<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss1full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:cc="http://web.resource.org/cc/" xmlns="http://purl.org/rss/1.0/">

<channel rdf:about="http://www.schneier.com/blog/">
<title>Schneier on Security</title>
<link>http://www.schneier.com/blog/</link>
<description>A blog covering security and security technology.</description>
<dc:creator />
<dc:date>2009-11-20T13:21:14-06:00</dc:date>
<dc:rights>Copyright 2009 Bruce Schneier</dc:rights>
<admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=4.3-en" />


<items>
<rdf:Seq>
<rdf:li rdf:resource="http://www.schneier.com/blog/archives/2009/11/interview_with_15.html" />

<rdf:li rdf:resource="http://www.schneier.com/blog/archives/2009/11/failblog_on_sec.html" />

<rdf:li rdf:resource="http://www.schneier.com/blog/archives/2009/11/denial-of-servi.html" />

<rdf:li rdf:resource="http://www.schneier.com/blog/archives/2009/11/a_taxonomy_of_s.html" />

<rdf:li rdf:resource="http://www.schneier.com/blog/archives/2009/11/stabbing_people.html" />
</rdf:Seq>
</items>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/schneier/fulltext" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /></channel>


<item rdf:about="http://www.schneier.com/blog/archives/2009/11/interview_with_15.html">
<title>Interview with Me</title>
<link>http://www.schneier.com/blog/archives/2009/11/interview_with_15.html</link>
<description>&lt;p&gt;&lt;a href="http://risky.biz/RB2-schneier"&gt;Yet another&lt;/a&gt; interview with me.  This one is audio, and was conducted in Rotterdam in October.&lt;/p&gt;</description>
<dc:subject />
<dc:creator>schneier</dc:creator>
<dc:date>2009-11-20T13:21:14-06:00</dc:date>
</item>

<item rdf:about="http://www.schneier.com/blog/archives/2009/11/failblog_on_sec.html">
<title>FailBlog on Security</title>
<link>http://www.schneier.com/blog/archives/2009/11/failblog_on_sec.html</link>
<description>&lt;p&gt;Funny: &lt;a href="http://failblog.org/2009/11/07/career-fair-fail/"&gt;career fair fail&lt;/a&gt;.&lt;/p&gt;</description>
<dc:subject />
<dc:creator>schneier</dc:creator>
<dc:date>2009-11-20T11:11:19-06:00</dc:date>
</item>

<item rdf:about="http://www.schneier.com/blog/archives/2009/11/denial-of-servi.html">
<title>Denial-of-Service Attack Against CALEA</title>
<link>http://www.schneier.com/blog/archives/2009/11/denial-of-servi.html</link>
<description>&lt;p&gt;&lt;a href="http://www.wired.com/threatlevel/2009/11/calea/"&gt;Interesting&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;The researchers say they've found a vulnerability in U.S. law enforcement wiretaps, if only theoretical, that would allow a surveillance target to thwart the authorities by launching what amounts to a denial-of-service (DoS) attack against the connection between the phone company switches and law enforcement.

&lt;p&gt;[...]&lt;/p&gt;

&lt;p&gt;The University of Pennsylvania researchers found the flaw after &lt;a href="http://www.computerworld.com/s/article/9140717/How_to_DDOS_a_federal_wiretap?taxonomyId=17"&gt;examining the telecommunication industry standard&lt;/a&gt; ANSI Standard J-STD-025, which addresses the transmission of wiretapped data from telecom switches to authorities, according to IDG News Service. Under the 1994 Communications Assistance for Law Enforcement Act, or Calea, telecoms are required to design their network architecture to make it easy for authorities to tap calls transmitted over digitally switched phone networks.&lt;/p&gt;

&lt;p&gt;But the researchers, who &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/11/calea.pdf"&gt;describe their findings in a paper&lt;/a&gt;, found that the standard allows for very little bandwidth for the transmission of data about phone calls, which can be overwhelmed in a DoS attack. When a wiretap is enabled, the phone company's switch establishes a 64-Kbps Call Data Channel to send data about the call to law enforcement. That paltry channel can be flooded if a target of the wiretap sends dozens of simultaneous SMS messages or makes numerous VOIP phone calls "without significant degradation of service to the targets' actual traffic."&lt;/p&gt;

&lt;p&gt;As a result, the researchers say, law enforcement could lose records of whom a target called and when. The attack could also prevent the content of calls from being accurately monitored or recorded.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;The &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/11/calea.pdf"&gt;paper&lt;/a&gt;. &lt;a href="http://www.crypto.com/blog/calea_weaknesses/"&gt;Comments&lt;/a&gt; by Matt Blaze, one of the paper's authors.&lt;/p&gt;</description>
<dc:subject />
<dc:creator>schneier</dc:creator>
<dc:date>2009-11-20T06:11:17-06:00</dc:date>
</item>

<item rdf:about="http://www.schneier.com/blog/archives/2009/11/a_taxonomy_of_s.html">
<title>A Taxonomy of Social Networking Data</title>
<link>http://www.schneier.com/blog/archives/2009/11/a_taxonomy_of_s.html</link>
<description>&lt;p&gt;At the Internet Governance Forum in Sharm El Sheikh this week, there was a conversation on social networking data.  Someone made the point that there are several different types of data, and it would be useful to separate them.  This is my taxonomy of social networking data.&lt;/p&gt;

&lt;ol&gt;&lt;li&gt;&lt;b&gt;Service data&lt;/b&gt;.  Service data is the data you need to give to a social networking site in order to use it.  It might include your legal name, your age, and your credit card number.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Disclosed data&lt;/b&gt;.  This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Entrusted data&lt;/b&gt;.  This is what you post on other people's pages.  It's basically the same stuff as disclosed data, but the difference is that you don't have control over the data -- someone else does.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Incidental data&lt;/b&gt;.  Incidental data is data that other people post about you.  Again, it's basically the same stuff as disclosed data, but the difference is that 1) you don't have control over it, and 2) you didn't create it in the first place.&lt;/li&gt;

&lt;li&gt;&lt;b&gt;Behavioral data&lt;/b&gt;.  This is data that the site collects about your habits by recording what you do and who you do it with.&lt;/li&gt;&lt;/ol&gt;

&lt;p&gt;Different social networking sites give users different rights for each data type.  Some are always private, some can be made private, and some are always public.  Some can be edited or deleted -- I know one site that allows entrusted data to be edited or deleted within a 24-hour period -- and some cannot. Some can be viewed and some cannot.&lt;/p&gt;

&lt;p&gt;And people &lt;i&gt;should&lt;/i&gt; have different rights with respect to each data type.  It's clear that people should be allowed to change and delete their disclosed data.  It's less clear what rights they have for their entrusted data.  And far less clear for their incidental data.  If you post pictures of a party with me in them, can I demand you remove those pictures -- or at least blur out my face?  And what about behavioral data?  It's often a critical part of a social networking site's business model.  We often don't mind if they use it to target advertisements, but are probably less sanguine about them selling it to third parties. &lt;/p&gt;

&lt;p&gt;As we continue our conversations about what sorts of fundamental rights people have with respect to their data, this taxonomy will be useful.&lt;/p&gt;</description>
<dc:subject />
<dc:creator>schneier</dc:creator>
<dc:date>2009-11-19T12:51:17-06:00</dc:date>
</item>

<item rdf:about="http://www.schneier.com/blog/archives/2009/11/stabbing_people.html">
<title>Stabbing People with Stuff You Can Get Through Airport Security</title>
<link>http://www.schneier.com/blog/archives/2009/11/stabbing_people.html</link>
<description>&lt;p&gt;"&lt;a href="http://www.ncbi.nlm.nih.gov/pubmed/17325460?itool=EntrezSystem2.PEntrez.Pubmed.Pubmed_ResultsPanel.Pubmed_RVDocSum&amp;ordinalpos=257"&gt;Use of a pig model to demonstrate vulnerability of major neck vessels to inflicted trauma from common household items&lt;/a&gt;," from the &lt;i&gt;American Journal of Forensic Medical Pathology&lt;/i&gt;.&lt;/p&gt;

&lt;blockquote&gt;&lt;b&gt;Abstract&lt;/b&gt;.  Commonly available items including a ball point pen, a plastic knife, a broken wine bottle, and a broken wine glass were used to inflict stab and incised wounds to the necks of 3 previously euthanized Large White pigs. With relative ease, these items could be inserted into the necks of the pigs next to the jugular veins and carotid arteries. Despite precautions against the carrying of metal objects such as knives and nail files on board domestic and international flights, objects are still available within aircraft cabins that could be used to inflict serious and potentially life-threatening injuries. If airport and aircraft security measures are to be consistently applied, then consideration should be given to removing items such as glass bottles and glass drinking vessels. However, given the results of a relatively uncomplicated modification of a plastic knife, it may not be possible to remove all dangerous objects from aircraft. Security systems may therefore need to focus on measures such as increased surveillance of passenger behavior, rather than on attempting to eliminate every object that may serve as a potential weapon.&lt;/blockquote&gt;</description>
<dc:subject />
<dc:creator>schneier</dc:creator>
<dc:date>2009-11-19T07:10:41-06:00</dc:date>
</item>


</rdf:RDF>
