Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.


December 16, 2005

Computer Crime Hype

I guess this is the season for sensationalist hype of computer crime: first CNN, and then USA Today (drug users and Internet crime, for a double-scary story).

Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four.

Posted on December 16, 2005 at 3:15 PM | 26 Comments


Comments

Well, one thing I've learned from CNN is that Bruce has misspelled his blog.

It should be:

Schn3i3r 0n S3curity

Posted by: Rich at December 16, 2005 5:46 PM


In Europe, the Four Horsemen are terrorists, organized crime, pedophiles and neo-nazis. Works very well, too. In fact, works well enough to scare the European Parliament into accepting a bill that mandates a gigantic surveillance infrastructure. I suppose the public is either scared as well or, as usual, not interested in anything except the latest celebrity "news". Maybe it's just me, but I didn't see more than a sidenote in any national news outlet (if it's mentioned at all), and much less any kind of public outrage. Pretty disturbing.

Posted by: MikeN at December 16, 2005 6:27 PM


Not drug dealers; music and movie pirates.

Speaking of which, Congresscritters are moving once again to hand the keys to our culture and public IP rights to a few media supercorporations:

http://www.eff.org/deeplinks/archives/004261.php

Posted by: Jonathan at December 16, 2005 9:26 PM


I thought the biggest scare was kids (=terrorists and organized crime) downloading music and movies.

Posted by: Ari Heikkinen at December 16, 2005 9:34 PM


Ugh.

The assault against privacy is never ending.

Posted by: Trevor at December 17, 2005 1:27 AM


Hmm, Bruce's "Internet Horsemen" have better irony, in that each of the four represents a crime that requires physical contact with a victim and/or a customer.

Posted by: David Harmon at December 17, 2005 7:39 AM


@David Harmon

Yeah, that's always been my gripe about new laws on surrendering encryption keys to the police. The way I summed it up was: "You can't encrypt a bloodstain."
http://www.kuro5hin.org/story/2003/12/27/32059/...

Posted by: OzJuggler at December 17, 2005 11:39 AM


"Bruce's 'Internet Horsemen' have better irony, in that each of the four represents a crime that requires physical contact with a victim and/or a customer."

The biggest threats have always been in places where the real world and the Internet intersect.

Posted by: Bruce Schneier at December 17, 2005 11:48 AM


"I thought the biggest scare was kids (=terrorists and organized crime) downloading music and movies."

Depends on who you are, doesn't it?

Posted by: Bruce Schneier at December 17, 2005 11:49 AM


i would regard a thief of my identity as an evil doppelganger sucking my life force, and only one of us would survive.

Posted by: another_bruce at December 17, 2005 2:56 PM


Sure, fear sells! What better way to turn off any critical thinking than scaring people? You just need a few seemingly plausible threats.

Companies seem to be catching on ... How about this thingy called "OnStar"? If you listen to their commercials, it sounds like you are invariably going to DIE in your car unless you get "OnStar".

Which coincidentally can spy on you, by listening to the conversations by means of the installed microphone. But, surely, "The Big Brother" always has YOUR best interests in his mind!

Posted by: Kostya at December 17, 2005 4:07 PM


I especially enjoyed the CNN poll on what I think is the biggest online threat:

- Spam
- Hackers
- Viruses
- Porn

Oh, yeah! That porn's always trying to get my personal information and hack my PC...

Posted by: D at December 18, 2005 9:57 PM


@Kostya

OnStar has always scared me. I have always figured that whoever figures out how to hack OnStar will have a great time tracking people, stealing cars, etc.

I don't mind having a GPS receiver in my car, or a physical switch-on transceiver, but having something that automagically goes on worries me a lot, especially when it's tied into the locks on the car.

Posted by: cyphertube at December 19, 2005 9:52 AM


"This is the Internet."
(free access to lots of information)

"This is the Internet after smoking ice."
(spam, phishing, pharming, pr0n, Nigeria-419)

Any questions?

Posted by: Ed T. at December 19, 2005 11:20 AM


onstar is a way creepy thing, i've seen the commercials, you get in some kind of trouble or lock yourself out of your car and this omniscient benevolent babysitter comes to your rescue.
if you need a babysitter while you're driving, you shouldn't be driving at all.
onstar is just the tip of the iceberg. there are also onboard diagnostic devices hooked up to the airbags in most new cars which record speed, braking, etc. and are available for later inspection by anybody who can get a court order.
the state of oregon formed a special commission to study a new tax on miles driven in oregon by oregonians. it would require a gps in every oregon-registered vehicle and the commission explained that this would inform the state when we'd left its borders so that we would no longer be taxed for those miles. yes, hacking this would be child's play. yes, i like to be all alone sometimes with nobody knowing where i am and i'm willing to execute drastic measures to achieve this, but worst of all.....
the tourists from california, they would be able to drive on the same roads i do and not be taxed! the oregon public services infrastructure is on life support in many areas, no sales tax, laughable property tax, only a vicious 9% income tax. my answer is to soak the tourists, not exempt them.

Posted by: another_bruce at December 19, 2005 11:50 AM


Why is this "sensationalist hype"?

Posted by: Rounin at December 20, 2005 7:43 AM


My friend wants to roll his mileage back on his lease. I know that this is wrong, but many dealers still do this. He is worried about his On-Star GPS: does this keep track of this? He did get an insurance break because of it, but if he is ever in an accident he is worried that they may pull other driving info from his past, like how fast he drives on a certain road, etc. Does anyone have any answers to this? It seems like it is a violation of your rights?

Posted by: Bryan at February 3, 2006 9:25 AM


Who will stop the US govt. attempts at jailing all its citizens?

Minutemen? The corrupt CIA? The US Army?
Allah? Jesus?
Will we be liberated by Moslems?

Posted by: REBEL at February 7, 2008 2:32 PM


Well I for one, like our new privacy invading overlords! (Until I can get a decent connection then I am getting me some sweet Vidalia Onion Routers and I will be on my anonymous way! I'd do it now but dial-up + TOR = Even lower speeds...)

Posted by: Tyler at March 3, 2008 6:46 PM


Privacy? Security?
His eyes were dark grey as he scanned the late afternoon sunlight.
As if you could find it now...
He leaned back, and said, "Listen. You bought the sneakers with the RFID that Wal-Mart
specified to be implanted in the soles for stocking and store security purposes, and then
you paid with a Visa card. The chip in your purchase will respond to a backscatter sensor
from over 30 feet away with a 54 digit Identifier. Therefore your shoes would give a good
investigator your Identification through your local Wal-Mart's computer records with a single query.

The number won't change, and will respond to any compatible RFID sensor you come close to.
Therefore, if you are looking for that "privacy and security", I suggest that you actually
microwave your sneakers for at least three seconds on high, and you better throw your
Target brand sweater in after that, and check your wallet too."
I was aghast. He continued,
"Wherever you've gone today, you're leaving a record you can't see."

Posted by: Eman Lluf at August 7, 2008 7:20 PM


Enabling TorButton first... Here's a scenario that could be in a book:
"Sergeant, what's the last online information we have of the ship's captain?"
"Sir, last we knew he was downloading the Tor bundle and using Firefox. We haven't been able to track him online since."
"How long ago was that?"
"Five years ago, sir…"

Posted by: dyno at September 10, 2008 3:57 PM


Sorry if this is just too newb, but can you tell me how to stop my ISP from invading my privacy? My address menu always displays something from them called Security Check, and it lists a secure URL for them. This happens whether I'm using Vista Firefox or Ubuntu Firefox. Can I block them from my system or will that prevent me from getting online? Does Tor provide security from them?

I also have questions about the ability of my employer (a hospital) to monitor my email, even though I never access it from work, nor do they pay for my account. They do, however, have a business agreement with the telecommunications company that also happens to be my ISP. I have remained steadfast in my refusing to accept a discounted phone bill through my employer's connection, because I assume that will legitimize their scrutiny.

Posted by: boyishman at January 9, 2009 10:26 AM


Governments have had a symbiotic relationship with Telcos since the 1940s.
As well as media services and all licensed broadcasters. (Hence licensing Laws)
The licensing agreements allow the government and its agencies to obtain any information they choose about anyone who uses their service. Under the pretense of privacy for the client. That is lie #55.
The best privacy is not letting the government or its agencies know your business. Period.

Posted by: Shelby at June 17, 2009 2:19 PM


Hi - I have an ex who I hope has forgotten my existence. I also sometimes post on blogs about my religion and how politics affects it. I was upset to find out that you can type in my name and get a map to my house.

When I tried to fix this myself, I ended up entering my email address, and now it is available online too. Can this be fixed? I just want peace. Thank you.

Posted by: hiding under the couch at December 26, 2009 4:28 AM


@ hiding under the couch,

"Can this be fixed? I just want peace."

Do you want the short answer or the long answer?

The short answer :- is after you type any of your details into an internet connected machine you might as well assume you have broadcast them to the world forever, so no, there is nothing you can do about what you have already typed.

The Long answer :- Is to dissociate the various parts of your life from each other and treat them in the same way you do "old school friends", "past friends", "ex girlfriends", "current work colleagues", "past work colleagues", "past church life", "current church life", etc etc.

That is, treat the various non-core parts of your life as separate roles, that each has an independent identity from each other that is fully disposable at a moment's notice.

Outside of your "core life" each role has its own nickname, email address, VoIP & mobile number, disposable pre-charge payment card and even postal address as required.

For your core life (tax, banking etc) do not use the Internet or anything other than good old fashioned "snail mail". Effectively use two separate PCs, one for offline "core life" activities, the other for "role based personas".

Be paranoid and assume they are out to get you as they genuinely are. The more details an entity can build up about you the more valuable the information becomes, not just to identity fraudsters but marketers and others you have had good reason to break ties with.

Never ever use your "core-life" real address, telephone number etc online, ever. Organisations you have supplied those details to never do business with online.

Monetary transactions should be by cash, that is, don't transfer money from your core-life bank account to pay bills or pre-charge a payment card. Never use a role based persona across roles, that is, if you are fred123 don't use the VoIP number for jim234. Likewise don't use mobile phones (even with different SIMs) for different roles. Old mobile phones can be bought for next to nothing. Never ever downgrade your core or role phones down to another role. When you want to get a new mobile, clean up the old one, take out the SIM and any Memory card and flog it via the offline second hand market. Always buy role based phones on that persona's pre-pay card.

All this is because at some point the data sets will cross over and it will be correlated (you cannot anonymise data with any level of utility sufficiently to prevent re-identification).

Oh and to clear up your current state, it's time to move your core life away from where you live (if you can) and offline permanently.

Two PCs sounds expensive but actually it's not. You have one good quality machine for your core life and another older machine with no hard disk, plenty of RAM and a memory stick for each persona. Run the system off a CD-ROM (not re-writable) based OS. If you cannot hack Unix then look at how to put MS onto CD-ROM, there are toolkits out there, but I'd advise against it. MS puts lots of machine based metadata into OS and user files including network card MAC addresses and CPU ID tags etc etc.

Have a hunt around on the Internet (from a cafe etc) for various advice documents for NGOs working in hostile countries, they go into various uses of anonymous services like TOR and re-mailers etc. DON'T put the document onto your hard drive, print it out and then securely delete it from a USB memory stick.

If you think this sounds paranoid, a few years ago it would have been, these days it's being moderately cautious, in a couple of years time you and many others will wish you had, and a few after that it will be normal behaviour for most sensible people.

Posted by: Clive Robinson at December 26, 2009 10:47 AM


If you're going to run a HD-less computer, and use OS's to run from CD-ROM: I just tried Slax Linux out. It has a really small footprint, only needs a small amount of RAM and you can build a custom one (add modules) on their website. But their Firefox can't run Youtube videos unless you tell it to disallow a certain ad script that runs on Youtube.

Posted by: emilyb at March 3, 2010 5:46 PM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.

 