schneier.com · Domains · Slashdot Mirror

Additional reading by sinij · 2016-04-20 03:53 · Score: 5, Informative · on Stephen Fry Urges Young To Flee 'Dystopian' Social Networks

Many prominent security researchers already spoke out against it. Including Bruce Schneier on his blog and in his recent 'Data and Goliath' book. No affiliation.

Re:Is there any expectation of security? by robmv · 2016-04-15 06:21 · Score: 1 · on Researchers Find Vulnerabilities In Microsoft's and Google's Short URL Services (arstechnica.com)

Exactly. I know people that send long URLs generated to privately share, like Google photos and send them using Twitter direct messages, believing they are not being shared with the world and they are wrong. Those long URLs know to be relatively secure even by Bruce Schneier are being converted to short ones, and accessible to the public. There is or was a lawsuit related to that

Snow Leopard is no longer supported by tepples · 2016-04-14 02:58 · Score: 1 · on Chrome 50 Updates Push Notifications, Drops Support For Old Windows and OS X Versions (venturebeat.com)

Is that a machine you need the latest browser on, though?

Probably not. Like Windows XP, OS X 10.6 "Snow Leopard" is no longer supported. Security updates to a web browser won't help if the operating system itself has forever-day vulnerabilities.

Re:It's not Big Brother by Bob+the+Super+Hamste · 2016-04-14 01:59 · Score: 2 · on Burr-Feinstein Anti-Encryption Bill Is Officially Released (techcrunch.com)

Well AES is turning out to not be as strong as thought. But something like SERPENT (seems to be the strongest of the AES finalists) or TWOFISH would be better choices. As far as asymmetric key encryption I would probably look into lattice based crypto as RSA is useless with quantum computers

I would guess that the number is likely higher than 0.1% but that would require training and learning about them. I mean how many people here know what S-boxes, P-boxes, MDS Matrix, Pseudo Hadamard transform, Feistel network, substution permutation network are and how to use and design them. I mean it isn't like there aren't resources and books for learning the basics that also cover how to do cryptanalysis using things like linear cryptanalysis, differential cryptanalysis and variants, or even the simple frequency analysis

Have they fixed the 2014 SS7 hole yet? by davidwr · 2016-04-13 03:18 · Score: 1 · on Facebook's Account Kit Login System Works Via Phone Numbers, No Passwords Needed (softpedia.com)

Have they fixed this known problem yet?

I'm sure this isn't the only known SS7 vulnerability out there.

If this gets popular, I predict a rash of SS7 zero-days in the coming years.

Oh, and I haven't even mentioned vendor-specific vulnerabilities in the implementation of SS7, VoIP (where applicable), cell-tower, and cellphone-handset technology.

Re:They are avoiding the right way by Anubis+IV · 2016-04-08 05:36 · Score: 1 · on White House Declines To Support Bill That Would Let Judges Order Tech Companies To Break Encryption (reuters.com)

And you expect me to trust them with maintaining confidentiality of encryption keys?

More to the point, they've already proven that they can't even be trusted with maintaining the confidentiality of physical keys.

Re:More alarming than the "hack"... by sjames · 2016-04-07 05:46 · Score: 1 · on FBI Telling Congress How It Hacked iPhone (theverge.com)

Like this?

Re: lol by sh00z · 2016-03-22 03:32 · Score: 1 · on FBI Delays Case Against Apple; May Have Way To Break Phone (threatpost.com)

Translation: They figured out they have a non trivial chance of losing this case so they 'discovered' this new alleged hack that they doubtless had all along.

I'd bet dollars to donuts (which phrase is about to become obsolete) that they're planning a smudge attack, which could only take ~7 tries...

Re:Good to hear. by dcollins117 · 2016-03-17 07:02 · Score: 1 · on The Law Is Clear: the FBI Cannot Make Apple Rewrite Its OS (backchannel.com)

Don't do your own crypto, the wiseman says.

You don't have to. Information about strong encryption is widely available to everyone, for instance here.

Re:Congrats Slashdot! by fustakrakich · 2016-03-16 07:55 · Score: 1 · on How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com)

To me it's a honeypot. I wonder if there is a 'conflict' between the URL and its content :-)

Re:Waste of time, won't stop uncrackable messaging by phantomfive · 2016-03-15 11:27 · Score: 4, Informative · on DOJ Threatens To Seize iOS Source Code (idownloadblog.com)

All that is needed for unbreakable communications is a lengthy sequence of random bytes and an XOR operator. Otherwise known as a one-time-pad.

That comes up a lot. and it's usually wrong. Basically, the weak part of encryption isn't the algorithm, it's the chain of trust. If you can successfully exchange one-time-pads, then you can successfully exchange keys and get good encryption. In fact, exchanging keys is easier.

. If the parties are at least marginally smart in picking and using the pad

Nah, there are a number of mistakes you can make with a one-time-pad, and schneier pointed out a few in that link from before.

Re:He basically said "give us a back door" by MacDork · 2016-03-11 14:14 · Score: 4, Informative · on Obama: Government Can't Let Smartphones Be 'Black Boxes' (bloomberg.com)

If we give the government a back door to our data, it's only a matter of months before criminals and other nation states have that key.

I'm not even concerned about that. If the US Government has the key, that alone is bad enough. This is the same government that has systematically attacked developers as a group. Not terrorists. Software developers. They've launched the digital equivalent of a drone strike on users of this very site. They've developed malware that looks like developer tools. Coincidently, just such malware showed up to attack Chinese developers.

I am just gob smacked that Obama can show up at SXSW for any other reason than to apologize to us. He wants us to dig our own mass graves. Here is your shovel developer. Start digging.

Re:How do you decrypt a hash? by Lisandro · 2016-03-07 10:52 · Score: 0 · on Hacker May Have Discovered Plans For A Tesla P100D (jalopnik.com)

Typically you just brute-force them. SHA256 is a special case because, just like MD5, is effectively broken: you can decrypt them with significantly less operations than the brute force approach would require.

Re:gotta get the encrypted data first by macs4all · 2016-03-07 08:36 · Score: 1 · on MIT's New 5-Atom Quantum Computer Could Make Today's Encryption Obsolete (pcworld.com)

Also NIST wanted 256 bit keys for all entrants into the AES competition for that exact reason so AES, SERPENT, and TWOFISH should all be ok unless there is a break that is discovered in any of them and then you would be screwed

Yes, but isn't AES 256 actually weaker than AES 128?

Disclaimer: I am in no way a cryptologist, or a math expert

Good luck by vovin · 2016-03-02 08:58 · Score: 1 · on ISIS Supporters Abandon U.S. Encryption Tools As Apple-FBI Fight Rages

Finding an encryption scheme that isn't already backdoor'd by the CIA.
AFAIK the US/CIA has corrupt deals with all the known for-profit crypto suppliers.

http://mediafilter.org/caq/cry...
https://www.schneier.com/blog/...

Re:Tim Cook's letter by suutar · 2016-02-23 14:36 · Score: 1 · on Apple's iPhone Already Has a Backdoor

yeah, but ten years ago we were trying to hold down processing time for legitimate work. At this point the key lengths that can be handled pretty easily are unbreakable not because the cpus aren't fast enough but because thermodynamics says they can't become fast enough.- https://www.schneier.com/blog/...

Bruce Schneier says by Okian+Warrior · 2016-02-23 06:32 · Score: 5, Interesting · on DoJ Wants Apple To Decrypt 12 More iPhones (macrumors.com)

My go-to person for security issues is Bruce Schneier. Here's what he says about the issue:

The current case is about a single iPhone 5c, but the precedent it sets will apply to all smartphones, computers, cars and everything the Internet of Things promises. The danger is that the court's demands will pave the way to the FBI forcing Apple and others to reduce the security levels of their smart phones and computers, as well as the security of cars, medical devices, homes, and everything else that will soon be computerized. The FBI may be targeting the iPhone of the San Bernardino shooter, but its actions imperil us all.

He elaborates on this in another section:

This is an existing vulnerability in iPhone security that could be exploited by anyone.

There's nothing preventing the FBI from writing that hacked software itself, aside from budget and manpower issues. There's every reason to believe, in fact, that such hacked software has been written by intelligence organizations around the world. Have the Chinese, for instance, written a hacked Apple operating system that records conversations and automatically forwards them to police? They would need to have stolen Apple's code-signing key so that the phone would recognize the hacked as valid, but governments have done that in the past with other keys and other companies. We simply have no idea who already has this capability.

The best solution I've seen so far, from right here on Slashdot, is to have future firmware updates require the phone to be unlocked. IOW, the user is presented with an alert, and the user must type in the passcode before the update is applied.

This would seem to solve the problem for future releases, Apple could legitimately say that there's no way to unlock the phone.

Re:Compromise by scrib · 2016-02-22 14:45 · Score: 1 · on More Than Half of Americans Think Apple Should Comply With FBI, Finds Pew Survey (theverge.com)

The user's data is encrypted, but the OS is not. I do not have personal knowledge, but this is Schneier's article on the issue:
https://www.schneier.com/blog/...

Sure, Schneier could be mistaken, but barring other evidence I'm willing to accept his analysis. My opinion, FWIW, of what Apple should do in regards to this court order hinges on whether or not the devices can be updated without being unlocked. To be clear, I'm not talking about a remote exploit and user interaction is not an issue, the device user now is the FBI. The question is if the OS can be updated without unlocking the phone and the answer to that seems to be "yes."

Re: Really? by tlambert · 2016-02-20 05:26 · Score: 0 · on Why Are Apple's Competitors Staying Silent On the iPhone Unlocking Fight?

That means that phone backups need to be encrypted with a pass phrase and biometric identifiers (including pins and pass codes) cannot be used as keys and need to be verified by a secure subsystem before performing decryption.

Hi!

My biometric identifier has been cracked! Due to the Error 53 fiasco, which pissed off unlicensed repair shops that don't have legal access to parts not pulled out of stolen iPhones bought off of eBay, the Error 53 thing has been disabled, and now, as long as you have an electronic copy of someone's fingerprint, you can pretty much unlock their device.

How do we change our fingerprints again?!?

Oh. We can't. So what you are actually saying is, "biometrics are a totally crappy mechanism for securing anything".

You know, I think I saw Bruce Schneier say that once... https://www.schneier.com/essay...

[Citation Needed] by thomas.galvin · 2016-02-18 03:59 · Score: 5, Informative · on Paris Attacks Would Not Have Happened Without Crypto (arstechnica.com)

Bullshit. The Paris attackers did not use encrypted communications.

Was this an intelligence failure? Possibly. Was it an intelligence failure due to a lack of backdoors and/or laws against cryptography? Absolutely not.

Routers alone = shit (here's proof #15/15) by Anonymous Coward · 2016-02-14 11:51 · Score: 0 · on Firefox 44 Deletes Fine-Grained Cookie Management (mozilla.org)

https://nakedsecurity.sophos.c...
https://nakedsecurity.sophos.c...
https://threatpost.com/exploit...
https://www.hackread.com/cisco...
https://www.incapsula.com/blog...
https://www.schneier.com/blog/...
http://hardware.slashdot.org/s...
http://www.theregister.co.uk/2...
http://news.slashdot.org/story...
http://news.slashdot.org/story...
http://news.com.com/Bug+expose...
http://news.cnet.com/8301-1009...
http://it.slashdot.org/story/1...
http://www.theregister.co.uk/2...

* STILL BELIEVE routers = best security alone?

YOU SAID YOUR DNS NEVER WENT DOWN TOO?

Funny YOU ADMIT IT DOES -> http://slashdot.org/comments.p... & you FAIL vs. myself as usual, noob do-nothing "rookie ne'er-do-well" CHUMP!

APK

P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each) & YOU OUTRIGHT LIED ON YOUR DNS NEVER GOING DOWN TOO - HUGE fail (one for my bookmarks)... apk

Re:Why encrypt non-sensitive content? by fustakrakich · 2016-01-30 08:46 · Score: 1 · on Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com)

Because when you separate the two, you are flagging one as the more valuable target. It will call unwanted attention from the exact people you are avoiding. If everything were to be encrypted your adversary will waste time chasing it all, whether it's credit card numbers or a shopping list. If he were to do my shopping for me, he can have both.

All of that notwithstanding, HTTPS is a joke, worse, it's a tracker. Its vulnerabilities are well documented (I love seeing this story on a "secure" site). And our favorite TLAs have it all covered. The internet is still a broadcast system, just like TV and radio. Everything you do can be seen by all. So the best way to hide a message is to say it real loud with flashing lights and blaring horns.

Re:HTTPS Privacy Rules by fustakrakich · 2016-01-20 07:19 · Score: 2 · on Rights Groups Push For Strong Broadband Privacy Rules (reuters.com)

HTTPS is the only real answer.

I doubt that very much

And note the irony in the last question in the link

Re:Seems like time to consider the alternatives by ve3oat · 2016-01-17 14:48 · Score: 1 · on LastPass Vulnerable To Extremely Simple Phishing Attack (softpedia.com)

How about PasswordSafe? I think it was originally designed by Bruce Schneier of Schneier on Security fame. His credentials are excellent.

Re:Brutus by lgw · 2016-01-13 09:29 · Score: 2 · on NY Bill Would Force Decryption of Smartphones On Demand (onthewire.io)

Cruz looks pretty bad, when you actually pay attention

I have started paying attention. I was favorably impressed by his ad on the illegal immigration problem: it was humorous, it showed the "DC elite" in a bad light instead of showing immigrants in a bad light (it didn't show immigrants at all, let alone try to paint them as bad people). That's good stuff.

I want a candidate who can say the words "illegal immigration" and "Islamic terrorist", but is making rational points about those real problems, not playing up racism for votes from the cheap seats. I want someone to say "we're all immigrants in America, it's not about immigrants, it's about securing the border" and presents some plan that recognizes we need immigrant labor, but maybe we want to control how much. I want someone to say "Islamic terrorism is a growing problem, that doesn't mean we hate Islam, that means we'll be rational about how we address terrorism as a whole", and presents some plan that Bruce Shneier would like (man, he nails it in that article).

Re:Simpler explanation by Knuckles · 2016-01-12 19:24 · Score: 3, Informative · on Algorithms Claimed To Hunt Terrorists While Protecting the Privacy of Others (vice.com)

On the visa application form, https://www.schneier.com/blog/...

Re:Enigma by Anonymous Coward · 2016-01-05 04:18 · Score: 0 · on Dutch Government Backs Strong Encryption, Condemns Backdoors

Amateur cryptography bullet list:
- reference Enigma or something else that sounds cool - check.
- only talk about the size of the keyspace when talking about breaking the encryption - check
- hand-wave the hard part (key exchange) - check
- call it 'unbreakable' - check
- come up with something less secure than existing algorithms - check

Two things you should do:
- Read this: https://www.schneier.com/crypt...
- Use AES instead of your own algorithm

Re:Web OS 3.0 by strstr · 2016-01-03 05:08 · Score: 2 · on LG Announces "Super UHD" TV Lineup (digitaltrends.com)

this article says Samsung TV's are doing the same thing as LG; https://www.schneier.com/blog/archives/2015/02/samsung_televis.html

another article said Vizio TV's do the same thing. http://bgr.com/2015/11/10/vizio-smart-tv-spying/

It's standard for everything, every bit of data, everything your TV does to enable your viewing habits and usage to be monitored and recorded without your consent or knowledge.

It's like Google's and cellphones and telephone and internet. you cannot stop them from doing it unless you cut the Internet cord entirely.

The internet is dangerous because it's being used as a feed into your home and life any time you use it.

It's a false tradeoff by gavron · 2016-01-01 12:08 · Score: 5, Informative · on Majority of Americans OK With Warrantless Internet Surveillance (ap.org)

Security expert Bruce Schneier has been explaining for years that the "tradeoff" between security and liberty is a false one.
It's put out there by politicians to justify a war on liberties.

https://www.schneier.com/blog/...

Any "survey" or "poll" that requires comparing the two or claiming you must give up one to have the other has begged this question and is already false.

E

Re:Issues? How about major security holes? by tepples · 2015-12-31 09:42 · Score: 1 · on List of Major Linux Desktop Problems Updated For 2016 (narod.ru)

A bug is a bug. You have a trivial to exploit root hole in a common configuration of an OS. Deal with it at that level.

And it has been dealt with. Yet other attacks on common configurations requiring physical access are just as trivial for an evil maid to exploit.

Routers alone = shit (here's proof #15/15) by Anonymous Coward · 2015-12-21 10:24 · Score: 0 · on AdBlock Plus Updates Acceptable Ads Policy

https://nakedsecurity.sophos.c...
https://nakedsecurity.sophos.c...
https://threatpost.com/exploit...
https://www.hackread.com/cisco...
https://www.incapsula.com/blog...
https://www.schneier.com/blog/...
http://hardware.slashdot.org/s...
http://www.theregister.co.uk/2...
http://news.slashdot.org/story...
http://news.slashdot.org/story...
http://news.slashdot.org/story...
http://news.com.com/Bug+expose...
http://news.cnet.com/8301-1009...

* STILL BELIEVE routers = best security alone?

APK

P.S.=> So much for your faith in routers alone stupid (225 in total, 15 posts with 15 items each)... apk

Re:Moot Point Now by sociocapitalist · 2015-12-14 00:49 · Score: 1 · on FBI: Just Don't Call Them Backdoors (networkworld.com)

Groups like ISIS are now using their own encryption apps so there is nothing that can be done by any US tech companies prevent that. What would the point of making everything less secure be.

Even worse groups like IS often use no encryption whatsoever and the law still can't stop them.
https://www.schneier.com/blog/...

Re:Will somebody think of the children! by Zontar+The+Mindless · 2015-12-09 09:16 · Score: 2 · on Top Democratic Senator Will Seek Legislation To "Pierce" Through Encryption (dailydot.com)

But it's worked out so well with those TSA master keys for locked luggage--oh, wait...

Re:Ban encryption without backdoors by Zontar+The+Mindless · 2015-12-02 20:34 · Score: 1 · on Scammy Tech Support Sites Now Serving Up Ransomware (csoonline.com)

Back doors eventually become front doors.

Re:Sigh. She is NOT an engineer. by PPH · 2015-12-01 11:47 · Score: 0 · on Software Engineer Liz Bennett Talks About Being a Woman in a Nearly All Male Workplace (Video)

Computer Scientists build flight software for aircraft. They have to think about things like airgaps and an insane amount of device independence, redundancy and security.

Evidently not

Engineers don't typically go to jail.

Correct. They can have their license suspended or other disciplinary action taken. Computer Scientists? What ae they going to do? Recall your diploma? Pull your MCSE* certificate?

*Minesweeper Consultant, Solitare Expert.

Re:Bad Guys Using "Good" Guys' Tools by Anonymous Coward · 2015-11-20 04:04 · Score: 1 · on Nation-backed Hackers Using Evercookie and Web Analytics To Profile Targets (securityledger.com)

For those interested, Bruce Schneier's comments to the above article are here: NSA Tracks People Using Google Cookies, and the EFF's comments are here: NSA Turns Cookies (And More) Into Surveillance Beacons.

And the problem is that terrorist dont encrypt by DrYak · 2015-11-19 13:28 · Score: 1 · on ISIS Help Desk Assists In Covering Tracks (cnn.com)

we'll get to hear about how we have to outlaw telling people how to use encryption

If we're going to have a world where the conversations of private citizens cannot be eavesdropped on then it's a natural by product that criminals and terrorists will also benefit from this.

And the weirdest part is that, as Schneier has written on his blog ("Paris Terrorists Used Double ROT-13 Encryption"), the terrorists don't even use encryption to begin with.

It's not a case of secret services complaining "Oh my god, the terrists use unbreakable encryption! And Tor!!! We can't do nuthin' !!"

It's a case of terrorist operative having such a horrendous track of information security (actually good for us!), that some less stupid guys in ISIS decide that maybe it would be a good idea to give some introduction about encryption and anonymity, lest any operation ends up being followed by more arrests due to clues left. (As was the case in paris last wednesday)

So apparently terrorists are using *less* encryption than the average citizen (which isn't a big surprise. Bright people aren't very likely to blow themselves up in the name of some random $IDEOLOGY/$DEITY. Thus the average terrorist is rather bright than the average citizen. There might by a couple of brighter bulb among the terrorist, but they are few, and are at the top, far away from actual danger, and profiteering out of the indoctrinated masses)

Which is good for the rest of us. It's easier to win against stupider opponents.

And which also means that it's not a solution to ban encryption.

First and fore most:
- benefits of encryption and anonymisation (for the average citizen everywhere: protection one's data, avoiding becoming victim of identity theft, industrial spying, etc. for citizen of totalitarian government: better protecting themselves and avoid getting arrested for having said the wrong word at the wrong time)
far out-weight the draw-backs (a few malevolent individuals might want to use it to hide they nefarious projects).

And now we see that poor schmucks stupid enough to blow themselves up are also too stupid to even properly use encryption.

Crypto is hard by Sean0michael · 2015-11-11 15:51 · Score: 1 · on Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com)

This just goes to show that getting cryptography right can be just as hard for the bad guys as the good guys. There are so many ways to get it wrong. Just ask Bruce: https://www.schneier.com/essay...

Re:revolutionary technology by fgouget · 2015-11-05 23:29 · Score: 1 · on "Unsecured Memory Card" Prompts Election Fraud Investigation In Georgia (ajc.com)

Dunno how things are done in the US, but ballot boxes are sealed here (with actual lead / hard to change seals). The boxes are then couriered (with several different people accompanying the box) to a central location. There are various different registers that show who has attended the vote, what papers have been used. ie. Double Entry. with different people responsible for each register. Usually with a completely separate observer overseeing the ballot box.

Lead is not hard to find and if security keys can be replicated from a photograph then a standard seal should not be much of a challenge. Who picks the people accompanying the box to the central location? Can the person picking them be trusted? Is a single team carrying a significant fraction of the ballot boxes? And if they constantly have people supervising the ballot boxes, how can they forget them at the polling station? And recounts don't always happen immediately (at least in the US) so the issue is not just transport, it's also storage. Who picked the storage area? Who has access to it? Is a team posted 24/24 to verify nobody enters that room? Who picked that team?

The room is sealed / guarded.

The room is sealed? Why? Do they want to prevent the general population from overseeing the counting?

It would take an amazing level of conspiracy and corruption to rig a count in the UK.

From what you've said I'd say on the contrary that all the conditions are met for tampering.

There are no volunteers, these people are usually paid (and paid well enough) for their role in the ballot and count.

Who picks these people?

Consequences for interfering with the vote in any way are harsh and will include criminal charges as well as most likely loss of employment (staff typically are Local Government staff).

The consequences for murder are even harsher. And yet that has never prevented them.

If you've ever been at a count or worked with the people at the polling stations you would understand.

I've been at a count many times but here it happens right at the polling station, as soon as voting is closed so that the ballot box never goes out of the voters control. The counting is done by teams of four voters who volunteered at the polling station during the election, in the open. The count also happens in the presence of party representatives of course and any one who wants to oversee it (which I've done many times too). If you wanted you could arrive in the morning (done that too, was first to vote), see the ballot box being prepared, see that the box is empty (it's transparent), gets locked with two padlocks using different keys, handed out to separate persons, and stay all day until the results are announced after the count. In other words anyone can control everything from the start to the end.

I totally agree that paper voting can be much more secure and reliable than electronic voting. And even with the flaws of the process you described it probably is (mass tampering would be harder for one). But 'paper' is not a magic bullet. It still has to be done right.

Incompetent poster? by Okian+Warrior · 2015-11-02 04:37 · Score: 1 · on The Rise of Political Doxing (schneier.com)

When the CIA director has his AOL account "hacked", it is a demonstration of his utter incompetence, not "doxing".

This is an excellent example, a departure point for discussion.

Per Bruce's article:

The CIA director did nothing wrong. He didn't choose a lousy password. He didn't leave a copy of it lying around. He didn't even send it in e-mail to the wrong person. The security failure, according to this account, was entirely with Verizon and AOL. Yet still Brennan's e-mail was leaked to the press and posted on WikiLeaks.

Also, unlike a certain presidential hopeful, Brennan didn't have any CIA sensitive information in his personal E-mail. It was simply personal stuff about him, nothing that compromised security.

And yet, internet sheep immediately jump to a conclusion of "incompetence", a charge that would ordinarily haunt a person in future job prospects for the rest of their life.

One obvious step would be to hold the providers accountable for security failures.

Schneier is not just a blog! by Anonymous Coward · 2015-10-28 11:16 · Score: 5, Informative · on Revisiting the Infamous Sony BMG Rootkit Scandal 10 Years Later (networkworld.com)