Schneier on Security

The Limits of Visual Inspection

Mon, 08 Feb 2010 13:54:20 -0600

Interesting research: Target prevalence powerfully influences visual search behavior. In most visual search experiments, targets appear on at least 50% of trials. However, when targets are rare (as in medical or airport screening), observers shift response criteria, leading to elevated miss error rates. Observers also speed target-absent responses and may make more motor errors. This could be a speed/accuracy tradeoff...

More Details on the Chinese Attack Against Google

Mon, 08 Feb 2010 06:03:05 -0600

Three weeks ago, Google announced a sophisticated attack against them from China. There have been some interesting technical details since then. And the NSA is helping Google analyze the attack. The rumor that China used a system Google put in place to enable lawful intercepts, which I used as a news hook for this essay, has not been confirmed. At...

New Attack on Threefish

Sun, 07 Feb 2010 08:06:59 -0600

At FSE 2010 this week, Dmitry Khovratovich and Ivica Nikolic presented a paper where they cryptanalyze ARX algorithms (algorithms that use only addition, rotation, and exclusive-OR operations): "Rotational Cryptanalysis of ARX." In the paper, they demonstrate their attack against Threefish. Their attack breaks 39 (out of 72) rounds of Threefish-256 with a complexity of 2252.4, 42 (out of 72) rounds...

Friday Squid Blogging: Squid Cookie

Fri, 05 Feb 2010 16:15:52 -0600

I wonder if it's tasty....

10 Cartoons about Airport Security

Fri, 05 Feb 2010 13:52:48 -0600

A slide show....

Scaring the Senate Intelligence Committee

Fri, 05 Feb 2010 11:59:38 -0600

This is unconscionable: At Tuesday's hearing, Senator Dianne Feinstein, Democrat of California and chairwoman of the Senate Intelligence Committee, asked Mr. Blair [the Director of National Intelligence] to assess the possibility of an attempted attack in the United States in the next three to six months. He replied, "The priority is certain, I would say" -- a response that was...

World's Largest Data Collector Teams Up With Word's Largest Data Collector

Fri, 05 Feb 2010 06:02:27 -0600

Does anyone think this is a good idea? Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users...

Security and Function Creep

Thu, 04 Feb 2010 06:35:11 -0600

Security is rarely static. Technology changes both security systems and attackers. But there’s something else that changes security's cost/benefit trade-off: how the underlying systems being secured are used. Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security...

Anonymity and the Internet

Wed, 03 Feb 2010 06:16:01 -0600

Universal identification is portrayed by some as the holy grail of Internet security. Anonymity is bad, the argument goes; and if we abolish it, we can ensure only the proper people have access to their own information. We'll know who is sending us spam and who is trying to hack into corporate networks. And when there are massive denial-of-service attacks,...

More Movie Plot Terrorist Threats

Tue, 02 Feb 2010 06:34:49 -0600

The Foreign Policy website has its own list of movie-plot threats: machine-gun wielding terrorists on paragliders, disease-laden insect swarms, a dirty bomb made from smoke detector parts, planning via online games, and botulinum in the food supply. The site fleshes these threats out a bit, but it's nothing regular readers of this blog can't imagine for themselves. Maybe they should...

Online Credit/Debit Card Security Failure

Mon, 01 Feb 2010 06:26:00 -0600

Ross Anderson reports: Online transactions with credit cards or debit cards are increasingly verified using the 3D Secure system, which is branded as "Verified by VISA" and "MasterCard SecureCode". This is now the most widely-used single sign-on scheme ever, with over 200 million cardholders registered. It's getting hard to shop online without being forced to use it. In a paper...

Friday Squid Blogging: Harrowgate's 1886 Giant Squid

Fri, 29 Jan 2010 16:25:10 -0600

I have no idea how to explain this....