Domain: schneierfacts.com
Stories and comments across the archive that link to schneierfacts.com.
Comments · 41
-
We already have a cure for this
Asked for an example, Gates pointed to the companies' "enthusiasm about making financial transactions anonymous and invisible, and their view that even a clear mass-murdering criminal's communication should never be available to the government."
If this is an example, then few people have anything to worry about. Communications and storage can be secured, and if someone wants it enough to be bothered making sure they have it, then nobody can do anything about it. It just takes software. And if the last couple decades have taught us anything, it's that if you want good software, you don't just get that from some company. You get it from humanity-at-large. You can even DIY (the software; you probably shouldn't try that with the algorithms unless your name is Bruce).
The main fuckup with the iPhone situation, is that Apple is in control instead of the user. If the user takes control, the user will win. Apple just happens to fight both the government and their users on this issue, because they want neither to be in control; they want Apple to be in control. I think that is an unusual situation and doesn't generalize. In most cases, the manufacturers won't have the arrogance to be as user-hostile. They'll simply make their computers good, and that will mean that the users will have the means to secure them.
-
check SchneierFacts
I always check SchneierFacts
https://www.schneierfacts.com/
-
Re: More security theatre
Because Bruce Schneier isn't doing the security theater.
-
The reason why Schneier is a target
It's common knowledge that if you knock out Chuck Norris with a roundhouse kick you become the new Chuck Norris.
Similarly, if you manage to steal Bruce Schneier's identity, you become the new Bruce Schneier.
No wonder he's a target. Everybody wants to be him.
My personal favorite Bruce Schneier Fact: "Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."
-
Re:FBI hack should not be made public
Someone plants a nuclear device in the US. The bomb is set to detonate in 2 hours.
Looks like someone is bitter that The Bruce isn't doing Yet Another Movie-Plot Threat Contest this year.
Get over it, dude. It was getting old and tired, and your entry wouldn't have won anyway.
-
Re:It's not new
Lies we all know it was first known to Bruce Schneier who long ago found all Mersenne Primes in O(1) time.
If you are going to use an internet meme at least pick the right one.
-
Re:Funny How A Few Short Months Change Perceptions
I used to read "Lessig" and think, "right, he's that often clever crypto-tech guy."
Lessig is a Harvard law professor, maybe you confused him with Bruce Schneier? Both are great people, and Lessig volunteers to help the FSF. He clearly doesn't understand how to do legal activism, though (some might say that Harvard people in general are out of touch with the world).
-
Re:The real enemy to security
Bruce Schneier once roundhouse kicked Chuck Norris so hard that Bruce Lee sat up in his grave and said, "Ouch!".
http://www.schneierfacts.com/, bringing you Bruce Schneier facts since 06-Jun-2009.
-
Re:Kind of a dup, but here's a link that explains
Yep, it's possible. There's a couple of places listed in the talk that a skilled enough attacker could maybe make inroads, but the probability is limited by the fact that the networks speak VASTLY different networking protocols. Jeff *might* be able to infect the network bridge on a couple of specific airplane models.
Of course, if it's Bruce Schneier, just let him into the cockpit and give him the flight yoke, it'll be slower :)
Min
-
Re:Still waiting for a "hackability meter"
In that case, even a password of 'veronica' should be strong enough to last until the breach is discovered (days?), the user notified
Considering how awfully many cases there have been where it has taken the company weeks or even months to notify anyone of the breach I'm going to have to disagree on that.
That's my exact point. If a system is compromised and they are going after user data unnoticed, you are boned even if can't brute force your 5000 character epic passpoem, detailing the life and works of seven mythical Norse heroes (apologies to http://www.schneierfacts.com/f...). The only thing keeping you safe in that instance is staying the fuck away from downright terrible and negligent providers.
-
Re:twitter needs to go TOR (Hidden Service)
Chuck Norris. Pfft! http://www.schneierfacts.com/f...
-
Re:Why should Schneier's jobs make the front page
But Bruce Schneier is a notable person. And it isn't like he changes job frequently.
-
Re:Betteridge's law of headlines says...
Funnily enough, I submitted this with a different headline. I went with "Bruce Schneier is leaving his job at BT" and put the following (shorter) summary:
"The Register is hosting an exclusive that Bruce Schneier (the famed cryptologist http://www.schneierfacts.com/ ) will be leaving his position at BT as security futurologist."
Looks like the editors wanted to change it around a bit ?
Here, fixed that for you.
-
Re:Who is he?
Here's the best available data we have on Bruce: http://www.schneierfacts.com/
-
Re:Betteridge's law of headlines says...
Funnily enough, I submitted this with a different headline. I went with "Bruce Schneier is leaving his job at BT" and put the following (shorter) summary:
"The Register is hosting an exclusive that Bruce Schneier (the famed cryptologist http://www.schneierfacts.com/ ) will be leaving his position at BT as security futurologist."
Looks like the editors wanted to change it around a bit.
-
Uh oh
Those Bruce Schneier facts don't bode well for you.
-
Re:Sounds like BS to me
If you read my third paragraph then you already know I'll assert "Windows is for 'rocket scientist' computer experts, not non-tech-savvy people," IN SPITE OF REALITY. I get that, ok? ;-) [I will write more half-truths below, because I'm bored and this is fun.]
Why should Google be limited to addressing how people did things in the 1990s (Windows) instead of the modern user, who doesn't have the time (or doesn't want to spend it) to research and analyze the risk of all the software they install? That's a job for repository maintainers. That's just how people decided to do things, a couple decades ago when they saw that the Windows approach wasn't working out for the common man (or the lazy expert).
If you're still running Windows, where doing things the hard way is your only option, then you are a bad ass motherfucker, with a 5-digit-id, cyclopean computer capabilities, and risk assessment expertise such that you ought to have your own facts website. While some of us puny mortals occasionally see something cool on github and check it out and impulsively run it as our own uid, or we might do a plain http download from kernel.org without worrying that someone altered it in transit (actually I just checked and it looks like kernel.org switched to https quite some time ago) we don't always do that for everything; 99% of my warez are straight out of Ubuntu's repo, whitelisted by people I .. mmmostly trust.
By comparison, you Windows people are FEARLESS GODS.
All hail the fearless gods, the computer users who still do things the 1990s way.
But you must understand: Google isn't for you gods. It's for us. When you want someone dead, you just throw a lightning bolt at them, and here you are, bringing up some obscure point about how some electrical capacitance sources aren't working out all that great for you, with Star Trek technobabble-like talk of "scum polarity." We Google users, puny little mortals we are, normally don't blindly reach into the cosmic energy stores that You people do. When mortals discuss these things, we say "of course that is madness! Only the brave or suicidal, routinely tread there!"
To us, Google is something we use to read about something. Reading pages written to persuade us to install "bad" warez from our repositories, isn't really any different than reading pages written to persuade us to join Scientology. We have but one life, so in a way, I guess, a page telling us to do something foolish (e.g. install something called "greenshot" plus some scumware) is of less concern to us, because we protect the one life we have. You wouldn't understand, because you don't have to. There you are, with "scum polarity" lightning noisily crackling and flashing all over your hands (something that would have killed me a hundred times over!), grimacing with minor annoyance, looking for somewhere to spectacularly toss it, in an epic display of thunderous destruction that someone like me could only imagine, or else only witness in the very final moment of my single life.
REVEL IN YOUR POWER AND GLORY, FEARLESS GOD! We hail thine fearlessness! Is your situation really all that bad? So you installed some scumware. So what? The mere fact that you would (that you can) sightlessly leap into doing that, that you still run Windows, shows you're obviously not afraid and that you are above and beyond a certain thing that we little mortals call "personal consequences." So what's the problem?
-
Re:Silly
No one ever expects them.
No one...except for this man.
-
Re:If you want to contact Bruce Schneier...
Bruce Schneier accurately predicts the random.
http://www.schneierfacts.com/facts/485
-
Bruce Schneier facts
Bruce Schneier doesn't need to hide data with steganography - data hides from Bruce Schneier
Bruce Schneier knows who the Anonymous Coward is
Bruce Schneier can recite pi. Backwards.
Bruce Schneier can securely wipe any hard drive by shaking it like an etch-a-sketch.
Bruce Schneier knows Chuck Norris' private key.
Bruce Schneier can write a recursive program that proves the Riemann Hypothesis. In Malbolge.
Bruce Schneier can read captchas.
Hashes collide because they're swerving to avoid Bruce Schneier.
Bruce Schneier is the root of all certificates.
Bruce Schneier intercepts all your internal monologues by a man-in-the-middle attack.
-
Re:Obligatory car analogy
You need some schooling on Bruce:
http://www.schneierfacts.com/facts/371/
-
Re:I have an idea
Besides, Bruce Schneier doesn't need his blog entries linked from anywhere - he just breaks into webservers and puts links wherever he wants.
-
Re:Bruce is a Superhero
you _do_ know this is why they won't let him testify, don't you? Hint: it's a matter of utmost national security! http://www.schneierfacts.com/fact/151
-
Bruce is a Superhero
-
Re:yawn
Schneier and Chuck Norris don't need to communicate that often these days. Lucky us!
-
Re:Whatever happened to passphrases?
-
Re:How many of those were businesses.....
Let's round this out with a little bit of biography from his website.
Bruce Schneier is an internationally renowned security technologist and author. Described by The Economist as a "security guru," he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.
You'll find more facts about him here. In addition to being an internationally recognized security expert and author he's the chief security officer for BT Group.
-
Bruce Schneier has the answer.
This is why you don't use simple passwords.
You use an epic passpoem, detailing the life and works of seven mythical Norse heroes.
-
Schneier!
Naturally, I couldn't even glance at this headline without thinking of Bruce Schneier. He has written a post on his blog disclaiming responsibility. On the other hand, if there's anyone at all who can hunt down the perpetrators... this will easily be the most epic cyber-battle ever!
(From the "don't explain the joke" department: Schneier is a well-respected and, some say, godlike security expert. He has a tradition or running joke of "Friday Squid Blogging" where he posts something squid-related every Friday. I couldn't turn up an explanation of it, but I assume it's because he likes squids.)
-
Re:Why would Bruce Schneier worry about this?
-
Re:The bad news:
-
Stupid jokes incoming in 3...2...1...
Not even Bruce Schneier can protect your router from Chuck.
-
Re:Bruce Schneier agrees
For the record, I [Bruce Schneier] was never approached. But I would certainly decline; this is a political job, and someone political needs to fill it.
He went on to note that he wouldn't even need to be physically present in order to carry out the duties of the position. In fact, he's already carrying them out every morning while he eats breakfast and reads the paper, hence the position remaining apparently vacant for all this time.
-
Re:How about
Now that the whole Chuck Norris phase has kinda spun down does anyone see Bruce Schneier picking up the mantle? At least in geek culture / IT? I think it would be hilarious.
Ask and ye shall receive.
-
Choosing Security vs. Dancing Pigs vs. Unix
Bruce Schneier says that given a choice between security and dancing pigs on your computer, people will take the dancing pigs every time.
When Windows came out, it was perfectly secure - there's only one user in the universe, and she's allowed to do whatever she wants. ("Format C: "? Sure!).
Unfortunately, while Unix was designed from the beginning for security, it didn't always _stay_ designed for security, and some of the things that were done for security had serious tradeoffs. Networking was usually the worst, certainly from TCP/IP's beginnings in 4.2BSD, but also other protocols and other applications had problems, and you're not secure unless everything's secured in some way.
- Low-numbered well-known tcp/udp ports can only be opened as root. While that avoided having ordinary lusers running fake servers, a generally worthwhile goal, it meant that every network service had to be implemented securely, and if any service had a bug, exploiting it made you root! (Of course, you don't need to be root to cause trouble - the Morris Worm didn't bother - but if you're a malicious attacker you want to be root because you can trash everybody, not just hog resources or trash individual users.)
- If you're careful, you can open any special ports you need and then setuid to a non-root user, but not every programmer bothered, and some programs were already toast before they did that.
- Sendmail used to run as root. There's no need for a mail system to run as root just to deliver mail - the System V and V8 mailers typically used group privileges to deliver mail into mailboxes - but not only did sendmail need Port 25, it also had a dancing-pigs feature, which was the ability to run received mail for a user through a mail-handling program with that user's privileges, and the easiest way to do that was to run as root.
- Sendmail's pretty solid stuff these days, but it's been a favorite target for decades, not only because of its complexity, but because it's important enough that for years, almost any Unix machine was running it.
- For the non-sendmail crowd, UUCP had its security holes as well, though the Honey DanBer version helped fix a lot of them. Remotely executing programs is a really useful and powerful concept - and doing it in environments where you have to safety-check every input that could possibly get handed to a shell means that somebody's going to slip a backquote through _some_ program or other and you'll be toast again.
- Unix security means that the operating system is mostly protected from users and whatever malicious programs the users can be conned into running, but the users can still trash their own environments. And root used to be a user, and still sort of is, though we've gotten better about that. And email makes it easy to hand files to any user in hopes they'll run it; the big change over the decades is that you can send them more than just ASCII or EBCDIC.
- Even if Unix was secure, it was originally accessed from terminals that might not be dumb enough to be secure. Back in 1979, one of the San Francisco area papers ran an article that "hackers in Berkeley" had found a security hole in "the Unix, a computer made by DEC" (ahem...) It was the then-already-old trick of sending escape sequences to a VT100 or HP2621 that would get echoed back to the computer as if the user had typed them. So what cool things is your computer running to talk to your iPhone or Bluetooth?
- Password security has always been a problem. The original Unix password system was pretty strong for its day, but if you picked a wimpy password, you were vulnerable to password-guessing. (And some of the early password-length-enforcers only applied to regular users, not root, so that's the obvious password to try cracking.)
- Unix file permissions were very flexible, but you had to be sure to tighten all of the ones that needed to be tight.
(Back when I was a newbie learning security, RTM's father used at least the last three of those methods to crack into my accounts :-)
-
Re:I was a little worried
Well Bruce Schneier helped write it, this is the same man that once decrypted a box of AlphaBits.
I think we're safe until he figures out how to decrypt cheerios.
-
Re:I was a little worried
Well Bruce Schneier helped write it, this is the same man that once decrypted a box of AlphaBits.
That's actually bad news: Anybody can invent a cryptosystem he cannot break himself. Except Bruce Schneier.
-
Re:I was a little worried
Well Bruce Schneier helped write it, this is the same man that once decrypted a box of AlphaBits.
-
Re:!surprising
Birth? It's already several years old.