Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Dell will do what's right for Dell...
the thing with the M$ monopoly is that it has traditionally been that what's right for M$ is (quite deliberately) what's right for Dell, so that's what they've done. With that monopoly weakening every day we'll see more and more of this, particularly as the cost of the hardware continues to drop while the cost of the M$ tax is reasonably static (if not on the rise). Bear in mind also that given that Internet Explorer Sucks (with only 7 days in 2004 without an unpatched, public security hole), this reflects badly on Dell and is likely to be one of their major support costs (imagine how many 'my machine runs 10 times slower now than it did when we got it and I'm constantly harassed by popups' calls they get!). In contrast, Firefox on Windows was 7% unsafe (still a ridiculously high number - this should be very close to zero) - it's a no-brainer.
-
Re:What a weird metaphor
That is precisely what was meant, as demonstrated by this beauty:
http://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html -
Re:So...
Of course. GW did say that these powers should stay in effect "as long as we are in danger." I've got news for you. Terrorism has been around a long time, and it's not going away any time soon. As long as there are terrorists in the world (an ever broadening group, due to the changes in how we define "terrorist"), there will be a reason to keep these laws around.
The current government has no plan to EVER give up these powers.
For an excellent essay on Bush's and the White House's take on terrorism see "The Security Threat of Unchecked Presidential Power" at Bruce Schneier's always outstanding blog. -
Password Safe
http://www.schneier.com/passsafe.html
Why not make keystroke loggers useless? I love this software. Just copy and paste passwords ;) -
Third agency in 48 hours
-
Schneier Agrees
Bruce Schneier has long held the position that the banks need to be held fully responsible for this sort of fraudulent activity:
http://www.schneier.com/blog/archives/2005/12/korea_solves_th.html
At the end of the day, the bank is entrusted with managing my funds. If my bank transfers my funds to someone else without my express approval, then the bank is at fault, no questions asked. The bank should have properly verified that I indeed wanted my funds to be released to the other party. If someone claims to be me, then the bank better make damn sure to authenticate that it really is me before taking my money out of my account. -
Schneier likes it
This is exactly what Bruce Schneier has been advocating for a while...here's his take on this story.
-
Keep The Robust Stuff, Then
Supposing there exists a "much more robust security infrastructure" - how is it going to be improved by the addition of a Play-Doh, uh, I mean a fingerprint scanner? Why not just stick with the robust stuff, and forget the shiny newfangled contraptions?
This isn't the first demonstration that fingerprint scanners are useless. A few years ago, a Japanese university professor showed that it was possible to make a gelatin mold from a latent print (i.e., without direct access to the authorized finger in question) that would fool the readers most of the time! What is a fingerprint scanner adding but a false sense of security? -
Bruce Schneier handled this on his blog in October
In fact, Mr. Bruce Schneier has a blog posting about this subject from October already: http://www.schneier.com/blog/archives/2005/10/passport_requir.html -
Why must non-cryptographers be so dumb?
There's so much wrong with this, I don't know where to start.
First, cryptography is hard. Even professional cryptographers with decades of experience still get it wrong -- often. Considering that this guy has essentially no previous experience (he's an EE professor), it's already near certain that he's dead wrong.
Second, he doesn't provide "absolutely secure" communications. He provides non-interceptable communications. He's totally ignoring authentication, non-repudiation, man-in-the-middle attacks, and half a dozen other very important problems. (It's also not a cipher, but we'll ignore that slip.)
He also assumes (from the abstract) that an eavesdropper can only eavesdrop by injecting current into the wire, which is blatantly false. One could easily tap the magnetic field generated by current in the wire, without drawing very much power from the wire at all.
And to top it all off, he's depending on the precise values of voltage and current, which means this is an analog system. Analog systems are notoriously difficult to build precisely -- which is why we're using digital everywhere.
This is such bad research that I can't wait until Bruce Schneier gets ahold of this.
-
Sounds like Snake Oil...
Sounds like snake oil, similar to http://www.schneier.com/blog/archives/2005/12/snakeoil_resear.html -
Re:Virii, worms and DRM ...
IIRC only one antivirus program detected and removed it, everyone else was afraid to tangle with Sony. All I remember is that it wasn't Symantec. Some of them remove the rootkit part but not the DRM.
That would be F-Secure -
"Identity Theft Over-Reported"
I recommend also reading a post in Schneier's blog about identity theft being over-reported and confused with fraud.
-
Sony
Most of the time I tried to hammer it into their heads that spending $40 now would save them a ton of heartache later.
I have a slight philosophical issue with shelling out money for a product which should be protected in the first place, but will let that stand if it provides me with much needed security, but
since the makers of security software seem in bed with "legitimate" spyware and rootkit purveyors those $40 won't buy me shit.
I fear that save for F-Secure the makers of security software have just about lost all my trust in them for this little stunt.
-
Yes, it very much *is* Sony's fault.
So it's now Sony's fault that users, who have their DRM software installed, just clicked through a legally binding document that allows Sony to install such software?
Um, yeah. It's very much Sony's fault for creating and distributing this software. Most people don't read these EULAs, and no normal person expects a rootkit to be installed when they're simply trying to listen to music. Sony knew exactly what would happen to its users (to the very people who gave Sony money, nota bene!), and they went ahead anyway.
But even if you think that this is just OK and the user's fault, how Sony reacted to the whole thing and "fixed" it by making it even worse destroys any last shred of credibility they still had.
-
The problem isn't Windows
Phishing isn't a technology problem. If your computer has a virus, the bad guys can get your critical data without tricking it out of you. Phishing will always exist due to human nature.
Case in point: http://www.schneier.com/cgi-bin/mt/mt-tb.cgi/474/
in which a bank manager was convinced to leave 5 million under the door to a bathroom stall in a bar in Paris. -
fbi approved software?
So we (yes, I am French) won't be allowed to develop some GPL'd anti-DRM software, but in the US you won't be allowed to run GPL'd secured communication software!
http://www.schneier.com/blog/archives/2005/12/fbi_to_approve_1.html
The difference is that this FCC rule has already passed! -
Re:My attempt : s/:-)/;-(/
It means new movie plot threats, but this time from Mr. Woo.
-
Re:Who cares when Sony was warned...
No, that's not what he said.
"Perhaps the only security company that deserves praise is F-Secure, the first and the loudest critic of Sony's actions. And Sysinternals, of course, which hosts Russinovich's blog and brought this to light."
F-Secure has been very upfront throughout that they were trying to work with Sony on this. A month is certainly ok, especially given how deeply this hooks into the system. Releasing the information with a working, non-system-exploiting removal tool would have been much better all around, and they were entirely responsible and reasonable to try to do that.
(Russinovich was also entirely responsible and reasonable to publish, too. There is Irresponsibly Fast Full Disclosure, Responsible Full Disclosure, Irresponsibly Slow Full Disclosure, and No Disclosure. It's a continuum. Both F-Secure and Russinovich were, imo, inside the Responsible Full Disclosure window.) -
Re:Movie-plot threat
> (Prediction: this will appear on Schneier's blog by end of day tomorrow)
Tomorrow?
http://www.schneier.com/blog/
Today's Movie-Plot Threat: Electronic Pulses from Space ...
Posted on November 23, 2005 at 07:39 AM | Comments (56) | TrackBack (0) -
Movie-plot threat
A perfect example of what Schneier calls movie-plot security.
It's pretty sad that they're actually wasting brain cycles thinking about threats like this. No, the risk of infection isn't zero. But it's damn close to zero. It isn't zero if you 'secure' SETI systems, either. It isn't even zero if you dismantle the SETI telescopes.
But money spent on this is money better spent elsewhere, practically no matter where else you spend it. This should have been in the 'It's Funny, Laugh' topic.
(Prediction: this will appear on Schneier's blog by end of day tomorrow)
-
Don't shut it down
Everyone expects that Microsoft would want to shut such a site down. Believe it or not, if the Trusted Computing Machine paradigm is to really take hold, Microsoft is going to have to wait it out. Lots of companies have worked on other tamper-proof technology. If this platform can withstand a very large portion of that attack, then they will have a reputation to be proud of - from a security perspective.
Bruce Schneier reminds us of several attributes in his book Secrets and Lies.
- Tamper proof hardware through zeroization techniques (no evidence thus far), but may involve destruction when a critical chip is removed.
- Revocation of privilege to participate. If the hypervisor detects trouble, it fails to a safe position.
- "Only the key is secret" (and only for so long). Call this a free update CD every XBox360 owner must run after two years from launch - this is a valid application with new Microsoft keys.
- Compromise in one section does not compromise the whole unit (defense in depth)
- Assume something like the James Bond 007 game save buffer overflow will happen again, and the damage should require everyone to purchase this game to continue running non-standard code - during which time the bug will be patched in the new distribution discs.
- Fiercely litigate anyone that builds disc reading/writing technology for the XBox 360, specifically targeting hardware vendors.
- Develop a method by which an honest enthusiast can work in a sandbox that does anything. They'll never be entirely happy, but it will keep all but the most zealous enthusiasts at bay. Make this disk cost, oh, say $150 to cover the lost profit, or $40 per year per console. Call this a bizarre toy for the sophisticated adult, and the cost should make it a disincentive to commercial distribution of competitive products.
For the record, I have no interest in playing on a 360, much less compromising one, but if Microsoft can apply the above principles, then they will have a reputation and platform other non-gaming industries can embrace. Even Sony couldn't buy that with money. I do, however, have my doubts that Microsoft has focused on security robustness because their first and foremost motto should be "It's all about the gaming experience." Fail that and the thing dies anyway.
-
Speed vs. accuracy
Until I see a series of controlled laboratory tests and their results, I'll remain a bit skeptical. DNA isn't your garden-variety chemical and processing it is so tedious precisely because of that fact. Speed in testing DNA may be desirable (look at the trouble they have to go through identifying Katrina or 9/11 victims), but accuracy is more important. It has to be consistent to be regarded seriously as a security device.
What's more, so they have my DNA and know who I am. How? That data will have to be stored somewhere. An RFID chip in my passport? A government-run DNA database? Better yet, so what? Assuming I haven't faked the RFID chip or hacked the DNA DB, who's to say I'm not a terrorist? Maybe I don't have a criminal record and maybe I'm not Muslim (remember such golden oldies as the Baader-Meinhof?). Speedy DNA processing isn't going to solve the fundamental security problem, which is how do we read your mind.
-
Re:Start Neal Stephenson
"Bruce Schneier invented a crypto system based on playing cards for the novel."
Ah, yes, Solitaire. Not that I really believe you're going to use it, but FYI, it's broken.
It's not by chance, either. Paul Crowley, the guy who broke Solitaire, also tried to invent a strong manual encryption algorithm and failed.
Not that I'm in the league of those guys, but I've been working on the problem myself and it's not easy. -
Re:Another backlash to come
I think the biggest backlash to come is versus the security companies.
I personally uninstalled Norton Security from my computer as it's now clear that they can not protect me from emerging threats.
Indeed. Bruce Schneier discussed this very question in a Wired News article, also discussed on slashdot, also discussed on Schneier's weblog.
The answer, I think, as to why the security companies fell down so unanimously on this one is that they're all afraid of the DMCA. So we have yet another crystal-clear example of the DMCA's overly far reach and unintended consequences: it legitimizes malware, as long as the malware takes the form of "copy protection".
-
Re:Those poor security people ...
Security people rarely have any idea what they are dealing with. The main reason why is they are simply given orders to "check an RFID badge" or "wave a wand around those people who set a metal detector off". They aren't paid to think critically or anything. This is often the charge levied by Schneier. If we hired smart security people, overall we'd be more secure.
-
Re:Article sucks!
I'm sure that a widely regarded author of several security books, a cryptographer who's created a fairly robust algorithm, and a guy who's been called to testify before Congress several times is all broken up about slashdot user 805235 thinking his article sucks.
-
Re:breaking torrents?
No, multiple hash routines *does not work*, as is said in every single hash related thread.
I must have missed it. I'll assume that you know what you're talking about here, but some more detail would be nice. MD5 has been broken (or at least collisions can be generated relatively easily now), MD4 is broken, and CRC32 is almost trivially broken (since it's a hash, but not an appropriate hash for cryptographic work.) In any event, if I have CRC32, MD4 and MD5 hashes for a given string, wouldn't it be massively more difficult to find another string with the same values for all three hashes, even though each hash has been `cracked' individually? (A citation to some sort of discussion would be useful, rather than just saying `no'.) (And if three hashes is too much, feel free to pick any two hashes from that list, though of course I'd be more impressed by breaking MD5+MD4 than MD5+CRC32, if not only because there's 96 more bits to worry about.)
Fortunately I'm pretty sure BT uses a newer hash already.
I was assuming that it used MD5, but apparently it's SHA-1 (judging from the other responses to my post.) But isn't SHA-1 just a few steps further from the grave than MD5 (for lack of a better way of putting it?) That, and BT wasn't the only thing I was thinking of, though maybe none of the p2p systems use MD5. -
SHA-1 isn't much safer, try SHA-256 or higher
Any half-way intelligent cryptographer would have suggested SHA-1, TIGER or perhaps HAVAL since quite some time already.
Actually collisions in SHA-1 were confirmed in February of this year, and refined in August. Any half-way decent cryptographer would be using SHA-256 or, better yet, SHA-384 or SHA-512. We've got the disk-size and bandwidth these days not to be worried about a few extra bytes. Bruce Schneier's initial article on this is instructive.
-
Re:bittorrent?
SHA-1? Wow, you're safe then...
:-P -
Re:The cycle begins anew...
SHA-1 is not the solution. Take a look at SHA-224, SHA-256, SHA-384, and SHA-512.
-
Re:shaken to our what?
SHA-1 is not the solution. Take a look at SHA-224, SHA-256, SHA-384, and SHA-512.
-
Re:SHA1
SHA-1 is not the solution.
-
Re:Nobody cares about you
Blogs don't have to be publicly viewable. I'm sure many people write completely private entries. If you wander round LiveJournal an awful lot of people post to a select group of friends, ie their blogs are "by invitation only".
You have to go to the effort of loading up a blog in order to read it - hardly comparable to spraying stuff on a wall.
Being a celebrity is hardly a reason to have an interesting blog; being able to write is. The successful blogs belong to people who are interesting writers. Whether they write about their experiences in computer security, the London Ambulance Service or evolutionary biology, it always comes down to content. It takes a lot of skill to write about nothing and make it interesting, so why are you complaining that 14-year-olds don't write interesting blogs? They're probably sub-literate to start with!
Complaining that anything is bad when all you've seen are the very worst examples is misguided and childish. Or flamebait.
-
Re:Blog? Blech ...
Yeah, they sure are a bunch of losers. Not contributing a damn thing to society, just uselessly wanking about how much their dog ate and why their friends from high school don't write. Serious people only get their news and information from trusted, reliable sources.
Seriously, what the hell is it about blogging that inspires such hatred in some people's hearts? Too many of you guys got ex-girlfriends with Livejournal accounts?
-
No.
Jeez, all of you guys have a problem with shades of gray. It is neither 100% popularity nor 0% popularity.
No. You don't understand security.
Security is independent of popularity.
There is nothing about popularity that makes a system more or less secure.
It is a cost/benefit ratio.
No.
According to your logic 0 banks would be robbed since they have better security.
No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.
Yet banks get robbed. Why?
Because their security is not perfect.
Because there exists someone for whom the extra money outweighs the extra risk.
Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != Risk
Eventually we will reach a point where the target size will be large enough that it provides enough bang/buck to defeat the extra security.
Read "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.html
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm. -
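The attack-tree evaluation the comment above points to, as an added example that is not code from the post or from Schneier's paper. The tree, node names and attacker costs are constructed; the point it shows is the commenter's own: closing every port removes one avenue, but the cheapest remaining avenue (walking off with the box) is what sets the real cost of attack.

```python
"""Attack-tree evaluation in the spirit of Schneier's "Attack Trees" paper.

Added example; this is not code from the post above or from the paper.
The tree, the node names and the attacker costs below are constructed for
illustration.  Leaves carry the attacker's cost (None = infeasible); an OR
node costs as much as its cheapest child, an AND node as much as all of its
children together.  The cheapest leaf set is the avenue a defender should
price up first.
"""
import copy
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Result = Tuple[Optional[float], List[str]]


@dataclass
class Node:
    name: str
    kind: str = "leaf"             # "leaf", "or" or "and"
    cost: Optional[float] = None   # leaf attacker cost; None means infeasible
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Result:
    """Return (cost, leaf names) of the cheapest attack rooted at `node`.

    A cost of None means no feasible attack exists in that subtree.
    """
    if node.kind == "leaf":
        if node.cost is None:
            return (None, [])
        return (node.cost, [node.name])
    results = [cheapest(child) for child in node.children]
    if node.kind == "or":
        feasible = [r for r in results if r[0] is not None]
        if not feasible:
            return (None, [])
        return min(feasible, key=lambda r: r[0])
    if node.kind == "and":
        if any(r[0] is None for r in results):
            return (None, [])      # one infeasible step blocks the whole path
        total = sum(r[0] for r in results)
        leaves = [name for r in results for name in r[1]]
        return (total, leaves)
    raise ValueError(f"unknown node kind {node.kind!r}")


def set_leaf_cost(tree: Node, leaf_name: str, cost: Optional[float]) -> Node:
    """Return a copy of `tree` with one leaf's cost changed (a countermeasure)."""
    new_tree = copy.deepcopy(tree)
    stack = [new_tree]
    while stack:
        node = stack.pop()
        if node.kind == "leaf" and node.name == leaf_name:
            node.cost = cost
        stack.extend(node.children)
    return new_tree


def build_tree() -> Node:
    """Constructed tree: the attacker's goal is to read data held on a server."""
    return Node("read the server's data", "or", children=[
        Node("attack over the Internet", "and", children=[
            Node("find an exposed service", cost=100),
            Node("exploit the service", cost=5000),
        ]),
        Node("steal the machine", "and", children=[
            Node("break into the office", cost=2000),
            Node("carry the box out", cost=50),
        ]),
        Node("bribe the administrator", cost=3000),
    ])


if __name__ == "__main__":
    tree = build_tree()
    print("baseline:", cheapest(tree))
    # Closing every port removes one avenue but does not move the cheapest one.
    no_ports = set_leaf_cost(tree, "find an exposed service", None)
    print("no open ports:", cheapest(no_ports))
    # Only pricing up the physical break-in changes the cheapest attack.
    hardened = set_leaf_cost(no_ports, "break into the office", 20000)
    print("no ports + better locks:", cheapest(hardened))
```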
Schneier and co.
.. I believe Bruce Schneier already beat this issue to death - security is a process - that can not be gained from a book or a product or a tool or whatever... If the book moves you in the right direction, it's worth a read. Check out his short essay on this.
-
Re:Not spyware, but there is a reason this won't d
Bullshit response. Just because the data's hashed doesn't mean it can't be reconstructed.
No, I think you've got the bullshit response.
The nature of hash functions, real hash functions, is the same as a one-way cipher. It takes an arbitrarily long string and turns it into an arbitrarily short string in a fashion that cannot be reconstructed. This is how passwords are stored securely. It's proven, documented, and usually open technology. There are flaws in some hashes (Schneier's writing on some right now actually on his blog), but generally most hashes are thought to be secure, and even the vulnerabilities he's concerned about are with respect to hash collisions, not reversibility. Nobody sane questions that hashes are irreversible.
For more information, please read what a hash function is before posting. -
New passports not so Insecure
Bruce Schneier had a write-up on this back in August. And he found the state department's plan to not be such a bad one from a security standpoint:
The most important feature they've included is an access-control system for the RFID chip. The data on the chip is encrypted, and the key is printed on the passport. The officer swipes the passport through an optical reader to get the key, and then the RFID reader uses the key to communicate with the RFID chip. This means that the passport-holder can control who has access to the information on the chip; someone cannot skim information from the passport without first opening it up and reading the information inside. Good security.
So no need to pull out your tin foil hats out yet. That doesn't mean this is a good plan, it sounds like a large waste of resources to counter a problem (forgery) which is better combated by other means where the money could make a bigger impact.
The new design also includes a thin radio shield in the cover, protecting the chip when the passport is closed. More good security. -
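The access-control idea quoted above (the chip talks only to a reader that has optically read the key printed inside the passport), as an added example that is not code from the post or from any real e-passport implementation. The key derivation, message flow, printed line and holder data are all constructed for illustration; the real scheme's details are not given on the page.

```python
"""Optical-key access control for a passport chip, as described in the post.

Added example; not code from the post or from any real e-passport
implementation.  The key derivation (SHA-256 of the printed line), the
message flow and the sample data are constructed for illustration.  The
point shown: the chip answers only a reader that proves knowledge of a key
derived from the data printed inside the cover, so a reader that never
opened the passport learns nothing, and a recorded response cannot be
replayed in a later session.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed machine-readable line and holder record; real ones differ.
PRINTED_MRZ = "P<UTOEXAMPLE<<ALICE<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
HOLDER_DATA = {"name": "EXAMPLE, ALICE", "doc": "CONSTRUCTED-000"}


def derive_key(printed_mrz: str) -> bytes:
    """Constructed derivation: the key is simply a hash of the printed line."""
    return hashlib.sha256(printed_mrz.encode("ascii")).digest()


class PassportChip:
    """Simulated chip: reveals holder data only after a valid response."""

    def __init__(self, printed_mrz: str, holder_data: dict):
        self._key = derive_key(printed_mrz)
        self._data = dict(holder_data)
        self._pending_nonce: Optional[bytes] = None

    def challenge(self) -> bytes:
        # Fresh nonce per session, so a recorded response cannot be replayed.
        self._pending_nonce = secrets.token_bytes(16)
        return self._pending_nonce

    def read(self, response: bytes) -> Optional[dict]:
        if self._pending_nonce is None:
            return None                     # no session in progress
        expected = hmac.new(self._key, self._pending_nonce, hashlib.sha256).digest()
        self._pending_nonce = None          # nonce is single-use
        if not hmac.compare_digest(expected, response):
            return None                     # wrong key: chip stays silent
        return dict(self._data)


class Reader:
    """A reader that has (or has not) optically scanned the printed line."""

    def __init__(self, scanned_mrz: str):
        self._key = derive_key(scanned_mrz)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def read_passport(chip: PassportChip, reader: Reader) -> Optional[dict]:
    """Run one challenge/response session; None means access was refused."""
    nonce = chip.challenge()
    return chip.read(reader.respond(nonce))


def replay_attempt(chip: PassportChip, reader: Reader) -> Optional[dict]:
    """Record a legitimate response and present it again in a new session."""
    recorded = reader.respond(chip.challenge())
    assert chip.read(recorded) is not None   # the genuine session succeeds
    chip.challenge()                          # new session, new nonce
    return chip.read(recorded)                # the old response no longer matches


if __name__ == "__main__":
    chip = PassportChip(PRINTED_MRZ, HOLDER_DATA)
    print("officer who opened the passport:", read_passport(chip, Reader(PRINTED_MRZ)))
    print("reader without the printed line:", read_passport(chip, Reader("P<UTOUNKNOWN")))
    print("replayed response:              ", replay_attempt(chip, Reader(PRINTED_MRZ)))
```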
Re:Nothing to see here...!
For better analysis of the War on Terror than anything I've seen in mainstream media:
http://globalguerrillas.typepad.com/johnrobb/
http://globalguerrillas.typepad.com/globalguerrillas/
http://www.schneier.com/blog/ -
Not all bloggers are created equal
I have found great value in bloggers like Bruce Schneier and Security Monkey, and I think to paint them all with one brush is useless. There are some scumbag bloggers that are out for attention and revenge - but if we wish them to go away, aren't we taking away from the purpose of blogging?
Something to think about. -
No way I'll be playing World of Spycraft...
After Bruce Schneier's revelations regarding Blizzard's new "the innocent have nothing to fear from our spyware" policies, I've completely hopped off the World of Warcraft bandwagon. I realize that Blizzard is just trying to help legitimate players avoid the hassles of dealing with cheats and farmers, but I'd rather worry about the cheats in a virtual world than worry that some company is scanning my computer for things it doesn't want me running. Blizzard can take their Burning Legion and cram it up their bums.
-
Compulsory RFID implants coming soon
I just had to go search for more info on RFID implants because sooner or later bills will be proposed by somebody that they be introduced, initially on a voluntary basis....
Back in July silicon.com reported the following: "Tommy Thompson, the Health and Human Services Secretary in President Bush's first term and a former Governor of Wisconsin, is going to get tagged. Thompson has joined the board of Applied Digital, which owns VeriChip, the company that specialises in subcutaneous RFID tags for humans and pets. To help promote the concepts behind the technology, Thompson himself will get an RFID tag implanted under his skin." http://networks.silicon.com/lans/0,39024663,39150525,00.htm/
December 2003 - Subdermal RFID chip provokes furore http://www.theregister.co.uk/2003/12/04/subdermal_rfid_chip_provokes_furore/
October 2004 - FDA approves computer chip for humans - nice pic of an implant next to George Washington... http://msnbc.msn.com/id/6237364/
This article was followed up in November 2004 http://slate.msn.com/id/2109477/
Verisign thoughtfully provide a method to save you getting your child swapped in the hospital. "The number of total switching incidents is as high as 20,000 per year in the U.S." But don't worry. In this case the tag is not implanted... http://www.verichipcorp.com/
...unlike the VeriKid service provided by the Mexican distributors of verisign technology: http://www.solusat.com.mx/index1.html http://www.wired.com/news/technology/0,1282,60771,00.html
Although RFID implants have their detractors...
http://www.spychips.com/
http://www.notags.co.uk/page26.html
http://www.rfidconcerns.com/
http://www.shire.net/big.brother/digitalangel.htm
http://whiterose.samizdata.net/archives/cat_identity_cards.html
http://www.schneier.com/blog/archives/2005/02/implanting_chip.html
...they seem to be popular with body piercing fans: Amal Graafstra Gets an RFID Implant http://www.bmezine.com/news/presenttense/20050330.html
And the odd geek or two: http://www.x11.net/wiki/index.php/My_RFID_Implant He has mp4 video footage of the implanting procedure. It doesn't sound like he will want to remove this implant anytime soon - OUCH!
The Mexican Government - "Mexico's Attorney General required the Mark of the Beast in a 160 people. Thousands more are now planned..." http://www.tldm.org/News4/MarkoftheBeast.htm
And the European Parliament! "Brussels: 'Implants to track people are OK'". http://management.silicon.com/government/0,39024677,39128836,00.htm/
"Power tends to corrupt; absolute power corrupts absolutely" Lord Acton (1834-1902) -
A few words of sanity for an insane idea...
Let me state right up front that, technological and potential privacy issues aside, I don't think this is going to make passports any more secure. I further believe the arrogance shown by the U.S. towards other countries in this matter ("You WILL convert to this same standard if you want your citizens to be able to visit our country") is absolutely typical of our current administration.
In other words, I don't agree with it.
WITH THAT SAID: Allow me to point out a few facts, based on previously-published material and my own knowledge of RFID technology.
First and foremost: What no one seems to have noticed (it may not have been reported in TFA, which I've yet to read) is that the State Department is, reportedly, going to weave their idea of a Faraday Cage right into the covers of the new passports in the form of a metallic-filament weave. Bruce Schneier mentions this on his site already.
This should, in theory, effectively counteract any sort of attempt to read the thing remotely when the passport is closed. If you're really paranoid about it, you can place your passport into an ESD Shielding Bag, available from most electronic component distributors such as Allied Electronics, DigiKey, or Mouser.
On the subject of long-distance remote reading: I doubt very much we're going to see, as one other poster pointed out (paraphrasing), "criminals with laptops and a portable reader under their coat" any time soon. For starters, the return emission from most passive RFID chips of the low and mid-frequency ranges (125-148kHz and 13.56MHz) is very weak. The chip would require a significant amount of close-up RF energy to excite it, and a large antenna and high-quality receiver to pick up the return signal.
Going further along those lines: Remember that RF field strength decreases quickly, as you move away from the source, according to the Inverse Square Law. The main reason that the low and mid-freq chips are only readable up to about 3 feet away is because, in order to have them work from further away, you'd need a transceiver the size of a large HF ham radio setup, and equally large (and obvious) antennas (the lower the frequency, the physically larger the antenna has to be).
For a criminal to effectively read such chips with portable equipment, they'd have to be standing more than close enough to the security folk to attract unwanted attention.
While I have found some references to the State Dept. having been able to read the test passports from 30 feet away with "special equipment," I also recall that this equipment was hardly portable, and required direct connection to AC power to be operable at all. In other words, it needed a lot more power than an easily-portable battery source could provide, and it was hardly what I would call surreptitious. Based on that stated range, I have reason to believe that the DoS was using 915MHz RFID tags for their test. Such tags are, according to this list, very much readable from at least 25 feet away.
I've been unable to locate any references on which specific frequency or type of RFID chip will be used in US passports (anyone else have any references on that?) Despite that, I think it's premature to draw conclusions based solely on the news articles to date. News articles do not, after all, make for a technical white paper.
I would suggest that those who get the new passports, and that have the technical know-how, try to read them with an appropriate RFID reader. Try different distances and angles, see if you can actually read the thing with the cover closed and (if possible) try a variety of d -
Blizzard Uses EULA Spyware -- Bruce Schneier
Veteran security expert Bruce Schneier confirmed reports that an anti-cheating tool called "The Warden," used by players of the popular network game World of Warcraft (WoW), collects information about all running processes in Windows, and reports back about those processes to the server of the game's publisher, Blizzard:
http://www.schneier.com/blog/archives/2005/10/blizzard_entert.html
More commentary on Tom's Hardware: http://www.tgdaily.com/2005/10/24/world_of_warcraft_warden_is_it_spyware/index.html -
The real Bruce Schneier article is in Wired.
This is the real article by Bruce Schneier: Sue Companies, Not Coders
An excerpt at Bruce Schneier's web site is titled Liabilities and Software Vulnerabilities. (Scroll down to see it.)
Bruce Schneier is a very smart guy. This statement from his web log is foolish, and not typical: "Somewhere in the middle there is a reasonable amount of liability, and that's what I want the courts to figure out."
If Bruce Schneier doesn't have a detailed plan, that shows how difficult it is to resolve the matter. "The courts" have very little knowledge or willingness to think carefully about this. In the U.S., court judges are often backed by those who want a weak judicial system, and other people, like U.S. President George W. Bush, who are corrupt and incompetent. For a list of books discussing the corruption, see: Unprecedented Corruption: A guide to conflict of interest in the U.S. government. -
Found this...
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
Also, is this similar to what we have had in Sweden for a couple of years for our banking systems? We have a personal badge that we enter a pin and a temporary code to get a new temporary code to be able to authenticate?? -
Re:One more damn thing to carry around
I completely agree. Moreover, this will just change the tactics of criminals. http://www.schneier.com/blog/archives/2005/10/us_regulators_r.html -
Re:Bullshit
For software that's life-critical, the quality bar is set much, much higher.
Unless it is an Airbus A380