Schneier on Security

November 20, 2009 3:13 PM

cynical on Denial-of-Service Attack Against CALEA:

"There are *much* better ways to achieve the goal.."

@notme

O RLY?

What's the goal, then?

Looks plain to me that the goal is merely to encourage the feds to pay the telcos for upgraded link bandwidth.

That furthers the goal of generating higher profits, and increasing stock prices. Which, in turn, leads to higher bonuses for telco execs.

Or you don't think that's a plausible goal?

---

November 20, 2009 3:12 PM

DTS on Stabbing People with Stuff You Can Get Through Airport Security:

Surely there's a way to give these scientists something useful to study...
what a total waste of time.

http://www.idiotstrafficschool.com
http://www.freetrytrafficschool.com
http://www.dummiestrafficschool.com

---

November 20, 2009 3:03 PM

sam on Best Buy Sells Surveillance Tracker:

You all don't know what the hell you're talking about. It's for kid 3 to 7 years old and whatever else you want to track. It works fine indroors as it uses cell towers and GPS for location.

---

November 20, 2009 2:50 PM

notme on Denial-of-Service Attack Against CALEA:

over-subscription != DoS...

this only works if:
a) there is no 'filter' at the 'tap' point
b) target has more usable BW than the smallest pipe between 'tap' and 'collector'.

Seriously folks.. I'm disappointed that this even made it here. There are *much* better ways to achieve the goal.. basic steg comes to mind (and yes you can steg voice).

---

November 20, 2009 2:28 PM

Clive Robinson on FailBlog on Security:

@ spaceman spiff,

As I'm stuck ill in a bed again awaiting the administrations of a nurse, I don't have a lot to do (appart from listening to the moans from those around me) I have found the following link for you,

http://mobile.bostonist.com/2008/02/01/...

Hope that helps you on your quest.

---

November 20, 2009 2:02 PM

Brian on FailBlog on Security:

Her name is "Star Simpsion"; the LEDs were in a shape of a star, and she was using that as her nametag at a career fair.

http://images.google.com/images?q=star+simpson

http://www.boingboing.net/images/x_2008/...

---

November 20, 2009 1:54 PM

Ralph on Denial-of-Service Attack Against CALEA:

It's quite common for telco networks to run protocols originally designed for limited data rates over completely different and/or much faster layers.

If I was attempting to avoid wiretaps, I wouldn't be relying on this DoS without positive confirmation that it actually works in practice.

---

November 20, 2009 1:52 PM

RonK on Denial-of-Service Attack Against CALEA:

@ Clive, Fred P, Grim Reaper

> Your setup will send multiple SMS's but
> from different IME's

I had thought that it wasn't very hard to clone a known IMEI/IMSI and this was a way to eavesdrop on cellular phone conversations. Or are those days long gone, now?

---

November 20, 2009 1:43 PM

Clive Robinson on FailBlog on Security:

@ spaceman spiff,

"I'd still like to get a picture of the gal in Boston who shut down the airport because of the blinky lights on her tee-shirt."

Do a google search on salient words and "schneier on security" to find the page and then have a look at some of the links.

IIRC one of them pointed of to a picture of her wearing the offending item.

If that does not work google her name I suspect a photo will still be on the web somewhere even if it's just on the Internet time machine.

---

November 20, 2009 1:29 PM

mcb on Stabbing People with Stuff You Can Get Through Airport Security:

@ Alex

"In the last two years over 80 people have been killed by law abiding concealed handgun license holders."

Since you possess the source of this interesting statistic, how many of these persons had presented a threat of deadly violence to the law abiding concealed handgun license holder who shot them?

In the words of Detective Callahan: "Nothing wrong with shooting as long as the right people get shot!"

---

November 20, 2009 1:25 PM

Clive Robinson on Denial-of-Service Attack Against CALEA:

@ Fred P,

With regards to Grim Reaper's comment,

"How would you send multiple simultaneous SMS messages? I bet you cannot? Lets see who can list the steps to doing so"

Your setup will send multiple SMS's but from different IME's thus different phones.

I suspect what Grim Reaper was questioning is the ability to send "multiple non identical SMS to multiple destinations from the same phone".

That indead would be a difficult problem. Although a single phone could be programed up to send an SMS to multiple phones and repeate with different messages they would be sequential. In practice I suspect the network response would be such that the agrigate bit rate would be well below 64Kb/S of a single ISDN barer channel.

---

November 20, 2009 1:19 PM

robd on A Taxonomy of Social Networking Data:

@SvdB: I follow you there.. If we're talking semantics, most social netw. sites give you control on your @tag (ie on the facebook platform, if someone tags you on a photo you can remove the tag, and if someone posts on your wall you can remove the post). That's data posted by others you can control.
But you can't prevent someone calling you an arsehole on his wall, or blog (unless you DMCA his ass) as well as you can't prevent the bad rep induced by some google suggests (which is content posted by others you can't control).
@Bruce: Wouldn't you think interresting to extend this taxonomy to google, which has many 'social' aspects?

---

November 20, 2009 12:56 PM

ObiJan on FailBlog on Security:

Point taken. For those curious but too lazy to browse the flickr stream:

Close-ups:

Front:
http://www.flickr.com/photos/paperghost/...

Back:
http://www.flickr.com/photos/paperghost/...

The idea was to have little fun-poking at those that treat us international travelers as terrorists each and every time.

If they believe that taking shoes off improves security, they are probably also going to be persuaded by a "not a terrorist" label on a t-shirt or sticker.

They already believe the "volume" sticker on a liquid container, regardless of the volume of the container or its contents.

---

November 20, 2009 12:54 PM

SvdB on A Taxonomy of Social Networking Data:

So:
Disclosed data: created yourself, controlled by yourself
Entrusted data: created yourself, controlled by others
Incidental data: created by others, controlled by others

Where does that leave data created by others, but controlled by yourself,
such as comments posted by others on your blog?

---

November 20, 2009 12:44 PM

Pete on A Taxonomy of Social Networking Data:

"incidental data" could be "referential data"

---

November 20, 2009 12:39 PM

RH on FailBlog on Security:

To quote caption from the the flickr link ObiJan posted (for those like me who are oft too lazy to click links):
"The Homeland Security Booth at RSA 2007 (a security conference, not a jobfair!) In case you're wondering, the front of the tshirt says 'Not a' and they thought it was funny enough not to shoot me. "

---

November 20, 2009 12:35 PM

Clive Robinson on A Taxonomy of Social Networking Data:

@ Joanne,

"I would think that types 2 & 3 would (or *should*) have the same rights as when someone writes a letter; the author holds an implicit copyright to what was written"

As far as I'm aware under international agrement you have rights to any creative work, unless you have a contractual obligation otherwise (not sure if a sites T&Cs count as a contract in all juresdictions)

"subject to exceptions for quoted material, etc."

Err no you still have rights over a derived work providing you are playing by the rules.

For instance the composer of a piece of music has rights to their work, the writer of the words has their rights and likewise the performer has rights and if further work is added by a studio they might have rights as well.

"Type 4 data would be copyrighted again by author and then subject to libel laws."

The laws relating to libel and slander etc are a nightmare and are widley different from juresdiction to juresdictio. Due to lax rules people use the UK's laws to surpress coment from other juresdictions.

"Type 1 data - well, I would like to see a comprehensive law along the lines of HIPAA or FERPA governing all disclosed data (not just to social networking sites, but to anyone that requires you give your personal information; be it email address, name and phone number, or whatever)."

Again laws differ in the UK and Europe you have some rights over your personal data. In the US the data effectivly belongs to who has collected it. I can not see companies giving up that right without a significant fight.

While I can see that someone has an interest in what data is collected about their behavior (type 5), I am a little less sure about what rights they might have to that data, or what control they should have over it.

It is ill defined in theory you behaviour could be classed as a performance and thus subject to copyright. However I can not see a judge enforcing it unless there is something "of merit" to the claim.

"As an analogous question is, what right does a person have to the data collected by a private investigator?"

Technicaly a PI is a private citizen working at a gainfull occupation (often) as a self employed person. In some places however they are required to take courses and pass qualifications for which they are licensed upto an equivalent of a police officer.

"However, we regulate PI's, so perhaps similar regulation could be created to hold ISPs and social networking sites (and similar - and not just online, social clubs as well) accountable."

In Europe they are talking about taking the "common carrier" "common barer" privalage away and making them the equivalent of publishers...

"This would also include investigatory results (which, if I am understanding some of the above comments, could also be called 'crosslinked data')."

The problem with crosslinked, infered or amalgamated data is that when done correctly it is considerably greater than the sum of it's parts.

You have to ask at what point it becomes "a work" in it's own right even if it is derived.

Nobbody has answers to these questions as yet and it is making large organisations nervous.

---

November 20, 2009 12:26 PM

kashmarek on A Taxonomy of Social Networking Data:

Once you get all the rules in place and enforced, it won't be much of a social networking site anymore, will it? Before the internet, social networking was face to face, we used our own memory (brain) for storage, we transmitted data via voice phone or snail-mail, or with grafitti on sidewalks & walls. The difference is the other parties, their intent, and the effort to process.

---

November 20, 2009 12:15 PM

jgreco on Stabbing People with Stuff You Can Get Through Airport Security:

@Alex, @Ward S. Denker

On the topic of emotionally charged statistics, according to the National Weather Service, 60 people were killed by lightning last year. Assuming that is average, that is 20 more people per year than are killed by concealed carriers according to Alex's uncited statistic. This is a literal case of the classical "you are more likely to get hit by lightning than ..." hyperbole.

Just goes to show that perceptions of relative security are not always in line with reality.

http://www.weather.gov/om/lightning/medical.htm

---

November 20, 2009 11:53 AM

spaceman spiff on FailBlog on Security:

ROFLMAO! I'd still like to get a picture of the gal in Boston who shut down the airport because of the blinky lights on her tee-shirt. That was a couple of years ago as I recall. It was an MIT school project as I recall.

---

November 20, 2009 11:36 AM

ObiJan on FailBlog on Security:

First Failblog, then Schneier. Doesn't get any better than that.

For those interested:

- It was not a job fair, but RSA 2007
- The person in the picture is Chris "Paperghost" Boyd, a fellow security researcher, who was presenting.
- The T-shirt is not a photoshop. We got it at the "SF Spy shop".

http://www.flickr.com/photos/paperghost/...

---

November 20, 2009 11:10 AM

Ward S. Denker on Stabbing People with Stuff You Can Get Through Airport Security:

Alex,

You presuppose that people carry firearms out of fear. Lots of people carry them simply because firearms are only useful if they're with you when you need one.

Do you carry your wallet with you every day? Do you actually buy something or identify yourself to someone every day? Probably not, but you carry it with you so that you have it for the times you'll need it. Planning ahead for something you don't ever expect to happen is not the same thing as living in fear.

I've carried a pocket knife with me for most of my life. Rarely do I actually use it, but the times that I have it I am happy it's with me. I could technically stab someone with it. By your rationale, should I be required to wear an armband that identifies me?

You cite a statistic, but you don't link to where you got it. There's no context, so it's an empty number and, for all we know, something you just made up. Assuming it's factual, how many of those were later ruled as justifiable shootings? I'd be willing to bet that almost every one of them were, similar to how police officers occasionally use their firearms improperly resulting in unjustifiable homicides, but most police only use them for what they're intended for: to preserve their lives or the lives of others.

Maybe it's you who are living in fear if you worry so much about who could be carrying a concealed firearm around you.

---

November 20, 2009 10:46 AM

Bob on "Evil Maid" Attacks on Encrypted Hard Drives:

As far as I know it's only if you encrypt the hard drive that you can become vulnerable using TrueCrypt, virtual containers are still fine though.

I definitely don't recommend using Microsoft's Bitlocker mainly because I just don't trust Microsoft... if I know them well enough then they will have created a backdoor where Law Enforcement can get hold of the encryption keys.

---

November 20, 2009 10:29 AM

Al Macintyre on A Taxonomy of Social Networking Data:

Would 'second party observations' apply here?

Family and friends are first level contacts.
Third party implies someone outside formal relationship.

---

November 20, 2009 10:25 AM

jgreco on Stabbing People with Stuff You Can Get Through Airport Security:

@Alex

That kind of defeats the purpose of "concealed" carry doesn't it? If that is what you are intending to do then just say so, it is a respectable enough position that plenty of people hold.

---

November 20, 2009 10:22 AM

Alex on Stabbing People with Stuff You Can Get Through Airport Security:

People who are carrying a concealed weapon should identify themselves with a badge or armband so people around them know there is a danger of getting shot. In the last two years over 80 people have been killed by law abiding concealed handgun license holders. Laws that conceal the identity of concealed handgun license holders need to be repealed as well.

If you really believe you are not safe in America without carrying a gun at all times, then you must be crazy to stay here.

---

November 20, 2009 10:12 AM

Ward S. Denker on Stabbing People with Stuff You Can Get Through Airport Security:

I'm pretty sure that martial arts masters can kill people pretty efficiently with just their hands and feet.

The TSA's new policy: Only quadriplegics can fly.

Sir, we're going to have to ask you to remove those before boarding...

---

November 20, 2009 9:58 AM

Clive Robinson on Denial-of-Service Attack Against CALEA:

Just a point to remember the "channel" is not just limited at the CO switch end. The LEO end has a limited number of channels that can be connected to.

Thus if you know what LEO is doing the listening and you have splashed a little cash in the right places you now have a many to one possability and thus can "cascade" calls from a number of switches over a short time period to block the LEO end.

There are other tricks that can be used by getting access to the SS7 address of the LEO and just ringing in. But this requires a level of sophistication above and beyond what most people can do.

There are all sorts of other tricks once you get access to the switch, and lets be honest there are people that know how to do this and I guess in these days of malware "cracking for cash" they might find a profitable outlet for there knowledge.

---

November 20, 2009 9:41 AM

Fred P on Denial-of-Service Attack Against CALEA:

@Grim Reaper-

I hope you're being silly.

1) Buy N programmable telephones that can send SMS telephones, where N is greater than 1, and much greater than the number you think you'll need.
2) Synchronize the times on those phones.
3) Write a program for those phones to send an SMS message at a particular time.
4) Wait for that time.

---

November 20, 2009 9:39 AM

jgreco on Denial-of-Service Attack Against CALEA:

@sooth sayer

Sure, nearly anything is vulnerable to a DoS attack, the part that makes this noteworthy is such an attack is actually practicle in this case.

---

November 20, 2009 9:29 AM

jgreco on Stabbing People with Stuff You Can Get Through Airport Security:

@kangaroo

In that case, I misunderstood Pierre's comment, the opening line of "Correlation does not imply causation." must have thrown me off.

"But in the end, please, there are no "causes". There are only time-dependent correlations and defined processes. There are determined relationships, and under-determined relationships.

But "causes" and "effect"? Do we have to speak like primitive, ignorant, flee-ridden slaver Greek philosophers from the Iron Age? There are mathematical relationships, and there is verbal bullshit."

I fully agree.

---

November 20, 2009 9:26 AM

vwm on Denial-of-Service Attack Against CALEA:

So, all the authorities have to do now, is mining for simultaneous SMS floods to find out, which calls are worth listening to;-)

---

November 20, 2009 9:15 AM

Aaron on Denial-of-Service Attack Against CALEA:

Yes and I'm sure such an act would be used as casus belli for a budget to more actively surveil whomever. Ex: If they are trying so hard to prevent surveillance... There must be something there.

Better to just stay off the phone, yes? Or at least go with a method of jamming that doesn't LOOK like jamming.

---

November 20, 2009 9:10 AM

kangaroo on Stabbing People with Stuff You Can Get Through Airport Security:

jgreco -- no, that wasn't exactly the point that Grande Mocha was making. The original point was that the examples and counter-examples were irrelevant to the crimes rate essentially; that the "causation" (what a terrible word) was really social structure.

Pierre's point is that guns ARE "causative" in the case of Swiss violence -- the low violence rate would be even lower in the absence of easily available weapons.

But in the end, please, there are no "causes". There are only time-dependent correlations and defined processes. There are determined relationships, and under-determined relationships.

But "causes" and "effect"? Do we have to speak like primitive, ignorant, flee-ridden slaver Greek philosophers from the Iron Age? There are mathematical relationships, and there is verbal bullshit.

---

November 20, 2009 9:00 AM

kangaroo on Stabbing People with Stuff You Can Get Through Airport Security:

GlassKnife: Neal Stephenson wrote about glass knives back in 1992 (Snow Crash). This is a non-story.

Yes, because a scientific paper confirming the exact level of damage produced by a cohort of ostensibly safe household utensils is EXACTLY the same as ideas floating through the SFsphere.

Conversely, we should pulp all novels that include material that has been referenced in the scientific literature -- they're non-novels of no interest, since you could just read the journal articles. We can throw out Moby Dick since there are early descriptions of whaling available -- generations of high school students would appreciate that.

---

November 20, 2009 8:55 AM

Joanne on A Taxonomy of Social Networking Data:

Hello all -
I would think that types 2 & 3 would (or *should*) have the same rights as when someone writes a letter; the author holds an implicit copyright to what was written (subject to exceptions for quoted material, etc.).
Type 4 data would be copyrighted again by author and then subject to libel laws.
Type 1 data - well, I would like to see a comprehensive law along the lines of HIPAA or FERPA governing all disclosed data (not just to social networking sites, but to anyone that requires you give your personal information; be it email address, name and phone number, or whatever).
While I can see that someone has an interest in what data is collected about their behavior (type 5), I am a little less sure about what rights they might have to that data, or what control they should have over it. As an analogous question is, what right does a person have to the data collected by a private investigator? However, we regulate PI's, so perhaps similar regulation could be created to hold ISPs and social networking sites (and similar - and not just online, social clubs as well) accountable. This would also include investigatory results (which, if I am understanding some of the above comments, could also be called 'crosslinked data').

ex animo-

Jo

---

November 20, 2009 8:52 AM

evixir on Stabbing People with Stuff You Can Get Through Airport Security:

I've traveled many a time with thick 10"-long aluminum knitting needles and they've never given me a single problem. Stick them in a skein of yarn and nobody says a word. But somehow a 4" metal nail file is a problem.

---

November 20, 2009 8:52 AM

jgreco on Stabbing People with Stuff You Can Get Through Airport Security:

@Pierre "Correlation does not imply causation."

I believe that was the point he was trying to make. You will note he provided the counter-example of Somalia.

---

November 20, 2009 8:41 AM

Da Scritch on Stabbing People with Stuff You Can Get Through Airport Security:

Easier : I break the arm of a co-traveler with any martial art I know, then I use the broken bone as a knife.

Now , the TSA will forbid any bone in an airplane

---

November 20, 2009 8:41 AM

Clive Robinson on A Taxonomy of Social Networking Data:

@ PJ,

"You should have thought of that before you took a hit of that bong, Bruce :)"

It's a point that Politcos are getting paranoid about (google "jackie spliff" ;)

However I think Bruce is becoming more "self image" concious, what with finding out how much it will cost to "tool up" as an "action hero" 8)

---

November 20, 2009 8:28 AM

sooth sayer on Denial-of-Service Attack Against CALEA:

Is this not the case with all surveillance?

---

November 20, 2009 8:23 AM

Dr.White on Secret Knock Lock:

Think This Security System based on sound could be bypasseable us the phone system on the John(captain crunch) on his times...

In my case i won't put this system in my house :p

---

November 20, 2009 8:22 AM

Grim Reaper on Denial-of-Service Attack Against CALEA:

How would you send multiple simultaneous SMS messages? I bet you cannot? Lets see who can list the steps to doing so

---

November 20, 2009 8:20 AM

whatever on Bruce Schneier Action Figure:

i'd use it as voodoo doll >:)

---

November 20, 2009 8:19 AM

Trichinosis USA on Denial-of-Service Attack Against CALEA:

Going around is still a lot easier than going through. Both at once is even better. Unless the premises are being physically surveilled, a person could get away with generating robo-IMs and VOIP calls at home to kick off on a known tapped line at a certain time while they went down the street and used a disposable prepaid calling card on a pay phone for the real call.

---

November 20, 2009 8:15 AM

Pierre on Stabbing People with Stuff You Can Get Through Airport Security:

@Grande Mocha:
"In Switzerland, most of the populace is well armed (and trained in firearm use!), yet the crime rate is extremely low."

Correlation does not imply causation.

As a Swiss, I can safely contend that the crime rate is extremely low despite of the populace beeing well armed. We're only well armed, because every able man has to do military service where he gets a gun or rifle which he has to keep at home when he is on passive duty. This is however (slowly) changing since most crimes or suizides involving guns were commited with these military weapons and a lot of them could have been prevented if access to these weapons had not been so easy. I've also never heard of anyone using their weapon to defend themself but only to commit suizide or go postal and shoot innocent people.

So in Switzerland, your pro-weapons case is actually a big anti-weapons case.

---

November 20, 2009 8:08 AM

mcb on Stabbing People with Stuff You Can Get Through Airport Security:

@Clive Robinson

"Oh and for those not up on UK 'English' nuancies, 'pig' is a slang word for a policeman and whilst 'dickies' is an alternative for 'bow tie.' 'dick' in all it's varieties is slang for a part of the male anatomy...

Therefor I leave it to your own imagination what might pass through peoples minds on reading,

'I'm thinking raw pork dickies for cabin crew...'"

The fact that even most Americans have no direct experience with the fashion accessory called a "dicky" nothwithstanding, let's not forget that American English is the official language of the Global War On Terror™.

PS Even I'm more than a little surprised to learn you can still buy an American dickey http://www.dakotamainstreet.com/dickiepage.html just not one made from an uncooked pork roast.

---

November 20, 2009 8:02 AM

Clive Robinson on Denial-of-Service Attack Against CALEA:

@ Bruce,

"if only theoretical, that would allow a surveillance target to thwart the authorities"

Hmm "theoretical" is not the way I would put it the simple answer is it is actually a real problem that the authorities already have in a number of juresdictions (ie there is a limit on bandwidth thus simultanious targets).

The real question is the possability of explotation by those under watch.

As the old saying goes,

"A quart into a pint pot will not go"

Thus at the simplest level it only requires too many simultanious target activities on a single switch for the wire tap channel to be blocked.

However for pen and tap there is a work around in that the CO records all of the information for billing purposes and as Matt notes this info is usually of more interest in the long term.

---

November 20, 2009 7:51 AM

bob on Stabbing People with Stuff You Can Get Through Airport Security:

@André: you bring up a point I had never thought about. What if a hijacker tries to take over an aircraft in flight by using as a hostage that snotty little girl from the row behind you who has been screaming, kicking your seat back and putting disgusting stuff in your hair continuously for the last 2 hours while her mother alternately ignored you or cast dirty looks at you whenever you suggested her little angel's behavior was less than perfect. You would be seriously conflicted in the ensuing "take over the plane" fight as to which side to join...

---

November 20, 2009 7:10 AM

PJ on A Taxonomy of Social Networking Data:

"If you post pictures of a party with me in them, can I demand you remove those pictures -- or at least blur out my face?"

You should have thought of that before you took a hit of that bong, Bruce :)

---

November 20, 2009 6:31 AM

Realist on Stabbing People with Stuff You Can Get Through Airport Security:

@testing:
"the state is us. ...... part of the system we are free to shape ... elections ..."
Boy, you really have been hitting the Kool-Aid. I don't share Averros' position either, but at least he inhabits the real world.
Here's a clue. Large US corporations spend billions of dollars on lobbying politicians. Now, if "we the people" shaped the state, that would all be pointless.

The House of Representatives votes on hundreds of bills in a session. A voter can, at the very most, express a preference for yes/no on one of them, because the only choice the voter has is between (at most) 2 viable candidates for the House. In most districts there isn't even that choice because most districts are "owned" by one of the main parties.

---

November 20, 2009 6:19 AM

Jeremy Duffy on A Taxonomy of Social Networking Data:

Is there really a difference between disclosed and entrusted? You're entrusting your data to the social network site after all and they can do whatever they want with it (and they do).

---

November 20, 2009 6:14 AM

nostromo on Stabbing People with Stuff You Can Get Through Airport Security:

@RogerGS:
Thanks for that informative link.

---

November 20, 2009 5:53 AM

Lisa Simpson on Stabbing People with Stuff You Can Get Through Airport Security:

@Zorro: That's actually because I'm keeping them away from NRA meetings with my terrorist repellent rock.

You might not have noticed, but I've also been keeping them away from Belgian pastry shops. No need to thank me, I do it because I like crullers.

---

November 20, 2009 5:45 AM

testing on Stabbing People with Stuff You Can Get Through Airport Security:

@averros: there are so many flaws in this arguement that I hardly know where to start...
define "free" - this toppic is highly discussable and there is always the balance between freedom and safety. And it has to be a balance because neither one alone is sufficiant. The benefit of an armed population has to be weight against the dangers of the distributed guns (crime-rate, risk of accidents and injuries etc.). To carry a gun does not by itself makes one a free man (think of child soldiers in failed states like somalia)

there is no "armed group known as the state" - the state is us. I suggest to read Hobbes (Leviathan) for a short overview. The armed part of the state is part of the system we are free to shape - elections are one possibility.

If the difference between the feeling to be a slave and to be a free man depends solely on the possibility to carry a private gun, then I suggest some therapy (spent some volunteer time at the trauma station at a hospital or somethin). Taking guns as a criteria is hilarious.

---

November 20, 2009 5:43 AM

Captain Australia on The "Broken Windows" Theory of Crimefighting:

I've seen this effect directly, and think it stems from a simple principle "Evil Flourishes When Good Men Do Nothing". If you take a direct responsibility for fixing a problem and making reparations, the criminality will decline - criminals work in shadows & are cowards at heart. Light a few candles & of course they will move on.
Your friend,
Captain Australia

---

November 20, 2009 5:42 AM

Moof on A Taxonomy of Social Networking Data:

I don't like "Incidental Data" as a term. "Third-party contributed Data" is the only sensible alternative I can come up with, but I don't like it either.

An interesting thing to try and talk through is the reliability of this data. Is the Disclosed Data more reliable about a person than the Incidental Data?

Maybe Incidental Data needs further subdivision into Data contributed by friends, enemies, and family, mostly emotionally-based, and inequivocal data which tends to be legally defined as factually accurate and given by authoritative sources, e.g. a university verifying that they did admit somebody into a degree, or an online gaming system verifying a high score that a person clocked up - or is that behavioural?

Also, keep in mind that there's shades of control. I'd argue that some social networks give you control over others' contributions about you. So maybe the definition for Incidental Data should be changed to talk about less control, or about data ownership.

---

November 20, 2009 5:02 AM

Andrew on Stabbing People with Stuff You Can Get Through Airport Security:

notme:
"It is well proven that the greater the distribution of firearms in a given population the less likely it is that those firearms will be used."

by % or absolute numbers?

---

November 20, 2009 5:00 AM

averros on Stabbing People with Stuff You Can Get Through Airport Security:

@testing - you missed the point of gun rights movement completely. It is NOT about being safer, individually, or as a society. It is about being a free man rather than a chattel of the armed group of people known as "the State".

Now, of course, being a slave has it advantages... to a certain type of people. Those of them who are honest with themselves hang out at BDSM meetups. The rest are in denial.

---

November 20, 2009 4:51 AM

RogerGS on Stabbing People with Stuff You Can Get Through Airport Security:

@nostromo:

See http://www.tsa.gov/travelers/airtravel/... - the 4 inch rule must be fairly recent then.

---

November 20, 2009 4:49 AM

Zith on A Taxonomy of Social Networking Data:

@Chris Travers: I readily caught on to the intent there. The control is about what happens leading up to it being published. Entrusted data is handled by someone else as it moves towards being published. Disclosed data doesn't change hands.

Alternatively, assume a forum perfectly obfuscates its content from users who are not logged-in members. Control is now about changing whether this content remains private or goes public. If you run the forum, the information you put there is disclosed. If not, it's entrusted. That's the difference, as I see it.

---

November 20, 2009 4:35 AM

Andy Powell on A Taxonomy of Social Networking Data:

Great list. I tend to agree with others that 'incidental data' in non-obvious as a label. I think that 'extrinsic data', 'third-party data' or 'external data' work better for me.

---

November 20, 2009 4:34 AM

notme on Stabbing People with Stuff You Can Get Through Airport Security:

zorro. your comments re: "more guns distributed to people equal more incidents" is factually incorrect and the feel-good theory behind it has been debunked for years. It is well proven that the greater the distribution of firearms in a given population the less likely it is that those firearms will be used.

But this isnt about guns - its about the absurdity of removing everything that could possibly be used to injure/threaten/scare/cajole another person.

Humans kill things - they are quite good at it and have been doing it for quite a long time. Nothing that anyone does will ever change that.

---

November 20, 2009 4:08 AM

tnih on A Taxonomy of Social Networking Data:

@Bruce: you give the hint yourself in your phrase:

third-party disclosure

---

November 20, 2009 4:05 AM

averros on Quantum Ghost Imaging:

bwp - that's what the military-industrial propaganda tells you. This is a relatively recent notion, post-WWII.

Of course, they forget to tell you what research DIDN'T happen because of resources consumed by military research. Yes, time of smart people and money taken from their potential backers by force to finance the military research. Even with that, the closer examination of any purported military-made wonder technology usually shows that it'd happen anyway, without any heads in funny caps around.

Please, look what the "Broken Window" fallacy means - you're committing it by uncritically repeating propagandist claims.

---

November 20, 2009 3:47 AM

lars on A Taxonomy of Social Networking Data:

-> Crosslinked Data or not

I am in favour of a separate class for "Crosslinked Data", to especially distinguish it from Behavioural Data, and argue why it differs from the Incidental Data.

Crosslinked Data contains data that is not covered by Behavioural Data, e.g. data from a second community website that can be related to the subject. That is not "behavioural" in any sense but should fit into the crosslink-terminology.

Crosslinked data contains data that is not covered by Incidental Data. If by incidental we mean data which is explicitly linked to a profile by an other subject, then crosslinked data covers a larger set of data, namely all the data that can be linked to a profile, with or without anybody consciously linking that information. Especially the cases where information is derived by linking different profiles with similar attributes or by transferring attributes from otherwise correlates profiles. (The example of the gay detector as discussed in this blog.)

---

November 20, 2009 2:47 AM

uk visa on How Smart are Islamic Terrorists?:

@Rick You're absolutely right, my mistake - I hate it when I mix up my bs!

---

November 20, 2009 2:01 AM

testing on Stabbing People with Stuff You Can Get Through Airport Security:

@zorro and other gunslingers: it might be handy to have a gun in a dangerous area - but the statistics (yeah, i know...) are quite clear: more guns distributed to people equal more incidents. In a country with less guns the amount of shot wounds, deaths by accidents and of course gun related crime (armed robbery) etc. are fewer.
As an individual I would always prefer to have a gun. As part of society I am glad that this is not possible here[tm]. Its like speedlimits - everybody thinks of himself as a safe driver and capable of calculating risks regarding traveling speed, yet the enforcement of a strict speed limit decreases the overall number of deaths on the roads.

---

November 20, 2009 1:22 AM

Nomad on How Smart are Islamic Terrorists?:

"I don't consider successfully hijacking 4 of 4 planes within minutes and reaching the target on 3 of 4 of them was "dumb luck" or "careless." If that were the case, I suspect we would have seen some failed hijack attempts and more than one failed collision."

and they took over all 4 planes with BOX CUTTERS ... not firearms which makes me believe they had a little more than dumb luck going for them

---

November 20, 2009 1:04 AM

Stephan E on A Taxonomy of Social Networking Data:

The most surprising part of this list is that nobody seems to be at all interested in security.

"Service data" are the data that the server should never know. And most of the other data should be encrypted to the recipient group.

By analogy it is like communists discussing economy and innovation without even considering markets as an option. They fail by their very approach.

---

November 20, 2009 1:04 AM

Roger on Stabbing People with Stuff You Can Get Through Airport Security:

" ... inflict stab and incised wounds to the necks of 3 previously euthanized Large White pigs. "

This result is not valid. We request that the experiment be repeated with live, conscious pigs. Preferably Large ones, of Any Colour. Please film the proceedings.

---

November 19, 2009 11:25 PM

Chris Travers on A Taxonomy of Social Networking Data:

I find your distinction between disclosed data and entrusted data interesting. Specifically, you describe entrusted data as "the same stuff as disclosed data, but the difference is that you don't have control over the data".

I think the term "control" in this context is a little misleading. Once I publish information on my website it's out there in the wild. While I can remove that information from my website, there is very little I can do to erase any trace of it. Copies are made, web-crawlers store indexes of it, and links hold tidbits about it long after I've removed it.

I think I understand the distinction you are trying to make, but I don't have a good way to articulate it without getting caught up in complex IP and ownership questions.

---

November 19, 2009 10:09 PM

Clive Robinson on Stabbing People with Stuff You Can Get Through Airport Security:

And this years winner for the Australian "No Sh1t Sherlock" award is,

RW Byard, GE Cains and JD Gilbert from the University of Adelaide.

With,

"However, given the results of a relatively uncomplicated modification of a plastic knife, it may not be possible to remove all dangerous objects from aircraft."

I feel they should also be nominated for the "Most gratuatous use of live animals" award.

I think the answer to,

"What is the point of the paper?"

Is, for the authors to get another publication...

Oh and for those not up on UK "english" nuancies, "pig" is a slang word for a policeman and whilst "dickies" is an alternative for "bow tie" "dick" in all it's varieties is slang for a part of the male anatomy (along with pork sword / lance / other thrusting weapons).

Therefor I leave it to your own imagination what might pass through peoples minds on reading,

"I'm thinking raw pork dickies for cabin crew..."

---

November 19, 2009 8:48 PM

Clive Robinson on A Taxonomy of Social Networking Data:

@ Bruce,

"That feels like a subset of behavioral data to me.

Your type 5 is one half of it (ie traffic analysis on what you do,) that may be visable just to the admins of the "social network" site, or those that have access restricted or otherwise.

An example of the former is where for instance the site owner/admin "outs sockpuppets". The admins have access to data that the site does not normaly show (IP address / etc).

An example of the latter has been seen on some "social network" sites. What you think is limited to just a small group (say your family) can become available to many (through their friends lists). Either directly (your post and the family members post) or indirectly (just the family members half of the post).

The other half of the problem is the actual data that is cross linked to is not on your list. In a more general case (ie not just "social networking") it would be a subset of your type 4 data.

That is it is not on a "social network" site at all, or you have "deleted it" but the site has not, or issues to do with metadata.

Examples of the first could be a business web site such as a newspaper's online edition, an e-commerce site (such as Amazon) where you have rated a product, or a "black hat" site that has posted / made available your bank / CC details. Or as I previously noted commercialy available data on you such as credit rating or marketing DBs.

An example of the second is "orphaned data". Where "social network" sites use many servers to build a page. Photos have still been visable on their original URL on the photo server even though the link refrence has been removed on the HTML body server.

An example of the third type is unautherised access due to predictable naming in site URLs that enable a private URL to be fairly easily determined.

One example of this is where a "thunb nail" picture URL could be used to find the high resolution image just by changing the end of the URL (which has comercial implications for those wishing to charge for the high resolution images).

Another is where the URL contains a sequence number either put in by the site software or the user (such as uploading files from a digital camera and not changing the file names in the process).

Then there is the possability of infering "missing data" for instance a site admin might decide to delete one or more entries on an open comments page. The fact that each entry is given a unique serial number may be used to determine how many have been removed from public display or if in fact they have been deleted at all or mearly had the links removed.

---

November 19, 2009 7:23 PM

Shawn Smith on Stabbing People with Stuff You Can Get Through Airport Security:

When it comes to flying, it seemed to me one of the best ways to prevent hijacking would be to have the only entrance to the cockpit outside the plane. No internal door to the cockpit, and if a crew member needs to go to the bathroom, they need to use a bedpan. Also, just knock all the passengers out before they get on the plane and stack them like cordwood. No need for attendants, in-flight food, or other ammenities.

It won't stop timed bombs from going off, or an internal threat (bad crewmember) though, so there will have to be some way of dealing with those.

---

November 19, 2009 7:19 PM

David on A Taxonomy of Social Networking Data:

following @uqbar, I'd suggest that 2,3 & 4 are all varients on disclosed data, and that you're missing the fourth data-type in the 2d grid where 'posted by you / posted by someone else' is one axis and 'posted in your area of control / posted in someone else's area of control'.

The important thing about information about you that is posted by someone else in an area outside your control it that (compared to the other three data-types) you're less likely to be aware of the disclosure, and so less likely to be able to do anything about it, even if the ability to in some way object to the disclosure exists.

---

November 19, 2009 7:17 PM

Andrew on Stabbing People with Stuff You Can Get Through Airport Security:

TSA is trying to stop a particular type of weapon: a weapon that could be used to hold a hostage and threaten them and/or others with immediate and likely death. This is why knives are of particular concern when many of the other improvised weapons named are not.

The logical conclusion is to declare a strict no-hostages policy. This is a common practice in many American prisons and jails. Rough on visitors and stressful for the staff, but effective at preventing incidents.

I was also wondering when/if this would degenerate into Yet Another Gun Control Debate On Schneier's Blog.

---

---

---

---

November 19, 2009 5:08 PM

paul on A Taxonomy of Social Networking Data:

All these kinds of information also have differing levels of veracity (insofar as that term means anything any more). The fact that someone associates your name with a photo or a note or a link may or may not mean that it actually has anything to do with you. And information posted on sites may or may not be factual (and may draw, via links, third and fourth parties who have no direct association with a particular social networking site.)

I am amused, for example, to note that the overwhelming number of people following me on Twitter (which I don't really use) are malware bots. Not sure exactly what that says about me, though.

---

November 19, 2009 4:56 PM

scott on Stabbing People with Stuff You Can Get Through Airport Security:

@andre

"So what is it about a bowie knife, that makes it that much scarier to you than any other given object to stab someone?"

That's easy - I'm culturally trained ;-) Movies and books and what not.
Even the shape is important - a bowie knife just looks... mean. (To me at least). When I see a bowie knife, it looks like a weapon. It's big, it's prominent. It doesn't look like something else (Is that a garden trowel?).

When I see it, I don't have to think, I don't have to evaluate any context to know that the implement is there to do people harm.

A terrorist is probably trying to keep people from thinking and from moving beyond fear; they're probably trying to subdue people through emotional reaction, precisely *because* a plane is so cramped and dangerous to subdue.

Your point about hostage taking is a good one, but perhaps part of the plan is not to subdue the plane in general but to intimidate a few select people (captain, marshals, etc).

In that case I think more imposing weapon might be of value.

---

November 19, 2009 4:42 PM

Clive Robinson on Stabbing People with Stuff You Can Get Through Airport Security:

@ RH,

"It should be no surprise that those who feel value in arming themselves are, on average, in more dangerous areas to live."

Err even in the US that is arguable (Texas for instance).

I suspect it has more to do with availability and perception rather than real risk.

An argument that sometimes pops up is the lack of street crime in places where people are alowed to carry concealed weapons. Usually it is a case of incorect or overly simplistic observation / perception (broken window anyone?)

---

November 19, 2009 4:19 PM

Clive Robinson on A Taxonomy of Social Networking Data:

@ r721,

"Our de-anonymization algorithm is based purely on the network topology... ...is robust to noise and all existing defenses,... ...and the adversary's auxiliary information is small."

And people ask me why I pay in cash and don't "twitter" or "facebook" etc etc ;)

---

November 19, 2009 4:09 PM

Clive Robinson on A Taxonomy of Social Networking Data:

@ John Campbell,

"It can be argued that these will have varying relationships to one's "ego"...

Hmm "personality type" possibly some people "live inside their own heads" (techi types) others "live inside the heads of others" (your always "networking" managers / execs / politicos / con artists /etc).

Depending on your usage of "ego" you could say the former have none whilst the latter are all ego.

Techi types tend to have "social communications" issues which tends to get them (unfairly) marked down by others. Where as your networking types tend to be very good at social communications (and not a lot else) which tends to get them (unfairly) marked up by others.

The desire to be "top dog" etc (ie egotistical) is not in most cases related to ability to do a job or social communications ability (you only have to watch the X-factor to see when ego/self belife is baddly misplaced).

From the way you phrased your use of "ego" you could also argue that the "ego" has an inverse relationship to ability.

(A point many will have sympathy for as their "networking" bretherin steal the credit for their work).

---

November 19, 2009 4:05 PM

r721 on A Taxonomy of Social Networking Data:

@Clive Robinson, GregW

There's a blog on 'de-anonymization' out there (http://33bits.org/) where problems like that are discussed. For example, its author has a paper 'De-anonymizing Social Networks' out (http://randomwalker.info/social-networks/).

Abstract:

Operators of online social networks are increasingly sharing potentially sensitive information about users and their relationships with advertisers, application developers, and data-mining researchers. Privacy is typically protected by anonymization, i.e., removing names, addresses, etc.

We present a framework for analyzing privacy and anonymity in social networks and develop a new re-identification algorithm targeting anonymized social-network graphs. To demonstrate its effectiveness on real-world networks, we show that a third of the users who can be verified to have accounts on both Twitter, a popular microblogging service, and Flickr, an online photo-sharing site, can be re-identified in the anonymous Twitter graph with only a 12% error rate.

Our de-anonymization algorithm is based purely on the network topology, does not require creation of a large number of dummy "sybil" nodes, is robust to noise and all existing defenses, and works even when the overlap between the target network and the adversary's auxiliary information is small.

---

November 19, 2009 3:50 PM

Anton on Stabbing People with Stuff You Can Get Through Airport Security:

Macabre, I don't need to stab pigs to figure out that a broken glass is a weapon, just ask emergency service at large hospitals.

Poor pigs.

---

November 19, 2009 3:45 PM

HJohn on A Useful Side-Effect of Misplaced Fear:

@Geoffrey:"rather than on the choices of the perpetrator to rape someone (and the cultural forces that might compel such choices) and what might be done to stop people from perpetrating rape. "
______

If you know how to stop someone from perpetuating it by teaching them or anything else, by all means do so. But the fact remains some people are just evil. Cautioning people on reducing the risk they will be victimized is not the same as blaming the victim.

I wish no one would ever choose to steal my car too, but I still lock my doors. Failing to lock my doors doesn't make it my fault, but that doesn't make it wise either.

I don't think you'll find one syllable on this page blaming the victim. And cautioning one about risks is not the same as blaming.

---

November 19, 2009 3:25 PM

John Campbell on A Taxonomy of Social Networking Data:

@GregW:

Incidental data is more a case of "observational" or "reputational" data.

Bujold described the difference between Honor and Reputation... but things other people post about you is more related to reputation since its authorship is by an observer.

It can be argued that these will have varying relationships to one's "ego"...

---

November 19, 2009 3:24 PM

Geoffrey Hing on A Useful Side-Effect of Misplaced Fear:

This is quasi anecdotal as well, but the professionals I talked to while volunteering with a rape crisis center claimed that their research shows that a) date rape drugs quickly leave the system of the people who consume them (which is why they are used to aid assault in the first place) and b) the drugs are often synthesized from a variety of chemicals (think less stolen medication and more meth lab) which suggests that the experiences of people given date rape drugs will vary dramatically.

Furthermore, it isn't clear whether the study takes into account people who came to the hospital who didn't think they were drugged, but ended up being drugged, and obviously, those who did not go to the hospital at all. As other commentors have mentioned, rape is incredibly under-reported.

The original analysis of:

"Basically, the hypothesis is that perpetuating the fear of drug-rape allows parents and friends to warn young women off excessive drinking without criticizing their personal choices. The fake bogeyman lets people avoid talking about the real issues."

is correct, unfortunately, though I'm not sure it is correct as the author originally intended it. Centering the discussion on date rape drugs and alcohol consumption focuses the discourse on what the survivor could have done to avoid being assaulted rather than on the choices of the perpetrator to rape someone (and the cultural forces that might compel such choices) and what might be done to stop people from perpetrating rape. At best, this discourse isn't very helpful towards the safety of women or accountability for perpetrators. At worst, it's just victim blaming.

---

November 19, 2009 3:13 PM

Joy of Tech on Stabbing People with Stuff You Can Get Through Airport Security:

---

November 19, 2009 3:08 PM

Wayne on Video Interview with Me:

Very insightful video and thanks for Posting.

---

November 19, 2009 3:02 PM

Anca on How Smart are Islamic Terrorists?:

Anyone who's ever tried to coordinate an event involving multiple parties in different cities knows how complicated it is to actually make things happen at just the right time. Conceptually, it seems easy, but, Conceptually, so is Kung Fu. Organizing people and getting them to do things just right isn't easy, no matter how smart they are.

I think some of the best security we have is the fact that Wester movies and TV make it seem so damn easy to learn to do certain things (shoot a moving target, make a bomb, fly a plane, learn Kung Fu). This, at least, allows the FBI to entrap the dumb attackers, who might get lucky with a car bomb, but, instead, wind up trying to buy parts from the feds.

---

November 19, 2009 2:55 PM

GregW on A Taxonomy of Social Networking Data:

I agree with Clive's comment about "cross-linked"/"inferred" data being different than just "personal" data.

While I am not sure inferences made about data alone (e.g. time zones of postings) warrant a separate class, I do sense there's a substantial difference between a person's disclosed information, and that same information put in a "cross-linked" form with other people's personal information.

I once created a cross-link system to gather/crosslink such data to vastly reduce credit card billing fraud detection system in a prior ecommerce/telecom position.

Without going into all the details, let's just say that service data that relates just to you ("who you called/who called you") is substantially different in nature from the all the data that can be linked to you via all users (named and pseudo-anonymous) of a given service for all time. (Who calls the people who call you and who do they in turn call? ... a full graph that can has distinctly different/greater value when linked with data of many other people using the same/similar service.)

A service-wide graph that links your information with others connected to you in some way (calling/communication patterns, IPs/geographic locations, similar web traffic browsing patterns, credit card aliases used, etc) contains not just your personal information but an potentially exponentially larger amount of context when linked all together.

Cross-linked data can spiral into a mess and get one nowhere, but at times it can be tremendously powerful (cf isolating/identifying friends of Saddam).

---

November 19, 2009 2:45 PM

GregW on A Taxonomy of Social Networking Data:

Great taxonomy. I like!

Perhaps worth finding a better term than "incidental disclosure" to describe third-party postings etc. about oneself though; that wasn't an obvious connection to me terminology-wise.

---

November 19, 2009 2:37 PM

Brandioch Conner on How Smart are Islamic Terrorists?:

@Michael Begley
"Doesn't the fact that the operations were successful despite some mistakes in execution demonstrate at least some sophistication in the planning stage?"

The problem is that "sophistication" doesn't relay any information.

The more complex the operation, the more sophistication needed to plan it and to ensure that it is somewhat error-proof.

Hijacking planes doesn't take much sophistication (at that time).

Hijacking planes and flying them into buildings took more sophistication and training. And they correctly determined the amount of training that was necessary.

There are not many terrorists out there with that degree of intelligence and dedication. Which is why we do not see many attacks such as that. (BTW, there aren't many NON-terrorists with that degree of intelligence, either.)

The key for the terrorists is to match:
1. Their level of sophistication
to
2. The complexity of the attack.

Unsophisticated terrorists can easy plan, train and carry out simplistic attacks.

The more sophisticated the attack, the smaller the pool of people who could successfully complete it.

And with suicide attacks, the pool is self-limiting. A successful attack removes those members from the pool.

---

November 19, 2009 2:30 PM

Clive Robinson on A Taxonomy of Social Networking Data:

@ Bruce,

There is another type of data you need to add to your list.

That is cross linked or infered data.

You may not post on a social network site that you live or work in any particular place or other details. However time of day you post etc can bring your location down as can other things that give indicators of other places to search.

For instance you may have once posted (as many admins have) to a news group or been mentioned in corperate news (as many execs have). The time of day you post helps bring the location you are at to a time zone. This can then be used to filter out other people with similar names (there's atleast six people with my name that I have tracked down ;)

As in "traffic analysis" sometimes it's not the message contents that are important but the times and places it originates and ends at.

As another example assume the person trying to track you down has credit checking (CCN) and other "marketing target" DB access and reads on your social site that you have just purchased the latest wiz bang 90" home movie system with 10 channel suround sound and UWB networking.

There are not many places you could have obtained it and you may have taken out a credit agrement to buy it, or forgoton to check the "no marketing contact" box on the warenty or other paperwork. Some or all of those details will nail you down cold.

---

November 19, 2009 2:24 PM

PackagedBlue on Stabbing People with Stuff You Can Get Through Airport Security:

The men who stare at airplanes. I could kill an airplane with a stare.

Ha, outdid even the Trained Professional, with his bare hands.

Note to TSA: this was a joke, an attempt at humor, at perspectives.

---

November 19, 2009 2:19 PM

Ender on Stabbing People with Stuff You Can Get Through Airport Security:

Obligatory XKCD - http://xkcd.com/651/

---

November 19, 2009 2:07 PM

uqbar on A Taxonomy of Social Networking Data:

As you note, items 2,3,4 are all types of "Disclosed data" - I suggest this be made more explicit by naming as follows:

2. Disclosed data (controlled)

3. Disclosed data (entrusted)

4. Disclosed data (incidental)

---