Schneier on Security
A blog covering security and security technology.
« Conversation about Liars and Outliers on The WELL |
| Eye Twitch Patterns as a Biometric »
August 31, 2012
Friday Squid Blogging: "The Seasick Squid"
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on August 31, 2012 at 4:22 PM
• 53 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
An odd HiTec espionage story,
Hanjuan Jin, a former Motorola engineer of nine years was arrested when traveling on a "one way" ticket to China.
She was born in China but is a naturalised US Citizen.
It appears from the limited information available that what she took was propriety but not mil related information, after she returned from extended sick leave but was not offered any asignments to work on (usually a fairly reliable sign you are going to get kicked out the door as soon as HR can avoid legal complications).
It appears that shortly thereafter she applied to be laid off (as I understand it from old Mots the best paid out when your cards are marked as it saves face and legal exes on both sides). But for some reason not given this did not come about.
Also around this time she started negaotiations with a Chinese Telco related company for employment (although it has been alledged at trial by the prosecution she had carried out "Secret Military" work for the company whilst on sick leave the judge appears to have treated the information as unreliable at best from the convictions).
Shortly there after she left on the one way ticket, and when stopped was found to have considerable proprietry information.
It has been alleged that the information she took was not a "sweethart deal" to be handed over to the company but as a way to keep her value high in the form of self education / refrence.
Although I'm skeptical about both allegations (especialy the prosecutions), I don't think it was state level espionage in any way for a couple of reasons. Firstly it is unlikely she would have been alowed to buy a "one way direct flight" that is a major "red flag issue", and secondly they would have been very unlikely to have alowed her to travel with incriminating evidence when a couple of simple postal cut outs would have avoided that.
I get the feeling she had seen the state of the US economy with economic down turn (zero or less growth) in heer employment sector. And then felt by the way she was treated by Mot she was going to become jobless very quickly and would have seen that China's economy was still growing at over 8% at the time and decided to bail out of the US. And that whilst somewhat smart, was not worldly wise and. has paid the price.
However she will now be used as a "Poster Child" for the US "War Hawks" and "China APT" crowds up on the Hill.
It would appear somebody has decided to spill the beans on Oracle's patch of well manicured turff, again...
As many are aware Polish researchers told Oracle about some verry serious flaws in Java four months ago (some of which have been exploited in the wild). And Oracle appear to have draged their heals significantly, and have only jusst released at best a half harted patch which only fixes a few of the easier exploits the researchers found originally.
The result of this is many press quoted "security pundits" have said "disable or totaly remove java from your systems to protect yourself"...
But it gets worse apparently Oracle's patch has poured gas on the fire as there are bugs in it that actually made it easier to exploint other Java issues according to the same Polish researchers who have this time decided to go public immediatly rather than wait further on Oracle's so far tardy half a55ed performance...
Another odd espionage story involving US citizens and China,
Apparently the US man had actually failed to make contact with the Chinese, and then later told US investigators what he had planned to do.
Based on other stories it looks like he will be heading for a twenty to thirty year jail sentance (probably without hope of parole).
You have to ask yourself "why did he talk himself into jail", at best most odd but it raises the question of coercion, and what made 20-30years jail look good as an alternative...
@ Clive Robinson
You have to ask yourself "why did he talk himself into jail"
Seems he was interrogated first. The article does not indicate he confessed out of free will.
Seems he was interrogated first. The article does not indicate he confessed out of free will
Yes that thought was in my mind to.
Once upon a time it was fairly clear where the line was where accceptable interrogation technique stopped and illegal interrogation started which was a verry long way befor torture started.
Now thanks to "War on Terror" mission creep we have "enhanced / extended" interrogation which many regard as sadistic torture plain and simple. And if that fails a quick illegal trip (rendition) to a country where there is no line, or a US camp that is regarded as outside of the reach of the US judiciary, where again there is no line. All of which much of the Western world regards as being the same as tourture with the full approval of the US administration.
Yet the legal types on the hill argue otherwise with hair splitting logic that has no place in a country that believes it is a model of democracy that the rest of the world should aspire to.
@ Clive Robinson
Torturing another human or even an animal is not something a normal human being would approve. Only a sadist would approve such "tactic" as you said. People have tortured one another since the dawn of recorded history. It is only becoming more transparent and difficult to hide these days because of advances in communications.
Lightweight Portable Security - Linux LiveCD
"Lightweight Portable Security (LPS) is a Linux-based live CD with a goal of allowing users to work on a computer without the risk of exposing their credentials and private data to malware, key loggers and other Internet-era ills. It includes a minimal set of applications and utilities, such as the Firefox web browser or an encryption wizard for encrypting and decrypting personal files. The live CD is a product produced by the United States of America's Department of Defence and is part of that organization's Software Protection Initiative."
Do people outside the DoD seriously use this? Has anyone here tried it? I think the public release of it is funnier than sh*t.
Do people outside the DoD seriously use this? Has anyone here tried it? I think the public release of it is funnier than sh*t.
Well I don't know how good or bad it is, but pragmaticaly even if it's only marginaly better than a Live-CD only version of an MS OS it's likely to make internet banking etc a lot safer for the minority who chose to use it.
However for other uses where you are looking to fend off type three adversaries it's perhaps not a suitable end point, but may be OK as a forwarding node from an air gapped machine that is the end node.
Torturing another human or even an animal is not something a normal human being would approve.
Sadly, I disagree. I don't know if Bruce's book would support my theory (haven't had a chance to read it yet), but my belief is that "normal" people will happily toss someone onto the rack/into the dungeon if they believe it forwards a "higher" purpose: Personal safety, social organization, national security, what have you.
While tech and communication advances might make it harder to hide such behavior, it makes it easier to push out the story that "those bastiches deserved it", and the general reaction becomes "Meh..."
"Torturing another human or even an animal is not something a normal human being would approve."
Are you sure about that?
Stanford Prison Experiment
What "normal" people do depends largely on their emotional state, beliefs, environment & obedience to authority. Past research shows each of these can lead to some very bad things.
@ David, @Nick P
Torturing another human ...
1- Would you approve of torturing another human? Under what circumstances?
2- Do you consider yourselves "normal"?
Maybe my choice of words was not precise. "Normal" may not be the word I was looking for...
@ David, @ Nick P
"Do you consider yourselves "normal"? Is not meant as a personal attack. I think I consider myself "normal" and I don't approve of torture under any circumstances.
Within a small variance, I consider myself "normal"; but then, most people probably would.
The problem with the argument that "normal people wouldn't support/endorse torture" is that, on an individual basis, it is most likely correct. When you put the same question in the framework of larger groups (societies, parties, families, etc), the underlying premise changes.
Nick P's examples, which I agree with wholeheartedly, show that while individuals ("normal people") won't condone or carry out torture, the entire basis changes when there is another factor involved: Authority, us-vs-them, mob mentality, whatever.
The horror of it is that while every single person in a group can rightfully argue they won't do something because it is evil, they will allow the same thing to be done either as a group or to a group.
Maybe we're having two different discussion here...
@ David, @ Nick P
I stand corrected. You are both right, and I was wrong. I had a chance to look at the links Nick P provided. Those links changed my perspective a bit (enough to realize I was wrong). @ Nick P, you are amazing! I don't know how you find these links. Makes me think that Google comes to you for help with difficult searches ;)
I have more to say about that, but not now. Will keep it in the back of my mind for the time being...
@Clive Robinson - I think the point is that would you trust the US authorities to not phone home rather than their ability to assemble a secure distribution.
Rather like how the British distributed captured Enigma machines to friendly commonwealth countries after WWII - claiming that it was unbreakable.
Sorry about the appearance of playing both sides of the fence, but I don't think you are wrong at all--if you hand a hot poker to your average man/woman on the street, they would most likely refuse to use it on some other random individual (or animal) tied to a chair or table.
Give that random poker-holder an official title, and categorize the potential victim as an enemy of [the state/society/your family], and all bets are off.
Just like Agent K said in "Men in Black", a person is smart; people, on the other hand....
@David one of the difficulties modern armies face is teaching normal people to push a bayonet into another person - twist and pull.
However they do seem to have achieved a reasonable level of success.
"@ Nick P, you are amazing! I don't know how you find these links. Makes me think that Google comes to you for help with difficult searches ;)"
I appreciate the kindness. Google certainly helps. The particular cases were a result of my studies into human psychology, nature vs nurture, & brainwashing. Concepts like "free will", inherent goodness, etc. keep popping into discussions. They've been [almost] demolished by various studies & experiments. I remember the best of them and, when situation presents itself, drop bombs. ;)
The point, though, isn't to prove people wrong. There are aspects of human nature that people really need to come to grips with. A society in denial is setting itself up for a continuing stream of problems. In making effective societal security measures, it helps to know what the human element is capable of (or not) in a variety of circumstances.
@ Nick P
"Google certainly helps..."
I am saying Google comes to You for help, not the reverse!!!
Meaning Google needs your assistance ;)
Haha. I guess even a hundred thousand servers need some human intelligence every now and then. ;)
'bout the fable: you're gonna need more than a feeling to assume that you are better at something than everyone else; the # of those that actually are, is small enough to render this idea of superiority and self-sacrifice mute.
@Wael, that depends on whether radu means the idea is debatable or stops speaking (appealing) to people. :P
@wael mute as in silent, dumb etc.
definitely not debatable
Rather like how the British distributed captured Enigma machines to friendly commonwealth countries after WWII claiming that it was unbreakable.
Yes that is almost SOP for intel organisations in all WASP and other First World Nations, just as they don't spy on their own people. What they actually do is spy on another trusted countries people for them and the trusted country repays the favour by spying on their people. As far as I can tell the first formaly documented agreement to do this was the "BRUSA agreement" where UK troops maned US listening posts monitoring the US (but using NSA equipment and resources) and US troups mand listening posts monitoring the UK and Commonwealth countries using a mixture of DWP/MI8 and NSA equipment. BRUSA has been extended a number of times and includes most WASP nations, however the status of NZ is currently unknown they were members at one time but due to various differences with the US and Auz they may well be out.
It is well known that the "UK-US" special relationship is realy a "political nicety for UK Politico's" the reality has been that it is in effect "sacrificial" on the UK's behalf and "explotative" on the US's behalf. Because unlike the UK's nearest neighbour France the UK politico's have no faith in the abilities of UK scientists, engineers and other manufacturing workers, but are happy to take the scraps of the finance industries table for personal gain, whilst alowing the finance industry significant tax avoidence...
the status of NZ is currently unknown they were members at one time but due to various differences with the US and Auz they may well be out.
To the best of my knowledge, NZ is still an active member of the "data-collection fraternity" making use of their two eavesdropping dishes at Waihopai (near Blenheim in the north of the South Island). They're located at -41.576389,173.738889
This is the wiki page: http://en.wikipedia.org/wiki/GCSB_Waihopai but there are plenty of other web resources.
Bruce, a question for you!
I'm a member of VoF, the Swedish Septics Society, defending the scientific method and combating pseudoscience. I'm interested in security but is no expert. To my delight I found that you speak about evidence based security and you put charlatans in "the Dog House" once in a wile. I'm not an expert in security and no expert in biology, but I always find your Friday squid entry interesting (as a hobby biologist and a hobby security wannabe) and I found that your comment always is sensible and quite skeptic in nature, defending evidence based methods. I don't know why I'm writing this (drunk on Whiskey perhaps) but there is one area of expertise that is lacking even in the various skeptics societies, that is an expert of security. I have followed your argument with Sam Harris (he is totally wrong off course, but acknowledged as a skeptic) and I find that our lack of security expertise is demanding! I, as a security wannabe have a hard time sometimes to defend the field of security as a real profession with real science and no room for uneducated "common sense". I'm sure you will be a most sought after expert in the world of science defending skeptics. You will be a perfect member of CSICOP (currently known as CSI) or an organization as such. If you happens to come by Sweden, please drop me a line, and I will try to organize a lecture or such for the Swedish Skeptics Society (VoF - "Vetenskap och Folkbildning ["science and mass education"]).
Oh, I love those squids! Those creationists cannot even begun to understand the beauty of the beasts!
Perhaps a silly and unrelated comment, but the pilot episode for CBS' new Sherlock Holmes sitcom "Elementary" leaked on the internet this weekend and in the opening scene, I couldn't help but notice a copy of Schneier on Security prominently displayed on Sherlock's bookshelf.
Actually, a lot of people would agree that it is unethical not to torture a terrorist, if it provides good information. That said, I don't think the US actually tortures anyone.
Where in the 1946 BRUSA agreement, which has been declassified, does it say that the British will monitor the domestic communications of US citizens?
@Anon you're kidding, right?
You're certainly not saying that human rights apply only for most of us. Because, guess what?!, Hitler felt the same way about jews, gypsies etc.
What if, in order to preserve their ways Iranians capture American soldiers and torture them? If this provides good information, then it's ok by your reasoning.
Where in the 1946 BRUSA agreement, which has been declassified, does it say that the British will monitor the domestic communications of US citizens
That's a daft way of asking the question, such documents are not "permiso" but "non permiso" and even when excluding activities are generaly written in such a way as to have more wriggle room than a snake in the jungle.
Firstly I did not say "domestic communications" and with good reason, if you think about it from the UK perspective any US-US communications that crosses a border makes it "Foreign Communications" and legaly all "diplomatic areas" are regarded as Foreign soil within the nations they are situated, thuss for an Embassy in the US any signals received within it have crossed an international border. Those big antennas you see on top of many diplomatic buildings are not used only for diplomatic communications...
From the original discustions of the BRUSA agreement paragraph 3 said,
The parties agree to compleat exchange of the products of the following operations relating to Forign Communications :
And in the appendices we have "Definitions :" we find,
2. "Foreign Communications" as used in paragraphs 3 and 5 refers to the communications of any individual or agency or a faction, group or Nation that is not a party to this agreement.
Now if you look back at the rest of the document carefully it does not include the citizens of either country as being party to the agreement only various parts of the respective governments organisations.
So it in no way precludes Britain monitoring the signals eminating from non US Gov organisations and likewise the US of monitoring similar UK signals (there are however later exclusions on what we would now call "industrial espionage" but that has always be subject to "national security" interests).
BRUSA (later UKUSA) is as far as I can tell the first agreement to the almost unfettered exchange of SigInt between the US and the UK.
Now consider back when BRUSA was drafted personal communications amongst the citizenry was very much either by face to face contact or written letter, the use of the telephone was still very limited and "telegrams / Cables" where the way of communicating urgently to individuals. Even Telex systems where virtualy unknown.
Also consider at the time (still in war measures) the interception of domestic "posts and telecommunications" was very much allowed and carried out.
As and when "war measures" ceased (in some respects it never did in the UK due to various reasond to do with the break up of the Empire) and personal communications via electronic means became more popular the need to monitor them domestical became apparent unfortunatly other legislation was in the way. So that politico's could stand up in their places of representation and say "We do not spy on our Citizens" another method had to be found. And BRUSA/UKUSA became one such vehicle, with the scope of what constituted "Signals Intelligence" growing commensurately with that of technology.
As I noted BRUSA/UKUSA has been extended many times and the way this used to be done was by Memorandum of Intent / Understanding (MOI/U) that were kept in loose leaf folders and as such were in and out as circumstances required. The main reason for this originaly was to do in part with "code words" and "procedures" the latter often being "indoctrination" or "technical".
One advantage of the "war on terror" is it has allowed the USA and many other nations to go back to some form of "war measures" making surveillance on citizens by governmental agencies nolonger an issue.
Let me see Bruce has not posted since FS, and it is 15:00 in the UK which is now past his normal post time of ~13:30-14:00...
What are the rules in the US for posting somebody as missing?
Oh and by the junk pilling up in 100 Comments it looks like the Moderator has gone missing as well...
For now I'm assuming "Summer Hols" or "silly season" for the lack of posts ;-)
@ Clive Robinson
I figured Bruce is just doing what busy people do. Or sleeping in.
"Oh and by the junk pilling up in 100 Comments it looks like the Moderator has gone missing as well..."
I was wondering about that myself. The spammers have been hitting this blog hard recently.
Most of the recent spam problem comes from one spammer who can't figure out how to code links correctly. The spam filters give the comment a positive score for containing no links, then Movable Type strips out the bad code when displaying the comment. Not even the spammer wins.
For now I'm going to add a filter specifically for malformed links. I might wind up just getting rid of the bonus for not having a link, since it regularly lets through incompetent spammers who forgot to include one. I have to look at how many false positives that would cause, though.
I think you're insinuating an extreme claim: the US gets the British to spy on US citizens when it can't legally conduct the surveillance itself, without providing any evidence to support it. Regardless of however broad its international agreements may be, the US can only accept and store US person information from other countries, if that is permitted under its own intelligence oversight laws and regulations, which regulate both collection and retention of US person information. Accepting data from a foreign partner is defined as an act of collection in some documents, which can only happen under certain circumstances.
I think the BRUSA agreement is a lot narrower than you make it out to be.
If you read the agreement, the most significant section seems to be 3.a, which defines what intelligence is to be shared within the scope of the agreement. Section 3.a only refers to foreign communications and foreign communications for purposes of section 3.a is defined in a footnote as follows: "Throughout this agreement foreign communications are understood to mean all communications of the government or of any military, air, or naval force, faction, party, department, agency, or bureau of a foreign country, or of any person or persons acting or purporting to act therefor, and shall include [redacted] communications of a foreign country which may contain information of military, political, or economic value. Foreign country as used herein is understood to include any country, whether or not its government, is recognized by the US or the British Empire, excluding only the US, the British Commonwealth of Nations, and the British Empire." That definition would seem to exclude the sharing of communications that target US persons to the US government except in extremely rare circumstances(the US person is a known spy for a foreign country) as the type of information that would be shared under the terms of the agreement.
Why are you so insistent on trying to push words (as I've already indicated) I never said into my mouth?
Again you appear to be hung up on US-US domestic communications which I did not mention, you did.
And as I've already pointed out such US-US domestic communications would have not except in certain circumstances have crossed US borders untill the late part of the 20th Century. So would not have classified as "Foreign Communication" any way.
When quoting narowly defined legislation (such as Intel oversight) you also need to consider other legislation as pertains to what the FCC & USPO amongst others are allowed to do. In the case of the FCC monitor and record for evidentiary and regulatory reasons any licenced or unlicenced radio communications broadcast from US territory, the USPO likewise has powers again for evidentiary and regulatory reasons to open mail parcels and packages. Further all "common carriers" are given similar capabilities for (supposadly) "technical reasons" (also look into why some private services are alowed their own "private police forces").
As an example of what has gone on, it is reasonably well assumed and accepted as fact that the "Cable Companies" who had significant "previous" running up to WWII were very much complicit with supplying copies of comms going into such wired communications both during and after WWII, and it is believed for some time there after. And various respected authors have indicated and in some cases given sufficient information to show that this very probably the case.
Also you are assuming that "Foreign Partners" to the BRSUA/UKUSA just did "the collection" of US related or participated in border crossing Comms and handed it over as "raw intel" and fail to think a little further down the line about how the various BRUSA/UKUSA "personel transfers" went about, and why various "bases" in various countries whilst supposadly military instalations of the host nations were actually staffed in part but mainly run by US "civilian" personnel of which the UK had many, and what the reasoning behind it was.
For instance ask yourself a question...
Without actually fully monitoring a call how would the US know/not know if a foreign person or persons were communicating with a US person or organisation?
And again. I will point out the obvious point that you don't address or appear to want to consider, that the original agreement that could be varied at will and was to suit requirments as and when required. And yes we know beyond reasonable doubt it was modified on many many occasions and still is today (apparently Israel has recently been allowed as a partner to UKUSA).
Further your quote of the definition of SigInt for Foreign Communications used in 3(a) includes,
"... faction, party,... "
"... or of any person or persons acting or purporting to act therefor... "
What do you think "faction or party" actually means and thus what it's scope is?
Now when it comes to "US-US domestic" communications a very very significant quantity of it is of no interest or relevance to the US Intel agencies or any other intel organisations even today. And you also need to remember that untill fairly recently there was no way the bulk of it could be processed or even stored nor was there a desire to do so.
But I will reiterate the point that BRUSA was the first broad agrement on the transfer of SigInt, it was and still is modified on a regular basis and it served (and still does) as the primary model by which the WASP and related countries transfer SigInt and now other types of intel.
You said "... without providing any evidence to support it.", which is a bit of a daft thing to say when dealing with information about the intel organisations. They spend a very great deal of their time ensuring there is no evidence for mainly political reasons. I will however point out a few things that are not in dispute and are for various reasons public knowledge if you wish to go and find it.
Firstly we know for technical reasons all conversations on a transatlantic or other communications link have to be recovered if you wish to find any particular conversation etc in amongst the hundreds or thousands of other conversations.
Secondly we also know for technical reasons it is easier to record the raw data in bulk and then split it out. It also ensures you don't inadvertantly miss information.
Thirdly we know certainly that in the 1980's that the UK monitored all US to UK calls and definatly those going to both North and Southern Ireland due to trying to hunt down domestic terrorists and their funding.
We also know that due to the use of London as a "terrorist command hub" and the links between UK domestic terrorists and Middle East that a great deal of US originated traffic was intercepted and examined by US personnel in the UK and other UK territory (the US has a watching brief on the Middle East for obvious reasons going back to the end of WWII and still very much so today).
There is a lot more that is known due to photographs and other secondary sources of information but will not be "officialy" confirmed (if at all) for atleast 100years in the UK. Why do I say "if at all" well we know from the UK national archives that there is a lot of information missing about events that occured but the records of which are "not available". For instance take "ULTRA" (which is what BRUSA came from) most of the technical details were expunged from UK records, but due to US-UK info exchange a lot of the information has become available from US archives.
This has sometimes produced some commical behaviour. For instance the UK's GCHQ did not "officialy" exist for many years but, "unofficialy" they were well known about simply by looking at their recruitment adverts in the back of a magazine (Wireless World). During the "Thatcher Years" there were various "Official Secrets Act" (OSA) and Defence of the Realisation Act (DORA) court cases and one involved an investagatory journalist, the prosecution case was whittled away bit by bit untill they played their master card "he had revealed the name and location of an ultra secret organisation that he could not possibly have known about" when they reviled it was GCHQ the deffence simply held up a copy of Wireless World and it's recruitment add. It was at this point GCHQ became "officialy" existant and the court case collapsed into farce and ended shortly there after. Similar farce occured in another case against UK service personnel accused of spying for the Russians and likewise over Peter Wrights "Spy Catcher". You can if you wish get the information surounding these cases and it might prove of interest to you.
However I don't know what your agenda is so I'm going to stick with what I've said and not add further information for various reasons over and above that because I'm assuming that as the US saying has it "it's not in your pay grade".
@NickP: You forgot one of the most famous ones:
(It really pays to read the whole article, there are many interesting small insights and follow-up experiments)
In short: Most people will do pretty sick shit to other human beings when an authority figure tells them to, even when they would normally find those actions completely despicable.
I agree with Autolykos. Any sane person would be willing to commit outrageous things if something they value is threatened (or they are paid an enormous amount). It all depends on the circumstance, not always on the conscience or character of a person.
Clive Robinson - you have WAY too much time on your hands!
>>Clive Robinson - you have WAY too much time on your hands!
Glad you do! Your posts are some of the most interesting ones here! Thanks!
The statement you made that is provocative, was this one: "just as they don't spy on their own people. What they actually do is spy on another trusted countries people for them and the trusted country repays the favour by spying on their people."
Before the Church and Pike committee hearings in the mid-70s, the US did spy on its own citizens or read the international telegrams, at least those of intelligence interest. They got the telegrams directly from the telecommunications companies and processed them at NSA in Operation Shamrock, which has been declassified. Regardless of whether other countries sometimes gave the US information on US persons, the historical record doesn't support that NSA saw any need, political or otherwise, to outsource its collection on its own citizens prior to the Congressional investigations in the mid-1970s.
You continue to say: "As far as I can tell the first formaly documented agreement to do this was the "BRUSA agreement" where UK troops maned US listening posts monitoring the US (but using NSA equipment and resources)." Now, if you're there are foreign government employees using NSA facilities in the US to conduct surveillance targeting US persons in ways that are not FISA/US oversight compliant, then I would find that extremely hard to believe. However, maybe you were speaking historically of the pre-FISA era or by US listening posts, you meant posts owned by the US but not located in the US. If so, then I misunderstood your statement.
@ Bruce (and others),
One you might want to read,
Put simply adding "biometrics" (fingerprint reader and software) to supposadly make a laptop "more secure" actually made it "a lot lot less secure" due to the software.
Apparently it effects a lot of major lap top manufactures such as Dell etc. much beloved by "audit driven" organisations, and quite a few Government TLA's etc...
@Clive Robinson Re: Password cracking
US Patent 8,238,552 has the idea of using the passwords entropy to derive the PKDBF2 iteration count.
Short passwords: High iteration count
Long password Low iteration count
Thus you do not have a passwords/second rate anymore!
Us soldiers aren't terrorists, so I don't understand your post.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.