Domain: schneier.com
Stories and comments across the archive that link to schneier.com.
Comments · 1,941
-
Re:Here is how to get Google to support Bitcoin
Dropping USB keys in parking lots is a known way to infect a network. Any Google employee competent enough to use bitcoin should hopefully also know that picking up random USB keys is a bad idea.
-
Re:If only they had a simple offline password keep
Bruce Schneier has Password Safe. There's KeepassX and many others. I personally use that because programs for reading them are available for all the platforms I care about: Linux, Windows, and Android.
-
Laugh
Hmmm I seem to recall a complaint that the NSA (and others) couldn't break Skype's encryption and wanted help.
https://www.schneier.com/blog/...
It was popular with the crooks.
http://www.theregister.co.uk/2...
Then an investment group Silver Lake Partners gained controlling interest.
http://en.wikipedia.org/wiki/S... (interesting crew there)
Then no more complaints or request for help by the NSA.
A couple years later Skype was acquired by Microsoft,
http://www.microsoft.com/en-us...
It's a fascinating coincidence.
Innit.
-
Today Schneier Briefed Congress on the NSA
Bruce was asked to tell Congress about the NSA because in Congress's view, the NSA wasn't talking. https://www.schneier.com/blog/archives/2014/01/today_i_briefed.html
-
Re:Um, What?
Dell serves all right -- question is: whom...
https://www.schneier.com/blog/archives/2014/01/nsa_exploit_of.html
-
Re:2nd amendment means military weapons
Overthrowing an oppressive government (what the second amendment is about) requires modern military hardware. In this age, that means tanks, RPGs and military aircraft. When the Supreme Court rules that private ownership of these must be allowed then I will believe that it is handling the Second Amendment "correctly".
Your state militia has everything it needs in order to overthrow an oppressive government. If the Federal government tried to overstep its bounds, and the states stood up for their rights, they would be able to match the federal government with nearly equivalent hardware (I do realize most National Guard units are the last units to be upgraded to the latest and greatest hardware).
That being said - I believe that the second amendment is referring specifically to an individual's rights. And even if it is not explicit in writing, it is explicit in context. There was no "Delaware National Guard" back in the days of the drafting of the bill of rights. The militia, or minutemen, were composed of citizens who owned and stored their arms at home. That is what they considered a militia. Regular citizens who pick up their rifles and defend themselves. In fact, Switzerland does have military grade artillery and other such weapons in the basements and barns of regular citizens. I don't see a lot of gun violence in Switzerland. Every able-bodied male in Switzerland has to serve in the military for a brief period of time, also. Is it their gun training that reduces their gun violence, is it their culture, a combination of the two, or something else? Who knows. But the access to guns alone is not the issue. I am sure there are plenty of cultural, educational, and economic factors that play into the US crime rate.
-
Re:Bold Move
While he's denying it for the record, he *is* one of the people helping the Guardian/NYT review the Snowden documents, and given the pressure put on the Guardian by British authorities, the timing of his departure from BT does seem a bit suspicious (sorry, Bruce).
I expect between whatever lump-sum he got when BT bought Counterpane, his actual salary at BT, and his writing and speaking engagements, he's not particularly worried about the next mortgage payment.
-
Re:
You're misunderstanding a key part of the process. The system doesn't need to be perfectly accurate. It just needs to be accurate enough to fit the workload of the humans involved. The system may identify 10,000 "terrorists" in a month, which can then be passed off to a team of 100 humans who can pull up more records to see if there's anything actually suspicious, or if the system's just inaccurate as usual. The dozen or so each month that have enough evidence could then be submitted for real search warrants to start a full investigation.
The problem with such a human-moderated system is the imbalance in consequences between finding or dismissing an actual terrorist. None of those 100 reviewers wants to be the guy who let a terrorist escape, so they're likely to have lowering standards of evidence. Schneier has covered the problem well.
-
Re:Wha'?
What I've mainly heard them say is "you shouldn't care, since we're not listening to the actual call". That's still garbage.
It is still garbage. Like Bruce says, metadata is surveillance:
Imagine you hired a detective to eavesdrop on someone. He might plant a bug in their office. He might tap their phone. He might open their mail. The result would be the details of that person's communications. That's the "data."
Now imagine you hired that same detective to surveil that person. The result would be details of what he did: where he went, who he talked to, what he looked at, what he purchased -- how he spent his day. That's all metadata.
When the government collects metadata on people, the government puts them under surveillance. When the government collects metadata on the entire country, they put everyone under surveillance. When Google does it, they do the same thing. Metadata equals surveillance; it's that simple.
-
Bruce Schneier in 2007
Bruce Schneier had a good write-up on this in 2007:
Problems with Dual_EC_DRBG were first described in early 2006. The math is complicated, but the general point is that the random numbers it produces have a small bias.
[...]
This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.
[...]
What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.
The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.
Of course, we have no way of knowing whether the NSA knows the secret numbers that break Dual_EC_DRBG. We have no way of knowing whether an NSA employee working on his own came up with the constants -- and has the secret numbers. We don't know if someone from NIST, or someone in the ANSI working group, has them. Maybe nobody does.
We don't know where the constants came from in the first place. We only know that whoever came up with them could have the key to this backdoor. And we know there's no way for NIST -- or anyone else -- to prove otherwise.
This is scary stuff indeed.
-
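The mechanism the quoted article describes, as an added toy example that is not part of the comment above or of Schneier's post: a Dual_EC_DRBG-style generator in which the two "constants" P and Q are secretly related by P = d*Q, and an observer who knows d recovers the internal state from one output (plus a few bits of the next) and predicts everything after it. The curve y^2 = x^3 + 2x + 3 over GF(2^31 - 1), the seed and the trapdoor d are made-up values chosen here for illustration; the real standard uses NIST P-256 and discards 16 of 256 bits per output, whereas this toy discards 4 of 31 so the guess-the-dropped-bits step stays visible.

```python
# Toy Dual_EC_DRBG with a planted P = d*Q relationship (added example; the curve,
# constants and trapdoor are invented here and are NOT the NIST parameters).
P_MOD = 2**31 - 1              # field prime; p % 4 == 3 makes square roots cheap
A, B = 2, 3                    # curve y^2 = x^3 + A*x + B over GF(P_MOD)
BITS, DROP = 31, 4             # x-coordinates are 31 bits; the low 27 are published
MASK = (1 << (BITS - DROP)) - 1   # the real standard drops 16 of 256 bits


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                                  # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_MOD - 2, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_MOD - 2, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x):
    """Return a curve point with this x-coordinate, or None if there is none."""
    rhs = (x * x * x + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)              # sqrt for p % 4 == 3
    return (x, y) if y * y % P_MOD == rhs else None


def _first_point():
    x = 1
    while lift_x(x) is None:
        x += 1
    return lift_x(x)


Q = _first_point()             # the "unexplained" constant from the standard
TRAPDOOR_D = 0x5EC2E7          # assumed secret, known only to whoever chose Q and P
P = ec_mul(TRAPDOOR_D, Q)      # P = d*Q, but to everyone else it looks independent


def dual_ec_outputs(seed, n):
    """Generator core loop: s = x(s*P); r = x(s*Q); publish r minus its top bits."""
    s, outs = seed, []
    for _ in range(n):
        s = ec_mul(s, P)[0]
        r = ec_mul(s, Q)[0]
        outs.append(r & MASK)
    return outs


def predict_next(out1, out2, d=TRAPDOOR_D):
    """Knowing d, rebuild the state from two consecutive outputs and return the third."""
    for hi in range(1 << DROP):                        # guess the discarded bits
        x = (hi << (BITS - DROP)) | out1
        if x >= P_MOD:
            continue
        R = lift_x(x)                                  # R = +-(s*Q); the sign of y
        if R is None:                                  # does not change x(d*R)
            continue
        s_next = ec_mul(d, R)[0]                       # d*R = s*(d*Q) = s*P -> next state
        if (ec_mul(s_next, Q)[0] & MASK) == out2:      # out2 confirms the guess
            s_after = ec_mul(s_next, P)[0]
            return ec_mul(s_after, Q)[0] & MASK
    return None
```

This is the "32 bytes" in the quote: one full output gives a handful of candidate points, the next few bytes pick the right one, and from then on the stream is known. Without d there is no way to turn the published point s*Q into s*P, which is why the unexplained origin of the constants, rather than the curve arithmetic itself, is the whole problem.
-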
Re:age
>Age doesnt increase the attack surface of a compute
The experts tend to disagree.
https://www.schneier.com/blog/archives/2013/12/security_vulner_3.html
-
I wouldn't
Our team of scientists and Linux networking experts has an open, next-generation router project up on IndieGogo right now, but we aren't getting much traction. I guess we missed product-market fit. To the point that we have modified the campaign to ask people not to buy the router, or, if they do, to risk us not shipping some of the more advanced features that we are working on in this product. We had hoped to release it all as open source but I just don't think that's going to be possible now, unless we somehow magically start getting a ton of orders.
-
Re:So he didn't get caught from the e-mail...
"Tor didn't break; Kim did." as suggested by Bruce Schneier via https://www.schneier.com/blog/archives/2013/12/tor_user_identi.html
-
Re:Is this why we have UEFI all of a sudden?
That reminds me of something. If the malware can brick the PC, it is probably the BIOS/manufacturer's fault, as it was in that case. And it could be something intended by the NSA... when you force manufacturers to put your backdoors in their systems you can be the one responsible for bricking, either because you did it or because you opened the door.
-
Re:Who is he?
He is Bruce Schneier, author of Applied Cryptography.
https://www.schneier.com/
One of the most credible persons on the subject of cryptography and security in general.
One might expect someone who cares about security to know who he is. If he needs an introduction, you need an education on cryptography.
-
Re:Then Fire Him
If he doesn't know how to do his job without violating all our rights then he should be replaced. He doesn't even know what the job is, apparently - "connect the dots" is an absurd metaphor, and doesn't work in the real world.
It sounds like he's not even qualified. Metadata equals surveillance, and he's pretending that it's somehow strange that people don't expect their government to surveil their every action.
-
Re:what's that going to accomplish?
-
TRNG using discrete components?
Given that it's stated that you can't trust a chip's encryption routines, which at the basis means that you don't trust its random number generator, and given that 'a chip' extends down from the latest Intel to a relatively lowly PIC, is anybody aware of an actually available TRNG (true/hardware random number generator) built out of discrete components?
Comments to a Bruce Schneier post titled "Surreptitiously Tampering with Computer Chips" once suggested this would be the only way to 1. be certain* of no tampering and 2. have reasonably sufficient output bandwidth to be used in practical applications.
However, I haven't seen any actual implementation. My Google-fu may be failing me, though.
* Barring some pretty sweet shenanigans like those pulled by Henryk Gasperowicz; [Spoiler video](https://www.youtube.com/watch?v=-KMLmpC7-Ls). I can't see manufacturers including any crypto-defeatery bits into a basic transistor thinking that it just might possibly be used in an actual crypto application, and eat the cost somehow.
-
Im just waiting...
till some hacker group uses NSA backdoors to cause mayhem in US computers. Cookies are more or less harmless, as most of the privacy you lost with them is already lost by some other NSA program. But the NSA (and associated groups) backdoors are a bit more versatile; they are prepared to go into offensive mode, and probably a lot of US citizens have them installed (I don't think it is limited to just Tor or social network users).
And yes, they can cause mayhem in non-US computers, but how do you know that it wasn't intended to happen by the NSA or some related company? The bombs are already in place.
-
Re:Well, of course.
You might be thinking of an opinion piece last month about terrorists laundering money through Online Gambling. It was a Schneier Movie-Plot Threat article.
-
#badbios - probing for deeper looks at
@Clive Robinson
A lot of people are wondering why dragosr was the only one to run across this malware. In fact, he wasn't. The people who were before him were mocked and most threads closed and either deleted or shuffled to areas of message boards where Joe Q public couldn't see it and question this for themselves. [some] Major Anti-Virus companies included.
Users didn't want to know, companies didn't want to know. Unless you were "known" in the field, like dragosr, and even then, you are handled like you may be retarded or just need a vacation.
Here is one of dozens of reports:
LCD Monitor Broadcasts Noise To Radio! Why? (FRS)
http://forums.radioreference.com/computer/255488-lcd-monitor-broadcasts-noise-radio-why.html
Final post in that thread:
"BOTTOM LINE: No matter WHAT you do, all devices that use electricity will emit some sort of interference in the air and there's nothing you can do about it without unplugging/turning it off. "
including:
"Have you noticed any nondescript white vans or black helicopters in your neighborhood?
What do you do or have you done to make "them" take such an interest in you that "they" have to bug you?
You need a bigger tinfoil hat, perhaps a full body suit."
Another thread:
Gpu based paravirtualization rootkit, all os vulne
http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706.html
This:
U.N. report reveals secret law enforcement techniques
"Point 201: Mentions a new covert communications technique using software defined high frequency radio receivers routed through the computer creating no logs, using no central server and extremely difficult for law enforcement to intercept."
http://www.unodc.org/documents/frontpage/Use_of_Internet_for_Terrorist_Purposes.pdf
http://www.hacker10.com/other-computing/u-n-report-reveals-secret-law-enforcement-techniques/
I think this is something which has been brewing for years, but "forces" beyond our sight have managed to stifle any serious investigation into the technology. Some have announced they are retreating to ancient technology of the 70's and 80's, others are looking towards open source hardware and software combinations.
Is it time Wireshark included audio monitoring as well? Off to play with a recording device and Audacity.
https://www.schneier.com/blog/archives/2013/11/friday_squid_bl_402.html#c2751193
###
Scientist-developed malware prototype covertly jumps air gaps using inaudible sound
---
Malware communicates at a distance of 65 feet using built-in mics and speakers.by Dan Goodin - Dec 2, 2013 7:29 pm UTC
http://arstechnica.com/author/dan-goodin
https://twitter.com/dangoodin001
"Dan is the IT Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications."
--------------------
Topology of a covert mesh network that connects air-gapped computers to the Internet:
-
Re:Yahoo! Custom! Spyware! Embed! Service!
Before jumping to conclusions, keep in mind that they also could've taken advantage of the NSA's QUANTUM infrastructure to perform a packet injection and redirect the target's browser to a malicious copy of the site. See this article for more information about how that would work.
-
Re:valid for only a brief time window each day
I came to the same conclusion as you, based on Schneier's clueless agent.
-
Re:valid for only a brief time window each day ???
This was exactly my idea based on Schneier's clueless agent.
-
Re:Brief time window?
An alternative construction is possible. You construct a clueless agent. It reads the current time, fills the MSBs and LSBs with 0s to select for time range, possibly with logical shift right, then performs: hash(hash(truncated_time)) XOR hash(hash(given_password)), checks against its internal value (same construct), and uses hash(truncated_time) XOR hash(given_password) as the actual decryption password. This sort of thing is trivial to implement (and has been implemented).
From an attacker's point of view. Suppose you now slice the time of day up into a short list of fragments you can hash. Now you have a list of hash(hash(truncated_time)) and potentially hash(hash(truncated_time)) XOR hash(hash(given_password)). You XOR each of your truncated time constructions to yield a list of hash(hash(given_password)), and you're back at the original clueless agent problem.
-
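The construction in the comment above and the reduction it describes, as an added example that the commenter did not post: the agent stores hash(hash(T)) XOR hash(hash(pw)) and releases hash(T) XOR hash(pw) as the key, and an attacker who can enumerate the time windows XORs each hash(hash(T)) off the stored value to get a short list of hash(hash(pw)) candidates that a plain dictionary attack then matches. SHA-256 as `hash`, a one-hour window for the zeroed low bits, and the sample password and wordlist are assumptions made here.

```python
# Time-windowed "clueless agent" and the XOR-cancellation attack on it.
# Added example; hash = SHA-256 and the one-hour window are assumptions.
import hashlib


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


WINDOW = 3600  # assumed: the commenter's "fill the LSBs with 0s" = truncate to the hour


def truncate_time(t: int, window: int = WINDOW) -> int:
    return (int(t) // window) * window


def time_bytes(t: int) -> bytes:
    return truncate_time(t).to_bytes(8, "big")


def build_check(password: bytes, t: int) -> bytes:
    """Value baked into the agent: hash(hash(T)) XOR hash(hash(pw))."""
    return xor(H(H(time_bytes(t))), H(H(password)))


def agent_unlock(check: bytes, password: bytes, now: int):
    """The agent: recompute the XOR of double hashes, release the key only on a match."""
    tb = time_bytes(now)
    if xor(H(H(tb)), H(H(password))) != check:
        return None
    return xor(H(tb), H(password))                    # hash(T) XOR hash(pw)


def candidate_double_hashes(check: bytes, t_lo: int, t_hi: int,
                            window: int = WINDOW) -> dict:
    """Attacker: one candidate hash(hash(pw)) per window the agent might accept."""
    out = {}
    t = truncate_time(t_lo, window)
    while t <= t_hi:
        out[t] = xor(check, H(H(t.to_bytes(8, "big"))))   # the time term cancels
        t += window
    return out


def dictionary_attack(check: bytes, t_lo: int, t_hi: int, wordlist):
    """Match guessed passwords against the candidates; on a hit, rebuild the key."""
    by_hash = {v: t for t, v in candidate_double_hashes(check, t_lo, t_hi).items()}
    for guess in wordlist:
        hit = by_hash.get(H(H(guess)))
        if hit is not None:
            return guess, hit, xor(H(hit.to_bytes(8, "big")), H(guess))
    return None
```

The time term only multiplies the attacker's work by the number of plausible windows; it adds nothing that is secret from someone who can read the agent, which is the point the comment makes.
-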
Security is a tricky thing
Bruce Schneier commented on this a while back:
I'm not sure he's thought this through, though. I would be more worried that someone would kill me in order to get the documents released than I would be that someone would kill me to prevent the documents from being released. Any real-world situation involves multiple adversaries, and it's important to keep all of them in mind when designing a security system.
I'm not sure what Snowden's alternative is, but a doomsday switch isn't exactly foolproof.
-
And this is why Schneier undid 10 years of NSA work
And this is why Schneier undid 10 years of NSA work on subverting encryption algorithms. Terrorists are a minuscule threat compared to our Governments and Secret Services.
The US no longer has a legitimate "government (..) for the people." The UK never did, except occasionally by chance.
We know that power like this is abused and attracts those who will abuse it. We must consider whether we want our children to live in a free country.
"The only thing necessary for the triumph of evil is for good men to do nothing."
We need to support projects like MailPile and BitMessage. Maybe some of you know of or are working on other projects you'd care to mention.
-
Mod parent up.
However it does do a good job at removing an entire type of attack, i.e. from remote.
Exactly. And Bruce Schneier has an excellent article on that concept. He calls it "attack trees".
https://www.schneier.com/paper-attacktrees-ddj-ft.html
I think that the biggest problem here is that there isn't a recognized definition of "security" as it applies to computers.
Security is not about becoming invulnerable. That is impossible. Mostly because there is no "secure". There is only "more secure" or "less secure" than your starting point.
Improving security is, initially, about reducing the number of people who can EFFECTIVELY attack you. Then increase the number of people REQUIRED to attack you.
And that isn't even addressing the issue of whether you KNOW that you're being attacked and/or whether the data has been compromised.
-
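An added example, not from the comment above or from the linked paper, of the attack-tree evaluation that comment points to: each leaf is a step with a cost and a flag saying whether it can be done remotely, OR nodes take the cheapest child and AND nodes sum their children. Evaluating the same tree with remote steps disallowed shows what "removing an entire type of attack" buys in attacker cost. The tree, the dollar figures and the goal are invented for illustration.

```python
# Minimal attack-tree evaluator (added example; tree and costs are made up).
import math


class Attack:
    """Node of an attack tree: a leaf step, or an AND/OR combination of sub-attacks."""

    def __init__(self, name, kind="leaf", children=(), cost=0, remote=False):
        assert kind in ("leaf", "and", "or")
        self.name, self.kind, self.children = name, kind, list(children)
        self.cost, self.remote = cost, remote


def cheapest(node, allow_remote=True):
    """Return (cost, [leaf steps]) of the cheapest way to reach node's goal.
    cost is math.inf when no feasible path exists under the given constraint."""
    if node.kind == "leaf":
        if node.remote and not allow_remote:
            return math.inf, []                      # pruned: this attack class is gone
        return node.cost, [node.name]
    results = [cheapest(c, allow_remote) for c in node.children]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])       # attacker picks the cheapest branch
    total = sum(r[0] for r in results)                # AND: every child must succeed
    steps = [s for r in results for s in r[1]] if total != math.inf else []
    return total, steps


def example_tree():
    """Constructed sample tree: three ways to read a secret file."""
    return Attack("Read the secret file", "or", [
        Attack("Compromise over the network", "and", [
            Attack("Exploit exposed service", cost=5000, remote=True),
            Attack("Escalate to root", cost=3000, remote=True)]),
        Attack("Physical access", "and", [
            Attack("Enter the building", cost=20000),
            Attack("Boot from USB and read the disk", cost=100)]),
        Attack("Bribe the administrator", cost=15000)])


if __name__ == "__main__":
    print("any attacker:   ", cheapest(example_tree()))
    print("no remote path: ", cheapest(example_tree(), allow_remote=False))
```

In the sample tree the cheapest attack is the remote pair at 8000; taking the machine off the network does not make it "secure", it raises the cheapest remaining attack to the 15000 bribe and shrinks the set of people who can mount it to those with physical or personal access, which is exactly the "more secure than your starting point" framing above.
-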
Re:Nice, but...
I would guess 15-20, more or less, depending on the specific application. The history of the NSA's involvement with the DES encryption algorithm is instructive.
This is a question of some import to the field of computer security. Since there are experts in the field, I would tend to follow Bruce Schneier's opinion. It took the community of cryptanalysts outside of the NSA 20 years to figure out differential cryptanalysis and why the NSA's tweaks to DES were a Good Thing(tm). In 1999 the community figured out a weakness in SHA-0, merely 4 years after the NSA. In 2004 a weakness in SHA-1 was published which it is believed the NSA did not know about. So, years ago the NSA was far ahead of everyone else, but now the NSA might be a year or two ahead on average.
-
Re:Will not work. Period.
For similar reasons as described in https://www.schneier.com/blog/archives/2012/05/criminal_intent.html it will not be useful.
If they can get the false positive rate down, and they have all the other data they could get (ie: a surveillance camera network similar to London's, access to GPS networks, cell phone tower data); they could solve that problem by correlating data. They know where you live from your voter registration, they know your cell phone was at that home tower heading to this other tower, therefore they can probably figure out whether you're the guy in the brown coat or not.
The trouble with that is that they don't have any of that stuff set up into linked databases yet even in the UK. Stateside the Feds don't have access to any of it. They can get warrants for one guy's GPS, or his cell, and they can also use private security cameras to monitor said guy, but they don't have a national database putting all that shit together for everyone yet.
What this is most likely to be useful for is a lot less ambitious, and a lot less scary:
1) If we know the Secrets of Face Recognition then we'll have a pretty good idea of what the Chinese are doing when they implement their new national tracking/video/everything database in 2024. The disadvantage, of course, is that it's likely the Chinese will have stolen these secrets from us.
2) It will make investigating crimes with video evidence a lot easier. Even if the false-positive rate is too high for surveilling everyone cheaply, that doesn't mean it's too expensive to find known criminals. Let's say the tech allows you to dump 15 hours of surveillance tapes into a computer, and rule out 14 of those hours. Then your video analysts have a lot less work to do even if they have no clue whether the actual criminal is on the tape.
3) It will make locating other people easier. If you have a terrorist on your list, and your network gets 50-300 reports of him from your cameras in Detroit, and then it shoots to 500 a day for a, then you should probably have a video analyst or three analyze the Detroit video.
Note that while 2-3 will scare some people, most Americans aren't worried about the privacy of people the US government thinks are a) terrorists, or b) might be criminals.
-
Re:Will not work. Period.
For similar reasons as described in https://www.schneier.com/blog/archives/2012/05/criminal_intent.html it will not be useful.
It doesn't have to.
Money is being pocketed, and fear is being spread. It's all that needs to happen.
-
Will not work. Period.
For similar reasons as described in https://www.schneier.com/blog/archives/2012/05/criminal_intent.html it will not be useful.
-
Re: The time has come the walrus said...
you really should check before saying something that just isn't true.
This post on Bruce Schneier's site from August 2011 talks about a discovered attack that works on all three key lengths of FULL AES. All have complexity less than brute force.
-mto
-
Re:Oh, the irony...
From a comment on Bruce Schneier's blog:
No, it was a Russian contractor that serviced many of those facilities. The infections appeared to have been caused by him. We talked about this in a previous Schneier post on Stuxnet. Whether he was paid to do it or his equipment subverted I don't know.
-
This is not just about surveillance
This is also about attacking: hacking, intrusion, modifying systems, sabotaging hardware, etc. It is not a passive "I want to know this", but an active/aggressive "I will plant a backdoor/rootkit to be able to do there whatever I want", including hitting you as a person, as a country, or as a trusted medium that reaches enough/certain people/companies.
We already know they planted backdoors on Tor users and Slashdot and LinkedIn users, and with Silicon Valley cooperation, probably they will be bundled in a lot more software/hardware/services. Time to stop playing boiling frog.
-
Re:And let's not forget...
Bruce Schneier had a good essay on the nuances of what "WMD" means now. From a quote in the article,
All artillery, and virtually every muzzle-loading military long arm for that matter, legally qualifies as a WMD. It does make the bombardment of Ft. Sumter all the more sinister. To say nothing of the revelation that The Star Spangled Banner is in fact an account of a WMD attack on American shores.
https://www.schneier.com/blog/archives/2013/07/counterterroris_1.html
Wow. It is truly newspeak. Doubleplus ungood.
-
Re:And let's not forget...
Bruce Schneier had a good essay on the nuances of what "WMD" means now. From a quote in the article,
All artillery, and virtually every muzzle-loading military long arm for that matter, legally qualifies as a WMD. It does make the bombardment of Ft. Sumter all the more sinister. To say nothing of the revelation that The Star Spangled Banner is in fact an account of a WMD attack on American shores.
https://www.schneier.com/blog/archives/2013/07/counterterroris_1.html
-
Re:Abandon their harmful behavior?
The US hasn't used this data to physically harm anyone. There are plenty of allegations that the US used the data for economic advantage, but no examples of specific operations that did so. And if such operations existed Snowden would have exposed them.
Even if you don't consider planting backdoors and weakening crypto as damage, Presidential Policy Directive 20 is about having those intrusions, backdoors and so on ready to be used to harm. And Petrobras is an example of a specific operation using that data for economic advantage. But even snooping with intentions other than detecting that a terrorist is there is damaging enough, even if it is just to find out how to access and plant backdoors in an otherwise secure network (i.e. Tor users).
-
Re:Caller ID
Why do you think that would be any more helpful than the fact that you can actually SEE what URL the link you hit leads you to?
People don't care about security. And why should they, it is not their job!
My pet peeve with security in most companies is that the CSO is trying to take the easy way out: shifting the burden of security onto his workers. Need secure access? Hey, no problem, we'll create ludicrous password requirements (like, say, at least 20 characters, with numbers, special characters and a few letters from languages that have been forgotten for 200 years at least sprinkled across, for starters 'til I have time to ponder something REALLY "secure"). And no writing down! How should you remember that gobbledygook? Not my problem!
That's got nothing to do with increasing security. That's blame shifting. Nothing else. Any CISO who spends more than 10 seconds pondering it should realize that such a "security solution" opens a completely different and far more troublesome can of worms. And I dare imagine that most of them know that, but prefer to play the blame shifting game to actually solving the underlying problem. It is easier, more convenient and of course cheaper. But now the worker has one headache more, especially one headache that has NOTHING to do with his actual work, that weighs him down, that causes him more workload and doesn't help him at all.
So it's no wonder IT security is seen like some kind of Gestapo and Stasi rolled into one.
Dear fellow CISOs: Your job isn't to make life harder for your staff. Your job is to take that problem AWAY from them. Perfect security is not achieved when nobody can do jack anymore 'cause they're busy jumping your security hoops. Perfect security is security that CANNOT be broken by staff because staff has very little if any impact on it. In a perfectly secure corporate world, security is fully transparent to the worker and he does not even NOTICE its presence (unless he tries to do something that breaks company rules or law, of course).
You can of course start to train your workers about security. Forget it. Bruce Schneier has a very good essay about it and he said it far better than I possibly could. In a nutshell: When a worker faced the choice between doing what he wants to do (his job, chat, fool around, goof off...) and upholding security, doing what he wants always wins.
And who blames him? If he jumps the myriad of hoops presented to him by security, he wastes time and gets reprimanded for slacking. If he kicks security out the door, in 99 out of 100 times nothing bad will happen because the caller claiming to be Bob from IT Support was actually Bob from IT Support and not Alec from IT SecAuditing.
Of course, I'm fairly sure the CISO presented him a fully blown sheet of dos and don'ts when someone from IT calls, verify the caller's ID, call back, ask for the supersecret password du jour, whatever. That takes TIME. Time the worker does NOT have. Instead he simply hands out the information, because 99 out of 100 times that's the right thing to do.
How to solve that? By eliminating the need for Bob to call in the first place. I cannot think of any situation where Bob actually has to call and ask for sensitive info. And if he does, it's time to call the CISO. Not to get Bob into trouble, but to find out why he had to call and eliminate the need. Not to mention of course that someone might have tried to siphon information and that's something your CISO should know about anyway.
Of course, you cannot eliminate human interaction with secure and sensitive matters entirely. That's an unfortunate reality. But you can eliminate the need for untrained personnel to do it! Every halfway decently sized company has an IT department or at least some kind of staff that does the "IT stuff". And these are the people that you actually CAN train. Because they already have to deal with the matter anyway, and they are also the ones that will most
-
that's not even wrong...
You're not quite 40 YEARS behind the times....
I think this whole NSA brouhaha will make some people start taking auditability a little more seriously.
Which means documenting the whole tool chain used and all options used. Of course, that only helps if you have access to the source. SUX to be you, Microsoft.
-
Re:He gave away his login....
??? How old ARE you? (OMG: I'm only 55 -- maybe I really am older and more paranoid than I thought.)
Let me get this straight: you gave away control of your unencrypted files to someone who wasn't a known personal friend and then are surprised that something happened to them??
I treat on-line services slightly differently: I keep local copies of EVERYTHING that goes out, and I'm surprised when it's still accessible online 5 minutes later, never mind 5 years later. And controlling exactly who has access to it? That's just a fantasy -- really. It's actually binary: either it's out there and they MIGHT have it, or it's not and they DON'T.
I do run Dropbox and use KeePass as a password manager. The credential store is encrypted, but even then the stored password there just isn't "quite right". Phone camera pics get uploaded to Dropbox. At times I'll AES encrypt and email or use Dropbox and expose. For stupid pics I'll just dump 'em out there straight. But I know what's exposed and encrypted-exposed. The latter die soon after they're used.
You store important and critical (tax receipts, lawyer-enforced) notices that might cause breach of contract? And you put control of that in someone else's hands, paid for or not? What kind of an IDIOT are you? Then again, you must not think much of the breaching penalties. That's great, I'm glad you're so confident at everyone always doing the right thing everywhere and nothing bad ever happening.
Me, if I'm going to have some contract or data leakage it'll be because *I* did it myself and have no one else to blame. Then again, it's obvious digital computer files and paid services will stay around forever: Just ask MegaUpload, GeoCities, and LavaBit. Oh, and the data center located in the Twin Towers? Onsite backups sure came in handy there. Some got thru better than others: One, Two
Then again, there's this brand new data center that will hold all of your data for years -- all for free! I'm sure you can retrieve all of your data from that.
Really, I'm glad things are going so well for you, with the exception of a few bumps. And local storage doesn't solve everything either -- drives can be stolen, warrants can be served, computers can be hacked and data downloaded. But damn it, for 99.9% of my data, I'm 100% directly responsible for it. Offloading everything to the cloud is just offloading responsibility, never mind anything at all to do with the NSA.
Oh, one last thing. Even if all of the employees in the ISP, supporting companies, 3rd party vendors and everyone involved are all above reproach. are you sure? And even say all of the software is 100% vetted and accurate (ignoring accidental software bugs): oops.
Paranoid? Probably, but then again most things don't deserve multiple layers of defense. Only a few do, and of those only a select few get vetted, encrypted, backed up, and rotated offsite. But as for "What would you need if everything was suddenly gone (house fire) and you could only keep a couple of things?" Well there's your answer.
Good luck with it all; hope you produce an updated
-
A little history here...
Is it reasonable to ask if Bruce Schneier can be trusted? WWBSD? A little history might inform your thinking on this question.
One of the early projects that Schneier led, precipitated by the Y2K date crisis, was a security evaluation of an old COBOL system (code-named "ZEBRA") that was still being used by a certain un-named U.S. Government agency.
This mainframe software had not been maintained for some years, except by patching the binary image; no online version of the source code was available. It would be too hard to audit that way, so they decided to upload the original code (from paper), recompile, diff against the binaries, and eventually reconstruct accurate source code for the Y2K bugs and security issues.
Schneier's group decided to use OCR. The source code had been "line printed" on "greenbar" paper, where alternate lines have a light green background stripes for contrast. The problem was that OCR scanners of the day were designed only for black-and-white, and would get confused by the green stripes, and sometimes mis-scan some letters and numbers, making this source code unreliable. This required them to manually read and type in corrections, to about half the code!
Bruce Schneier is an outspoken critic of agencies like the DHS and the TSA, but he has been a consultant for the Government in the past. And as you can see from the above story, he was originally an early proponent of scanners, and only in more recent years has spoken out against them. So it is quite reasonable to ask if Bruce Schneier has ever changed his stripes.
-
Bruce Schneier connection
Oh, and a Bruce Schneier connection: In 2006 Bruce wrote a summary of my ACSAC paper on diverse double-compiling (DDC). Bruce's article is simply titled Countering "Trusting Trust".
Bruce completely understood the approach. He explained it very well in his blog, and he also did a nice job explaining its larger ramifications. His conclusions are still true: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks. Here's how you can use a simpler compiler -- that you can trust more -- to act as a watchdog on the more sophisticated and more complex compiler.
-
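The watchdog check the comment above describes (diverse double-compiling), as an added toy simulation in Python; it is not Wheeler's, Schneier's or any project's code. A binary is modelled as a hash of its source plus a hidden-payload flag, a trojaned compiler re-inserts the payload whenever it recognises compiler source, and the names `Binary`, `run_compiler`, `naive_self_check`, `ddc_check` and the sample sources are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Binary:
    """Toy executable (constructed model): a hash stands in for the code."""
    image: str      # deterministic "machine code" derived only from the source
    backdoor: bool  # hidden payload that appears in no source file


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source`. A clean compiler's output depends only on
    the source, so two independent clean compilers agree (the functional
    equivalence DDC relies on). A backdoored compiler recognises compiler
    source and re-inserts its payload: the 'trusting trust' self-propagation."""
    image = hashlib.sha256(source.encode()).hexdigest()[:16]
    propagates = compiler.backdoor and "compiler" in source
    return Binary(image, propagates)


def naive_self_check(c_a: Binary, s_a: str) -> bool:
    """Rebuild A with A itself and compare: passes even when A is trojaned."""
    return run_compiler(c_a, s_a) == c_a


def ddc_check(c_a: Binary, s_a: str, c_t: Binary) -> bool:
    """Diverse double-compiling: build A's source with an independent trusted
    compiler T, then build it again with that result. If c_a really came from
    s_a, stage2 must equal c_a bit for bit; a hidden payload cannot survive."""
    stage1 = run_compiler(c_t, s_a)     # A's source, built by T
    stage2 = run_compiler(stage1, s_a)  # A's source, built by stage1
    return stage2 == c_a


# Constructed sample inputs, not real compiler sources.
SOURCE_A = "source of compiler A: parse; optimise; emit"
SOURCE_T = "source of compiler T: tiny watchdog compiler"
TRUSTED_T = run_compiler(Binary("bootstrap", False), SOURCE_T)
CLEAN_A = run_compiler(TRUSTED_T, SOURCE_A)        # honest build of A
TROJANED_A = Binary(CLEAN_A.image, backdoor=True)  # same visible code, hidden payload


def demo() -> dict:
    return {
        "naive_clean": naive_self_check(CLEAN_A, SOURCE_A),
        "naive_trojaned": naive_self_check(TROJANED_A, SOURCE_A),  # True: undetected
        "ddc_clean": ddc_check(CLEAN_A, SOURCE_A, TRUSTED_T),
        "ddc_trojaned": ddc_check(TROJANED_A, SOURCE_A, TRUSTED_T),  # False: caught
    }
```

The naive check passes for both binaries because the payload re-inserts itself on every self-build; only the build through the independent compiler exposes the difference.
-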
Re:Trust no one
That's not what Bruce Schneier says, though.
Schneier's later work has focused on how trust is required for a functioning society, and how we can encourage and enforce trustworthy behaviour. He focuses on rational consideration of cost-benefit tradeoffs. Trusting no one is somewhere between highly impractical and impossible if you want to function in a society with other people and have access to food, shelter and companionship. It's irrational since most people you'll encounter are benign, and the benefits of cooperation will far outweigh the risk.