Bruce Schneier
Schneier on Security
A blog covering security and security technology.

The Politics and Philosophy of National Security

This essay explains why we're all living in failed Hobbesian states:

    What do these three implications -- states have a great deal of freedom to determine what threatens a people and how to respond to those threats, and in making those determinations, they are influenced by the interests and ideologies of their primary constituencies; states have strong incentives and have been given strong justifications for exaggerating threats; and while states aspire, rhetorically, to a unity of will and judgment, they seldom achieve it in practice -- tell us about the relationship between security and freedom? What light do they shed on the question of why security is such a potent argument for the suppression of rights and liberties?

Posted on January 10, 2013 at 6:49 AM • 7 Comments

Denial-of-Service Attack Against Facebook

Just claim the person is dead. All you need to do is fake an online obituary.

Posted on January 9, 2013 at 6:44 AM • 13 Comments

Cat Smuggler

Not a cat burglar, a cat smuggler.

    Guards thought there was something suspicious about a little white cat slipping through a prison gate in northeastern Brazil. A prison official says that when they caught the animal, they found a cellphone, drills, small saws and other contraband taped to its body.

Another article, with video.

    A prison spokesperson was quoted by local paper Estado de S. Paulo as saying: "It's tough to find out who's responsible for the action as the cat doesn't speak."

Posted on January 8, 2013 at 1:36 PM • 20 Comments

DHS Gets to Spy on Everyone

This Wall Street Journal investigative piece is a month old, but well worth reading. Basically, the Total Information Awareness program is back with a different name:

    The rules now allow the little-known National Counterterrorism Center to examine the government files of U.S. citizens for possible criminal behavior, even if there is no reason to suspect them. That is a departure from past practice, which barred the agency from storing information about ordinary Americans unless a person was a terror suspect or related to an investigation.

Note that this is government data only, not commercial data. So while it includes "almost any government database, from financial forms submitted by people seeking federally backed mortgages to the health records of people who sought treatment at Veterans Administration hospitals" as well as lots of commercial data, it's data the corporations have already given to the government. It doesn't include, for example, your detailed cell phone bills or your tweets.

See also this supplementary blog post to the article.

Posted on January 8, 2013 at 6:28 AM • 48 Comments

Details of an Internet Scam

Interesting details of an Amazon Marketplace scam. Worth reading.

    Most scams use a hook to cause a reaction. The idea being that if you are reacting, they get to control you. If you take the time to stop and think things through, you take control back and can usually spot the scam. Common hooks involve Urgency, Uncertainty, Sex, Fear or Anger. In this case, it's all about Urgency, Uncertainty and Fear. By setting the price so low, they drive urgency high, as you're afraid that you might miss the deal. They then compound this by telling me there was an error in the shipment, trying to make me believe they are incompetent and if I act quickly, I can take advantage of their error.

Posted on January 7, 2013 at 6:31 AM • 23 Comments

Friday Squid Blogging: Giant Squid Finally Captured on Video

We'll see it later this month.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

EDITED TO ADD (1/8): Some more news stories here.

Posted on January 4, 2013 at 3:36 PM • 33 Comments

What Facebook Gives the Police

This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public.

EDITED TO ADD (1/4): Commenters point out that this case is four years old, and that Facebook claims to have revised its policies since then.

Posted on January 4, 2013 at 7:48 AM • 30 Comments

Classifying a Shape

This is a great essay:

    Spheres are special shapes for nuclear weapons designers. Most nuclear weapons have, somewhere in them, that spheres-within-spheres arrangement of the implosion nuclear weapon design. You don't have to use spheres -- cylinders can be made to work, and there are lots of rumblings and rumors about non-spherical implosion designs around these here Internets -- but spheres are pretty common.

The essay continues with a story of a scientist who received a security violation for leaving an orange on his desk.

Two points here. One, this is a classic problem with any detection system. When it's hard to build a system that detects the thing you're looking for, you change the problem to detect something easier -- and hope the overlap is enough to make the system work. Think about airport security. It's too hard to detect actual terrorists with terrorist weapons, so instead they detect pointy objects. Internet filtering systems work the same way, too. (Remember when URL filters blocked the word "sex," and the Middlesex Public Library found that it couldn't get to its municipal webpages?)

Two, the Los Alamos system only works because false negatives are much, much worse than false positives. It really is worth classifying an abstract shape and annoying an officeful of scientists and others to protect the nuclear secrets. Airport security fails because the false-positive/false-negative cost ratio is different.

Posted on January 3, 2013 at 6:03 AM • 33 Comments

Apollo Robbins, Pickpocket

Fascinating story:

    "Come on," Jillette said. "Steal something from me."

Really -- read the whole thing.

EDITED TO ADD (1/6): A video accompanying the article. There's much more on YouTube.

Posted on January 2, 2013 at 8:44 AM • 31 Comments

Terms of Service as a Security Threat

After the Instagram debacle, where it changed its terms of service to give itself greater rights over user photos and reversed itself after a user backlash, it's worth thinking about the security threat stemming from terms of service in general.

As cloud computing becomes the norm, as Internet security becomes more feudal, these terms of service agreements define what our service providers can do, both with the data we post and with the information they gather about how we use their service. The agreements are very one-sided -- most of the time, we're not even paying customers of these providers -- and can change without warning. And, of course, none of us ever read them.

Here's one example. Prezi is a really cool presentation system. While you can run presentations locally, it's basically cloud-based. Earlier this year, I was at a CISO Summit in Prague, and one of the roundtable discussions centered around services like Prezi. CISOs were worried that sensitive company information was leaking out of the company and being stored insecurely in the cloud.

My guess is that they would have been much more worried if they read Prezi's terms of use:

    With respect to Public User Content, you hereby do and shall grant to Prezi (and its successors, assigns, and third party service providers) a worldwide, non-exclusive, perpetual, irrevocable, royalty-free, fully paid, sublicensable, and transferable license to use, reproduce, modify, create derivative works from, distribute, publicly display, publicly perform, and otherwise exploit the content on and in connection with the manufacture, sale, promotion, marketing and distribution of products sold on, or in association with, the Service, or for purposes of providing you with the Service and promoting the same, in any medium and by any means currently existing or yet to be devised.

Those paragraphs sure sound like Prezi can do anything it wants, including start a competing business, with any presentation I post to its site. (Note that Prezi's human-readable -- but not legally correct -- terms of use document makes no mention of this.)

Yes, I know Prezi doesn't currently intend to do that, but things change, companies fail, assets get bought, and what matters in the end is what the agreement says.

I don't mean to pick on Prezi; it's just an example. How many other of these Trojan horses are hiding in commonly used cloud provider agreements: both from providers that companies decide to use as a matter of policy, and providers that company employees use in violation of policy, for reasons of convenience?

Posted on December 31, 2012 at 6:44 AM • 41 Comments

Friday Squid Blogging: William Gilly, Squid Researcher

Good article.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on December 28, 2012 at 3:16 PM • 17 Comments

I Seem to Be a Verb

From "The Insider's TSA Dictionary":

    Bruce Schneiered: (V, ints) When a passenger uses logic in order to confound and perplex an officer into submission.

    Ex: "A TSA officer took my Swiss army knife, but let my scissors go. I then asked him wouldn't it be more dangerous if I were to make my scissors into two blades, or to go into the bathroom on the secure side and sharpen my grandmother's walking stick with one of the scissor blades into a terror spear. Then after I pointed out that all of our bodies contain a lot more than 3.4 ounces of liquids, the TSA guy got all pissed and asked me if I wanted to fly today. I totally Schneirered [sic] his ass."

Supposedly the site is by a former TSA employee. I have no idea if that's true.

Posted on December 28, 2012 at 12:34 PM • 19 Comments
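The cost-ratio argument in the Classifying a Shape post above can be made concrete. The following is an added worked example, not code from the blog or from the essay it links to: it models a "detect the easier proxy" rule by its coverage (how much of the real threat the proxy overlaps) and its false-alarm rate, and derives the break-even false-negative/false-positive cost ratio above which deploying the rule is cheaper than doing nothing. The base rates, costs and detector rates for the weapons-lab and airport scenarios are constructed for illustration only; they are assumptions, not measured values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyDetector:
    """A detector that fires on an easy-to-detect proxy feature (a sphere, a pointy
    object) rather than on the real thing it is meant to catch."""
    name: str
    coverage: float      # P(proxy present | real threat): the true-positive rate
    false_alarm: float   # P(proxy present | benign item): the false-positive rate


@dataclass(frozen=True)
class Scenario:
    """What it costs to be wrong in each direction, and how rare the real threat is."""
    name: str
    base_rate: float     # P(real threat) per screened item
    cost_fn: float       # cost of one missed threat (false negative)
    cost_fp: float       # cost of one false alarm (false positive)


def expected_cost_no_detector(s: Scenario) -> float:
    """Screen nothing: every real threat gets through."""
    return s.base_rate * s.cost_fn


def expected_cost(s: Scenario, d: ProxyDetector) -> float:
    """Expected cost per screened item when the proxy detector is deployed."""
    missed = s.base_rate * (1.0 - d.coverage) * s.cost_fn
    alarms = (1.0 - s.base_rate) * d.false_alarm * s.cost_fp
    return missed + alarms


def breakeven_cost_ratio(s: Scenario, d: ProxyDetector) -> float:
    """Smallest cost_fn / cost_fp at which deploying the detector beats not deploying it.

    Deploy iff  p(1-cov)C_fn + (1-p)fa C_fp  <  p C_fn
           iff  (1-p) fa C_fp  <  p cov C_fn
           iff  C_fn / C_fp  >  (1-p) fa / (p cov)
    """
    return (1.0 - s.base_rate) * d.false_alarm / (s.base_rate * d.coverage)


def worth_deploying(s: Scenario, d: ProxyDetector) -> bool:
    """True when the scenario's actual cost ratio clears the break-even ratio."""
    return s.cost_fn / s.cost_fp > breakeven_cost_ratio(s, d)


# Constructed, illustrative parameters only (assumptions, not measured values).
# Weapons-lab desk check: a missed secret is catastrophic, a false alarm is an
# annoyed scientist, so even a rule that fires on every orange is worth having.
LOS_ALAMOS = Scenario("weapons-lab desk check", base_rate=1e-4, cost_fn=1e9, cost_fp=50.0)
SPHERE_RULE = ProxyDetector("anything sphere-shaped is classified",
                            coverage=0.95, false_alarm=0.10)

# Airport checkpoint: the real threat is far rarer per passenger, a false alarm
# costs a secondary screening and maybe a missed flight, and "pointy" overlaps
# only half of what an attacker might actually carry.
AIRPORT = Scenario("airport checkpoint", base_rate=1e-9, cost_fn=1e9, cost_fp=100.0)
POINTY_RULE = ProxyDetector("anything pointy is a weapon",
                            coverage=0.5, false_alarm=0.02)


if __name__ == "__main__":
    for s, d in ((LOS_ALAMOS, SPHERE_RULE), (AIRPORT, POINTY_RULE)):
        print(f"{s.name}: C_fn/C_fp = {s.cost_fn / s.cost_fp:.3g}, "
              f"break-even = {breakeven_cost_ratio(s, d):.3g}, "
              f"deploy '{d.name}'? {worth_deploying(s, d)}")
```

With these assumed numbers the sphere rule pays for itself by a wide margin (the lab's cost ratio is around 2e7 against a break-even near 1e3), while the pointy-object rule does not: the airport's base rate is so low that the aggregate false-alarm cost exceeds what the detector saves, which is the asymmetry the post describes. Changing any of the constructed inputs moves the break-even line, so the useful output is the formula, not the particular verdicts.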
Powered by Movable Type. Photo at top by Geoffrey Stone.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.