Bruce Schneier


Schneier on Security

A blog covering security and security technology.

Friday Squid Blogging: Squid T-Shirt

I like this one.

Posted on April 17, 2009 at 2:24 PM | 7 Comments


New Frontiers in Biometrics

Ears? Arm swinging? I guess biometrics is now the "it" thing to study.

Posted on April 17, 2009 at 5:41 AM | 26 Comments


Boston Police Consider Using Linux to be Ground for Suspicion

This is pretty awful. More war on the unexpected.

EDITED TO ADD (4/16): On further analysis, this seems more reasonable than I first thought.

Posted on April 16, 2009 at 6:48 AM | 77 Comments


How to Write a Scary Cyberterrorism Story

From Foreign Policy:

8. If you are still having trouble working the Chinese or the Russian governments into your story, why not throw in some geopolitical kerfuffle that involves a country located in between? Not only would it implicate both governments, it would also make cyberspace seem relevant to geopolitics. I suggest you settle on Kyrgyzstan, as it would also help to make a connection to the US military bases; there is no better story than having Russian and Chinese hackers oust the US from Kyrgyzstan via cyber-attacks. Bonus points for mentioning Azerbaijan and the importance of cyberwarfare to the politics of the Caspian oil; in the worst case, Kazakhstan would do as well. Never mention any connectivity statistics for the countries you are writing about: you don't want readers to start doubting that someone might be interested in launching a cyberwar on countries that couldn't care less about the Internet.

Posted on April 15, 2009 at 6:17 AM | 28 Comments


UK Terrorism Arrests

Details of the arrests made in haste after this inadvertent disclosure.

Posted on April 14, 2009 at 6:45 AM | 17 Comments


Tweenbots

Tweenbots:

Tweenbots are human-dependent robots that navigate the city with the help of pedestrians they encounter. Rolling at a constant speed, in a straight line, Tweenbots have a destination displayed on a flag, and rely on people they meet to read this flag and to aim them in the right direction to reach their goal.

Given their extreme vulnerability, the vastness of city space, the dangers posed by traffic, suspicion of terrorism, and the possibility that no one would be interested in helping a lost little robot, I initially conceived the Tweenbots as disposable creatures which were more likely to struggle and die in the city than to reach their destination. Because I built them with minimal technology, I had no way of tracking the Tweenbot's progress, and so I set out on the first test with a video camera hidden in my purse. I placed the Tweenbot down on the sidewalk, and walked far enough away that I would not be observed as the Tweenbot--a smiling 10-inch tall cardboard missionary--bumped along towards his inevitable fate.

The results were unexpected. Over the course of the following months, throughout numerous missions, the Tweenbots were successful in rolling from their start point to their far-away destination assisted only by strangers. Every time the robot got caught under a park bench, ground futilely against a curb, or became trapped in a pothole, some passerby would always rescue it and send it toward its goal. Never once was a Tweenbot lost or damaged. Often, people would ignore the instructions to aim the Tweenbot in the "right" direction, if that direction meant sending the robot into a perilous situation. One man turned the robot back in the direction from which it had just come, saying out loud to the Tweenbot, "You can't go that way, it's toward the road."

It's a measure of our restored sanity that no one called the TSA. Or maybe it's just that no one has tried this in Boston yet. Or maybe it's a lesson for terrorists: paint smiley faces on your bombs.

Posted on April 13, 2009 at 6:14 AM | 51 Comments


Friday Squid Blogging: Squid Cartoon

Lio.

Posted on April 10, 2009 at 4:10 PM | 7 Comments


How Not to Carry Around Secret Documents

Here's a tip: when walking around in public with secret government documents, put them in an envelope.

A huge MI5 and police counterterrorist operation against al-Qaeda suspects had to be brought forward at short notice last night after Scotland Yard's counter-terrorism chief accidentally revealed a briefing document.

[...]

The operation was nearly blown when Assistant Commissioner Bob Quick walked up Downing Street holding a document marked "secret" with highly sensitive operational details visible to photographers.

The document, carried under his arm, revealed how many terrorist suspects were to be arrested, in which cities across the North West. It revealed that armed members of the Greater Manchester Police would force entry into a number of homes. The operation's secret code headed the list of action that was to take place.

Now the debate begins about whether he was just stupid, or very very stupid:

Opposition MPs criticised Mr Quick, with the Liberal Democrats describing him as "accident prone" and the Conservatives condemning his "very alarming" lapse of judgement.

But former Labour Mayor of London Ken Livingstone said it would be wrong for such an experienced officer to resign "for holding a piece of paper the wrong way".

It wasn't just a piece of paper. It was a secret piece of paper. (Here's the best blow-up of the picture.) And surely these people have procedures for transporting classified material. That's what the mistake was: not following proper procedure.

He resigned.

Posted on April 10, 2009 at 7:06 AM | 72 Comments


U.S. Power Grid Hacked, Everyone Panic!

Yesterday I talked to at least a dozen reporters about this breathless Wall Street Journal story:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

"The Chinese have attempted to map our infrastructure, such as the electrical grid," said a senior intelligence official. "So have the Russians."

[...]

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, "If we go to war with them, they will try to turn them on."

Officials said water, sewage and other infrastructure systems also were at risk.

"Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts," Director of National Intelligence Dennis Blair recently told lawmakers. "A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure."

Read the whole story; there aren't really any facts in it. I don't know what's going on; maybe it's just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And I wrote about last year's reports of international hacking of our SCADA control systems here.

Posted on April 9, 2009 at 12:02 PM | 54 Comments


P2P Privacy

Interesting research:

The team of researchers, which includes graduate students David Choffnes (electrical engineering and computer science) and Dean Malmgren (chemical and biological engineering), and postdoctoral fellow Jordi Duch (chemical and biological engineering), studied connection patterns in the BitTorrent file-sharing network -- one of the largest and most popular P2P systems today. They found that over the course of weeks, groups of users formed communities where each member consistently connected with other community members more than with users outside the community.

"This was particularly surprising because BitTorrent is designed to establish connections at random, so there is no a priori reason for such strong communities to exist," Bustamante says. After identifying this community behavior, the researchers showed that an eavesdropper could classify users into specific communities using a relatively small number of observation points. Indeed, a savvy attacker can correctly extract communities more than 85 percent of the time by observing only 0.01 percent of the total users. Worse yet, this information could be used to launch a "guilt-by-association" attack, where an attacker need only determine the downloading behavior of one user in the community to convincingly argue that all users in the communities are doing the same.

Given the impact of this threat, the researchers developed a technique that prevents accurate classification by intelligently hiding user-intended downloading behavior in a cloud of random downloading. They showed that this approach causes an eavesdropper's classification to be wrong the majority of the time, providing users with grounds to claim "plausible deniability" if accused.

Posted on April 9, 2009 at 7:07 AM | 17 Comments


Police Powers and the UK Government in the 1980s

I found this great paragraph in this article on the future of privacy in the UK:

One of the few home secretaries who dominated his department rather than be cowed by it was Lord Whitelaw in the 1980s. He boasted how after any security lapse, the police would come to beg for new and draconian powers. He laughed and sent them packing, saying only a bunch of softies would erode British liberty to give themselves an easier job. He said they laughed in return and remarked that "it was worth a try".

Posted on April 8, 2009 at 1:25 PM | 21 Comments


Social Networking Identity Theft Scams

Clever:

I'm going to tell you exactly how someone can trick you into thinking they're your friend. Now, before you send me hate mail for revealing this deep, dark secret, let me assure you that the scammers, crooks, predators, stalkers and identity thieves are already aware of this trick. It works only because the public is not aware of it. If you're scamming someone, here's what you'd do:

Step 1: Request to be "friends" with a dozen strangers on MySpace. Let's say half of them accept. Collect a list of all their friends.

Step 2: Go to Facebook and search for those six people. Let's say you find four of them also on Facebook. Request to be their friends on Facebook. All accept because you're already an established friend.

Step 3: Now compare the MySpace friends against the Facebook friends. Generate a list of people that are on MySpace but are not on Facebook. Grab the photos and profile data on those people from MySpace and use it to create false but convincing profiles on Facebook. Send "friend" requests to your victims on Facebook.

As a bonus, others who are friends of both your victims and your fake self will contact you to be friends and, of course, you'll accept. In fact, Facebook itself will suggest you as a friend to those people.

(Think about the trust factor here. For these secondary victims, they not only feel they know you, but actually request "friend" status. They sought you out.)

Step 4: Now, you're in business. You can ask things of these people that only friends dare ask.

Like what? Lend me $500. When are you going out of town? Etc.

The author has no evidence that anyone has actually done this, but certainly someone will do this sometime in the future.

We have seen attacks by people hijacking existing social networking accounts:

Rutberg was the victim of a new, targeted version of a very old scam -- the "Nigerian," or "419," ploy. The first reports of such scams emerged back in November, part of a new trend in the computer underground -- rather than sending out millions of spam messages in the hopes of trapping a tiny fraction of recipients, Web criminals are getting much more personal in their attacks, using social networking sites and other databases to make their story lines much more believable.

In Rutberg's case, criminals managed to steal his Facebook login password, steal his Facebook identity, and change his page to make it appear he was in trouble. Next, the criminals sent e-mails to dozens of friends, begging them for help.

"Can you just get some money to us," the imposter implored to one of Rutberg's friends. "I tried Amex and it's not going through. ... I'll refund you as soon as am back home. Let me know please."

Posted on April 8, 2009 at 6:43 AM | 52 Comments


Powered by Movable Type. Photo at top by Steve Woit.

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
