Schneier on Security

A blog covering security and security technology.

Security Vulnerabilities of Smart Electricity Meters

10 hours 8 min ago
"Who controls the off switch?" by Ross Anderson and Shailendra Fuloria. Abstract: We're about to acquire a significant new cybervulnerability. The world's energy utilities are starting to install hundreds of millions of 'smart meters' which contain a remote off switch. Its main purpose is to ensure that customers who default on their payments can be switched remotely to a prepay...

DNSSEC Root Key Split Among Seven People

Wed, 07/28/2010 - 10:12am
The DNSSEC root key has been divided among seven people: Part of ICANN's security scheme is the Domain Name System Security, a security protocol that ensures Web sites are registered and "signed" (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate...

Pork-Filled Counter-Islamic Bomb Device

Tue, 07/27/2010 - 11:33am
Okay, this is just weird: Mark S. Price, a specialist in public security, and his privately held company, Paradise Lost Antiterrorism Network of America (www.plan-a.us), have recently applied to the United States Patent and Trademark Office for a Utility Patent on their Suicide Bomb Deterrent, a security device designed, manufactured and distributed by PLAN-A. This device has been designed to...

WPA Cracking in the Cloud

Tue, 07/27/2010 - 5:43am
It's a service: The mechanism used involves captured network traffic, which is uploaded to the WPA Cracker service and subjected to an intensive brute force cracking effort. As advertised on the site, what would be a five-day task on a dual-core PC is reduced to a job of about twenty minutes on average. For the more “premium” price of $35,...

1921 Book on Profiling

Mon, 07/26/2010 - 11:30am
Here's a book from 1921 on how to profile people....

Technology is Making Life Harder for Spies

Mon, 07/26/2010 - 5:12am
An article from The Economist makes a point that I have been thinking about for a while: modern technology makes life harder for spies, not easier. It used to be that technology favored spycraft -- think James Bond gadgets -- but more and more, technology favors spycatchers. The ubiquitous collection of personal data makes it harder to maintain a...

Friday Squid Blogging: Squidbillies

Fri, 07/23/2010 - 3:19pm
Where do these TV shows come from? Follows the adventures of the Cuylers, an impoverished and dysfunctional family of anthropomorphic, air-breathing, redneck squids who live in a rural Appalachian community in the US state of Georgia....

The Washington Post on the U.S. Intelligence Industry

Fri, 07/23/2010 - 11:46am
The Washington Post has published a phenomenal piece of investigative journalism: a long, detailed, and very interesting expose on the U.S. intelligence industry (overall website; parts 1, 2, and 3; blog; Washington reactions; top 10 revelations; many many many blog comments and reactions; and so on). It's a truly excellent piece of investigative journalism. Pity people don't care much about...

Internet Worm Targets SCADA

Fri, 07/23/2010 - 7:59am
Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause...

More Research on the Effectiveness of Terrorist Profiling

Thu, 07/22/2010 - 5:41am
Interesting: The use of profiling by ethnicity or nationality to trigger secondary security screening is a controversial social and political issue. Overlooked is the question of whether such actuarial methods are in fact mathematically justified, even under the most idealized assumptions of completely accurate prior probabilities, and secondary screenings concentrated on the highest-probability individuals. We show here that strong profiling...

Book on GCHQ

Wed, 07/21/2010 - 11:56am
A book on GCHQ, and two reviews. EDITED TO ADD (7/26): Another review....

EU Counterterrorism Strategy

Wed, 07/21/2010 - 4:50am
Interesting journal article evaluating the EU's counterterrorism efforts....

Economic Considerations of Website Password Policies

Tue, 07/20/2010 - 12:52pm
Two interesting research papers on website password policies. "Where Do Security Policies Come From?": Abstract: We examine the password policies of 75 different websites. Our goal is to understand the enormous diversity of requirements: some will accept simple six-character passwords, while others impose rules of great complexity on their users. We compare different features of the sites to find which characteristics...

New GAO Cybersecurity Report

Tue, 07/20/2010 - 5:43am
From the U.S. Government Accountability Office: "Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development." Thirty-six pages; I haven't read it....

Violating Terms of Service Possibly a Crime

Mon, 07/19/2010 - 12:11pm
From Wired News: The four Wiseguy defendants, who also operated other ticket-reselling businesses, allegedly used sophisticated programming and inside information to bypass technological measures -- including CAPTCHA -- at Ticketmaster and other sites that were intended to prevent such bulk automated purchases. This violated the sites' terms of service, and according to prosecutors constituted unauthorized computer access under the anti-hacking...

Embedded Code in U.S. Cyber Command Logo

Mon, 07/19/2010 - 5:53am
This is excellent. And it's been cracked already....

Friday Squid Blogging: Hawaiian Bobtail Squid

Fri, 07/16/2010 - 3:34pm
Symbiotic relationship between the Hawaiian bobtail squid and bioluminescent bacteria, with bonus security implications....

Skype's Cryptography Reverse-Engineered

Fri, 07/16/2010 - 11:08am
Someone claims to have reverse-engineered Skype's proprietary encryption protocols, and has published pieces of it. If the crypto is good, this is less of a big deal than you might think. Good cryptography is designed to be made public; it's only for business reasons that it remains secret....

The NSA's Perfect Citizen

Fri, 07/16/2010 - 4:19am
In what creepy back room do they come up with these names? The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's...

How to Spot a CIA Officer

Mon, 06/07/2010 - 4:43am
How to spot a CIA officer, at least in the mid-1970s. The reason the CIA office was located in the embassy -- as it is in most of the other countries in the world -- is that by presidential order the State Department is responsible for hiding and housing the CIA. Like the intelligence services of most other countries, the...