Schneier on Security

A blog covering security and security technology.

Password Sharing Among American Teenagers

Interesting article from the New York Times on password sharing as a show of affection.

"It's a sign of trust," Tiffany Carandang, a high school senior in San Francisco, said of the decision she and her boyfriend made several months ago to share passwords for e-mail and Facebook. "I have nothing to hide from him, and he has nothing to hide from me."

"That is so cute," said Cherry Ng, 16, listening in to her friend's comments to a reporter outside school. "They really trust each other."

We do, said Ms. Carandang, 17. "I know he'd never do anything to hurt my reputation," she added.

It doesn't always end so well, of course. Changing a password is simple, but students, counselors and parents say that damage is often done before a password is changed, or that the sharing of online lives can be the reason a relationship falters.

Ethnologist danah boyd discusses what's happening:

For Meixing, sharing her password with her boyfriend is a way of being connected. But it's precisely these kinds of narratives that have prompted all sorts of horror by adults over the last week since that NYTimes article came out. I can't count the number of people who have gasped "How could they!?!" at me. For this reason, I feel the need to pick up on an issue that the NYTimes let out.

The idea of teens sharing passwords didn't come out of thin air. In fact, it was normalized by adults. And not just any adult. This practice is the product of parental online safety norms. In most households, it's quite common for young children to give their parents their passwords. With elementary and middle school youth, this is often a practical matter: children lose their passwords pretty quickly. Furthermore, most parents reasonably believe that young children should be supervised online. As tweens turn into teens, the narrative shifts. Some parents continue to require passwords be forked over, using explanations like "because I'm your mother." But many parents use the language of "trust" to explain why teens should share their passwords with them.

Much more in her post.

Related: a profile of danah boyd.

Posted on January 27, 2012 at 6:39 AM • 31 Comments

Evidence on the Effectiveness of Terrorism

Readers of this blog will know that I like the works of Max Abrams, and regularly blog them. He has a new paper (full paper behind paywall) in Defence and Peace Economics, 22:6 (2011), 583–94, "Does Terrorism Really Work? Evolution in the Conventional Wisdom since 9/11, Defence and Peace Economics":

The basic narrative of bargaining theory predicts that, all else equal, anarchy favors concessions to challengers who demonstrate the will and ability to escalate against defenders. For this reason, post-9/11 political science research explained terrorism as rational strategic behavior for non-state challengers to induce government compliance given their constraints. Over the past decade, however, empirical research has consistently found that neither escalating to terrorism nor with terrorism helps non-state actors to achieve their demands. In fact, escalating to terrorism or with terrorism increases the odds that target countries will dig in their political heels, depriving the nonstate challengers of their given preferences. These empirical findings across disciplines, methodologies, as well as salient global events raise important research questions, with implications for counterterrorism strategy.

Posted on January 26, 2012 at 10:36 AM • 22 Comments

Federal Judge Orders Defendant to Decrypt Laptop

A U.S. federal judge has ordered a defendent to decrypt her laptop.

Posted on January 25, 2012 at 1:56 PM • 107 Comments

Supreme Court Rules that GPS Tracking Requires a Warrant

The U.S Supreme Court has ruled that the police cannot attach a GPS tracking device to a car without a warrant.

EDITED TO ADD (1/26): It seems I was wrong when I said that the ruling forces the police to get a warrant before placing a GPS tracking device on a car. The ruling is much more complicated and nuanced.

Posted on January 25, 2012 at 12:54 PM • 12 Comments

Research into an Information Security Risk Rating

The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals:

Existing risk management techniques are based on annual audits and only provide a snapshot of a partner's security posture. However, new vulnerabilities are discovered everyday and the industry needs a solution that enables a business to continuously monitor changing risk posture of all its partners and proactively manage assumed risks. The Phase II research objective is to build a scalable fully-automated ratings system. The research will focus on identifying and incorporating new data sources, improving the statistical properties of the ratings model, and making the ratings predictive of future behavior.

Historically, credit scoring has been a "cost and time-saving technology" that has provided tremendous value to lenders and borrowers alike by reducing costs, predicting future performance, and improving credit accessibility and affordability. Unlike credit scoring, no industry standard scoring service exists to rate business with respect to their information security risk. With Saperix's ratings service, businesses and government will have the potential to reap the same time and cost savings that lenders do from credit scoring services. If the research is successful, Saperix's solution would provide market incentives for improving security outcomes, which would be a significant change in how security investments are viewed by businesses.

I have no idea if this is snake oil or if it actually works, but note that this is a Phase II award. There was already a Phase I award, and the NSF must have liked the results from that.

Posted on January 25, 2012 at 6:44 AM • 13 Comments

Using Plant DNA for Authentication

Turns out you can create unique signatures from plant DNA. The idea is to spray this stuff on military components in order to verify authentic items and detect counterfeits, similar to SmartWater. It's a good idea in theory, but my guess is that the security is not going to center around counterfeiting the plant DNA, but rather in subverting the systems that apply, detect, and verify the chemicals.

Posted on January 24, 2012 at 6:46 AM • 12 Comments

Authentication by "Cognitive Footprint"

DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.

I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.

Posted on January 23, 2012 at 11:49 AM • 40 Comments

The Continued Militarization of the U.S. Police

The state of Texas gets an armed patrol boat.

I guess armed drones weren't enough for them.

Posted on January 20, 2012 at 6:39 AM • 57 Comments

The Onion on Facebook

Funny news video on Facebook and the CIA.

Posted on January 19, 2012 at 1:02 PM • 23 Comments

Using False Alarms to Disable Security

I wrote about this technique in Beyond Fear:

Beginning Sunday evening, the robbers intentionally set off the gallery's alarm system several times without entering the building, according to police.

The security staffers on duty, who investigated and found no disturbances, subsequently disabled at least one alarm. The burglars then entered through a balcony door.

Posted on January 19, 2012 at 6:36 AM • 36 Comments

Going Dark to Protest SOPA/PIPA

Tomorrow, from 8 am to 8 pm EST, this site, Schneier on Security, is going on strike to protest SOPA and PIPA. In doing so, I'll be joining Wikipedia (in English), BoingBoing, WordPress, and many others.

A list of participants, and HTML and JavaScript code for anyone who wants to participate, can be found here.

Posted on January 17, 2012 at 4:10 PM • 50 Comments

Tor Opsec

Good operational security guide to Tor.

Posted on January 17, 2012 at 12:29 PM • 21 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.