Sat Feb 13 19:31:10 CET 2010


Challenges Need to Be Addressed to Improve Research and Development."
Thirty-six pages; I haven't read it.
http://www.gao.gov/new.items/d10466.pdf

Two interesting research papers on website password policies.
http://www.schneier.com/blog/archives/2010/07/website_passwor_1.html

Interesting journal article evaluating the EU's counterterrorism efforts.
http://www3.interscience.wiley.com/cgi-bin/fulltext/123574424/PDFSTART

A book on GCHQ, and three reviews.
http://www.amazon.com/exec/obidos/ASIN/0007278470/counterpane/
http://www.theregister.co.uk/2010/06/15/gchq_review/
http://www.birminghampost.net/life-leisure-birmingham-guide/postfeatures/2010/07/05/privacy-terrorism-and-the-surveillance-secrets-of-gchq-65233-26790952/
or http://tinyurl.com/3xa5gnp
http://www.economist.com/node/16537028?story_id=16537028

More research on the effectiveness of terrorist profiling:
http://www.pnas.org/content/106/6/1716.full

Stuxnet is a new Internet worm that specifically targets Siemens WinCC
SCADA systems, which are used to control production at industrial plants
such as oil rigs, refineries, electronics production, and so on. The worm
seems to upload plant info (schematics and production information) to
an external website. Moreover, owners of these SCADA systems cannot
change the default password because it would cause the software to
break down.
http://news.cnet.com/8301-27080_3-20011159-245.html
http://www.pcworld.com/businesscenter/article/201468/eset_discovers_second_variation_of_stuxnet_worm.html
or http://tinyurl.com/2b3s7dz
http://www.scmagazineus.com/stuxnet-malware-threat-continues-targets-control-systems/article/175092/
or http://tinyurl.com/2ebphdx
http://blogs.computerworld.com/16578/first_true_scada_malware_detected
http://www.infoworld.com/d/security-central/siemens-warns-users-dont-change-passwords-after-worm-attack-915?page=0,0&source=rss_security_central
or http://tinyurl.com/2bzqwts
http://www.wired.com/threatlevel/2010/07/siemens-scada/

The Washington Post has published a phenomenal piece of investigative
journalism: a long, detailed, and very interesting expose on the U.S.
intelligence industry. It's a truly excellent piece of investigative
journalism. Pity people don't care much about investigative
journalism -- or facts in politics, really -- anymore.
http://projects.washingtonpost.com/top-secret-america/articles/
My blog entry, with lots of links and reactions.
http://www.schneier.com/blog/archives/2010/07/the_washington.html

An article from The Economist makes a point that I have been thinking
about for a while: modern technology makes life harder for spies, not
easier. It used to be technology favored spycraft -- think James Bond
gadgets -- but more and more, technology favors spycatchers. The
ubiquitous collection of personal data makes it harder to maintain a
false identity, ubiquitous eavesdropping makes it harder to
communicate securely, the prevalence of cameras makes it harder to not
be seen, and so on. I think this is an example of the general
tendency of modern information and communications technology to
increase power in proportion to existing power. So while technology
makes the lone spy more effective, it makes an institutional
counterspy organization much more powerful.
http://www.economist.com/node/16590867/

Here's a book from 1921 on how to profile people.
http://www.schneier.com/blog/archives/2010/07/1921_book_on_pr.html

WPA cracking in the cloud.
http://blogs.techrepublic.com.com/security/?p=4097
http://www.wpacracker.com/index.html
http://www.wpacracker.com/faq.html

In related news, there might be a man-in-the-middle attack possible
against the WPA2 protocol. Man-in-the-middle attacks are potentially
serious, but it depends on the details -- and they're not available
yet.
http://www.networkworld.com/newsletters/wireless/2010/072610wireless1.html
or http://tinyurl.com/27tcv6r
http://webcache.googleusercontent.com/search?q=cache:VArK7JzNMyUJ:www.hackforums.net/archive/index.php/thread-321253.html+hack+wpa+via+fake+ssid&cd=2&hl=en&ct=clnk&gl=us&client=safari
or http://tinyurl.com/29kkw72

Okay, this is just weird: a pork-filled counter-Islamic bomb device.
http://www.schneier.com/blog/archives/2010/07/pork-filled_cou.html

DNSSEC root key split among seven people:
http://www.schneier.com/blog/archives/2010/07/dnssec_root_key.html

Security vulnerabilities of smart electricity meters.
http://www.schneier.com/blog/archives/2010/07/security_vulner.html

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:
http://www.wired.com/threatlevel/2010/07/atms-jackpotted/
http://www.technologyreview.com/computing/25888/
http://www.computerworld.com/s/article/9179796/Update_ATM_hack_gives_cash_on_demand
or http://tinyurl.com/39b3yvo

The business of selling fear in the form of doomsday shelters.
http://www.schneier.com/blog/archives/2010/07/doomsday_shelte.html

Seems there are a lot of smartphone apps that eavesdrop on their
users. They do it for marketing purposes. Really, they seem to do it
because the code base they use does it automatically or just because
they can. (Initial reports that an Android wallpaper app was malicious
seem to have been an overstatement; they're just incompetent:
inadvertently collecting more data than necessary.)
http://www.schneier.com/blog/archives/2010/08/eavesdropping_s.html

Meanwhile, there's now an Android rootkit available.
http://www.examiner.com/x-39728-Tech-Buzz-Examiner~y2010m7d31-Researchers-release-rootkit-tool-for-Android-phones-at-Defcon-conference
or http://tinyurl.com/2ceuxgx

Location-based encryption -- a system by which only a recipient in a
specific location can decrypt the message -- fails because location
can be spoofed. Now a group of researchers has solved the problem in
a quantum cryptography setting. Don't expect this in a product
anytime soon. Quantum cryptography is mostly theoretical and almost
entirely laboratory-only. But as research, it's great stuff.
http://www.sciencedaily.com/releases/2010/07/100726162123.htm
http://arxiv.org/PS_cache/arxiv/pdf/1005/1005.1750v1.pdf

More brain scanning to detect future terrorists:
http://www.schneier.com/blog/archives/2010/08/more_brain_scan.html

Coffee cup disguised as a camera lens; yet another way to smuggle
liquids onto aircraft.
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=280544719941

Ant warfare.
http://www.wired.com/dangerroom/2010/08/gallery-ant-warfare/all/1

There's a new paper circulating that claims to prove that P != NP.
The paper has not been refereed, and I haven't seen any independent
verifications or refutations. Despite the fact that the paper is by a
respected researcher -- HP Labs' Vinay Deolalikar -- and not a crank,
my bet is that the proof is flawed.
http://www.hpl.hp.com/personal/Vinay_Deolalikar/
http://science.slashdot.org/story/10/08/08/226227/Claimed-Proof-That-P--NP
or http://tinyurl.com/2d2nw4e
http://www.allvoices.com/contributed-news/6476401-vinay-deolalikar-explains-the-proof-that-p-np
or http://tinyurl.com/34bvmjx

Good information from Mikko Hypponen on the Apple JailbreakMe vulnerability.
http://www.f-secure.com/weblog/archives/00002004.html
http://blog.iphone-dev.org/
Apple has released a patch. It doesn't help people with old model
iPhones and iPod Touches, or work for people who've jailbroken their
phones.
http://www.f-secure.com/weblog/archives/00002007.html
http://support.apple.com/kb/HT4291

"Facebook Privacy Settings: Who Cares?" by danah boyd and Eszter Hargittai.
http://www.uic.edu/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/3086/2589
or http://tinyurl.com/37y3u7v

UAE is threatening to ban BlackBerrys. It's a complicated story, and
I have much to say in my blog post:
http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html

Security analysis of smudges on smart phone touch screens.
http://www.usenix.org/events/woot10/tech/full_papers/Aviv.pdf

Cloning retail gift cards.
http://www.oregonlive.com/beaverton/index.ssf/2010/08/beaverton_man_steals_thousands_from_stores_by_cloning_gift_cards.html


** *** ***** ******* *********** *************

    WikiLeaks Insurance File



WikiLeaks has posted an encrypted 1.4 GB file called "insurance."
It's either 1.4 GB of embarrassing secret documents, or 1.4 GB of
random data bluffing. There's no way to know.

If WikiLeaks wanted to prove that their "insurance" was the real
thing, they should have done this:

    * Encrypt each document with a separate AES key.

    * Ask someone to publicly tell them to choose a random document.

    * Publish the decryption key for that document only.

That would be convincing.
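The three-step procedure above, as an added example in Go (not code from the newsletter or from WikiLeaks); it assumes AES-256-GCM as the per-document cipher and uses constructed stand-in documents. Seal is the publisher's side and Open the verifier's: the one revealed key opens only the challenged blob, and the authentication tag rejects that key on every other blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// SampleDocs are constructed stand-ins for the archive (not real documents).
var SampleDocs = [][]byte{[]byte("document 0"), []byte("document 1"), []byte("document 2")}

// newGCM wraps a 32-byte key as AES-256-GCM (cipher choice assumed for this example).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts each document under its own fresh key. The blobs are what gets
// published; the keys stay private until one index is publicly challenged.
func Seal(docs [][]byte) (keys, blobs [][]byte) {
	for _, d := range docs {
		key := make([]byte, 32)
		rand.Read(key) // crypto/rand.Read is guaranteed not to fail on Go 1.24+
		gcm, _ := newGCM(key) // cannot fail: the key is always 32 bytes
		nonce := make([]byte, gcm.NonceSize())
		rand.Read(nonce)
		keys = append(keys, key)
		blobs = append(blobs, gcm.Seal(nonce, nonce, d, nil)) // nonce || ciphertext || tag
	}
	return keys, blobs
}

// Open is the verifier's side: decrypt one published blob with the key revealed for it.
// The GCM tag makes the same key fail on every other blob, so those stay sealed.
func Open(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}
```

The ordering matters: the blobs must be public before the index is chosen, so that the key released afterwards commits the publisher to what was already out.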

In any case, some of the details might be wrong. The file might not be
encrypted with AES256. It might be Blowfish. It might be OpenSSL.
It might be something else.

http://wikileaks.org/wiki/Afghan_War_Diary,_2004-2010
http://www.wired.com/threatlevel/2010/07/wikileaks-insurance-file/
http://www.theregister.co.uk/2010/08/02/wikileaks_insurance/
http://cryptome.org/0002/wl-diary-mirror.htm

Weird Iranian paranoia:
http://english.farsnews.com/newstext.php?nn=8905131636


** *** ***** ******* *********** *************

    NSA and the National Cryptologic Museum



Most people might not be aware of it, but there's a National
Cryptologic Museum at Ft. Meade, at NSA Headquarters. It's hard to
know its exact relationship with the NSA. Is it part of the NSA, or is
it a separate organization? Can the NSA reclassify things in its
archives? David Kahn has given his papers to the museum; is that a
good idea?

A "Memorandum of Understanding (MOU) between The National Security
Agency (NSA) and the National Cryptologic Museum Foundation" was
recently released. It's pretty boring, really, but it sheds some
light on the relationship between the museum and the agency.

http://www.governmentattic.org/3docs/MOU-NSA-NCMF_2010.pdf


** *** ***** ******* *********** *************

    Schneier News



None this month. Summers are always slow.


** *** ***** ******* *********** *************

    Book Review: How Risky Is It, Really?



David Ropeik is a writer and consultant who specializes in risk
perception and communication. His book, How Risky Is It, Really?: Why
Our Fears Don't Always Match the Facts, is a solid introduction to the
biology, psychology, and sociology of risk. If you're well-read on
the topic already, you won't find much you didn't already know. But
if this is a new topic for you, or if you want a well-organized guide
to the current research on risk perception all in one place, this is
pretty close to the perfect book.

Ropeik builds his model of human risk perception from the inside out.
Chapter 1 is about fear, our largely subconscious reaction to risk.
Chapter 2 discusses bounded rationality, the cognitive shortcuts that
allow us to efficiently make risk trade-offs. Chapter 3 discusses some
of the common cognitive biases we have that cause us to either
overestimate or underestimate risk: trust, control, choice, natural
vs. man-made, fairness, etc. -- 13 in all. Finally, Chapter 4
discusses the sociological aspects of risk perception: how our
estimation of risk depends on that of the people around us.

The book is primarily about how we humans get risk wrong: how our
perception of risk differs from the reality of risk. But Ropeik is
careful not to use the word "wrong," and repeatedly warns us not to do
it. Risk perception is not right or wrong, he says; it simply is. I
don't agree with this. There is both a feeling and reality of risk
and security, and when they differ, we make bad security trade-offs.
If you think your risk of dying in a terrorist attack, or of your
children being kidnapped, is higher than it really is, you're going to
make bad security trade-offs. Yes, security theater has its place,
but we should try to make that place as small as we can.

In Chapter 5, Ropeik tries his hand at solutions to this problem:
"closing the perception gap" is how he puts it; reducing the
difference between the feeling of security and the reality is how I
like to explain it. This is his weakest chapter, but it's also a very
hard problem. My writings along this line are similarly weak. Still,
his ideas are worth reading and thinking about.

I don't have any other complaints with the book. Ropeik nicely
balances readability with scientific rigor, his examples are
interesting and illustrative, and he is comprehensive without being
boring. Extensive footnotes allow the reader to explore the actual
research behind the generalities. Even though I didn't learn much
from reading it, I enjoyed the ride.

How Risky Is It, Really? is available in hardcover and for the Kindle.
Presumably a paperback will come out in a year or so. Ropeik has a
blog, although he doesn't update it much.

http://www.amazon.com/exec/obidos/ASIN/0071629696/counterpane/

David Ropeik:
http://dropeik.com/

My essay on the feeling and reality of security:
http://www.schneier.com/blog/archives/2008/04/the_feeling_and_1.html

My essay on the value of security theater:
http://www.schneier.com/blog/archives/2007/01/in_praise_of_se.html


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its
entirety.

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Schneier on Security," "Beyond Fear," "Secrets and
Lies," and "Applied Cryptography," and an inventor of the Blowfish,
Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the
Chief Security Technology Officer of BT BCSG, and is on the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is
a frequent writer and lecturer on security topics. See
<http://www.schneier.com>.

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.

Copyright (c) 2010 by Bruce Schneier.
