryptographic software,[citation needed] and even cryptographic consulting services still require an export license. Many items must still undergo a one-time review by or notification to BIS prior to export to most countries. The regulations, though relaxed from pre-1996 standards, are still complex, and often require expert legal and cryptographic consultation. Other countries, notably those participating in the Wassenaar Arrangement, have similar restrictions."
Apparently Schneier wasn't sure as of 2005.
He has a link in this article to a site - www.bxa.doc.gov - that does not seem to exist anymore. A page from the old FreeSWAN manual references this bxa site as authoritative as well.
Anyone else have any knowledge of current US Cryptography export policy? It still looks pretty bleak to me.
-
Re:And why is this bad?
It's a direct reference to www.schneier.com comments on the matter.
-
EV certificates don't really seem to help
From Wikipedia's Big Book of Things That Might Not Be True (by the Internet):
There has been some concern that EV certificates, despite their improved authentication and higher cost, will not prevent phishing attacks[9].
In 2006, researchers at Stanford University and Microsoft conducted a usability study[10] of the EV display in Internet Explorer 7. The study measured users' ability to distinguish real sites from fraudulent sites when presented with various kinds of phishing attacks, and found that there was no significant difference between users who saw extended validation indicators and those who did not. Users who received training with the Internet Explorer 7 help file were more likely to judge all sites legitimate, regardless of whether they were fraudulent.
9 = http://www.schneier.com/blog/archives/2006/12/microsoft_antip.html
10 = http://www.usablesecurity.org/papers/jackson.pdf
-
Re:Monopoly threatened by government regulation?
Are you seriously opposing one monopoly while supporting another?
A government-regulated monopoly is a different animal than merely a government-sanctioned monopoly.
First, to answer your question, yes, because there should be no restriction to what cables go where (provided that those laying the cable have permission of the property owners).
Which means there will be lots of cables -- and it may be difficult to get that permission.
Second, why would the cables have to go to every house? Why couldn't they only go to those who want the service?
It's the houses in between that would be a problem, I would think.
Regardless, I do believe it is a physical monopoly, government-mandated or not. It's a place which inherently has a high barrier of entry. The only real way around that would be to let the cables be owned by the government, and have the ISPs be somewhere further down the line -- but the whole point of an ISP is to cover that last mile. If they don't own the cables, then they're what, just a router?
Increased rights violations are still unjustified.
So you are now arguing for the right of an ISP to do whatever the hell it wants to your packets?
Saying, "hey, we haven't given up enough of our rights, lets give up some more in order to get a solution that we like" is what is being said by supporters of increased regulation, and such a statement is obviously absurd, not only because rights violations are unjustified, but also because as you give up more of your rights now, in the future you're less likely - not more likely - to get results that you prefer.
Very eloquent -- except I still cannot see myself ever wanting or needing to violate basic net neutrality.
Put another way: Assume there is a right to murder people. Your argument still works -- you'd basically be arguing that I shouldn't ever give up my own right to kill innocent people, because that's less likely to get me the result I want.
And yet, we have laws against murder, and I support those.
Your argument about net neutrality makes it even more absurd, because at least with murder, I have a shot -- I can learn kung-fu, I can buy a shotgun, and I can learn to defend myself -- or very effectively kill others. We're mostly on equal footing with murder, for now -- neither of us control armies.
But I can't be an ISP. That's not because of current regulation, that's because it costs money to lay fiber, and I don't have that money. I'm on unequal footing with my ISP already -- they have more power than I do, and they have more money than I do. Increasing both our freedoms will not improve that situation -- that's like giving muskets to the peasants and F16s to the knights. No, really.
Put another way: Bruce Schneier makes a similar case about privacy and transparency. Making everyone more transparent (and thus giving them less privacy) can as easily make things worse for us as better.
-
Re:news..
I leave my wireless open. Rather than try to explain myself, I'll let Bruce Schneier speak for me, because I agree with him: Schneier on Security: My Open Wireless Network "Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet..."
I wish everyone would leave their wireless open; it makes it more likely I'll get free wireless when I'm not in my home. And it makes deploying wireless VoIP much easier.
Finally, I would like to see the "It wasn't me who downloaded that song. See I have an open wireless access point. It could have been anyone." argument tested (hopefully successfully) in court. It might convince more people to open their wireless.
-
Re:news..
*Bruce Schneier recently wrote an article on just this topic--the security mindset isn't a part of most people's thinking. http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html He also wrote a piece on why he leaves his Wireless Network Open.
http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
-
Re:news..
If you leave your front door unlocked, you're probably not standing on the porch yelling "Free house, come and get it!" and handing out name tags. If you do, then you can't turn around and claim the guests were trespassing. A better analogy is that you buy a home, but the home builder doesn't tell you that there's an invisible man standing on the porch yelling to people to come on in, in a voice too high pitched for you to hear, but that everyone else hears just fine. They put that information in the home's user manual, but hey, who reads those things. You just started using the home, and it kept the rain out, let you plug things in and use them, let you cook your dinner and watch your TV, so you assumed that everything was alright.
Bad analogy? Maybe, but if so, that's because analogies really don't work well in this case. The argument against locking routers down by default, is that it's too complicated for the user. Bullshit! People use locks and keys all the time for their home, car, office, filing cabinet, safe deposit box... all things of value they wouldn't want to have stolen. How is your private, personal network any different? If you don't want people poking around your shared files and internet access, then put a freakin' lock on the thing. Doors and locks have been around for centuries. Ubiquitous computing in the home has been around for a little over a decade, and home networks for even less time. People may eventually get to the point where they can figure these things out, but for now, they're still mystified by the pretty colors on their screen. I have no pity for people who fail at common sense. The sad fact is that when many non-techie people start using computers, they simply freeze up. It's something so completely alien to them that they don't function well. Most people don't think about security anyway*, except that security which was explicitly drilled into their heads at a young age (lock the doors, keep your keys and wallet with you, don't leave your drink unattended at a restaurant or bar.) Why would you expect people to suddenly develop "common sense," as you put it, when presented with something alien, when they don't even use "common sense" to notice other insecure infrastructure that they aren't explicitly told about?
*Bruce Schneier recently wrote an article on just this topic--the security mindset isn't a part of most people's thinking. http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
-
In Australia this would be...
-
Census of cyberspace censoring
In 1993, Internet pioneer John Gilmore said "the net interprets censorship as damage and routes around it", and we believed him. In 1996, cyberlibertarian John Perry Barlow issued his 'Declaration of the Independence of Cyberspace' at the World Economic Forum at Davos, Switzerland, and online. He told governments: "You have no moral right to rule us, nor do you possess any methods of enforcement that we have true reason to fear."
At the time, many shared Barlow's sentiments. The Internet empowered people. It gave them access to information and couldn't be stopped, blocked or filtered. Give someone access to the Internet, and they have access to everything. Governments that relied on censorship to control their citizens were doomed.
Today, things are very different. Internet censorship is flourishing.
Read more at: Internet Censorship.
-
Be cynical
Funnily enough, this reminds me of something I once read, by Schneier:
"In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:
'When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing.'
The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved."
from http://www.schneier.com/blog/archives/2006/06/aligning_intere.html
-
Re:Don't bother visiting
-
Re:Partnerships...
I was going to use a mod point to rate this up, but I wanted to reply instead... You make a great point, but I actually don't think it's 100% true. If you go back to what RMS was writing In The Beginning (c.f. Gnu Manifesto), the principles did precede the code. The notion of having the power of computing - for whatever purpose - freely available to anyone and everyone is a political notion, and the writing of tools like GCC and bison were labours of love. And, praise the Noodly One that this hard work was done, because it's created the foundation for every other open source project to exist. Think I'm going too far? See:
http://www.schneier.com/blog/archives/2006/01/countering_trus.html
-
Re:not gonna work
plus for me, this will only work if they test it against another login with the same username and password. The rhythm and speed of my typing in a username depends on which one it is, and the same goes for the password.
However, within the bounds of an identical username/password combination, I would imagine that it would work well for me. The problem is that if there are extenuating circumstances, this would lock me or someone else out of the computer. For instance, what if my wife needed to log in for me while I'm on a business trip? Or I die? Or I break my arm and have to type with one hand? I imagine the usefulness of this technology is in merely logging the "signature" pattern rather than locking someone else based on it. Bruce Schneier has the basic arguments and a much better analysis than I could produce.
-
The Security Mindset
http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html
Counter-terrorists make good terrorists, too. What's your point?
-
Re:He had nothing to hide
So you would volunteer yourself to be subjected to the same treatment simply because you have nothing to hide and are innocent so everything will work out in the end? I don't think so.
-
Re:If getting drivers to slow down was the point..
Bruce Schneier posted on this topic last week:
Cities that have installed speed cameras are discovering motorists are driving slower, which is decreasing revenues from fines. So they're turning the cameras off.
-
Beware the MD5 defense
There are cases where the use of MD5, which is considered broken quite thoroughly, will get the case thrown out of court. See Bruce Schneier's blog entry about the MD5 defense. Time to upgrade your hash algorithm. Some smart lawyers are able to use the fact that MD5 is broken to make a judge believe that the evidence could have been doctored to produce an MD5 collision with planted evidence.
-
Re:Major flaw of biometrics
Sorry, you miss the point. Biometrics are not private and any biometric system which is built with that assumption is flawed.
But I suppose you wear a tinfoil mask to guard against those face recognition systems tied to cameras because your face data is yours and only yours. You are confusing the ethics, legality and technology behind biometrics in a bad way.
I am confusing so much? Really? Please tell where is the police state where you live. Since your biometrics are not private (as you say it yourself), I assume your government has the right to request your DNA sample (or iris scan) in order to allow you to enjoy public services. Or not?
Get a grip dude:
My blood type is (still) legally private.
My iris scan is (still) legally private.
My DNA is (still) legally private.
I am still allowed to walk down the street anonymously, with a cap, and dark glasses on, and a police officer still needs probable cause to ask me to remove those. A police officer also needs cause to request a full, well made iris scan.
But if I need to: travel abroad, or while living in another EU country, get any paperwork done. (Both rights I have, mind you). I need a passport.
To have a passport I need to surrender my fingerprints. My fingerprints are no longer private, the government has the right to request them. I fully understand that, and I do oppose it.
Not only that, the government also made my fingerprints much, much less private. Now people don't need special permits or access to a (well kept?) database to have a copy of a very good scan of my fingerprints. Because now for every service I need to present a passport, I'll need to hand over these (high quality) files (kept in the passport) for copy if so desired.
Before, if a hotel clerk wanted my fingerprints it would be manual job, it would be time costing, expensive, and the quality would be poor. Now he buys a reader, asks to take a look at my passport, and voila! High quality copies made in a second, no extra costs, no extraordinary effort. My government after all, took good care and spent good money for it to be easy.
So now, not only my central government has access to these (high quality) scans, but also a bunch of other people as well. Which is, lets face it, a much worse problem.
I reckon you hint at the point that people confuse anonymity with privacy. But trust me, I am pretty aware of the difference.
-
Re:Finally!
Yea, but airport security might not like it.