Schneier on Security
A blog covering security and security technology.
« Time to Patch Your HP Printers |
| The TSA Proves its Own Irrelevance »
January 6, 2012
Friday Squid Blogging: Squid Skateboards
Posted on January 6, 2012 at 4:36 PM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This article on twins is only tangentially related to security but there are several paragraphs in the article that discuss on-going research by the FBI to improve facial recognition technology through the use of twins.
In contradiction to public comments reported about on this blog the article paints a highly negative view on the efficacy of current facial recognition technology with one unnamed LEA stating that FRT would "probably not" be able to catch a criminal.
I tried to track down more details about the on-going research but I was not able to. Could be classified.
If private parties can be licensed to fly drone aircraft over the US national airspace (not to mention usage of drones by domestic law enforcement), how should privacy issues be taken into account? In the spring of 2012, the FAA may propose rules with regard to the licensing of drone operators. The Center for Democracy and Technology (CDT) suggests that data collection information be required from holders of FAA drone licenses, among other things. (The CDT acknowledges that public availability of data collection statements will not resolve all privacy issues regarding drone aircraft.) Also, it would seem that issues could arise over privacy policies being difficult to understand or less meaningful than they appear to be.
On another issue, digital photos that contain camera serial numbers as metadata (or even better, serial numbers plus geotag info) may help owners to track down stolen cameras, among other things.
Stupid security practices: My bank has PINs for logging in on the mobile version of their website. While you can't do much with just the PIN, you can move money around from saving accounts to the card account.
And the security failure: Yesterday, when I was standing in line and were about to transfer money to the card account, they forced me to change the password.
Right there in the line, they expected me to make up a new password/PIN that is hard to guess AND that I will remember afterwards!
New DoS technique
Qualys Security Labs researcher Sergey Shekyan has created a proof-of-concept tool that could be used to essentially shut down websites from a single computer with little fear of detection. The attack exploits the nature of the Internet's Transmission Control Protocol (TCP), forcing the target server to keep a network connection open by performing a "slow read" of the server's responses.
A blog reader:
That third link was really interesting. I expect there are analogous issues with modern computer-to-computer gaming.
There's a board game called Frag which simulates a networked game where players are trying to kill each other-- complete with "hack" cards which let you do things like suddenly have unlimited ammo, or cause another player's connection to freeze up (i.e., make them lose a turn).
Looking at the released NSA docs up on cryptome the other day I thought I'd have a look at what else is up there. And the following caught my eye,
Because it indicates that the RSA and other attacks claimed in the US to be "China APT" may actualy have originated in Russia not China...
Now I admit I'm a litttle biased because I feel the US "China APT War Hawks" are very like "the boy who cried wolf" or "chicken little" if you preferre. Mainly because they are trying way to hard to shift blaim in China's direction rather than maintain an open and cautious view point. As I've said before most sufficiently advanced nations including all of America's allies are very much into cyber-espionage, and also many criminal gangs are sufficiently advanced to be major plays in "the great game" as it used to be called.
Which leaves the important question of why the US "China APT" "war hawks" are talking it up as much as they are... Could it be they are to inept to spot cyber-espionage from other nations? Or perhaps they have another agenda?
Me I'm keeping an eye on the North / South Korea issue, after all the US has something like 100,000 military personnel in the region around China and appear to be activly encoraging saber rattling type behaviour in South Korea, Japan and Taiwan
Any one want too bet if the next US "Military involvment" will be Middle East (ie Iran) or Far East (ie China's proxies)?
Again via cryptome, the following caught my eye,
It's a quick look at the. "physics of brut forcing a 128bit key" and concludes some quite interesting time and energy limitations as to why it's not realy possible to brut force a 128bit key.
Clive: Somebody also pointed out that if you'd build such a computer as a compact 1 m^3 block with as tiny components as possible (atoms as transistors), working at the maximum possible clock frequency, it would become hotter than a star. Like, supernova or something. It would simply just evaporate.
"Any one want too bet if the next US "Military involvment" will be Middle East (ie Iran) or Far East (ie China's proxies)?"
I think you underestimate China and the game they must play given the hand that they have been dealt.
I agree completely that China ATP belongs in the same boat as Iraq WMD. It is something to keep an eye on but it is not the main game...
As far as N/S Korea goes,in my opinion S/Korea can have all of Korea anytime it wants it. IF the US withdraws from the region and Taiwan and the other islands including Okinawa are returned to China.
When the US is desperate enough to make the above deal, then China with gladly fix the N/Korea problem. However up until this time they have a lunatic neighbor (that listens to them) positioned between them and their ultimate enemy (US) that's not a bad strategy. It gives them lots of opportunities to extract small favors from the regions 2nd tier players (such as oil rights for Sth China Sea). All this equals an increasingly powerful hand that they can play WHEN IT SUITS CHINA!
Hackers Expose India's Backdoor Intercept Program
Contains such nuggets as: "Security and privacy researcher Christopher Soghoian commented, “Due to export control [requirements], NSA (and until 2010, Commerce Dept) have source code for all US made enterprise security/communications products...”
Good find. India and a few other countries have been doing that for a long time. It was in the news a few times. I haven't seen any evidence backing up the claim that the NSA has the source code for every commercial encryption or security product. However, they do have the resources to reverse engineer critical components of the most widespread software. Hence, I err on the safe side assuming they know any flaws in any commercial product.
The solution is, of course, to get your stuff from a neutral country or at least one that's not likely to share with the US. EAL6/7 and DO-178B software development processes are also designed to prove there's no backdoors just as much as reducing the defects. Of course, the NSA does get source code for THOSE systems. Of course, at that quality level, the odds of them finding flaws are slim. And we still can buy foreign.
Examples: Cryptophone (German), Thales (France) inline encryptors, Norway's throwaway military gear, Chinese Loongson PC's, Israeli encryption or Russian military hardware. Of course, you must assume that the parent government might have a backdoor, so pick a country you don't mind listening in. Russia & China have the advantage of not cooperating with the US as much. And always get a local company to buy the stuff for you. More expensive, but increases protection.
I very much don't under estimate China, what they are doing to ring fence raw resources not just in their own territory but Africa and South America gives me grave cause for concern.
Put simply most Western Nations Politicians cannot look more than a few days into the future if that. Whilst Chinese "politicos" tend to think not just in years or decades but in generations.
Sadly the Western "short term" view point is going to prove significintly detrimental to our future we will find that at some point in the near future, we have outsourced not just our food production, or our industry, but also all our security and our ability to bargain in the world.
If you stand back from the monkeys tea party of our representive democracy where our elected representatives sell their opinions and votes to those with the ability to sufficiently enrich them as individuals and the parties they claim to allie themselves with, you will see that there is a degree of longterm policy.
However you have to look behind the policy to see what the aims and objectives are.
For instance "energy security" the big nations (US, Russia, China) are activly involved not just in trying to corner the current fossil fuel supplies but also the current viable replacment (nuclear).
In this respect it is a policy very similar to that of "water rights" that historicaly have turned many people into "vasal" status. Russia has demonstrated that they are quite happy to inflict unwanted political leverage on independant nations simply by breaching agreaments and turning of the energy tap. The US is also clearly trying to stop as many nations as possible from developing independant nuclear energy generation capability under the pretence of "non proliferation".
Hopefully I won't be around when the pigeons come home to roost...
Wifi (un)protected setup broken by brute force attack. http://sviehb.files.wordpress.com/2011/12/...
I'm shocked my truly random 63 character WPA2/AES password , mac address filtering, completely bypassed by a damn 7 digit PIN.
Pwnie awards 2012 we have an epic fail winner.
Go watch the excellent documentary Food Inc if you want to see why the food industry is so secretive about what goes on.
A couple of things in the news..
First from the Register the news that some smart meters leek sufficient information to work out what filmss etc people are watching,
The important thing to note is the sampling time of the channel of 2 seconds giving a bandwidth for signitures etc of 0.25Hz...
As some of you know I've been banging on about it for ages and some have doubted there is the bandwidth to get "reliable information" well this shows it is to a certain extent...
Secondly something that has made me smile is an articale that indicats the Anti-virus code that has been copied off of a server originated not on the AV Company server but one in India supposedly under the control of the Indian Itelligence Service...
Interestingly there was also (supposedly) evidnce that data from US Gov networks was up on the server... So now we have Indian-APT too add to the list ;-)
It would appear that the USAF Nellies base where they "fly" the drones from has changed over from Windows XP and it's pesky virus infection that caused such bad press over to Linux...
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.