Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:Well, they quote Bruce saying it's good.
> Although I don't recall seeing anything about it on his website.
It was on his blog last December.
In any case, the system can be defeated using a directional coupler.
-
Re:Is Schneier enough of an electrical engineer?
Not unless Einstein was wrong.
Kish's system depends on Alice's actions having an effect on Bob. That effect is going to propagate---at most---at the speed of light.
The problem here is that Kish is an electrical engineer, rather than a physicist. As an engineer, he's used to throwing away unimportant details. The problem (which is a common problem among otherwise competent engineers who try to design cryptosystems) is that those "unimportant" details are exactly what an attacker is going to use to break your system.
This system was discussed on Bruce Schneier's blog last year, and it should be looked at with a healthy dose of skepticism.
-
Re:Well, they quote Bruce saying it's good.
> Although I don't recall seeing anything about it on his website.
That would be: http://www.schneier.com/crypto-gram-0512.html#15 -
No - this is generating a one time..
Alice and Bob choose randomly; no need to coordinate. They end up with a stream of shared random bits, generated when they choose different resistors from each other, which is more or less good enough to use as a one time pad (actually they should probably mix them a bit to avoid problems with their equipment).
Here's a schneier.com blog posting about this..
http://www.schneier.com/blog/archives/2005/12/totally_secure.html
and another
http://www.schneier.com/blog/archives/2006/02/more_on_kishs_c.html
Essentially this is about solving the problem that one time pads are very difficult to transport. -
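A toy simulation of the exchange this post describes, added here as an example (it is not from the post and not Kish's own model): each round Alice and Bob each pick one of two resistors, and the line observation is modelled as the sum of the two choices, which is an assumption standing in for the physical noise measurement.

```python
"""Toy model of resistor-choice key agreement.

Each round Alice and Bob independently connect one of two resistors
(0 = low, 1 = high) to the shared line. The only thing observable on
the line is modelled as a + b in {0, 1, 2}: 0 or 2 means both picked
the same resistor, 1 means they picked different ones. In a "different"
round each side knows the other's choice from its own, so both derive
the same bit; an observer of the line learns only that the round produced
a bit, not its value. "Same" rounds yield nothing and are discarded.
The a + b observable is a constructed assumption, not the real physics.
"""
import secrets


def run_round(a: int, b: int):
    """Return (public_observation, alice_bit, bob_bit) for one round.

    Bits are None when the round yields no key material.
    """
    observed = a + b  # what a line observer sees (modelled)
    if observed != 1:
        return observed, None, None
    # a != b, so Alice knows b == 1 - a and Bob knows a == 1 - b.
    # Both sides agree on Alice's choice as the shared bit.
    return observed, a, 1 - b


def exchange(rounds: int, rng=secrets.randbelow):
    """Run `rounds` rounds with independent random choices.

    Returns (alice_key, bob_key, eve_view) where eve_view is the list of
    per-round public observations. About half the rounds yield a bit.
    """
    alice_key, bob_key, eve_view = [], [], []
    for _ in range(rounds):
        a, b = rng(2), rng(2)
        obs, ka, kb = run_round(a, b)
        eve_view.append(obs)
        if ka is not None:
            alice_key.append(ka)
            bob_key.append(kb)
    return alice_key, bob_key, eve_view


def bit_rounds(eve_view):
    """Positions an observer can tell produced a key bit (observation == 1).

    This is all the line reveals in this model: which rounds contributed,
    never the bit values themselves.
    """
    return [i for i, obs in enumerate(eve_view) if obs == 1]


if __name__ == "__main__":
    ka, kb, ev = exchange(32)
    print("keys agree:", ka == kb, "bits:", len(ka), "of", len(ev), "rounds")
```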
Re:If you asked me
I guess he might not have been drunk:
http://www.newsobserver.com/102/story/523482.html
via: http://www.schneier.com/blog/archives/2006/12/more_airplane_s.html
Also:
http://www.schneier.com/blog/archives/2007/04/another_tsa_fai.html
http://www.schneier.com/blog/archives/2006/03/airport_securit_2.html
What the hell:
http://www.schneier.com/cgi-bin/search/search.pl?Match=1&Realm=blog&Terms=airport+security -
Great Denial of Service attack!
This is perfect! And I have to put this into standard slashdot form:
Step 1: Get the credit card companies to do a constant search for 'compromised' credit card numbers and disable them.
Step 2: Put up websites that randomly generate possibly valid credit card numbers so that the credit card companies can automatically invalidate them and piss off their customers!
Step 3: Profit?
Credit card fraud is probably one of the most analyzed types of fraud for a very simple reason. The party with the ability to make changes to enhance the security are the ones who will take the loss if they do not make these changes. There have been comments here about how credit card companies just charge the fraud back to the merchants, but that is not the case. If the merchant has upheld their end of the bargain, then there is no reasonable way to charge it back to them. What happens is that they have to pay higher fees, or eventually lose their merchant account if they are the source of too much fraud. Visa quotes fraud losses on their annual report, so merchants don't get it all charged back.
Lastly, I have to point you all over to Bruce Schneier's blog http://www.schneier.com/blog/ where he has made that point about security again and again, and uses the credit card companies as a good example. The best way to improve security is to make the guy who can fix the problem the one that is responsible for the possible loss. This gives the right incentive to address the problem. And they already know that the way to secure the credit cards is to focus on the security of the transaction, not the security of the card number.
-
Re:Attack-proof?
It's what Bruce Schneier calls Movie Plot Security. A waste of money and effort, but someone is getting rich off it.
-
Re:Good thinking
Thread is dead and buried, but yet...
OK, don't take my word for it, take Bruce's...
http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html
"SHA-1 produces a 160-bit hash. That is, every message hashes down to a 160-bit number. Given that there are an infinite number of messages that hash to each possible value, there are an infinite number of possible collisions. But because the number of possible hashes is so large, the odds of finding one by chance is negligibly small (one in 2^80, to be exact). If you hashed 2^80 random messages, you'd find one pair that hashed to the same value. That's the "brute force" way of finding collisions, and it depends solely on the length of the hash value. "Breaking" the hash function means being able to find collisions faster than that. And that's what the Chinese did.
They can find collisions in SHA-1 in 2^69 calculations, about 2,000 times faster than brute force. Right now, that is just on the far edge of feasibility with current technology. Two comparable massive computations illustrate that point.
In 1999, a group of cryptographers built a DES cracker. It was able to perform 2^56 DES operations in 56 hours. The machine cost $250K to build, although duplicates could be made in the $50K-$75K range. Extrapolating that machine using Moore's Law, a similar machine built today could perform 2^60 calculations in 56 hours, and 2^69 calculations in three and a quarter years. Or, a machine that cost $25M-$38M could do 2^69 calculations in the same 56 hours." 3.25 years (is less than) 5 years... (If the money's right.)
Yes, I know I'm missing a lot of detail. No, I don't want to beat this silly argument anymore. I'm just saying that using SHA1 to maintain data integrity for five years is a misuse of SHA1. I'm done. ;) -
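The figures quoted above can be checked step by step; the derivation below is an added worked example, not part of the post, and assumes Moore's law as one doubling every 18 months over the six years from 1999 to 2005:

Birthday bound for a 160-bit hash:
$$N = 2^{160}, \qquad \text{trials for a collision} \approx \sqrt{N} = 2^{80}$$

Speedup of the $2^{69}$ attack over brute force:
$$\frac{2^{80}}{2^{69}} = 2^{11} = 2048 \approx 2{,}000$$

Moore's law from 1999 to 2005 (six years, four doublings):
$$2^{56} \cdot 2^{4} = 2^{60} \text{ operations in 56 h}$$

Time for $2^{69}$ operations on that machine:
$$2^{69-60} \cdot 56\ \text{h} = 512 \cdot 56\ \text{h} = 28{,}672\ \text{h} \approx 3.27\ \text{years}$$

Cost of 512 such machines (duplicates at $50K to $75K each) to finish in 56 h:
$$512 \cdot \$50\text{K} = \$25.6\text{M}, \qquad 512 \cdot \$75\text{K} = \$38.4\text{M}$$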
Parent is correct
Parent is the only reply to get it right. It's not that the cellular providers are ripping us off (well, at least not just that)—it's that SMS bandwidth is extremely limited (see also here, here, here). For shame, Slashdot!
-
Re:This "Feature" Has Been Known For Years
Er, I hope you meant that in jest-- there have been a number of incidents with PDF files that had virtual "blackout" rectangles floating over the text, but the actual redacted text was still stored in the PDF as well. http://www.schneier.com/blog/archives/2005/05/pdf_radacting_f.html -
Schneier's Comments
Bruce Schneier has already commented on this and the effectiveness of such a measure. He's written about things like this before - it's interesting, once you start thinking about security related issues (especially if you read his blog, I guess :), you read an article like this and go "well, gee, I guess now The Evil Terrorists know this one particular method won't work, they can just cross it off their project plan for this particular event and focus on other more effective measures".
Also, hopefully no one has an actual emergency while this thing is going past. I'd hate for someone to have a heart attack or be trying to call in a fire or something and not be able to use their cell phone. Or dial for the police in case they see suspicious people near the motorcade. You know, like people with beards. -
Cellphone bomb FUD news
Triggering Bombs by Remote Key Entry Devices
I regularly read articles about terrorists using cell phones to trigger bombs. The Thai government seems to be particularly worried about this; two years ago I blogged about a particularly bizarre movie-plot threat along these lines. And last year I blogged about the cell phone network being restricted after the Mumbai terrorist bombings.
Source -
Hamster Wheels of Pain
By far the best entertainment in this book is his explanation of the Hamster Wheels of Pain.
http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_040505_1
http://www.securitymetrics.org/content/Wiki.jsp?page=Welcome_blogentry_061005_1
It fits right into the same problem pointed out by Bruce Schneier and Marcus Ranum
when it comes to Pen-Testing:
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html -
Why It Does and Does Not Matter
Quickly, before Cringely ruins it with bad math, I need to point out some very obvious weaknesses in making this work correctly:
- SHA-1 has been (somewhat) broken. Not highly repeatable yet, but they're getting there.
- Encryption does not hide a message forever. Most of us picked up on that in one form or another. It just hides it long enough to make the information useless. If I can only break a single machine 6 years after it was written, the video isn't going to be very useful to me.
- Good encryption methods assume two things. One is the attacker does not have the key. Smart card attacks have shown (PDF) that even though an attacker has to guess the key, a poor implementation may provide useful hints during the guessing phase.
- The second assumption is that the message is not highly predictable. Disk drives are known for having highly predictable components on them which makes finding the plaintext all that easier.
- These folks are so cocky about SHA-1's entropy space, they claim "there is no need to abort the authentication process from a specific host. For example, there is no need to abort the authentication process if a specific host generates three wrong passwords." Zeroization is the only way to do this right. You can also vary this so that after three failures, an automatic delay is introduced to slow down the guessing.
- Reading the patent text indicates that new "commands" will be added. No mention of a bus protocol (ATA or SCSI) is made. Presumably, they won't make the drives themselves, so it will need to be standardized. The hard drive community is open to using patents, but only if the terms are reasonable or a cross-licensing deal is in the works. If this is a forced attempt, it will fail miserably or cost so much that the drives will be considered custom, low-volume, high-cost components.
- The likelihood of them screwing the implementation up is so high, they should pursue FIPS 140-1 certification for every hard drive made. Then, the patent can apply outside the domain of Tivo.
- This scheme works better as a general hard drive protection measure than for a Tivo. People who own a Tivo might probe the memory chips for the cryptographic module to sweep for the drive or system keys. AACS's recent events ought to make it obvious that people are motivated to do this. The general case may prevent a lost hard drive from being very useful.
- It would appear that the cryptographic module does NOT actually encrypt data on the platters. It seems to only cover communication between the host and the disk controller. If an attacker were to replace the circuit board with one whose path was trusted, they could read the platters without issue. They do this all the time in the hard drive repair business; no clean room required.
Okay, you all can go back to your regularly scheduled cheap shots.
-
Re:You're so right.
The larger concern is the unification of access to each states database. There are many things that one needs a state issued id for. Passports are only required for international travel, so opting out is somewhat less onerous.
http://www.schneier.com/blog/archives/2007/05/real_id_action.html
Another side of it is that unfunded mandates always suck. -
Re:Actually I Support A National ID
> If you don't like the idea of a federalized ID card,
I love how the editors and submitter think that everybody on slashdot should hold the same stance as they do on this issue.
I happen to believe Real ID is a very good idea, and that it would make society better.
We already have national IDs in the form of passports, Social Security cards, etc.
I'm all for cracking down on states to make their IDs more secure and lessen counterfeits. I don't believe our privacy would change markedly than what we have today.
Verifying someone's identity is a lot tougher than just issuing them a card, in fact it could even backfire by giving people a false confidence in the authenticity of documents that are based on faulty information.
To see the drawbacks of real id I'd take a look at http://www.schneier.com/blog/archives/2007/05/real_id_action.html/. Schneier knows a lot about these kinds of issues and unlike the government he has an excellent track record when it comes to evaluating security systems. -
Re:Encrypted ?
> There are no problems if the disc was encrypted ...
Wrong. Encryption is only as good as the key. Or in practical cases, only as good as the password that protects the key. And in all likelihood (like most enterprises) the key is probably managed in such a way that dozens of people could have accessed it, especially if it was shared "enterprise" data.
Security people turn to crypto as the answer to everything. It isn't. Even cryptographer Bruce Schneier lamented that mistake in the opening of his book Secrets and Lies. Cryptography should always be a last resort. Encrypted data is not protected forever. At a maximum, the lifespan of its protection is limited by Moore's Law. At a minimum, the key management.
This data should not have resided upon drives that were removable without notice. Period. Forget about crypto.
I have said this before, and I'll say this again: we (the IT industry) created a problem with mobile computing. We allow data to be stored on mobile devices in a distributed computing environment and then years later (after we realize the problem we created), we freak out and throw magic crypto fairy dust at the problem. Encrypted hard drives are only as good as the keys that protect them. Since enterprises need the flexibility of a large support staff, many people will have access to the keys. And since the products are designed to run so that even computer illiterate users will use the software, a shoulder-surfer can backdoor the whole process. The best way to protect this data ... and we all know it, most of us just refuse to accept it ... is to return to the mainframe days and centralized computing. If that data stayed on a central SAN and the environment was not set up for removable drives, then this would not be news.
-
Movie companies
Don't blame that poor AACS-LA spokesperson. He is just doing what he is required to do, i.e. claim that AACS "has not been broken", is "very robust" and that they will "vigorously fight" those oh-so-evil hackers who distribute keys. If he did not do that then he might jeopardize their future chances in DMCA litigation, and movie companies would sue AACS-LA into oblivion. If he admitted the obvious, that AACS simply cannot effectively protect content, then the movie companies would jump ship and he would lose his job. I pity that guy, really. He is in a no-win situation.
The real issue here is if movie companies will learn from this. Let's see... first they spent millions of dollars to finance the development of AACS and have it peer-reviewed, then they held back their movies past the optimum release date to wait until AACS is "ready" (whatever that means -- bus encryption still did not make it into the standard, so volume IDs are transferred in the clear -- ROTFL). Then they spent lots more money on buying new software, training their staff how to use AACS and on following AACS procedures (content-signing by AACS-LA etc.), next there were the inevitable DRM-related compatibility problems leading to recalls and bad press. Shortly afterwards (and long before HD ever reached critical mass in the market) AACS was broken. Now they are holding back movie releases yet again, hoping for some magic AACS fix, and in the case of Blu-ray hoping for BD+ to magically solve all problems. Exactly how much money did they spend on all of that, how much revenue did they lose by delaying releases while waiting for DRM, and how many movies could they have produced with that money instead?
The funny thing is that they made all those bad decisions after they had already been burned by the DVD DeCSS fiasco, and after industry experts had predicted that exactly this would happen again. Bruce Schneier's May 2001 CryptoGram article should have been required reading for all of them http://www.schneier.com/crypto-gram-0105.html#3. I wonder just how long it will take for them to learn. From what I have seen so far I fully expect the next round of AACS to be broken within one day, and BD+, once it is used, within one week, and no "technical measures" or take-down threats by AACS-LA will be able to stop that.
-
"Schneir"?
At least spell his name correctly: Schneier.
-
Revocation of Biometrics
One of the biggest problems with biometric authentication is the lack of ability to revoke a compromised biometric key. Sure you can revoke rights based on a fingerprint, but then you've no way to use it again. Lifting fingerprints with gelatin isn't really that hard. See http://www.schneier.com/crypto-gram-0205.html#5 for more information on the gummy-bear fingerprint reader bypass technique.
Personally, I think biometrics are great as a username equivalent, but should not be relied on for authentication. There is sound reason to have (1) something you have with (2) something you know in a good authentication system. The ability to revoke and re-generate either component is needed.
-Michael
-
Re:Accountability
This has been tried before with the Data Accountability and Trust Act. It was a decent piece of legislation until the corporate lobbyist screwed it up...
-
Re:Lesson for the world
Although on moral grounds I'm opposed to national ID cards (it's just the modern "papers, please" demand that we used to consider a sign of a deeply troubled society) I really can't be bothered arguing the point. Plenty of other people here will be happy to.
But even forgetting about that, the idea that a national ID card would have some kind of positive benefit to security is largely misguided anyway. Have a skim through Bruce Schneier's essay on the topic written back in 2004 (yes, the date on it is April 1, no, it's not significant).
-
Re:"Two-factor" authentication lame implementation
> mandated by the federal government to do this
I have a dim memory of seeing that in the geek news somewhere a while back. I assumed that's why the financial corps were implementing these measures.
[/me digs...] Here we go: U.S. Regulators Require Two-Factor Authentication for Banks
One of the commenters to that post says that the regulators did not blindly require two-factor authentication, though that's how a lot of folks interpreted it (including, I bet, some banks). However, it seems like they can implement "security questions" or somesuch and say "look, we're compliant with these new regulations."
-
Well...
It's true that there's a weakness in almost any system, but most often that weakness is the humans involved. Unless it's DRM, the article's most flawed example, in which case it's provably insecure. You cannot give some one access and simultaneously deny it to them. "Trying to make bits uncopyable is like trying to make water not wet," as Bruce Schneier said.
In an unrelated note, please don't turn movie quotes into religious flamewars. It's somewhere between trolling and karma whoring. -
Cassandra and cleverness
Cassandra:
(Greek character cursed to see the future but have no one believe her)
Clever:
It is one type of clever to see that the world is different from the one other folks are acting towards.
It is another to understand why they are acting as they do. Sometimes it is actually ignorance, but not as often as we often suspect. Rarely is it stupidity.
Incompetence, for example, has more to do with considering the appearance of action more important than the consequences.
Social or even contractual forces can mean that while something might be clearly very unsafe, to act otherwise would be to implicitly accuse someone else of being incorrect. This is very hard for some people.
It is a completely different kind of clever to be able to convince folks of stuff - presumably after having identified the actual problems, and some real reasons the folks had for overlooking them.
Risk:
Analysing risk is something humans do amazingly, shockingly, poorly. Even without the bizarre political portrayals shown in the news media we (humans) cannot think about risk clearly. Without studying gambling in depth, it is extremely hard for folks to decide on actions when 'playing' - even when the odds are known and the results openly available.
Bruce Schneier, as usual, has an insightful rant^Hessay on the topic, The Psychology of Security: http://www.schneier.com/essay-155.html
Chanting:
Lastly, just let me imagine how you would respond if someone repeated 'Nothing is safe online!' several times at you. You might think: 'But, I thought that already - why are they repeating it rather than explaining, expanding... now I am sceptical - what are they selling? Now I need to re-check my previous assumption that the internet was unsafe, and figure out exactly where, how badly and even 'if' the internet is unsafe.' ;}
Personally, repetition freaks me out. I almost get a panic response. I can't watch TV, listen to the radio, or play WoW without risking intense stress. I have noticed that most folks are not affected this way, however. They will eventually find it irritating, but not as quickly as I would hope... and what's more, in the meantime they are slightly hypnotized - often coming away with the words and idea still spinning in their heads. This is normal folks in regular situations, not brain-damaged, stoned, tired, stressed or otherwise overly impaired humans - ie: not the ones we usually call stupid. -
Re:Pulse and Glide Says it All, Average Speed 26 M
Even a modest attack would, apparently, severely tax emergency services, and would also tend to take out a large amount of capacity, as capacity tends to exist where there are lots of people:
http://www.schneier.com/blog/archives/2007/04/consequences_of.html -
Re:Security Standpoint
And what kind of OS will just blindly start executing the code on the USB? Oh... nevermind.
But then again, it's nothing new -
Re:and in a related story...
... Or you could try to discredit my argument using facts and reasoning, which is the far more intelligent approach.
As far as I know, Microsoft is working with the RIAA and MPAA to limit Vista's capabilities in line with what those organisations demand. Here's what Bruce Schneier said in DRM in Windows Vista
> ...Microsoft put all those functionality-crippling features into Vista because it wants to own the entertainment industry. This isn't how Microsoft spins it, of course. It maintains that it has no choice, that it's Hollywood that is demanding DRM in Windows in order to allow "premium content" -- meaning, new movies that are still earning revenue -- onto your computer. If Microsoft didn't play along, it'd be relegated to second-class status as Hollywood pulled its support for the platform.
and
> Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market.
Now if that's not a case of Microsoft developing an OS to further its own interests, as opposed to its customers' interests, I don't know what is.
-
Re:Multiple keys
I'm surprised the US Government is doing this; I'd have expected them to obtain the key through back channels rather than out-and-out demanding it.
Maybe they are. Just think about it: they openly demand the keys, there's a cry of outrage on Slashdot (and a cry of indifference in the mainstream media), they cancel their plans (without a big announcement, but openly enough so that that story will appear on Slashdot, too), and people on Slashdot pat themselves on the shoulder and say "the internet is safe again - we sure showed 'em", all the while they obtain the keys, anyway, this time in secret.
Maybe I'm paranoid, but it's not like it hasn't happened before. "Total Information Awareness", for example, was killed by Congress in 2003, but still exists today - the only difference is that it's classified now.
-
Re:Relative Risk
Over a million killed worldwide on the roads! I believe it's around 40k/year just in the USA.
How many die in plane crashes each year? I expect it's in the hundreds on average. Similar for trains.
I think the news programmes should announce road death statistics regularly to give people some perspective on which is the most dangerous form of transport. I'm certainly more scared when driving than when flying even though I appreciate that a motoring accident is generally more survivable.
Read some Schneier for some sanity. -
Re:approx 100% of are cannibalized from XP sales
If they had left XP alone too long, there would not have been much remaining to cannibalize because a product can only be hyped and marketed for so long before it starts losing ground to the competition, like to Linux.
I'm sorry, but people don't buy Windows XP because it's "hyped and marketed", they buy it because it runs the applications they want to run, and developers don't develop for Windows XP because it's "hyped and marketed", they do it because that's what their customers are running. That's what the people who go on about Linux on the desktop don't understand... people don't buy a computer to run an operating system, they buy it to run applications, and developers don't write applications to run on an operating system, they write them to sell to customers.
The only Vista sales that represent sales to people who might even have potentially switched to Linux are sales to people who are already running XP and who don't need to switch to Vista. If almost all the Vista sales are sales that Microsoft would have made anyway, then that means Microsoft didn't actually need to release a new operating system.
XP ran its time, even if it would have been sold anyway because it would have started losing ground.
On the contrary, Vista has the potential of costing Microsoft a lot of ground in the long run. The reason XP sold to existing Windows users was because XP was more responsive and reliable than what most of them were currently running. Vista is slower and less reliable than XP, and it can not even in theory ever change that without Microsoft backing out the changes that make Vista a different operating system than XP, because the whole point to the DRM components in Vista is to reduce the reliability of the operating system.
Bruce Schneier says: don't upgrade to Vista.
Peter Gutmann says: Vista will inevitably cost you more and run slower.
These guys are not "free software whackos", they're professional computer security researchers, top names in the field. This is just the start of the backlash against Vista. Far from being necessary to "keep linux from the door", Vista is a tremendous risk for Microsoft... and no matter what they say in public they have to be worried about the low uptake. -
Re:So be smart, don't use the same
> Is it me or does this seem really bad if you know... use more than one computer. Is there a .dat or something I can stick on a thumb drive and take with me?
I use Password Safe, originally developed by Bruce Schneier, now on SourceForge. I keep a copy of the .dat file as well as a copy of the program itself on a USB drive and also email it to my GMail account periodically. Since I use a very strong master password and it uses Twofish for encryption, I'm not worried about anybody cracking it in my lifetime. No AES, I'm guessing due to the fact that it was originally Schneier's program that they stick with his crypto? -
Re:That's nothing!
You could start with http://www.schneier.com/crypto-gram-0412.html#11, especially point #3.
Then follow the linked article within: http://techaos.blogspot.com/2004/05/indian-evm-compared-with-diebold.html
You might get the difference between localised (India) and institutionalised (the US) violations of democracy. -
Re:Yikes!
Are you suggesting that Bruce Schneier knows more about security than W and friends?
I'm looking forward to color-coded "Vista Alert Level" updates and thousands of other goodies. -
Re:The main reason is lack of clear knowledge
You left out the part where they fire me for exposing them to liability.
So let's get this straight: Hypothetically, you use BSD code on an internal project. You clearly document the licence and the obligations that it imposes should the code be distributed externally. Someone else distributes the code without observing those obligations, and they fire you for exposing them to liability. As opposed to, say, the miserable tosser who put the code out there without bothering to look at the documentation or do basic due diligence before distributing.
That seems a little harsh to me. Probably good grounds for a wrongful dismissal suit too, or whatever they call it in your part of the world.
And also the fact that I am not the kind of person who thinks violating the BSD license is fine just because there are no consequences.
Of course you're not, and it was never my intention to imply otherwise. I apologise if I came across that way. But you know, using it on an internal project and making sure you comply with the licence internally, and making sure the potential obligations are well documented - I wouldn't have called that a particularly cavalier attitude, myself.
And you must admit that it's possible things could get uglier. For example, an IP holding company could buy the copyright to the code and start suing. I'll grant that's far-fetched, but stranger things have happened.
It does seem a bit of a stretch. I suppose it all depends on what you consider acceptable risk or not. I mean if you don't do anything that could conceivably result in being sued, no one would ever do anything at all. Like Bruce Schneier keeps saying - you can construct a movie plot scenario to justify almost any course of action or inaction - sensible or otherwise.
I'm not going to go around copy-and-pasting such code willy-nilly.
Of course not, and I wouldn't suggest that you should. On the other hand, if you track back a few messages, we were talking about the use of Flex. Flex doesn't involve you cutting and pasting anything at all. What it does is generate code, and there are some standard chunks of code distributed as part of that package which get inserted into all of its output. So we're talking about using certain clearly defined chunks of code in a precise manner, and one which quite clearly falls within the intended use of the package. About as far from willy-nilly cut-and-paste as you can get.
And if you've ever done any compiler writing, you'll probably appreciate that, yes, a good lexical analyser generation package can indeed save months of work.
-
Too bad..
.. that data mining doesn't work.
-
Re:How is this bad?
The only bad thing is that Michael Zalewski is not following Mozilla policy for reporting security bugs. He should first report them to Mozilla privately and give them some time to fix the problems. Instead, he publicly announces the vulnerabilities so the bad guys can exploit them before Mozilla has any chance to fix the problems. In short, Zalewski seems to believe in full disclosure instead of responsible disclosure.
-
One for Bruce
I hope Mr Schneier is reading today. This is another one for his famous Friday Squid Blog http://www.schneier.com/blog/archives/2007/02/friday_squid_bl_45.html -
Tony Blair should read Cryptogram
Tony Blair, his ministers and probably everyone in the Home Office should subscribe to Cryptogram. In particular, they should read this article.
-
Re:Two industries
may I refer you to the Street performer protocol (http://www.schneier.com/paper-street-performer.html) -
Re:How does this compare?
How does this compare to other agencies and companies?
I'd also like to know what their usage pattern is. I suspect that a lot of FBI employees have laptops because they're, you know, pilferable... I mean, portable. An FBI special agent hauling a laptop around the state from crime scene to crime scene is a little bit different from me hauling my laptop from work to home and back. Not to mention that my job doesn't require me to be in the vicinity of known and suspected criminals on daily basis. All told, I suspect that the FBI probably has a more difficult situation to deal with than your average company.
But I wonder when they use the term "sensitive" exactly what that means?
Don't know. Some agencies use the term to refer to sensitive but unclassified data, but the FBI doesn't appear to be on the list. This might be any number of things - information on agents in the local office (email addresses, phone numbers, etc.), data about ongoing investigations, any information that might jeopardize prosecution of a case, or even just internal documents on policies and procedures. They might even be thinking of cached versions of internal web sites. I have any number of "corporate confidential" documents on my laptop, and that's without me (a low-level code monkey in the scheme of things) really even trying. I suspect your average FBI agent can rack up a lot of "sensitive" information in the same way, just as a matter of course in carrying out their duties.
-
It came around the full circle...
... didn't it?
Oh, irony... :-/
Paul B.
P.S. Reason has some good coverage of the incident: http://reason.com/news/show/118476.html and the aftermath: http://reason.com/blog/show/118625.html .
And of course any self-respecting /.-er respects Bruce Schneier, who has this http://www.schneier.com/blog/archives/2007/02/nonterrorist_em.html to say...
And everyone knows that bombs have blinking lights on 'em. Every single movie bomb you've ever seen has a blinking light. -
Overreaction of course
Clearly it was an overreaction and someone in Boston should have resigned/been fired instead. See here http://www.dailynews.com/ci_5180780 (via http://www.schneier.com/) for a way to dispose of bombs in a way without shutting down a major metropolitan area.