Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:bank I use ... allows (weak passwords)
US banks must think that their existing fraud prevention infrastructure is up to the task. (We had people fraudulently use our credit cards twice, and even though I check my CCs regularly, the banks contacted me both times within hours of the incidents.)
Anyway...
1) One of my CCs was just switched to Chip & PIN.
2) "Our new paper shows that it is possible to create clone chip cards which normal bank procedures will not be able to distinguish from the real card."
https://www.schneier.com/blog/archives/2014/05/preplay_attack_.html -
Re:Early fragmentation
I did most of my work on Unix before I started at Apple in '95. All of the new OS development was being done in C by then. I suspect that before that, most of the OS development had been done in 68K assembler, not Pascal. When the switch to PPC started, Apple needed a cross-platform systems programming language and Pascal was not it.
This article from '93 references how the industry mindset had switched to C/C++ and that pushed Apple.
https://www.schneier.com/essay...
One thing to remember is that at that time, both Macs and PCs were not very powerful machines and large applications were being developed for Unix workstations.
-
Schneier on Security
As usual has something to say on the New NSA Documents on Offensive Cyberoperations https://www.schneier.com/blog/... with links to additional sources.
-
Mod parent up insightful!
Well said, turbidostato, well said!
See also a book by a founder of MasterCard which even included a section on the importance of "open books [for accounting]" that can be inspected by all employees and customers:
"Honest Business" By Michael Phillips
http://www.amazon.com/Honest-B...
"An inspirational guide to ethical business practice explains how to create and manage a small business that emphasizes openness, personal integrity, and community involvement as the keys to success."
Another related thing is Dee Hock's (founder of Visa) work on the Chaordic Commons as value, purpose, and principles-driven fractally-organized organizations:
http://en.wikipedia.org/wiki/C...
http://www.griequity.com/resou...
That said, I have a lot of respect for Bruce Schneier, especially for writing stuff like this:
"The War on the Unexpected"
https://www.schneier.com/blog/...
"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats...." -
Re:Countless Comments on Prior Articles & Now
Hell even more joy.
https://www.schneier.com/blog/... -
Re:Countless Comments on Prior Articles & Now
I stand by the many findings outlined on Schneier's blog. The huge preponderance of evidence points to an insider. There is a LOT more in play than the USB speeds, but you want to take up one point I cited and rest all of your rebuttals on it? Just that ONE?
But _you_ told _me_ to "think" before replying. [sigh]
As you will not, for whatever reason, Google the terms, here's the link.
https://www.schneier.com/blog/...
Read it, or don't and continue to debate me on one example I quoted. Knock yourself out, deep thinker.
-
The Devil is in the details
Apple Owns Your Security: Section 6.1 explains that Apple has to approve any bug fixes or security releases.
Interesting that, considering all the security failures Apple has (does have) had with their own software.
Does anyone believe this:
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;
was accidental?
fanbois go here: https://www.schneier.com/blog/...
Was this done on purpose? I have no idea. But if I wanted to do something like this on purpose, this is exactly how I would do it.
-Schneier
-
Re:amateur
I should explain what I meant better...
It may be true that Bitstamp had some security shortcomings. But it is equally plausible they were reasonably or even vigilantly security-conscious.
The reality these days (as shown by the endless string of high-profile hackings that have occurred in the last year or so) is that anyone is hackable if they are a juicy enough target. JP Morgan comes to mind as an example of a large, regulated, and security-conscious financial services firm that suffered a major hack despite not being "amateurs."
The truth is that it is harder to maintain an impenetrable fortress than it is to find a small chink in the armor of such a fortress from which a hacker can create a toehold and base an attack. I defer to Bruce Schneier for corroboration on my point:
Your reaction to the massive hacking of such a prominent company [Sony] will depend on whether you're fluent in information-technology security. If you're not, you're probably wondering how in the world this could happen. If you are, you're aware that this could happen to any company....
In fact, that Bitstamp detected some anomalous activity and froze the affected wallets while the number of affected bitcoins was well below the reserves they kept in place for any such eventuality might show they have good security monitoring in place.
-
Bruce Schneier has an interesting analysis
Bruce Schneier posted an analysis on his blog that points out a few things.
The timestamps on the data suggest that it was downloaded at USB2.0 speeds, and happened on the day that Charles Sipkins, Sony Pictures' head of corporate communications, publicly resigned.
The USB2.0 speeds implies an inside job, and the timing of Sipkins' resignation is suspicious.
What was the evidence for NK again?
-
Re:And that is why you shouldn't use Gmail
Google can provide privacy
But they don't. They violate your privacy themselves, even when they're not cooperating with the government.
Like when? Automatically marking incoming emails as spam? Unlike your credit card, hotel, etc., Google keeps any data they collect to themselves, which is better than everyone else. Because they offer a lot of services they may collect too much data for your taste, but there are all sort of things they are accused of doing but don't do, such as rigging Chrome to send data back to them, Google glass always recording, etc.
The only cases I can find are a rogue employee using root powers to read someone's gmail (fired), and at a stretch you might be referring to PRISM. If you are, I have a lot to say on that subject.
Why are you fighting against the people who are fighting for privacy?
They aren't fighting for privacy in any meaningful sense. Occasionally they fight back as a PR move, but they've allowed all sorts of egregious privacy violations, and violate your privacy themselves.
Fighting back falls in two categories: legal and technical. Note that we need to fight on both, but the bad guys can win on whichever is weaker. I'm not a lawyer. Google published this video. My attitude is that we should fix the technical issues and hope that the lawyers will also fix the legal issues. We know that the NSA chose to bypass legal process, so there must be at least some things they want but can't get.
Google is working on end point security with Project zero, ChromeOS (secure boot + remote management), bug finding tools like afl and asan, etc. Google is working on transit security, they're upranking SSL sites, killing off SSL 3.0, killing off SHA-1, marking plain http as insecure, they invented and deployed Channel ID, Certificate pinning (which caught an intelligence agency they didn't know was attacking!). Their own networks were being snooped and they claim they now encrypt all traffic in and between data centers, but we only have their word on that. They also claim they were already planning to add encryption but reprioritized it when it was revealed that the NSA was already taking advantage of it. They're pushing for larger RSA keys, and for newer crypto entirely with features like forward secrecy. It could be argued that the newer crypto is more likely to have back doors, but as it stands there is no evidence that the NSA had any breakthrough technique for decrypting either new or old, they would just break into machines that have keys, or possibly factor smaller (1024 and less) RSA keys. Google deployed OTP and invented the U2F system which is better than OTP. As far as I'm aware, Google isn't doing much for DNS security (besides running Google DNS which has cache poisoning protection) or IP routing security (besides running Google Fiber), but perhaps they think those become irrelevant unless the attacker can also forge TLS keys.
All of those are security issues, which are tightly intertwined with privacy in that if your security can be penetrated then you lose your privacy. They also created "incognito mode", a pure privacy feature with no security implication
-
Re:SSH is blocked in lots of represive regimes
Some SSH has been reported cracked, I'm not skilled enough in cryptography to understand, but from comments it appears to be limited. https://www.schneier.com/blog/archives/2014/12/new_documents_o.html
-
NSA-resistant VPN's were done before...One of the earliest secure (at the time) systems was a VPN: the BLACKER VPN. NSA couldn't hack it. There were numerous products with this capability under the banner "crypto seal" that were evaluated in 90's, including GEMSOS. The NSA's Type 1 HAIPE is a modified IPsec that passed their rigorous Type 1 development and evaluation process. Navy researchers also finished an EAL7 IPsec VPN that got canned just before certification because there was "no market for it" per management. Further, there's been many link encryptors and mail guards (which support crypto) that made it to the top level. The result is that you *can* build secure VPN's. Private companies, NSA, and academics have all done it. You must clearly understand where the risks are, mitigate them in the design, and do the software lifecycle with a EAL6-7 type process. A rare few companies are using high assurance methods, but almost zero FOSS projects are. They use insecure languages, libraries, OS's, firmware, and hardware. Guaranteed to be hacked. Want to know what it takes to build something secure? I included some of the requirements in the conversation below:
http://www.schneier.com/blog/a...
Examples of better approaches and some exemplar secure products:
-
Re: Again...
According to what we know about TAO they use zero day exploits so it doesn't look like hidden hack doors in closed source software/hardware. That PPTP is insecure has been known since at least 1998: https://www.schneier.com/pptp.... That Microsoft still promotes it is beyond me.
-
Re:Chainsaws?
I was behind a guy that tried to bring not one, but *two* bottles of shampoo.
... The shampoo didn't have any special labels to indicate it was prescription ...
From Schneier on Security:
Schneier took from his bag a 12-ounce container labeled "saline solution."
"It's allowed," he said. Medical supplies, such as saline solution for contact-lens cleaning, don't fall under the TSA's three-ounce rule.
"What's allowed?" I asked. "Saline solution, or bottles labeled saline solution?"
"Bottles labeled saline solution. They won't check what's in it, trust me."
They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, "This is okay, right?" "Yep," the officer said. "Just have to put it in the tray."
(Later, Schneier would carry two bottles labeled saline solution—24 ounces in total—through security. An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles.)
-
Re:TFA Misunderstands the History
"when it was revealed that the NSA had actually, and pretty amazingly, undermined hardware random number generators on widely available chips"
Such a thing was never revealed.
https://www.schneier.com/blog/...
"I have no idea if the NSA convinced Intel to do this with the hardware random number generator it embedded into its CPU chips, but I do know that it could." (could meaning it is conceivable here, he doesn't investigate anything about feasibility)
No one ever showed that the NSA did this. No one even tried.
It's really frustrating to see speculation reported as truth from a person who seems very careful to try to be sensible and not just ring alarm bells to get notice.
-
Do as Bruce Schneier has suggested
Keep your passwords with the other important pieces of paper you carry around daily: in your wallet
-
Starting with a false premise
"Any password policy sufficiently complex to be secure is too complex to remember" is not a universally true statement. https://www.schneier.com/blog/...
-
Re:beyond the realm of plausibility
-
a nice test of my theory
I noticed people fighting over FOSS vs proprietary philosophies a long time ago. They acted like these two are all there is. I posted this essay arguing there's a large variety of models with some combining proprietary and open source: https://www.schneier.com/blog/... One of the first mainframes, Burroughs B5000, was sold quite profitably with the customers getting the source code and able to extend it however they wanted. They could also submit changes back to Burroughs to include for everyone. The continued and significant funding ensured the system kept getting improved. The openness has many of the benefits of FOSS. They later closed the source like QNX did, but I could see a contract where the customers get the current and future source indefinitely so long as they pay. So, it's nice to see a new venture that challenges the false dichotomy of proprietary, FOSS, or nothing else. There's lots of mixes. I look forward to seeing how this scheme works out.
-
Schneier says
I didn't know what to exactly think about this, then I saw what Bruce Schneier says about it:
This is an absolutely fantastic idea.
Good enough for me.
-
Re:NXP is a huge secure element provider.
meanwhile a USB device must identify itself as a device whose driver required DMA, that driver must be present, and it must emulate that device well enough to fool the driver into actually talking to it; the bar is a fair bit higher with USB than DMA.
I didn't see any of that in the Wired story. It essentially stated: "plug it in, it infects your PC, Antivirus software is useless, and future USB devices plugged into your system can be infected". When Bruce wrote about it along with quite a few others, the evidence seems to point to a rather bad security flaw.
If you're worried about USB, you need to be terrified about the other busses in your system.
The short answer to this one is I only usually have 1 set of devices that are relatively permanent for those other buses. It's not a thumbdrive that gets passed around.
Then why don't I see an issue with it when I connect 2 portable drives (bare enclosures in which I've put a couple of Samsung SSDs) via a USB hub? Also, if not a hub, why did you say:
"Hook 2 devices up to a USB 3 hub, watch yourself get lower than USB 2 speeds"?
I'd figure there'd be no reason to mention a hub if you didn't use one.
All USB controllers on motherboards have multiple ports via a hub, or called a "bus" depending upon what you're using for a reference. I have yet to personally see a 1:1 controller to port system on a motherboard. Drop 2 sets of file transfers through the disks on that one hub, and see what happens. You'll need to have those files coming from 2 separate disk subsystems so that you're not bottlenecked from a single source. I have about 10 disks hooked up and was copying files between 3 sets (3 full speed copy operations, including 2 SSDs) with each disk capable of +100MB/s on large file sequential read/write speeds. The slow down was more than 50%. As an addendum, this problem does not exist with eSata connections. Unfortunately, I do not have enough eSata external ports. It would be interesting to see what happens with a port multiplier though.
-
Re:Misleading summary
I just said that most of the problems the American people have with American democracy are the fault of the American people.
Yes.
We don't agree on jack-squat.
No. That's not the problem of the American people which is reflected in our government.
because otherwise one of them would be admitting defeat.
Ah, this is the problem... the American people, as a whole, just aren't intellectually sophisticated enough to understand that compromise isn't defeat. I'd guess that about 0% of them know what a "false dichotomy" is. Well maybe a bit more, but very little, compared with the number who "know" that the stuff they see on television is scary, or know all the gory details about the Kardashians (or other celebs). A previous poster said it before me:
Until the voter develops the strength to resist the propaganda
I think what he meant was critical thinking skills. Funny how those skills aren't a required part of the curriculum in schools, or even for that matter, at the undergraduate level in most universities.
-
Re:Media Coverage of Risk
Bruce Schneier has a good essay on this topic - Virginia Tech Lesson: Rare Risks Breed Irrational Responses - https://www.schneier.com/essay...
He sums it up with novelty + dread = overreaction.
Ebola fits that. From a public heath perspective for the US, Ebola is for the most part a non-issue.
-
Re:No need for ACLU
these cops need to be taken to Guantanamo and treated as the terrorists that they are
-
Re:Public safety is not the issue
The issue is the balance between public safety and personal privacy. Denying the citizen of any democracy the right to encryption of their personal communication is not an appropriate response to the perceived threat to public safety that same encryption would bring.
...there's no evidence that encryption hampers criminal investigations in any serious way. In 2013, encryption foiled the police nine times, up from four in 2012 -- and the investigations proceeded in some other way.
There never is any reason to remove a citizen's right to privacy except to extend the power of the state. You can argue the reasons for and against this, but historically, we've always found that more respect for individual rights contributes significantly to better governance.
-
Re:It's time to start a trade war.
I should have added this little reality check:
NSA Has Undercover Operatives in Foreign Companies
The latest Intercept article on the Snowden documents talks about the NSA's undercover operatives working in foreign companies. There are no specifics, although the countries China, Germany, and South Korea are mentioned.
-
"...if it's in the news, don't worry about it."
I think some of Schneier's words apply here:
"I tell people that if it's in the news, don't worry about it. The very definition of "news" is "something that hardly ever happens." It's when something isn't in the news, when it's so common that it's no longer news -- car crashes, domestic violence -- that you should start worrying."
If this had been a story about a Windows exploit it's unlikely it would have been reported in the mainstream in a similar manner. Even if it had it's unlikely anyone would have paid attention; even the non-technical public is massively desensitised to stories about Windows security issues.
If anything, I'm now /more/ confident about open source security. This demonstrates that when people find problems, they fix them quickly and efficiently. Who knows what is happening in closed source software?
-
Write it down
and passwords will be written on sticky notes pasted to the underside of keyboards
I think that's the point. Bruce Schneier has been trying to get people to write down passwords for years. Think about it: Unless you're a hardcore Dave Ramsey fanboy, you probably already carry a plastic card in your wallet with your credit card number embossed on it.
-
In a parallel world without XKCD 936
"What is there to prevent "letmeinfacebook" from being the new most common four word password for Facebook accounts"
Chance. XKCD 936 says to choose the words at random.
Diogomonica is wrong. And so was Bruce Schneier, and for the same reason – he missed that the words are to be chosen at random.
https://www.schneier.com/blog/...
This means for example picking a up a few books and selecting pages and words at random. I picked a poetry book and used only words starting with an "o". Not optimal, but nice.
Password managers are better, definitely. So sure, mention the password manager first. But nine out of ten of your readers will not install them. What will you tell them? Nothing?
-
Not invented there
The NSA did it before, and keep doing it.
-
Re:Still not actually open
Yes, all details about tilt-bits are kept secret in case those filthy pirates try to copy a movie directly from the graphics card's memory.
https://www.schneier.com/blog/...
They didn't die with Vista and this is why you'll NEVER get fully open drivers.
-
Re:Oh lord
https://www.schneier.com/blog/...
"One of the things I routinely tell people is that if it's in the news, don't worry about it. By definition, "news" means that it hardly ever happens. If a risk is in the news, then it's probably not worth worrying about. When something is no longer reported -- automobile deaths, domestic violence -- when it's so common that it's not news, then you should start worrying."
That pretty much sums it up.
-
Holder should STFU
https://www.schneier.com/blog/...
That's why they always pull out pedos, kinda hard to look good arguing for encryption when they pull out the pedos.
-
Wrong on two counts
The beta was released in 1989. 25 years ago.
Which makes a perfect farce of the notion that many eyes make all bugs shallow.
1) We don't know when the bug was introduced, although it's clear that it was quite some time ago.
2) I defy you to name any version of any reasonably complex software that is guaranteed to be free of exploitable bugs. It's been shown by people much smarter than me that it's mathematically impossible to do so. (Just one example thread discussing the problem.)
The difference is that with OSS, they all will eventually get found and fixed. The same can't be said of closed source software.
-
Why not write them down?
However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.
Bruce Schneier says:
"Microsoft's Jesper Johansson urged people to write down their passwords.
This is good advice, and I've been saying it for years.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
-
Re:In lost the will to live ...
Why is causing pain to others bad? Why do you care about what other people feel?
Quid pro quo. I care about them and don't cause them pain; and in return, they care about me and don't cause me pain. It's also called the social contract.
You may argue, "prisoner's dilemma" style, that an individual can then gain an advantage by breaking the social contract, and indeed some people do that. Bruce Schneier wrote a whole book about that topic. But as it turns out, most people don't break the social contract, due to 1) intense social conditioning (religious or otherwise) and/or 2) the threat of punishment if they're caught.
The social contract predates Christianity by millennia; heck, it presumably existed in a primitive form in stone age hunter-gatherer culture.
But even ignoring social conditioning and even the evolutionary traits that have developed to promote that contract (e.g. increased empathy), abiding by the contract still makes sense: Civilization depends on the majority following the social contract, and indeed, most people find that the immediate benefit of breaking the contract is outweighed by the threat of civilization falling apart. Of course, once people start to break the social contract in larger numbers, the cost-benefit ratio changes, and civilization crumbles quickly.
Surely you've heard of the Golden Rule? This requires zero belief in the supernatural or any sort of sacredness.
Except that it doesn't explain why you should follow it. Most people seem to use "karma" (or "what comes around goes around") as a not-quite-as-supernatural-as-an-omnipotent-God reason for following the Golden Rule.
I'd argue that karma is a real thing, only global, not personal. When you do a good thing for others, you increase global karma, ever so slightly increasing the odds of good things happening to you, too. (But it's a big world; I think you'll find playing the lottery has better ROI.)
Personal karma AKA the "just world" belief is of course a myth. The fact that so many people believe in it is a testament to the aforementioned social conditioning.
-
Re:There is no "almost impossible"
It is an excerpt from Applied Cryptography by Bruce Schneier.
-
Re: So everything is protected by a 4 digit passco
I was basing that on some other stuff I've read before, I might have been wrong.
https://www.schneier.com/book-...
To record a single bit by changing the state of a system requires an amount of energy no less than kT, where T is the absolute temperature of the system and k is the Boltzmann constant. Given that k = 1.38 × 10^-16 erg/K, and that the ambient temperature of the universe is 3.2 Kelvin, an ideal computer running at 3.2 K would consume 4.4 × 10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.
So 4.4 × 10^-23 Joules minimum per bit flip * minimum of 2^128 bit flips = 1.4 * 10^16 J. Though of course our current computers are far from ideal and it would take many bit flips to test each key. Unless someone has a better source for the energy cost of computation?
https://blogs.oracle.com/bonwi...
The mass of the oceans is about 1.4x10^21 kg. It takes about 4,000 J to raise the temperature of 1 kg of water by 1 degree Celsius, and thus about 400,000 J to heat 1 kg of water from freezing to boiling. The latent heat of vaporization adds another 2 million J/kg. Thus the energy required to boil the oceans is about 2.4x10^6 J/kg * 1.4x10^21 kg = 3.4x10^27 J
So an ideal computer might be able to count to 2^128 without boiling the oceans (doh). It would take a 10^11 increase in energy usage per bit before boiling the oceans was impossible to avoid.
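The arithmetic in this comment, carried through as an added example (not code from the comment, the Applied Cryptography excerpt, or the linked Oracle post). It takes the quoted constants (k = 1.38 × 10^-16 erg/K, T = 3.2 K, ocean mass 1.4x10^21 kg, 2.4x10^6 J/kg), and it also generalizes the comment's single 2^128 case: `largest_key_within_budget` inverts the calculation to find the largest key size an ideal computer could exhaust on a given energy budget, and `flips_per_key` (an assumption, default 1) lets you model the comment's point that a real key test costs far more than one bit flip.

```python
import math

# Constants exactly as quoted in the comment above.
K_ERG_PER_KELVIN = 1.38e-16          # Boltzmann constant, erg/K
ERG_PER_JOULE = 1e7                  # 1 J = 10^7 erg
K_JOULE_PER_KELVIN = K_ERG_PER_KELVIN / ERG_PER_JOULE   # 1.38e-23 J/K
T_COSMIC_BACKGROUND_K = 3.2          # "ambient temperature of the universe"
OCEAN_MASS_KG = 1.4e21
HEAT_FREEZING_TO_BOILING_J_PER_KG = 4.0e5
LATENT_HEAT_VAPORIZATION_J_PER_KG = 2.0e6


def landauer_joules_per_bit(temp_k=T_COSMIC_BACKGROUND_K):
    """Minimum energy kT to set or clear one bit at temperature T (Landauer bound)."""
    return K_JOULE_PER_KELVIN * temp_k


def brute_force_energy_joules(key_bits, temp_k=T_COSMIC_BACKGROUND_K, flips_per_key=1):
    """Energy for an ideal computer to step through every 2^key_bits key.

    flips_per_key is an assumption: the comment's lower bound uses 1 flip per key;
    a real cipher trial needs many more, which only raises the total.
    """
    return landauer_joules_per_bit(temp_k) * (2 ** key_bits) * flips_per_key


def ocean_boil_energy_joules():
    """Energy to take the oceans from freezing to fully vaporized, per the comment."""
    return OCEAN_MASS_KG * (HEAT_FREEZING_TO_BOILING_J_PER_KG + LATENT_HEAT_VAPORIZATION_J_PER_KG)


def largest_key_within_budget(budget_joules, temp_k=T_COSMIC_BACKGROUND_K, flips_per_key=1):
    """Largest key size (in bits) whose full exhaustive search fits in budget_joules."""
    per_key = landauer_joules_per_bit(temp_k) * flips_per_key
    return math.floor(math.log2(budget_joules / per_key))


def ocean_margin_for_key(key_bits, temp_k=T_COSMIC_BACKGROUND_K, flips_per_key=1):
    """How many times more energy than a 2^key_bits search it takes to boil the oceans."""
    return ocean_boil_energy_joules() / brute_force_energy_joules(key_bits, temp_k, flips_per_key)


if __name__ == "__main__":
    print(f"per bit flip at 3.2 K: {landauer_joules_per_bit():.3g} J")
    print(f"2^128 flips:           {brute_force_energy_joules(128):.3g} J")
    print(f"boil the oceans:       {ocean_boil_energy_joules():.3g} J")
    print(f"oceans / 2^128 search: {ocean_margin_for_key(128):.3g}x")
    print(f"largest key within ocean budget (1 flip/key): {largest_key_within_budget(ocean_boil_energy_joules())} bits")
    print(f"2^256 flips:           {brute_force_energy_joules(256):.3g} J")
```

Running it reproduces the comment's figures (about 4.4 × 10^-23 J per flip, about 1.5 × 10^16 J for 2^128 flips, about 3.4 × 10^27 J for the oceans, a margin on the order of 10^11), and shows that under the same idealized assumptions the ocean budget runs out around a 165-bit key, so a 256-bit search exceeds it by a vast margin even at one bit flip per key.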
-
Re:code reviews are perfect and impossible ?
Pick two or three compilers from different sources. It's okay if they are all trojaned.
Compile each compiler with the other two compilers. Unless they are all trojaned in precisely the same way, including exactly the right cross-trojans for each other, you can see which one(s) can be trusted.
https://www.schneier.com/blog/...
Other defenses are also available. If you don't have the source to the compiler, you write a loop that automatically builds up the program line by line from "return 1". If adding one line of ansi C code adds several kilobytes of binary, there's a problem. Inspect the newly added portion using your choice of tool.
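A toy model of the cross-compilation check the comment describes, added here as an illustration; it is not code from the comment, from the linked Schneier post, or from any real compiler. Real compilers emit bytes and you compare those bytes; here a "binary" is a small record whose fields stand in for them, and the `subverted` flag is a constructed stand-in for a self-propagating compiler trojan. The compiler names A, B and C and their source texts are made up for the example.

```python
from collections import Counter
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Binary:
    """Stand-in for a compiled artifact: two binaries 'match' only when every field is equal."""
    source_digest: str
    subverted: bool = False


def compile_with(compiler: Binary, source: str) -> Binary:
    """Compile `source` with `compiler`.

    An honest compiler's output depends only on the source text. A subverted
    compiler reproduces itself into any compiler it builds (the 'trusting trust'
    behaviour); the marker "COMPILER" in the source is how this toy recognizes one.
    """
    digest = sha256(source.encode()).hexdigest()[:16]
    propagate = compiler.subverted and "COMPILER" in source
    return Binary(digest, propagate)


def shipped_binary(source: str, subverted: bool = False) -> Binary:
    """The binary you received for `source`; `subverted` is what the check must discover."""
    return Binary(sha256(source.encode()).hexdigest()[:16], subverted)


def cross_compile_check(compilers: dict) -> set:
    """compilers: name -> (compiler source text, binary you were shipped).

    Every shipped binary builds every compiler source. For each source, the
    builds are tallied; any binary whose build differs from the majority build
    is flagged. With three independent compilers and one trojan, the trojan's
    builds are the odd ones out on every source.
    """
    if len(compilers) < 3:
        raise ValueError("need at least three compilers so a majority exists")
    suspects = Counter()
    for _target, (source, _shipped) in compilers.items():
        builds = {name: compile_with(binary, source) for name, (_, binary) in compilers.items()}
        majority_build, _count = Counter(builds.values()).most_common(1)[0]
        for name, build in builds.items():
            if build != majority_build:
                suspects[name] += 1
    return set(suspects)


# Constructed compiler sources; the "COMPILER" marker identifies them to the toy trojan.
SOURCES = {"A": "COMPILER A source v1", "B": "COMPILER B source v1", "C": "COMPILER C source v1"}


def run_scenario(subverted_names: set) -> set:
    """Ship each compiler honest or subverted per `subverted_names`, then run the check."""
    compilers = {name: (src, shipped_binary(src, name in subverted_names)) for name, src in SOURCES.items()}
    return cross_compile_check(compilers)


if __name__ == "__main__":
    print("one trojaned compiler:  ", run_scenario({"B"}))        # {'B'}
    print("all honest:             ", run_scenario(set()))        # set()
    print("all trojaned identically:", run_scenario({"A", "B", "C"}))  # set(): undetectable
```

The last scenario is the comment's own caveat: if every compiler carries the same trojan, every build agrees and the check has nothing to flag, which is why the compilers must come from genuinely independent sources. The majority rule also means the check needs more honest compilers than identically-trojaned ones.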
-
Re:Unbiased advice by a corporate-owned AI?
AC wrote: "Based on what I've seen, I just assume that the AI from that Eagle Eye movie has taken over the NSA. Why else would they want to collect a mountain of data that no "person" is going to access?"
Hadn't know of that movie; thanks for mentioning it (partial spoiler below):
http://en.wikipedia.org/wiki/E...
"Ethan monitored the DOD's top secret intelligence-gathering supercomputer, the Autonomous Reconnaissance Intelligence Integration Analyst (ARIIA). ... Both groups learn that after ARIIA's recommendation was ignored and a botched operation in Balochistan resulted in the deaths of American citizens, ARIIA concluded that "to prevent more bloodshed, the executive branch must be removed." Acting on behalf of "We the People", and citing the Declaration of Independence ("whenever any Form of Government becomes destructive of these ends, it is the Right of the People to alter or to abolish it"), ARIIA is acting in compliance with Section 216 of the Patriot Act which "allows us to circumvent probable cause in the face of a national security threat, in this case, the chain of command itself." ..."
Another related story I first saw mentioned on slashdot:
http://en.wikipedia.org/wiki/W...
"Despite the Humanoids' benign appearance and mission, Underhill soon realizes that, in the name of their Prime Directive, the mechanicals have essentially taken over every aspect of human life. No humans may engage in any behavior that might endanger them, and every human action is carefully scrutinized. Suicide is prohibited. Humans who resist the Prime Directive are taken away and lobotomized, so that they may live happily under the direction of the humanoids."
Although aspects of our current social systems are heading that way with or without AI anyway... Example:
https://www.schneier.com/blog/...
"We've opened up a new front on the war on terror. It's an attack on the unique, the unorthodox, the unexpected; it's a war on different. If you act different, you might find yourself investigated, questioned, and even arrested -- even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats."
See also Marshall Brain's "Manna" sci-fi story about computer systems taking over. James P. Hogan goes into that in his sci-fi novel "Two Faces of Tomorrow". Two episodes of Eureka have Carter's Smart House take over, one of those times in order to prevent injuries, which includes mentally reprogramming people who might disagree with it.
http://eureka.wikia.com/wiki/H...
http://eureka.wikia.com/wiki/L...
Around 1984, I sat in on an undergrad course by Stephen Cohen in Soviet Politics. After one class where he mentioned the potential liberating power of personal computers in a USSR where every typewriter was licensed and every photocopier guarded, I suggested that ultimately personal computers could analyze what people wrote on them, looking for keywords, and report on the user. I had not envisioned networks doing that which is more what we actually got, but the effect is much the same given almost anything significant related to social change is done by communicating groups of people. Back to the point though, you don't really need AIs to analyze massive data looking for keywords or phrases or to make statistical inferences about patterns of writings or commercial transactions. AIs might be useful, but regular software can do much of that already. You also don't have to flag everything to have a massive chilling effect that upholds the status quo.
But surveillance is still a different point than
-
Re: There we go again
IP banning is less effective against a DDoS using a botnet of thousands of compromised home PCs.
Already mentioned in another post. At that point, you just lock the account entirely and just ignore any and all further login attempts until you can get in contact with the account holder and work things out from there. It's an inconvenience for them, but much better than a breach.
Someone who wants to keep a legit user from being able to use the service could just log in a few times with an incorrect password and then repeat a few minutes later. Each IP would DDoS a separate user.
Better they be kept out of the service for some period of time versus their account being breached. You can also get around this by some sort of whitelisting mechanism paired with a two-factor authentication.
It's amusing how everyone is telling me that my ideas are bad, yet they are basic security measures that almost every decent website and service uses. I can even name-drop Jeff Atwood to back me up as well:
Limiting the number of login attempts per user is security 101. If you don't do this, you're practically setting out a welcome mat for anyone to launch a dictionary attack on your site, an attack that gets statistically more effective every day the more users you attract. In some systems, your account can get locked out if you try and fail to log in a certain number of times in a row. This can lead to denial of service attacks, however, and is generally discouraged. It's more typical for each failed login attempt to take longer and longer, like so:
http://blog.codinghorror.com/d...
And even Bruce Schneier agrees and quotes the very same article:
Bad Password Security at Twitter
Twitter fell to a dictionary attack because the site allowed unlimited failed login attempts:
Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.
Coding Horror has more, but -- come on, people -- this is basic stuff.
http://www.schneier.com/blog/a...
So are you guys going to tell me how Jeff Atwood and Bruce Schneier are idiots and don't know anything despite the fact that what I said is basically parroting their own suggestions?
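The per-account backoff that the quoted Coding Horror passage describes ("each failed login attempt takes longer and longer"), as an added example that is not code from this thread, from Coding Horror or from Schneier's post. It keys the state by account rather than by source IP (a botnet of home PCs defeats IP bans), doubles the wait after each consecutive failure, and caps the wait so that hammering an account costs its owner at most a bounded delay, which is the trade-off the thread argues about. The user records, the clock and the threshold values are constructed for the example.

```python
"""Added example (not code from the Slashdot thread, Coding Horror or Schneier):
per-account throttling of failed logins, where each consecutive failure makes
the next attempt wait longer, capped so that hammering an account only ever
costs its owner a bounded delay.  User records, clock and passwords are
constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

BASE_DELAY_S = 1.0    # wait imposed after the first failure
MAX_DELAY_S = 300.0   # cap on the wait (5 minutes, chosen for this example)
ALERT_AFTER = 10      # consecutive failures after which the owner should be contacted


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    next_allowed: float = 0.0  # clock time before which attempts are refused unchecked


class LoginThrottle:
    """Per-account failed-login backoff: refuses early attempts without checking them."""

    def __init__(self, users: dict[str, tuple[bytes, bytes]], clock=time.monotonic):
        self.users = users    # username -> (salt, pbkdf2 hash)
        self.clock = clock    # injectable for tests; monotonic time in production
        self.state: dict[str, AccountState] = {}

    @staticmethod
    def delay_for(failures: int) -> float:
        """1 s, 2 s, 4 s, ... doubling per failure, capped at MAX_DELAY_S."""
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY_S * 2 ** (failures - 1), MAX_DELAY_S)

    def attempt(self, username: str, password: str) -> tuple[str, float]:
        """Returns (outcome, seconds the caller must wait before retrying)."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.next_allowed:
            # Refused before the password is checked: the attacker learns
            # nothing and the server spends no PBKDF2 time on the attempt.
            return "throttled", st.next_allowed - now
        record = self.users.get(username)
        # Unknown usernames get the same backoff, so the response does not
        # reveal whether the account exists.
        ok = record is not None and hmac.compare_digest(
            _hash_password(password, record[0]), record[1])
        if ok:
            st.failures, st.next_allowed = 0, 0.0
            return "ok", 0.0
        st.failures += 1
        wait = self.delay_for(st.failures)
        st.next_allowed = now + wait
        return ("alert" if st.failures >= ALERT_AFTER else "denied"), wait


def make_user(password: str) -> tuple[bytes, bytes]:
    """Constructed user record (random salt, PBKDF2 hash) for the example."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


class FakeClock:
    """Manually advanced clock so the backoff can be shown deterministically."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle({"alice": make_user("correct horse")}, clock=clock)
    for pw in ("wrong", "wrong", "wrong"):
        print(throttle.attempt("alice", pw))   # denied 1.0, throttled, ...
        clock.advance(1.0)
```

Note that a correct password submitted during the wait is still refused: that is the inconvenience the post accepts, and the cap is what keeps it an inconvenience rather than a permanent lockout. The "alert" outcome is where the post's "get in contact with the account holder" step would hang.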
-
Re:the same as any service - reputation, etc.
Right. I've bought Dell computers before, and they've been quite serviceable machines that did what was advertised. That sort of thing gives Dell a good reputation, and is why I continue to buy from their website.
Hold Security doesn't have a reputation. The website is about a year old, and apparently was blank until quite recently. Looking at Bruce Schneier's blog, it looks like the only thing in its favor is Brian Krebs saying it's legit.
The question is not "Why would I pay 'raymorris' or Dell?". It's "Why would I pay Hold Security?".
-
Electrical Network Frequency analysis
The hum that helps to fight crime (ENF) Electrical Network Frequency analysis
"For the last seven years, at the Metropolitan Police forensic lab in south London, audio specialists have been continuously recording the sound of mains electricity.
It is an all pervasive hum that we normally cannot hear. But boost it a little, and a metallic and not very pleasant buzz fills the air.
..."The power is sent out over the national grid to factories, shops and of course our homes. Normally this frequency, known as the mains frequency, is about 50Hz," explains Dr Alan Cooper, a senior digital forensic practitioner at the Met Police.
Any digital recording made anywhere near an electrical power source, be it plug socket, light or pylon, will pick up this noise and it will be embedded throughout the audio.
This buzz is an annoyance for sound engineers trying to make the highest quality recordings. But for forensic experts, it has turned out to be an invaluable tool in the fight against crime.
While the frequency of the electricity supplied by the national grid is about 50Hz, if you look at it over time, you can see minute fluctuations.
...Comparing the unique pattern of the frequencies on an audio recording with a database that has been logging these changes for 24 hours a day, 365 days a year provides a digital watermark: a date and time stamp on the recording.
Philip Harrison, from JP French Associates, another forensic audio laboratory that has been logging the hum for several years, says: "Even if [the hum] is picked up at a very low level that you cannot hear, we can extract this information."
It is a technique known as Electric Network Frequency (ENF) analysis, and it is helping forensic scientists to separate genuine, unedited recordings from those that have been tampered with."
- http://www.bbc.co.uk/news/scie...
- http://cryptogon.com/?p=32789#
Met lab claims 'biggest breakthrough since Watergate'
Power lines act as police informers
- http://www.theregister.co.uk/2...
#
Noisy, muffled, incoherent recordings are an audio engineer's worst nightmare, but all too often they contain vital evidence in criminal trials. It's the job of the forensic audio specialist to extract that evidence.
- http://www.soundonsound.com/so...
#
(discussion forum) Electrical network frequency analysis, Mains frequency variations detectable in digital audio recordings?
- http://www.hydrogenaudio.org/f...
#
Met Police use electrical 'hum' to solve crimes
The Metropolitan Police is using the "hum" of background noise produced by mains electricity to help solve crimes, it has been disclosed.
- http://www.telegraph.co.uk/new...
#
Related Research
- http://www.ece.umd.edu/~ravig/...
#
Engineers Use Electrical Hum To Fight Crime
- http://science.slashdot.org/st...
#
How's the 60Hz coming from your wall?
- http://hackaday.com/2012/07/24...
#
Detecting Edited Audio
- https://www.schneier.com/blog/...
#
Dating Recordings by Power Line Fluctuations
-
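ENF analysis as the quoted articles describe it (measure the hum's frequency over time, compare the trace with a continuously logged reference, and look for jumps that a genuine recording would not contain), as an added example that is not code from this post, the BBC piece or the linked research. The grid-frequency log and the "recording" are synthesised here with fixed seeds, so nothing real is analysed; the sample rate, window length, noise level and the 0.05 Hz splice threshold are choices made for the example.

```python
"""Added example (not code from the articles or papers linked above): ENF
analysis on a constructed signal.  A grid-frequency reference log and a
"recording" that follows it are synthesised here; no real grid data or audio
is used.  The hum's frequency is measured per window with the Goertzel
recurrence, the resulting trace is matched against the reference log to date
the clip, and abrupt jumps in the trace are flagged as possible edits.
"""
import math
import random

FS = 1000          # sample rate, Hz (constructed; real audio is 8-48 kHz)
WINDOW_S = 2.0     # seconds of audio per frequency estimate
NOMINAL_HZ = 50.0  # UK/EU grid; 60.0 in North America
SEARCH_HZ = 0.15   # search this far either side of nominal
STEP_HZ = 0.005    # frequency grid for the peak search


def goertzel_power(samples, freq_hz, fs=FS):
    """Signal power at one frequency (Goertzel recurrence, no FFT needed)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq_hz / fs)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def estimate_hum_hz(samples, nominal=NOMINAL_HZ):
    """Frequency near `nominal` carrying the most energy in this window."""
    steps = int(round(2 * SEARCH_HZ / STEP_HZ))
    best_f, best_p = nominal, -1.0
    for i in range(steps + 1):
        f = nominal - SEARCH_HZ + i * STEP_HZ
        p = goertzel_power(samples, f)
        if p > best_p:
            best_f, best_p = f, p
    return round(best_f, 3)


def enf_trace(samples, window_s=WINDOW_S, fs=FS):
    """One hum-frequency estimate per non-overlapping window."""
    n = int(window_s * fs)
    return [estimate_hum_hz(samples[i:i + n])
            for i in range(0, len(samples) - n + 1, n)]


def match_offset(trace, reference):
    """Window index in `reference` where `trace` fits best (least squared error)."""
    best_k, best_err = None, float("inf")
    for k in range(len(reference) - len(trace) + 1):
        err = sum((a - b) ** 2 for a, b in zip(trace, reference[k:k + len(trace)]))
        if err < best_err:
            best_k, best_err = k, err
    return best_k, best_err


def find_splices(trace, max_step_hz=0.05):
    """Window boundaries where the hum jumps further than the grid ever drifts."""
    return [i for i in range(1, len(trace))
            if abs(trace[i] - trace[i - 1]) > max_step_hz]


def make_reference_log(n_windows, seed=1):
    """Constructed stand-in for a lab's continuous grid-frequency log."""
    rng = random.Random(seed)
    f, log = NOMINAL_HZ, []
    for _ in range(n_windows):
        f = min(NOMINAL_HZ + 0.1, max(NOMINAL_HZ - 0.1, f + rng.gauss(0, 0.01)))
        log.append(round(f, 3))
    return log


def synthesize_recording(freqs, noise_sigma=0.3, seed=2):
    """Hum following `freqs` (one per window), phase-continuous, plus noise."""
    rng = random.Random(seed)
    n = int(WINDOW_S * FS)
    phase, out = 0.0, []
    for f in freqs:
        for _ in range(n):
            phase += 2.0 * math.pi * f / FS
            out.append(math.sin(phase) + rng.gauss(0, noise_sigma))
    return out


def demo():
    reference = make_reference_log(40)                 # 80 s of constructed grid history
    genuine = synthesize_recording(reference[12:20])   # clip that starts at window 12
    trace = enf_trace(genuine)
    offset, err = match_offset(trace, reference)
    # Constructed splice: two segments recorded under different grid conditions
    spliced = synthesize_recording([50.04] * 4 + [49.94] * 4)
    return {
        "trace": trace,
        "offset": offset,
        "error": err,
        "genuine_splices": find_splices(trace),
        "spliced_splices": find_splices(enf_trace(spliced)),
    }


if __name__ == "__main__":
    print(demo())
```

The Goertzel peak search stands in for the FFT a real tool would use; the technique is the same. Dating a clip this way only works when the reference log covers the period and region in question, which is why the labs in the articles record continuously, and the splice check is only meaningful once the per-window estimate is accurate to well under the threshold.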
-
Re:Derp
> That's called a movie plot security threat, and it's not a concern.
Do you always start out your arguments by "poisoning the well"? BTW, the person who coined "movie plot security threat" doesn't exactly agree with you.
> Aside from all the obvious shit like "how do you get in there unnoticed?"
Did you miss the "on a public computer" part of my post? Never heard of social engineering?
> Even without a 1-2 second turn-around for testing a password, keyboards can only enter 750 characters per second.
Where did this "750 characters per second" come from? Is this a limit built into Windows? USB 2.0 runs at 35 MB/s, according to Wikipedia.
OTOH, comparing the "1-2 second turn-around" in your reply to the "750 characters per second" undercuts your original argument as a whole --- if the password check itself is the limiting factor, even for the "slow" keyboard, it makes no sense to make a distinction between password attempts from the keyboard and those from the network, so it would be silly to call Windows "retarded" for doing so.
> That's less than 100 password attempts per second for 8 character passwords,
> or 10^12 seconds to try them all. 800,000 years!
Your naivety about the average entropy in a typical 8 character password is striking.
-
Re:So they're gonna crack down
-
Cell Swapping Group?
I'm wondering about the idea of having a group of friends who swap their cell devices. You'd have to change a lot of your comm, but if you use the cellular system just for bandwidth, you don't really care about your cellular identity except for your phone number. If you can migrate your friends to contacting you via internet comm, you don't need to have the same cellular identity from one day to the next.
Toss in dynamic proxying through SSH, and you aren't exposing your comm fingerprint to your cell provider. Use OwnCloud to swap in your files and contacts (a bit of data overhead there, maybe keep most of your heavy content data on a separate device that tethers to whatever cell phone you happen to be carrying).
They'd still be able to analyze your tracking footprint to figure out who held which phone at which time, but it would make surveillance more expensive.
-
Re:Christmas is coming early this year
No, but I trust actual experts, like this one.
-
Re:hmm....
Forgot to mention this: https://www.schneier.com/blog/...