Bruce Schneier
Schneier on Security
A blog covering security and security technology.

October 11, 2007
My Talk at Defcon 15

Here's a video of my talk at Defcon 15.

Posted on October 11, 2007 at 4:26 PM • 16 Comments

Comments

Would someone who saw that talk or watched the video be kind enough to give an overview? TIA!
Posted by: Bob at October 11, 2007 5:29 PM

> Would someone who saw that talk or watched the video

Heck, even someone who gave the talk would be OK!
Posted by: j at October 11, 2007 6:40 PM

Talking about SHA-1, you used as an example of an emergency a fire breaking out. Far safer would be "our ship just hit an iceberg". It will never be taken literally. Of course DHS could accuse you of making a terroristic threat, but I bet you'd beat the charge in court. Of course that's if you ever got to court.
Posted by: Roy at October 11, 2007 6:46 PM

IMO, they should have provided an audio version, since the video isn't necessary. The talk was in the form of a Q&A covering various topics in brief. Here are a few notes and paraphrases. Any mistakes are undoubtedly mine.

TSA - security is a negotiation: what are you going to give vs. what are you going to get?

ON PRIVACY
Orwell got it wrong - it's not about intentional surveillance by big brother. Everything you do now leaves an incidental trail that is saved. We tend to like the primary uses of that data (Amazon book recommendations); it's the secondary uses we're not so crazy about (third-party datamines sold to anyone for anything). And this does have effects on us. How many times have you had a phone conversation where someone says "ha ha, I hope the FBI isn't listening"? And even though it's a joke, you realize that you do feel constrained in what you say.
And the 4th Amendment doesn't work to protect our privacy (secure our person and papers) when our papers are not in our desks; they're in our SMS messages, ISPs and Google, etc. Right now the approach that seems to be winning is the libertarian "let the market sort it out" deal. But you all, whom the data is about, have no say in this market. But we have the opportunity right now to say what the future of privacy looks like, instead of waiting until it's too late and then wondering why we didn't handle it. Europe has some decent privacy laws (but they don't cover everything). Most likely, we'll deal with privacy the way we're dealing with industrial pollution. Nothing serious will be done until things get really really bad. We'll do some things around the fringes.

VOTING
The scanner tells the voter instantly whether there was an undervote or overvote. The paper is kept securely. So you have fast tally and automatic auditing.

CRYPTOGRAPHY VS CPU POWER
In computer security, the math favors the attacker. Everything can be perfect except for one flaw, and the attacker can find and exploit that. But cryptography is the exception. The math favors the defender. No, cryptography isn't under threat. Breaking cryptography isn't how we get through. Does the FBI crack PGP? No, they just install a key logger. It's easier to go around the cryptography than to break it. And there are things that will trip you up. Your OS may save the key in cache somewhere, etc. Some company decrypts stuff on hard disks by scanning the whole drive for text strings and using them as a key. It works in a great proportion of cases.

LAPTOP SECURITY
But the best security for a laptop is to NOT PUT YOUR FILES ON IT. [Best quote of the talk!]

CAN YOU TRUST ANTI-VIRUS COMPANIES [when they may have a conflict of interest]?
Posted by: Note Taker at October 11, 2007 7:58 PM

The closing part was a joke (?) about a reverse Q&A after that Q&A. Was there a video of it?
Posted by: Andy at October 11, 2007 9:12 PM

"Data is the pollution of the information age." The Industrial Revolution created - more or less - the current environmental problems. Data might kill privacy. In 100 years we will be judged according to how we dealt with this problem.
Albacore
Posted by: Albacore at October 12, 2007 2:07 AM

Another thing people here might find interesting.
Posted by: Albacore at October 12, 2007 2:19 AM

FYI, this doesn't work in Netscape 7.2 on Windows XP. Not your fault, I know, but I know YouTube works perfectly, if you feel like putting another source online.
Posted by: Markus at October 12, 2007 4:23 AM

Re: Albacore
The usual justification is that your personal data, phone conversations, database entries etc. become someone else's business data once digitized, therefore they belong to this "someone else." E.U. privacy laws insist on tagging ownership of personal data to avoid this re-classification.
Posted by: Thomas Veesenmayer at October 12, 2007 6:16 AM

@Albacore & Thomas Veesenmayer
And yet the E.U. now *requires* ISPs to retain data about you (connection logs and such, I'm not sure about emails) for a fixed amount of time (2 years?). http://www.epic.org/privacy/intl/... They do this on the presumption that *if* you are later suspected of doing something illegal, then your ISP logs will be a treasure trove of evidence. I find that form of justification absolutely astounding. And it's a disaster for privacy.
Posted by: Note Taker at October 12, 2007 12:56 PM

Bruce, Great talk! :) My vote for favorite part was about side-channel attacking. (i.e. - the installation of a key logger rather than having to break N-bit encryption.) I think side-channel attacking would be a worthy subject for a book or article dealing with how most of the post-9/11 security measures are vulnerable to these types of attacks. By the way, does anyone know of a way to quantify or measure vulnerability to side-channel attacking?
[Just wondering if it would prove out the thing about complex systems being more vulnerable than simple systems.]
Posted by: bzelbob at October 12, 2007 5:08 PM

For my money, Bruce's best advice was right at the beginning. On how he can be so productive: "Don't watch Television"
Posted by: Rich Wilson at October 13, 2007 4:23 PM

Nice Q&A, I just got around to watching that session. I saw a few while I was in Vegas and already a bunch on video, but not that one. Well, it was a high quality one and I am glad that I watched it.
http://www.roysac.com/blog/2007/09/... It's spread across 4 posts, but has a list of all 125 session videos with links to Google Video plus some other goodies available.
http://www.roysac.com/blog/2007/09/...
Thanks and Cheers!
Posted by: Carsten aka Roy/SAC at October 13, 2007 5:16 PM

@Note Taker
Basically you are right about data retention. However, this hasn't gone through supreme courts. One of the high European courts is expected to declare data retention (btw. in most countries it is six months, and *not* in effect yet) illegal. Thousands of people have filed lawsuits against their governments.
Posted by: Albacore at October 14, 2007 1:56 AM

Re: Note Taker
You're right about the data retention requirement, although it is prescribed in a semi-reasonable way (I think). Retention rules mainly target data that _may_ be considered public, such as which IPs were communicating (but not communication contents). Justification may be similar to caller-id: as basically anyone along the connection path may verify who's being called, this part may not be reasonably considered private. Obviously, the real difference is that databases persist, and the kind of secondary information, when aggregated, becomes much more valuable than it was in the non-online world. There are also local variations; I know about countries challenging retention times and similar details. Overall, I agree, it is still a troubling policy.

Another important difference, demonstrated in several E.U. countries, is how database access is restricted. Simply showing up at an ISP from some trade association, demanding access to logs, hopefully gets rejected. Typical file-sharing-related raids, on the other hand, are usually not assisted by the police, especially in countries where recordable media is taxed with a flat rate for expected copyright-violating behaviour. (In these countries, strictly speaking, downloading itself is legal, paid through the recordable media tax, but uploading is a copyright violation.) Assuming ISPs refuse to provide access without a warrant, one would believe (hope?) there are some controls on aggregate data.
Posted by: Thomas Veesenmayer at October 14, 2007 5:36 PM

@Thomas Veesenmayer:
> Retention rules mainly target data that _may_ be considered public, such as which IPs were communicating (but not communication contents). Justification may be similar to caller-id: as basically anyone along the connection path may verify who's being called, this part may not be reasonably considered private.

I'm not sure I'm convinced by that argument. For example, anyone along the connection path can read the *contents* of the IP packets or telephone calls as well. So the call contents should be considered just as public as the routing information. (Or, of course -- and my preferred interpretation -- the routing information should be considered private, just like the contents.)

To take a non-electronic example: by the original argument it is "public" information who attends an STD clinic, since anyone standing on the street outside can see who goes in. Does this mean it's OK for STD clinics to post their patient lists on the Internet, though? One would hope not...
Posted by: wm at October 17, 2007 7:09 AM
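Two threads above make the same point from different directions: Note Taker's summary of the talk mentions a company that recovers encrypted hard disks by scanning the whole drive for text strings and trying each one as the key, and bzelbob's comment calls the key-logger approach a side channel that avoids breaking N-bit encryption altogether. The following is an added example, written for this page and not code from the talk, the blog, or any vendor, of that drive-scanning attack. The container format (SHA-256 of the passphrase as key, an HMAC-based keystream, an HMAC tag that lets a guess be verified), the disk image bytes and the location of the passphrase residue are all constructed here for illustration.

```python
"""Going around the cryptography: recover a disk-encryption passphrase
from residue left on the same disk (swap, hibernation file, editor
temp files), then try every printable string as the key.

The container scheme below is a toy built for this example; the disk
image is constructed, not captured from a real system.
"""
import hashlib
import hmac
import re

TAG_LEN = 32


def derive_key(passphrase: bytes) -> bytes:
    # Toy KDF: a single SHA-256. Key strength is 256 bits, which is
    # exactly why the attacker will not try to brute-force it.
    return hashlib.sha256(passphrase).digest()


def keystream(key: bytes, length: int) -> bytes:
    # Counter mode built from HMAC-SHA256 so the example needs only stdlib.
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(passphrase: bytes, plaintext: bytes) -> bytes:
    key = derive_key(passphrase)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()   # lets a wrong key be detected
    return ct + tag


def decrypt(passphrase: bytes, blob: bytes):
    # Returns the plaintext, or None when the passphrase is wrong.
    key = derive_key(passphrase)
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, len(ct))))


def strings(data: bytes, min_len: int = 6):
    # Same idea as strings(1): runs of printable ASCII of at least min_len bytes.
    return [m.group() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


def candidates(runs):
    # Each run as found, each whitespace token in it, and the value part of
    # anything that looks like "name=value" or "name: value", deduplicated.
    out = []
    for run in runs:
        forms = [run] + run.split()
        for sep in (b"=", b":"):
            if sep in run:
                forms.append(run.split(sep, 1)[1].strip())
        for f in forms:
            if f and f not in out:
                out.append(f)
    return out


def recover(image: bytes, container: bytes):
    # Try every string harvested from the disk as the passphrase.
    for cand in candidates(strings(image)):
        pt = decrypt(cand, container)
        if pt is not None:
            return cand, pt
    return None, None


# Constructed sample data: the encrypted container sits on the same disk
# as a hibernation/swap fragment that still holds the passphrase dialog.
PASSPHRASE = b"correct horse battery staple"
SECRET = b"Q3 acquisition plan: do not distribute"
CONTAINER = encrypt(PASSPHRASE, SECRET)

DISK_IMAGE = (
    b"\x00" * 64
    + b"NTFS    " + b"\x00" * 24
    + b"C:\\Users\\alice\\Documents\\budget.xls\x00"
    + bytes(range(256)) * 2                                 # binary noise
    + b"dlg_passphrase=correct horse battery staple\x00"    # residue from swap
    + b"\xff" * 32
    + CONTAINER
)

if __name__ == "__main__":
    found, plaintext = recover(DISK_IMAGE, CONTAINER)
    print("passphrase:", found)
    print("plaintext :", plaintext)
```

The attacker never touches SHA-256, HMAC or the keystream; the tag only serves to tell a right guess from a wrong one, and a real product would use the container header's key-check field the same way. The defences are the ones the talk hints at: keep the key out of places the OS will write to disk (disable or encrypt swap and hibernation, wipe the passphrase from memory as soon as the key is derived), or, per the laptop advice above, keep the files off the machine altogether.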
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.