
Sat Feb 13 19:31:10 CET 2010

Challenges Need to Be Addressed to Improve Research and Development."
Thirty-six pages; I haven't read it.

Two interesting research papers on website password policies.

Interesting journal article evaluating the EU's counterterrorism efforts.

A book on GCHQ, and three reviews.

More research on the effectiveness of terrorist profiling:

Stuxnet is a new Internet worm that specifically targets Siemens WinCC
SCADA systems: used to control production at industrial plants such as
oil rigs, refineries, electronics production, and so on. The worm
seems to upload plant info (schematics and production information) to
an external website. Moreover, owners of these SCADA systems cannot
change the default password because it would cause the software to
break down.

The Washington Post has published a phenomenal piece of investigative
journalism: a long, detailed, and very interesting exposé on the U.S.
intelligence industry. It's a truly excellent piece of investigative
journalism. Pity people don't care much about investigative
journalism -- or facts in politics, really -- anymore.
My blog entry, with lots of links and reactions.

An article from The Economist makes a point that I have been thinking
about for a while: modern technology makes life harder for spies, not
easier. It used to be that technology favored spycraft -- think James
Bond gadgets -- but more and more, technology favors spycatchers. The
ubiquitous collection of personal data makes it harder to maintain a
false identity, ubiquitous eavesdropping makes it harder to
communicate securely, the prevalence of cameras makes it harder to not
be seen, and so on. I think this is an example of the general
tendency of modern information and communications technology to
increase power in proportion to existing power. So while technology
makes the lone spy more effective, it makes an institutional
counterspy organization much more powerful.

Here's a book from 1921 on how to profile people.

WPA cracking in the cloud.

In related news, there might be a man-in-the-middle attack possible
against the WPA2 protocol. Man-in-the-middle attacks are potentially
serious, but it depends on the details -- and they're not available

Okay, this is just weird: a pork-filled counter-Islamic bomb device.

DNSSEC root key split among seven people:

Security vulnerabilities of smart electricity meters.

Hacking ATMs to spit out money, demonstrated at the Black Hat conference:

The business of selling fear in the form of doomsday shelters.

Seems there are a lot of smartphone apps that eavesdrop on their
users. They do it for marketing purposes. Really, they seem to do it
because the code base they use does it automatically or just because
they can. (Initial reports that an Android wallpaper app was malicious
seem to have been an overstatement; the developers are just
incompetent, inadvertently collecting more data than necessary.)

Meanwhile, there's now an Android rootkit available.

Location-based encryption -- a system by which only a recipient in a
specific location can decrypt the message -- fails because location
can be spoofed. Now a group of researchers has solved the problem in
a quantum cryptography setting. Don't expect this in a product
anytime soon. Quantum cryptography is mostly theoretical and almost
entirely laboratory-only. But as research, it's great stuff.

More brain scanning to detect future terrorists:

Coffee cup disguised as a camera lens; yet another way to smuggle
liquids onto aircraft.

Ant warfare.

There's a new paper circulating that claims to prove that P != NP.
The paper has not been refereed, and I haven't seen any independent
verifications or refutations. Despite the fact that the paper is by a
respected researcher -- HP Labs' Vinay Deolalikar -- and not a crank,
my bet is that the proof is flawed.

Good information from Mikko Hypponen on the Apple JailbreakMe
vulnerability. Apple has released a patch. It doesn't help people with
old model iPhones and iPod Touches, or work for people who've
jailbroken their

"Facebook Privacy Settings: Who Cares?" by danah boyd and Eszter Hargittai.

UAE is threatening to ban BlackBerrys. It's a complicated story, and
I have much to say in my blog post:

Security analysis of smudges on smart phone touch screens.

Cloning retail gift cards.

** *** ***** ******* *********** *************

    WikiLeaks Insurance File

WikiLeaks has posted an encrypted 1.4 GB file called "insurance."
It's either 1.4 GB of embarrassing secret documents, or 1.4 GB of
random data bluffing. There's no way to know.

If WikiLeaks wanted to prove that their "insurance" was the real
thing, they should have done this:

    * Encrypt each document with a separate AES key.

    * Ask someone to publicly tell them to choose a random document.

    * Publish the decryption key for that document only.

That would be convincing.
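The three-step challenge above, as an added example that is not part of
this newsletter and has nothing to do with the file WikiLeaks actually
posted: the publisher seals each document under its own random AES-256-GCM
key, releases the ciphertexts (the posted file is itself the commitment),
and later reveals only the key for the slot a challenger names. The
document names and bodies, and the helper names Seal, Reveal and Open,
are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Document is one plaintext slot (sample data is constructed in main).
type Document struct {
	Name string
	Body []byte
}

// SealedDoc is the public part of a slot: its name and nonce||ciphertext||tag.
type SealedDoc struct {
	Name       string
	Ciphertext []byte
}

// Bundle pairs the published slots with the per-document keys that the
// publisher keeps secret until challenged.
type Bundle struct {
	Sealed []SealedDoc
	keys   [][]byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts every document under its own fresh AES-256 key. The slot
// name is bound as associated data, so a revealed key only authenticates
// the slot it was generated for and cannot be passed off as another.
func Seal(docs []Document) (*Bundle, error) {
	b := &Bundle{}
	for _, d := range docs {
		key := make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		gcm, err := newGCM(key)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := gcm.Seal(nonce, nonce, d.Body, []byte(d.Name)) // nonce prefixed
		b.Sealed = append(b.Sealed, SealedDoc{Name: d.Name, Ciphertext: ct})
		b.keys = append(b.keys, key)
	}
	return b, nil
}

// Reveal hands out the key for the one index the challenger chose.
func (b *Bundle) Reveal(i int) ([]byte, error) {
	if i < 0 || i >= len(b.keys) {
		return nil, errors.New("index out of range")
	}
	return b.keys[i], nil
}

// Open is what any third party runs on a published slot plus a revealed
// key; with the wrong key, the wrong slot or a modified ciphertext the
// GCM tag check fails and nothing is returned.
func Open(s SealedDoc, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(s.Ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, s.Ciphertext[:ns], s.Ciphertext[ns:], []byte(s.Name))
}

func main() {
	// Constructed sample documents, not real leaked material.
	b, err := Seal([]Document{
		{"memo-001", []byte("first document body")},
		{"memo-002", []byte("second document body")},
	})
	if err != nil {
		panic(err)
	}
	key, _ := b.Reveal(1) // index named in public by someone other than the publisher
	pt, err := Open(b.Sealed[1], key)
	fmt.Printf("slot 1: %q err=%v\n", pt, err)
	_, err = Open(b.Sealed[0], key)
	fmt.Println("slot 0 with that key:", err)
}
```

Two things the code makes concrete that the list glosses over. The index
must be chosen by someone the publisher does not control; otherwise the
publisher can pad the bundle with random filler and reveal the one slot
that is genuine. And a single reveal only proves that one slot is real;
a skeptic would ask for several independent picks, since each one that
opens cleanly shrinks the room for bluffing. Nothing here authenticates
who published the bundle; that would take a signature over the
ciphertexts, which is a separate question from whether they are real.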

In any case, some of the details might be wrong. The file might not be
encrypted with AES256. It might be Blowfish. It might be OpenSSL.
It might be something else.

Weird Iranian paranoia:

** *** ***** ******* *********** *************

    NSA and the National Cryptologic Museum

Most people might not be aware of it, but there's a National
Cryptologic Museum at Ft. Meade, at NSA Headquarters. It's hard to
know its exact relationship with the NSA. Is it part of the NSA, or is
it a separate organization? Can the NSA reclassify things in its
archives? David Kahn has given his papers to the museum; is that a
good idea?

A "Memorandum of Understanding (MOU) between The National Security
Agency (NSA) and the National Cryptologic Museum Foundation" was
recently released. It's pretty boring, really, but it sheds some
light on the relationship between the museum and the agency.

** *** ***** ******* *********** *************

    Schneier News

None this month. Summers are always slow.

** *** ***** ******* *********** *************

    Book Review: How Risky Is It, Really?

David Ropeik is a writer and consultant who specializes in risk
perception and communication. His book, How Risky Is It, Really?: Why
Our Fears Don't Always Match the Facts, is a solid introduction to the
biology, psychology, and sociology of risk. If you're well-read on
the topic already, you won't find much you didn't already know. But
if this is a new topic for you, or if you want a well-organized guide
to the current research on risk perception all in one place, this is
pretty close to the perfect book.

Ropeik builds his model of human risk perception from the inside out.
Chapter 1 is about fear, our largely subconscious reaction to risk.
Chapter 2 discusses bounded rationality, the cognitive shortcuts that
allow us to efficiently make risk trade-offs. Chapter 3 discusses some
of the common cognitive biases we have that cause us to either
overestimate or underestimate risk: trust, control, choice, natural
vs. man-made, fairness, etc. -- 13 in all. Finally, Chapter 4
discusses the sociological aspects of risk perception: how our
estimation of risk depends on that of the people around us.

The book is primarily about how we humans get risk wrong: how our
perception of risk differs from the reality of risk. But Ropeik is
careful not to use the word "wrong," and repeatedly warns us not to do
it. Risk perception is not right or wrong, he says; it simply is. I
don't agree with this. There is both a feeling and reality of risk
and security, and when they differ, we make bad security trade-offs.
If you think your risk of dying in a terrorist attack, or of your
children being kidnapped, is higher than it really is, you're going to
make bad security trade-offs. Yes, security theater has its place,
but we should try to make that place as small as we can.

In Chapter 5, Ropeik tries his hand at solutions to this problem:
"closing the perception gap" is how he puts it; reducing the
difference between the feeling of security and the reality is how I
like to explain it. This is his weakest chapter, but it's also a very
hard problem. My writings along this line are similarly weak. Still,
his ideas are worth reading and thinking about.

I don't have any other complaints with the book. Ropeik nicely
balances readability with scientific rigor, his examples are
interesting and illustrative, and he is comprehensive without being
boring. Extensive footnotes allow the reader to explore the actual
research behind the generalities. Even though I didn't learn much
from reading it, I enjoyed the ride.

How Risky Is It, Really? is available in hardcover and for the Kindle.
Presumably a paperback will come out in a year or so. Ropeik has a
blog, although he doesn't update it much.

David Ropeik:

My essay on the feeling and reality of security:

My essay on the value of security theater:

** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <>. Back issues
are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its

CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of
the best sellers "Schneier on Security," "Beyond Fear," "Secrets and
Lies," and "Applied Cryptography," and an inventor of the Blowfish,
Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the
Chief Security Technology Officer of BT BCSG, and is on the Board of
Directors of the Electronic Privacy Information Center (EPIC). He is
a frequent writer and lecturer on security topics. See

Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.

Copyright (c) 2010 by Bruce Schneier.
