Ramblings & ephemera

Security decisions are often made for non-security reasons

From Bruce Schneier’s Crypto-Gram of 15 July 2004: There was a single guard watching the X-ray machine’s monitor, and a line of people putting their bags onto the machine. The people themselves weren’t searched at all. Even worse, no guard was watching the people. So when I walked with everyone else in line and just […]

Quanta Crypto: cool but useless

From Bruce Schneier’s “Quantum Cryptography” (Crypto-Gram: 15 November 2008): Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life. The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg’s […]

How to deal with the fact that users can’t learn much about security

From Bruce Schneier’s “Second SHB Workshop Liveblogging (4)” (Schneier on Security: 11 June 2009): Diana Smetters, Palo Alto Research Center …, started with these premises: you can teach users, but you can’t teach them very much, so you’d better carefully design systems so that you 1) minimize what they have to learn, 2) make it […]

The future of security

From Bruce Schneier’s “Security in Ten Years” (Crypto-Gram: 15 December 2007): Bruce Schneier: … The nature of the attacks will be different: the targets, tactics and results. Security is both a trade-off and an arms race, a balance between attacker and defender, and changes in technology upset that balance. Technology might make one particular tactic […]

Problems with airport security

From Jeffrey Goldberg’s “The Things He Carried” (The Atlantic: November 2008): Because the TSA’s security regimen seems to be mainly thing-based—most of its 44,500 airport officers are assigned to truffle through carry-on bags for things like guns, bombs, three-ounce tubes of anthrax, Crest toothpaste, nail clippers, Snapple, and so on—I focused my efforts on bringing […]

Bruce Schneier on wholesale, constant surveillance

From Stephen J. Dubner’s interview with Bruce Schneier in “Bruce Schneier Blazes Through Your Questions” (The New York Times: 4 December 2007): There’s a huge difference between nosy neighbors and cameras. Cameras are everywhere. Cameras are always on. Cameras have perfect memory. It’s not the surveillance we’ve been used to; it’s wholesale surveillance. I wrote […]

Those who know how to fix know how to destroy as well

From Stephen J. Dubner’s interview with Bruce Schneier in “Bruce Schneier Blazes Through Your Questions” (The New York Times: 4 December 2007): This is true in many aspects of our society. Here’s what I said in my book, Secrets and Lies (page 389): “As technology becomes more complicated, society’s experts become more specialized. And in […]

Bruce Schneier on security & crime economics

From Stephen J. Dubner’s interview with Bruce Schneier in “Bruce Schneier Blazes Through Your Questions” (The New York Times: 4 December 2007): Basically, you’re asking if crime pays. Most of the time, it doesn’t, and the problem is the different risk characteristics. If I make a computer security mistake — in a book, for a […]

Bruce Schneier on identity theft

From Stephen J. Dubner’s interview with Bruce Schneier in “Bruce Schneier Blazes Through Your Questions” (The New York Times: 4 December 2007): Identity theft is a problem for two reasons. One, personal identifying information is incredibly easy to get; and two, personal identifying information is incredibly easy to use. Most of our security measures have […]

9 reasons the Storm botnet is different

From Bruce Schneier’s “Gathering ‘Storm’ Superworm Poses Grave Threat to PC Nets” (Wired: 4 October 2007): Storm represents the future of malware. Let’s look at its behavior: 1. Storm is patient. A worm that attacks all the time is much easier to detect; a worm that attacks and then shuts off for a while hides […]

Synchronization attacks at fast food drive-through windows

From Bruce Schneier’s “Getting Free Food at a Fast-Food Drive-In” (Crypto-Gram: 15 September 2007): It’s easy. Find a fast-food restaurant with two drive-through windows: one where you order and pay, and the other where you receive your food. This won’t work at the more-common U.S. configuration: a microphone where you order, and a single window […]

Serial-numbered confetti

From Bruce Schneier’s “News” (Crypto-Gram: 15 September 2007): Taser — yep, that’s the company’s name as well as the product’s name — is now selling a personal-use version of their product. It’s called the Taser C2, and it has an interesting embedded identification technology. Whenever the weapon is fired, it also sprays some serial-number bar-coded […]

Trusted insiders and how to protect against them

From Bruce Schneier’s “Basketball Referees and Single Points of Failure” (Crypto-Gram: 15 September 2007): What sorts of systems — IT, financial, NBA games, or whatever — are most at risk of being manipulated? The ones where the smallest change can have the greatest impact, and the ones where trusted insiders can make that change. … […]

A collective action problem: why the cops can’t talk to firemen

From Bruce Schneier’s “First Responders” (Crypto-Gram: 15 September 2007): In 2004, the U.S. Conference of Mayors issued a report on communications interoperability. In 25% of the 192 cities surveyed, the police couldn’t communicate with the fire department. In 80% of cities, municipal authorities couldn’t communicate with the FBI, FEMA, and other federal agencies. The source […]

A wireless router with 2 networks: 1 secure, 1 open

From Bruce Schneier’s “My Open Wireless Network” (Crypto-Gram: 15 January 2008): A company called Fon has an interesting approach to this problem. Fon wireless access points have two wireless networks: a secure one for you, and an open one for everyone else. You can configure your open network in either “Bill” or “Linus” mode: In […]

Anonymity and Netflix

From Bruce Schneier’s “Anonymity and the Netflix Dataset” (Crypto-Gram: 15 January 2008): The point of the research was to demonstrate how little information is required to de-anonymize information in the Netflix dataset. … What the University of Texas researchers demonstrate is that this process isn’t hard, and doesn’t require a lot of data. It turns […]

A cheap, easy way to obfuscate license plates

From Victor Bogado da Silva Lins’ letter in Bruce Schneier’s Crypto-Gram (15 May 2004): You mentioned in your last crypto-gram newsletter about a cover that makes a license plate impossible to read from certain angles. Brazilian people have thought in another low-tech solution for the same “problem”, they simply tie some ribbons to the plate […]

People being rescued run from their rescuers

From Les Jones’s email in Bruce Schneier’s “Crypto-Gram” (15 August 2005): Avoiding rescuers is a common reaction in people who have been lost in the woods. See Dwight McCarter’s book, “Lost,” an account of search and rescue operations in the Great Smoky Mountains National Park. In one chapter McCarter tells the story of two backpackers […]

World distance reading WiFi and RFID

From Bruce Schneier’s “Crypto-Gram” (15 August 2005): At DefCon earlier this month, a group was able to set up an unamplified 802.11 network at a distance of 124.9 miles. http://www.enterpriseitplanet.com/networking/news/… http://pasadena.net/shootout05/ Even more important, the world record for communicating with a passive RFID device was set at 69 feet. Remember that the next time someone […]

The NSA’s cryptographic backdoor

From Bruce Schneier’s “The Strange Story of Dual_EC_DRBG” (Crypto-Gram: 15 November 2007): This year, the U.S. government released a new official standard for random number generators, which will likely be followed by software and hardware developers around the world. Called NIST Special Publication 800-90, the 130-page document contains four different approved techniques, called DRBGs, or […]