Bruce Schneier | |||||||||||||||
Schneier on SecurityA blog covering security and security technology. U.S. Court Rules that Hashing = SearchingReally interesting post by Orin Kerr on whether, by taking hash values of someone's hard drive, the police conducted a "search": District Court Holds that Running Hash Values on Computer Is A Search: The case is United States v. Crist, 2008 WL 4682806 (M.D.Pa. October 22 2008) (Kane, C.J.). It's a child pornography case involving a warrantless search that raises a very interesting and important question of first impression: Is running a hash a Fourth Amendment search? (For background on what a "hash" is and why it matters, see here). Posted on November 5, 2008 at 8:28 AM • 48 Comments • View Blog Reactions P = NP?People have been sending me this paper that "proves" that P != NP. These sorts of papers make the rounds regularly, and my advice is to not pay attention to any of them. G.J. Woeginger keeps a list of these papers -- he has 43 so far -- and points out: The following paragraphs list many papers that try to contribute to the P-versus-NP question. Among all these papers, there is only a single paper that has appeared in a peer-reviewed journal, that has thoroughly been verified by the experts in the area, and whose correctness is accepted by the general research community: The paper by Mihalis Yannakakis. (And this paper does not settle the P-versus-NP question, but "just" shows that a certain approach to settling this question will never work out.) Of course, there's a million-dollar prize for resolving the question -- so expect the flawed proofs to continue. Posted on November 4, 2008 at 12:12 PM • 21 Comments • View Blog Reactions Duplicating Keys from PhotographsEDITED TO ADD (11/3): Here's the paper. Posted on November 3, 2008 at 1:35 PM • 43 Comments • View Blog Reactions Understanding Terrorist BehaviorTwo items, one short and one long. The short one: "A Look at Terrorist Behavior: How They Prepare, Where They Strike," by Brent Smith, National Institute of Justice Journal, No. 260, 2008. The long one: How Terrorist Groups End: Lessons for Countering al Qa'ida, by Seth G. Jones and Martin C. Libicki, RAND Corporation, 2008. Posted on November 3, 2008 at 6:57 AM • 23 Comments • View Blog Reactions Friday Squid Blogging: Long-Arm Squid Caught by Japanese FishermenVideo in Japanese. And an (unrelated) cartoon. Posted on October 31, 2008 at 4:38 PM • 7 Comments • View Blog Reactions Podcast Interview with MeRSA interviewed me about my talk at the RSA Conference in London earlier this week. Posted on October 31, 2008 at 1:52 PM • 0 Comments • View Blog Reactions Keeping America Safe from Terrorism by Monitoring Distillery WebcamsWe had an email recently from an observer "curious as to why the webcam that was inside the shop/bar is no longer there, or at least, functional". The email was from the Defense Threat Reduction Agency in the United States. Posted on October 31, 2008 at 11:15 AM • 50 Comments • View Blog Reactions UPC Switching ScamIt's not a new scam to switch bar codes and buy merchandise for a lower value, but how do you get away with over $1M worth of merchandise with this scam? In a statement of facts filed with Tidwell's plea, he admitted that, during one year, he and others conspired to steal more than $1 million in merchandise from large retailers and sell the items through eBay. The targeted merchandise included high-end vacuum cleaners, electric welders, power winches, personal computers, and electric generators. That requires a lot of really clueless checkout clerks. Posted on October 31, 2008 at 6:43 AM • 63 Comments • View Blog Reactions Horrible Identity Theft StoryThis is a story of how smart people can be neutralized through stupid procedures. Here's the part of the story where some poor guy's account get's completely f-ed. This thief had been bounced to the out-sourced to security so often that he must have made a check list of any possible questions they would ask him. Through whatever means, he managed to get the answers to these questions. Now when he called, he could give us the information we were asking for, but by this point we knew his voice so well that we still tried to get him to security. It worked like this: We put him on hold and dial the extension for security. We get a security rep and start to explain the situation; we tell them he was able to give the right information, but that we know is the same guy that's been calling for weeks and we are certain he is not the account holder. They begrudgingly take the call. Minutes later another one of us gets a call from a security rep saying they are giving us a customer who has been cleared by them. And here the thief was back in our department. For those of us who had come to know him, the fight waged on night after night. Posted on October 30, 2008 at 12:10 PM • 39 Comments • View Blog Reactions Movie-Plot Threat: Terrorists Using TwitterNo, really. (Commentary here.) This is just ridiculous. Of course the bad guys will use all the communications tools available to the rest of us. They have to communicate, after all. They'll also use cars, water faucets, and all-you-can-eat buffet lunches. So what? This commentary is dead on: Steven Aftergood, a veteran intelligence analyst at the Federation of the American Scientists, doesn't dismiss the Army presentation out of hand. But nor does he think it's tackling a terribly seriously threat. "Red-teaming exercises to anticipate adversary operations are fundamental. But they need to be informed by a sense of what's realistic and important and what's not," he tells Danger Room. "If we have time to worry about 'Twitter threats' then we're in good shape. I mean, it's important to keep some sense of proportion." Posted on October 30, 2008 at 7:51 AM • 33 Comments • View Blog Reactions TSA NewsItem 1: Kip Hawley says that the TSA may reduce size restrictions on liquids. You'll still have to take them out of your bag, but they can be larger than three ounces. The reasons -- so he states -- are that technologies are getting better, not that the threat is reduced. I'm skeptical, of course. But read his post; it's interesting. Item 2: Hawley responded to my response to his blog post about an article about me in The Atlantic. Item 3: The Atlantic is holding a contest, based on Hawley's comment that the TSA is basically there to catch stupid terrorists: And so, a contest: How would the Hawley Principle of Federally-Endorsed Mediocrity apply to other government endeavors? Not the same as my movie-plot threat contest, but fun all the same.
Posted on October 29, 2008 at 2:27 PM • 33 Comments • View Blog Reactions The Skein Hash FunctionNIST is holding a competition to replace the SHA family of hash functions, which have been increasingly under attack. (I wrote about an early NIST hash workshop here.) Skein is our submission (myself and seven others: Niels Ferguson, Stefan Lucks, Doug Whiting, Mihir Bellare, Tadayoshi Kohno, Jon Callas, and Jesse Walker). Here's the paper: Executive Summary Here's source code, text vectors, and the like for Skein. Watch the Skein website for any updates -- new code, new results, new implementations, the proofs. NIST's deadline is Friday. It seems as if everyone -- including many amateurs -- is working on a hash function, and I predict that NIST will receive at least 80 submissions. (Compare this to the sixteen NIST submissions received for the AES competition in 1998.) I expect people to start posting their submissions over the weekend. (Ron Rivest already presented MD6 at Crypto in August.) Probably the best place to watch for new hash functions is here; I'll try to keep a listing of the submissions myself. The selection process will take around four years. I've previously called this sort of thing a cryptographic demolition derby -- last one left standing wins -- but that's only half true. Certainly all the groups will spend the next couple of years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms; NIST will select one based on performance and features. NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart of them; in this process, "best" is the enemy of "good." My advice is this: immediately sort them based on performance and features. Ask the cryptographic community to focus its attention on the top dozen, rather than spread its attention across all 80 -- although I also expect that most of the amateur submissions will be rejected by NIST for not being "complete and proper." Otherwise, people will break the easy ones and the better ones will go unanalyzed. EDITED TO ADD (10/30): Here is a single website for all information, including cryptanalysis, of all the SHA-3 submissions. A spoke to a reporter who told me that, as of yesterday, NIST had received 30 submissions. And three news articles about Skein. Posted on October 29, 2008 at 6:35 AM • 103 Comments • View Blog Reactions
Powered by Movable Type. Photo at top by Steve Woit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT. |
|