Schneier on Security

November 7, 2009 7:37 AM

vanilla on The Doghouse: ADE 651:

There are so many possibilities here.

1. Practical application of Thieves' Belief System Tenet #2: "If you were stupid enough to believe me, you deserve what you got."

2. If the buyer is truly naive, see #1.

3. If the buyer is in on it: a) quid pro quo; b) money laundering; c) gaming strategy.

If 3(c), be on the look out for the owner of the problem to ride in with the solution.

Every human is infected with some level / form of moral corruption but cheats and thieves make me sick.

Book 'em, Danno ...

November 7, 2009 5:32 AM

PackagedBlue on The Doghouse: ADE 651:

A rod that cuts through the USA-Iraq governments red tape, and saves lives by solving people process problems?

Paying off the right people for access to info and help is the system, it just often is masked by flaky stuff.

Maybe not a bad payoff device.

November 7, 2009 12:47 AM

Shachar Shemesh on The Doghouse: ADE 651:

I object to comparing this to lie detectors.

Don't get me wrong. Lie detectors are a useless piece of crap as far as detecting spies/thieves etc. Their false positive rate, in combination with the low density of actual thieves and spies, means that even at the 90% accuracy that the Polygraph association claims the devices are all but useless. Worse, 90% is a huge over-statement of the actual device's accuracy.

BUT

It does measure something. Even at 51% accuracy, one can think of some (hypothetical, useless) cases where it would come in useful (for some definition of "useful"). The polygraph's accuracy is, probably, much higher than that (at a guess, I'll put it at 60%-65%). The ADE 651 is totally useless, with no better than chance accuracy.

Don't confuse polygraph (bad science coupled with marketing) with the ADE 651 (simple fraud).

Shachar

November 7, 2009 12:33 AM

Richard on Detecting Terrorists by Smelling Fear:

People seem to be ignoring some important points.

Firstly the research in question is still at a very early stage, being at the beginning of an 18 month feasibility study. Alot of such research leads to dead ends, which is the nature of research in general.

The fact that the article got the name of the lead investigator wrong a number of times makes me question any of the quotes atributed to the researchers, or any claims either for that matter.

The correct name is Professor Tong Sun (see http://www.city.ac.uk/sems/our%20staff/eeie/... ) who has been one of the leaders in the field of optical fibre based sensors for a number of years so if she thinks it is a viable proposition, I wouldn't be so quick to dismiss it.

November 6, 2009 11:23 PM

jack on The Doghouse: ADE 651:

Money aside, I'm sure the makers of the device are rolling on the floor laughing when they think of the users "walking in place" to charge the device. It's just too precious. It's actually better than watching Bill Murray in "Stripes".

November 6, 2009 8:44 PM

Daniel on Friday Squid Blogging: Dentyne Ice Squid Ad:

She is not Japanese, she is Thai.

November 6, 2009 8:15 PM

Aviatrix on Friday Squid Blogging: Dentyne Ice Squid Ad:

That's pretty much identical to the ad where the garlic, onion and other foods follow the guy around and up the stairs until he has the gum.

But Asmor is right, it does introduce a whole different vibe what with the tentacles. You just have to recall that squid is a common food in Japan.

November 6, 2009 7:51 PM

Preston L. Bannister on The Doghouse: ADE 651:

My son (an MP in the Marines) was part of a public-service operation on Halloween, using a wand to screen for metal in bags of candy. Not a bad idea (putting aside whether this is systematically effective), except for the constant false positives.

Seems there is a surprising amount of metal in the air.

November 6, 2009 5:42 PM

Asmor on Friday Squid Blogging: Dentyne Ice Squid Ad:

Definitely the tamest thing I've ever seen involving Japanese women and tentacles.

November 6, 2009 5:38 PM

Mauro S on The Doghouse: ADE 651:

November 6, 2009 5:30 PM

jrr on Friday Squid Blogging: Dentyne Ice Squid Ad:

I totally thought that video was going in a whole different direction for a few seconds...

November 6, 2009 4:52 PM

Clive Robinson on The Doghouse: ADE 651:

@ nick,

"The obvious fact is that divining rods really work thanks to having 48% more magic than regular rods."

It has been shown that some farmers can tell were things are buried several feet or more under their fields just by looking at the way the crops grow above them.

When the same fields are looked at using photos taken from an aircraft it is usually apparent to most peoples eyes.

Put simply the crop grows differently to that in other areas, and although the difference is not that noticable at ground level to an inexperianced eye a more experianced eye will spot the difference.

Likewise leaking pipes and broken drains can be spotted simply by the difference in a crop, as can sub surface natural drainage.

Some metal ores can be found by simple chemical analysis of plants that grow above depositis and in the case of some metals this produces differences in the foliage that can be detected.

Some native people can just look at what appears to be arid land and spot small differences that tell them where there are pockets of water often upto 6 feet under the surface.

There is no magic involved just a life time of experiance.

November 6, 2009 4:50 PM

A Nonny Bunny on Interview with Me:

"It's National Cyber Security Awareness Month. What are your thoughts on cyber security in the U.S.?

Schneier: Really? We have a National Cyber Security Awareness Month? You're kidding. Whose idea was that? "

It's funny when an awareness month cannot even make people aware of itself, let alone what it is trying to create awareness on.

November 6, 2009 4:48 PM

Roger on Fear and Overreaction :

(Roger who, incidentally, will not be responding to follow-ups this weekend because he is about to head off and do a half-marathon in a remote area in the mountains in blazing heat ... )

November 6, 2009 4:42 PM

Roger on Fear and Overreaction :

Two general comments.

The observations about evolution, energy cost and so are very interesting, particularly as I have recently been making observation of the various defensive behaviours of birds around my new, semi-rural neighbourhood.

One thing that evolutionary biologists have recently come to appreciate more is that evolutionary adaptation can be extremely fast. Adaptations that require development of completely new structures may well take tens of thousands or even millions of years, but adaptations that modulate the performance of existing structures can take place in a few tens of generations (which for many species, means a decade or so.) This is particularly apparent with behaviour modification in intelligent species; rural crows don't take very long at all to adapt to urbanisation.

On a completely different note, I have recently been studying the problems with human estimation of risk, from the perspective of project management. In this field, poor risk estimation annually causes loss and wastage on the order of billions, so much research has been done -- and the result of much of this research is that Bruce is wrong.

True, we greatly overestimate the risk of rare events in comparison to common ones. But in absolute terms, the problem is not that we overestimate the risk of rare events; we actually get those about right. The problem is that we are real gamblers with common disasters. (Interestingly, depressives do much better than psychological "well" people; the estimates by depressives are not pessimistic as one might think, they are accurate ... )

The reason is not really known, but in evolutionary terms it makes sense so long as the population is continuously expanding; in that case, excessive gambling with common hazards is a winning strategy for the *species* (rather than the individual gambler) because of the Martingale effect. But as soon as the population stabilises, it becomes a losing strategy.

A such, we now either need to find new worlds to conquer, or become a species of old maids.

November 6, 2009 4:09 PM

Anonymous coward on The Doghouse: ADE 651:

I'd love to see the owner of the company manufacturing that product personally clean out a minefield.

November 6, 2009 4:01 PM

David on The Doghouse: ADE 651:

@TimH: I'm not a lawyer, but there's a difference between evidence sufficient to convict and evidence sufficient to conduct a search. Under some circumstances, a LEO can conduct a search given reasonable suspicion and articulable cause. "My drug detector went off" is an articulate statement, and grounds for suspicion. The fact that it's functionally equivalent to a used paper towel may or may not be relevant.

This is in contrast to the speed detector, which provides direct evidence of an illegal act, and which will be used in court. The results of the detector placebo won't be brought up by the prosecution. Its reliability would be brought up by the defense, arguing that the search was illegal, so any evidence gained from it is "fruit of the poisoned tree".

So, the question is whether a LEO is justified in searching based on entirely unreliable evidence. There may be laws or precedents dealing with this anyway, but as I said I'm not a lawyer and I don't know.

November 6, 2009 3:36 PM

Arno on The Doghouse: ADE 651:

@db Cooper: Very nice! I especially like to all-too-realistic plot on "ramaining pins vs. number of insertions".

November 6, 2009 3:17 PM

db Cooper on The Doghouse: ADE 651:

I also remember WOM chips from back in the 70's. The ones I designed with were not a block of wood though, they were a DIP and we sourced them from Signetics.

Ye ol' data sheet can be found here: http://www.national.com/rap/files/datasheet.pdf

November 6, 2009 2:25 PM

bob on The Doghouse: ADE 651:

Reminds me of the WOM (Write Only Memory) we had waaaaay back. Huge quantity of storage, it could store >1GB back when 4kB was alot. Of course, it was just a block of wood with 2 wires attached, and since it was WRITE only there was no way read anything back to prove it was or was not storing anything...

November 6, 2009 1:52 PM

Brian Chess on Fear and Overreaction :

It is dangerous to claim that evolution has created a particular trait for a particular purpose. Just because a trait has a security function does not mean the trait is "for" security.

This is a major difference between our approach to security and nature's approach to security. We humans treat security as a specialty. Nature integrates security as a continuous part of the whole.

November 6, 2009 1:43 PM

Shane on The Doghouse: ADE 651:

Well, I know *my* ESP works much better when everyone in the vicinity already believes it does...

*explodes*

November 6, 2009 1:24 PM

D0R on The Doghouse: ADE 651:

"Proponents of the wand often argue that errors stem from the human operator, who they say must be rested, with a steady pulse and body temperature, before using the device."

That's exactly what people with self-proclaimed ESP powers say when they fail. They say they failed due to "wrong mind waves" from skeptic observers, or whatever.

November 6, 2009 1:06 PM

EdT. on The Doghouse: ADE 651:

I wonder if they have been selling a similar device to LE agencies in Louisiana and east Texas for use in locating "drug money" in the cars of African-Americans.

~EdT.

November 6, 2009 12:18 PM

Kevin G. Austin on The Doghouse: ADE 651:

I don't know what your problem with this is. It almost certainly uses the same technology that the Acme Homing Missile does. It probably even has a large dial on it with settings like "rabbit" and "roadrunner".

November 6, 2009 12:10 PM

Lars Vargas on The Doghouse: ADE 651:

One has to wonder how they managed to design 650 BAD iterations of this wodnerful product.

At least the 651 is good for one thing. Reading about it caused my bullsh!t detector to go off. Which begs the question, if you're searching for bullsh!t, will the ADE 651 find itself?

November 6, 2009 12:08 PM

TimH on The Doghouse: ADE 651:

Another thought: If an LEO used this to work around warrantless search to fake probable cause, the LEO had better be prepared to plant the evidence too. If speed detectors can be challenged for accuracy, the PC detector can be challenged too. Love to see it proved working in court!

November 6, 2009 12:06 PM

BF Skinner on The Doghouse: ADE 651:

Of course this is the kind of thing that govt can controll (where they ARE our tax dollars) by putting a clause stating no monies will be used to buy the ADE...of course as soon as you do this the free market freebooters begin beating their chests about unfair constraints.

The market only delivers what the people want right? People WANT shoddy merchandise sold by unethical firms.

November 6, 2009 12:06 PM

Magnus Redin on The Doghouse: ADE 651:

Why do people living in a country that believe in lie detectors laugh about an electrostatic divining rod?

November 6, 2009 12:03 PM

TimH on The Doghouse: ADE 651:

I think its also targetting LA police and African regimes for customers. At least it says it will detect "Black Power" in the 2-page brochure http://www.prosec.com/docs/ADE651.pdf referred to mt Mike.

November 6, 2009 11:53 AM

jb on Fear and Overreaction :

The Pauline Kael theory of security -- all the birds Bruce knows voted for McGovern, so he must have won, right? How much time have you spent watching birds at feeders? More than a few seconds, total, in your life? And you reach a conclusion about the efficacy of millenia of response? I think the birds are smarter about their own security than you are. If they're wrong once, they're dead. That sort of ups the ante for a correct response, and reduces the attraction of taking a shot on staying put.

November 6, 2009 11:53 AM

A Nony Mouse on The Doghouse: ADE 651:

I think Another Kevin has hit the nail on the head. The device is a "scientific" excuse to conduct searchs where they wouldn't otherwise have cause.

November 6, 2009 11:23 AM

Leo Tohill on The Doghouse: ADE 651:

We'll probably find that the company is owned by the people who are placing the orders, billing their government. How else could you sell a $16,000 divining rod?

November 6, 2009 11:13 AM

Emiliano Zapata on The Doghouse: ADE 651:

Hi, the army in Mexico has some of this kind of devices, in some towns in the southern part of Mexico this has detectec ammunitions and weapons, the person walks in the street with the device, and this thing alerts when there is a house or place with traces of explosive substances.

Some times it can detect non-hazardous materials, as this has erroneous detected explosives in a dairy products transport truck that was confiscated by error.

November 6, 2009 11:07 AM

kog999 on The Doghouse: ADE 651:

this reminds me of a simpsons quote

Homer: Not a bear in sight. The Bear Patrol must be working like a charm! Lisa: That’s specious reasoning, Dad. Homer: Why thank you, honey.
Lisa: By your logic, I could claim that this rock keeps tigers away.
Homer: Hmm. How does it work?
Lisa: It doesn’t work; it’s just a stupid rock!
Homer: Uh-huh.
Lisa: But I don’t see any tigers around, do you?
Homer: Hmm... Lisa, I want to buy your rock.

November 6, 2009 11:07 AM

Jouser on Risks of Cloud Computing:

NIST, along with their definition, has an excellent presentation on the advantages and challenges of cloud computing:
http://csrc.nist.gov/groups/SNS/cloud-computing/

November 6, 2009 10:47 AM

Dom De Vitto on The Doghouse: ADE 651:

Bruce,

Next thing you'll be telling me that my ADE650 (which is fantastic and keeps crocodiles from approaching up to a mile from my house) doesn't work either !!!

Dom De Vitto
#5 Dune way,
Central Sahara

November 6, 2009 10:45 AM

Ed Hurst on The Doghouse: ADE 651:

Please don't confuse all this hokum with the detection of very real magnetic fields generated by buried pipes and cables made from various metals. Depending on the type of detection you use, they can be sensed at surprising depths using fairly inexpensive equipment.

November 6, 2009 10:38 AM

Xyz on The Doghouse: ADE 651:

I would like to sell them some of these metal detectors: http://www.fisher-price.com/us/products/...

November 6, 2009 10:04 AM

jouser on Cloud Computing:

NIST, along with their definition, has an excellent presentation on the advantages and challenges of cloud computing:
http://csrc.nist.gov/groups/SNS/cloud-computing/...

November 6, 2009 9:56 AM

Over and Over on Report on Chinese Cyberwarfare Capability:

So when is NGC going to profile Israel whose parade
of agents penetrating the US military and gov is seemingly endless. Do you think Mossad has not pulled the evil maid (or bellboy) trick on every Vitter type Republican and Foggo-Kerik type appointee?

November 6, 2009 9:50 AM

pegr on The Doghouse: ADE 651:

It's just as effective as the polygraph, and for the same reasons, too!

November 6, 2009 9:48 AM

nick on The Doghouse: ADE 651:

Remember not to be overly hard on the Iraqi government without also saving some criticism for the West. Some US police forces use lie detectors of various varieties, which are just divining rods at worst, or anxiety tests at best. The French even use handwriting analysts to screen job applicants. How insane is that?

November 6, 2009 9:40 AM

Jason on The Doghouse: ADE 651:

Apply directly the the forehead.

November 6, 2009 9:37 AM

Grande Mocha on The Doghouse: ADE 651:

I grew up on a small family farm. I remember being amazed when I watched my grandfather use a dowsing rod to locate a site for a new well. They drilled and found water just like he had predicted. When I got older, and learned about aquifers, I realized that they could have drilled anywhere in the vicinity and found water.

Maybe when you live in a war ravaged country, you can search any random person and have good odds of finding some sort of contraband...

November 6, 2009 9:19 AM

yet_another_coward on The Doghouse: ADE 651:

> It comes with a hardware three year warranty.

So... how do you tell if it requires maintenance or replacement under the warranty?

November 6, 2009 9:17 AM

nick on The Doghouse: ADE 651:

@alanS: "I guess the question is whether the rods were detecting water or just reflecting their own acute sense of judgment in such matters and local knowledge of where the drains would be located."

Actually, that's not the question. There isn't really a question there at all. The obvious fact is that divining rods really work thanks to having 48% more magic than regular rods.

PS: Your dad was deluded.

November 6, 2009 9:07 AM

jouser on Mossad Hacked Syrian Official's Computer:

If you're traveling unless you plan to keep your machine with you at all times you have to take a loaner or spare laptop with you instead. You can't trust anyone (evil maid) or anything (hotel safe).

November 6, 2009 9:06 AM

Vincent on The Doghouse: ADE 651:

This reflects a cultural aversion to dogs as much as anything. It's just as expensive and not remotely as effective, but at least you can find people willing to use the thing and actually sit to be searched.

I've been putting a bunch of money into drug sniffing snake research... sooner or later that big oil state Iraqi defense contract is going to come my way.

November 6, 2009 9:02 AM

spaceman spiff on The Doghouse: ADE 651:

I think someone is laughing all the way to the bank. With luck, they'll get blown up by a suicide bomber because of their perfidy...

November 6, 2009 8:58 AM

Clive Robinson on Friday Squid Blogging: Humboldt Squid in Canada:

November 6, 2009 8:57 AM

db Cooper on The Doghouse: ADE 651:

Why would the company take up James Randi on his offer of a $1M prize? The reporting says they have already made over $85M in sales.

First I miss out on inventing pet rocks, now this.

November 6, 2009 8:53 AM

shadowfirebird on The Doghouse: ADE 651:

You would think that the "international community" (whatever that is) would demand that each country vet their security companies for just such a scam and punish the wrongdoers -- given that security products are usually life-threatening if they go wrong, and "caveat emptor" vary rarely helps the victim in these cases.

It seems to me that there is no downside to this, nothing that a given country would have to lose.

So much for sanity.

November 6, 2009 8:50 AM

fraudbuster on The Doghouse: ADE 651:

Here is Cumberland's write up. They'll pull it down soon, I'm sure.

http://www.cumberlandindustries.com/content/...

Darkness gathers. The demons begin to stir.

November 6, 2009 8:30 AM

Clive Robinson on The Doghouse: ADE 651:

@ AlanS,

"I guess the question is whether the rods were detecting water or just reflecting their own acute sense of judgment in such matters and local knowledge of where the drains would be located."

It's the latter.

You could regard them as being "gut feeling" magnifiers.

The way you are supposed to use them makes them fairly sensitive to small shoulder muscle movments.

The thing about "looking across the tips" is a way to make your brain's sub concious free ascociate on the info coming in from your eyes, whilst occupying the concious mind with an unrelated task.

So the devices would possibly work as a "sensing hinky" amplifier as well.

But they cannot actually detect a thing, they only alow you to get at your subconcious thinking.

November 6, 2009 8:26 AM

TFBW on The Doghouse: ADE 651:

"What happened to the days when you can buy a divining rod for $100?"

Bear in mind that these are _military grade_ divining rods which detect _any substance_. You pay a premium for that.

November 6, 2009 8:22 AM

Mailman on The Doghouse: ADE 651:

This scam reminds me of the "sniffing planes" political scandal that happened in France in the early 1980s.
Some people claimed that had invented a device that you could put inside a plane to detect oil fields just by flying over them.
At the time, a French satirical newspaper coined the term "avions renifleurs" (sniffing planes) and it stuck.

November 6, 2009 8:13 AM

Another Kevin on The Doghouse: ADE 651:

This device might not be effective at detecting explosives, but I cynically suspect that it's a Fourth Amendment defeating device. Have the divining rod alert the cop on the scene, and presto, he has probable cause to conduct an exigent search. It's like a bomb-and-drug-sniffing dog delivering a false alert, only without the dog. Any bets that the US judiciary is scientifically illiterate enough (or biased enough in favour of cops, however corrupt) to go for it?

November 6, 2009 8:11 AM

AlanS on The Doghouse: ADE 651:

@Bruce

"What happened to the days when you can buy a divining rod for $100?"

You can make them yourself. My dad used to use two "L" shaped wire rods made from fencing wire when he was digging out drains. He was a complete skeptic when it came to religion and all sorts of quackery (which the ADE 651 clearly is). What I remember as a child watching him is that it seemed to work although I now read that experiments haven't shown much evidence for it. Anyway, I don't remember him digging out many holes and not finding a drain. Who knows how or why. Most of the people we knew who dowsed were farmers and others whose families had lived on the land for generations (this was in the UK). They were a very pragmatic lot. I guess the question is whether the rods were detecting water or just reflecting their own acute sense of judgment in such matters and local knowledge of where the drains would be located.

November 6, 2009 8:10 AM

Clive Robinson on Friday Squid Blogging: Humboldt Squid in Canada:

@ Bruce,

Off topic but,

Have you looked into the SSL/TLS protocol error issue that hit the news over the past couple of days.

Part of it can be seen at,

http://extendedsubset.com/?p=8

It does not look good as it is a protocol error, it kind of means all SSL/TSL using systems will have to be patched/replaced.

November 6, 2009 8:09 AM

Techowiz on The Doghouse: Sniffex:

The New York Times has published an article saying what we have all been saying for years, that the ADE651 is a total scam, the link is as follows:
http://www.nytimes.com/2009/11/04/world/...
Whilst it mentions the Iraqi Police and Army, it does not mention that the Lebanese Army also bought into this scam.
I bet the Israelis are still laughing to this day, but perhaps not as much as Mr Jim.
regards

November 6, 2009 8:07 AM

Romeo Vitelli on The Doghouse: ADE 651:

"What happened to the days when you can buy a divining rod for $100?"

Buy? The old-style diviners used to whittle the rods from wood that they took from the trees themselves. The idea that the wood was freshly-cut was supposed to have been part of what made dowsing work.

November 6, 2009 7:57 AM

sooth sayer on The Doghouse: ADE 651:

2 Weeks ago on an International TV Channel I heard a Pakistani expert claiming that technology to detect a bomber (in a car) 300-400 meters away was cheaply available. He quoted a price of $15K - He also said that their government was buying it and was only concerned that they didn't have enough trained operators!

Now I know what he was basing his expertise one!

Your tax $'s at work -- BHO just signed a $7.5B Bill for Pakistan.

November 6, 2009 7:52 AM

Arno on The Doghouse: ADE 651:

I wonder why these people do not go to prison for an extended time and have their ill-gotten gains conficscated and returned to the victims...

November 6, 2009 7:43 AM

Rr on The Doghouse: ADE 651:

It's all fun and games until someone loses a life ... plenty of blogs about this type of device, and this wonderful video of what I guess the manufacturers would call 'operator error' (warning, pretty graphic):

http://video.mthai.com/player.php?...

What a joke (except that it's not a funny joke) indeed *sigh*

November 6, 2009 7:41 AM

JH on The Doghouse: ADE 651:

@Joshua not so cheap - they sell for $16,000 to $60,000

November 6, 2009 7:30 AM

Mike W on The Doghouse: ADE 651:

According to this (http://www.prosec.com/docs/ADE651.pdf) it works up to 5000 meters on aircraft, and can detect everything from THC to people. lol what a joke

November 6, 2009 7:26 AM

Joshua on The Doghouse: ADE 651:

Seems like when people go looking for cheap and effective, they often forget the effective part. No doubt this device is much cheaper than maintaining a sufficient number of sniffing dogs. But there's the pesky little fact that sniffing dogs actually find bombs, while these can't except by pure luck.

November 6, 2009 6:16 AM

BF Skinner on Mossad Hacked Syrian Official's Computer:

@how incompetent third world governments are

Yeah, right? Like the laptop left in the backseat of a car while two soliders stopped for a pint. The car which got broken into the laptop which got stolen ... only contained classified war plans during the first Gulf War.

The endless stories of classifed USB drives ending up in the souk in Afghanistan.

The 50,000 odd laptops that go missing in American airports every year (likely some are carrying classified information.
Any security manager can give you more stories of people mishandling classified information.

Glad to know this is all caused by the 3rd world.

I know you don't like to hear this but security is not a technological issue. Indeed instead it is technology that is a security issue.

November 6, 2009 5:22 AM

Clive Robinson on The Problems with Unscientific Security:

@ JonS,

"notes that techniques involving mechanical marks from tools, teeth, etc are very poor."

That is true in that it depends a lot on the materials involved.

However the point I was making is that the testing methods do stand up to the basic requirments of the scientific method in such areas as repeatability etc. The fact that the output has a low level of accuracy is another issue.

In the not to distant past we used blood types, the method of determining them is a well established procedure, the fact that the result tells you very little (unless they don't match) does not effect the scientific credability of the tests.

There are however a number of forensic methods that have so little science behind them they tend to make the Victorian ides of "criminal type ear lobes" look more credable.

Importantly some destroy the evidence they are testing or render the evidence unavailable for other tests. This is highly undesirable as the test results cannot be chalenged in an apropriate manner.

The thing is that in many many court cases the forensic evidence is used as a "show item" to lend unwarented credence to the procedings. The prosecution get away with this as judges generally do not like the word of "expert witnesses" to be called into doubt on "technical argument" as it supposadly confusess the "jury" (though they rarely mention the "judge").

We have seen to many supposed experts use their or somebody elses "pet theory" to find inocent people guilty by suggestion of crimes that if true would be quite appaling and thus get harsh sentancing (death of infants for instance).

November 6, 2009 4:57 AM

Clive Robinson on The Problems with Unscientific Security:

@ Brandioch Conner,

"How can adding additional characters WEAKEN a "very strong" password?

Over and above Boba Fett's example.

It may be the way the measurment is made.

For instance it might be expressing it against the total length of the password.

So say you have a password that contains only what the system thinks are high entropy charecters, if you then add in two 'e' chars you have increased the potential password space quite considerably (say equivalent to adding 13bits) but you have only added maybe 1-1.5 bits of entropy.

After all the most common method of estimating entropy is rated on how frequently a charecter is used. It is therefore possible for a very rarely used char to have more bits of entropy than the number of bits required to represent it.

For instance the tild (~) charecter almost never appears in ordinary plain text so it might appear say once in every 125,000 chars so effectivly is a 1 in 2^17 probability, but actualy only needs 7 bits to represent it.

Which raises the question of how do you measure entropy for passwords.

The first problem with using character frequency is "context" of the sample texts used to colate it.

For instance the forward slash (/) is not common in ordinary english text, but in a well commented C++ program it is very common so would have considerably lower entropy in that context.

In plain text english without capitalisation issues you would find the expression,

EAT ON IRISH LID

an easy way of remembering the order of frequency (some lists sometimes reverse AT or RS depending on the source material and age).

November 6, 2009 1:08 AM

Will on Mossad Hacked Syrian Official's Computer:

@nick:
"Remember the researcher who operated a TOR exit node and intercepted SSL coming from Arab governments? They just click "OK" when they get SSL errors"
This is as backwards as the original 'researcher'. What the researcher saw was hackers accessing hacked accounts across the world using TOR to hide their tracts.
The alternative - that people are using TOR to access things legitimately or that they know enough to use TOR but not enough to understand the messages or implications ... now that I find contradictory.

November 5, 2009 9:53 PM

Arik on Mossad Hacked Syrian Official's Computer:

@bob

http://en.wikipedia.org/wiki/Eli_Cohen

-- Arik

November 5, 2009 8:25 PM

JonS on The Problems with Unscientific Security:

@ Clive Robinson
"... there are some techniques that do stand up to scientific scruitiny such as those involving mechanical marks from tools, teeth ..."

Well, the PM article linked upstream notes that techniques involving mechanical marks from tools, teeth, etc are very poor.

Regards
Jon

November 5, 2009 7:36 PM

Louis Rovner, Ph.D. on The Problems with Unscientific Security:

Several comments here reveal the authors' ignorance of polygraph testing. If a test is done prorperly (i.e. with a single-issue test - preferably the Utah Zone of Comparison Test) accuracy will be somewhere in the mid-90% range. The report of the National Academy of Sciences acknowledges this. Before attacking a useful and scientifically valid technique, people should do a little reading.

Louis Rovner, Ph.D.
PolygraphReality.wordpress.com

November 5, 2009 6:38 PM

pfogg on Mossad Hacked Syrian Official's Computer:

From a distance, displayed with a suitable font, a glance at the title gives you "Moose Hacked Syrian Official's Computer". Which is an attention-grabber, I can tell you.

November 5, 2009 6:04 PM

Steven W on Self-Defense Pen:

Any titanium nibbed fountain pen will do the trick. Never seen the Casino film with Joe Pesci in it? Best of all it is legal as a self defence weapon. you can test it on a can of coke.

November 5, 2009 5:57 PM

Vincent on Mossad Hacked Syrian Official's Computer:

Evil maids are a pita. They've been known to let people in for a $20 bribe to swipe your belongings as well. Clearly the solution here is to kill all of the maids.

November 5, 2009 5:48 PM

NobodySpecial on Mossad Hacked Syrian Official's Computer:

@how incompetent third world governments are

True, good job the US, UK governments are so good at security. I found a USB key in a carpark the other day and was shocked to discover it didn't have confidential data on it.

November 5, 2009 4:55 PM

DC on Mossad Hacked Syrian Official's Computer:

@Henning,
Of course you'd probably be right, and why else need a trojan if not to get data later on?

Or it could be manufactured to protect the real leak, but maybe even both could be true? Mossad is pretty good at this stuff. Or at least they were when I was in the community.

November 5, 2009 4:00 PM

JT on The FBI and Wiretaps:

@ Carlos

Dont expect much from the Obama camp on defending our civil rights.
Pre election:
http://news.cnet.com/8301-10784_3-9845595-7.html
Post election:
http://www.eff.org/deeplinks/2009/04/...

November 5, 2009 3:52 PM

Scorpius on "Evil Maid" Attacks on Encrypted Hard Drives:

Please type "laptop pci keylogger" into google and browse the results.
Ex. http://masbuchin.com/...

All you have to do is to open laptop, insert this card.
Wait and get 1 minute access to laptop later to retrieve card.

I believe TPM would help here.

November 5, 2009 3:39 PM

Brandioch Conner on The Problems with Unscientific Security:

@Boba
"See, much weaker."

No, I don't see that.

You're trying to make the case that adding characters can make a password easier to crack by getting it on a dictionary list.

That would only be the case where the variations in punctuation and capitalization of the dictionary list were FEWER than the variations available in the smaller password.

And on my keyboard I have 94 easily typed characters.

November 5, 2009 3:14 PM

Badtux on Detecting Terrorists by Smelling Fear:

This device sounds a lot like the Iraq bomb detection device (see http://www.nytimes.com/2009/11/04/world/... ). Utter nonsense, in other words. Snake oil, period. The notion that terrorists are any more scared than anybody else (especially with all the headlines about bad airline pilots lately) is a notion that, as far as I know, is utterly unsupported by any scientific data. Someone who believes Allah is going to give him 100 virgins in heaven for blowing up an airliner isn't scared, he's exultant, maybe, eager, but scared? Probably not.

Of course, given the fact that we have only had a handful of terrorist attacks in the past two decades and that the people who perpetrated them are by and large dead, I do suppose it's hard to conduct a scientific study. But this sounds more like a scam based on pseudo-science than anything else.

November 5, 2009 3:02 PM

Mike on The Doghouse: Crypteto:

A million digit combination lock safe made of cardboard is less secure than a three digit combination safe made of steel. TOUAREG should go back to the drawingboard.

November 5, 2009 2:49 PM

nick on Mossad Hacked Syrian Official's Computer:

I don't think you guys understand how incompetent third world governments are when it comes to IT. Remember the researcher who operated a TOR exit node and intercepted SSL coming from Arab governments? They just click "OK" when they get SSL errors; I'm sure they aren't careful with their digital data.

November 5, 2009 2:35 PM

spaceman spiff on Mossad Hacked Syrian Official's Computer:

Even if the system is protected well enough to thwart planting trojans or other spyware on the system, if you have access to the device then it is trivial to make a bit-image copy of the hard drive and decrypt it at your leisure.

November 5, 2009 2:30 PM

bob on Mossad Hacked Syrian Official's Computer:

Or at least a "leak" to divert suspicion from a highly placed humint asset. Wasnt it Syria that Israel infiltrated to like the #3 guy back in the 60s?

November 5, 2009 2:28 PM

Sure... on Mossad Hacked Syrian Official's Computer:

Like such plans would be on a laptop in a foreign hotel, unattended. Sure, I'll believe that.
Sounds more like a 'leak' made up to justify the bombing.

November 5, 2009 2:16 PM

bob on Mossad Hacked Syrian Official's Computer:

While it does not prevent hardware-based attacks, anyone who has something to protect should use a remote access tool booted from a PC, such as this one provided by the government: http://spi.dod.mil/lipose.htm

I use this whenever I login from hotel rooms or libraries or such. Not the fastest thing in the world, since it boots from a CD, but it would prevent evil maids who can't solder from getting your passwords...

November 5, 2009 1:54 PM

Boba Fett on The Problems with Unscientific Security:

@ Brandioch

Strong password:
aR7H.Vade

And adding 2 letters:
DaR7H.Vader

See, much weaker.

November 5, 2009 1:52 PM

Peter on The Problems with Unscientific Security:

@Damian

The question of how to measure strength is an interesting one. But more fundamental is: where is the evidence showing that people with weak passwords are getting hacked?

Password strength and rules is probably the single biggest annoyance for users, and with a proper lockout policy it just doesn't seem necessary. Is there evidence to contradict the view that mediocre passwords are fine if there's no offline attack?

November 5, 2009 1:51 PM

Henning Makholm on Mossad Hacked Syrian Official's Computer:

Bruce: Perhaps that level of detail was not on the laptop at the time it was unguarded. But, perhaps after the laptop returned to returned to Syria and logged on to a trusted network, the trojan could start copying data the official viewed on it.

November 5, 2009 1:37 PM

Bruce Clement on Mossad Hacked Syrian Official's Computer:

What on earth was a laptop containing that kind of detail doing unguarded outside the official's own country?

November 5, 2009 1:34 PM

BF Skinner on Mossad Hacked Syrian Official's Computer:

Law 3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.

The original formulation of Microsoft's 10 immutable laws of security don't seem to have changed much... http://technet.microsoft.com/en-us/magazine/...

But it's why I will always recommend egress blocking port 80.

November 5, 2009 1:29 PM

Arno on Mossad Hacked Syrian Official's Computer:

Really no surprise here. Not even that "officials" cannot be trusted with computers.

November 5, 2009 12:52 PM

Brandioch Conner on The Problems with Unscientific Security:

@Damian
"For example they stablish that www.passwordmeter.com is a good metric, but I say that the quantity of good passwords (of 8 characters) is so small and could be computed fastly."

Interesting site. But has serious problems.

I tried a few of my passwords on it. Initially they were rated as "very strong" (88%)... until I put in two identical characters. At which point they became "very weak". And they finally ended at 0%.

How can adding additional characters WEAKEN a "very strong" password?

November 5, 2009 12:52 PM

BF Skinner on The Problems with Unscientific Security:

@damian "research about password strength metrics."

You might check out "NIST Special Publication 800-63, Electronic Authentication Guideline" Appendix A has an interesting article on estimating password strength based on entropy.

November 5, 2009 12:20 PM

Clive Robinson on The Problems with Unscientific Security:

@ anonymouscrat,

"Forensic science was not developed by scientists. It was mostly created by cops, who were guided by little more than common sense."

Err "common sense" had little to do with it, and it is still abscent in most forensics today.

For instance finger prints, there is little if any science involved (one of the main reasons it's been so hard to computerise) it is at best an 'art' in which a person uses their supposed 'best judgment' to 'offer opinion' to a court on if the distorted ink print of the suspect matches what is usually a partial and likewise distorted pattern of protien and greese that has be "dusted" with aluminium powder or some chemical reagent.

Importantly in most cases the tribunal of truth (the jury) does not see either image in a way they can make judgment as to if they agree with the 'opinion' or not...

More importantly the equipment in use these days is more sensitive than the normaly expected background levels or "noise" so the chances are they will indicate (correctly) that the checmical is present.

But importantly none of the equipment can say how a substance came to be at a scene or on a suspect or their cloths or other posecions.

Again a suposed expert offers an opinion which is usually little more than X contains substance Y and Y was found on the swabs of the suspects hands. It is often expressed in such a way as to make the jury members think X is the most probable source of Y.

For instance a statment such as,

"The swabs taken from the suspects hands showed traces of amonium nitrate. Which indicates the suspect had prior to their arrest handled amonium nitrate. The home made explosives used in the bomb where amonium nitrate based."

Sounds convincing till sombody points out that cured meats such as bacon have fairly high levels of amonium nitrate, and that ordinary house hold cleaning agents when mixed on a cleaning cloth may well produce amonium nitrate, or that it is produced as part of the natural break down of organic materials such as would be found in a garden refuse / compost bin or in animal waste products, oh and many brands of tabbaco product and the papers used to make smokes of various forms.

I suspect that if you tested 100 people at random and swabed their hands that the majority would show positive for amonium nitrate or cocaine or both at the levels of sensitivity the equipment can detect...

Even if all that can be ruled out (which is very doubtful) there is then the issues of cross contamination.

A forensic worker simply coughing may well be enough to cause samples of things they have handled (or smoked) to get into the air and onto the swabs or other items such as clothing.

The fact that something is present at the "scene of the crime" and on the "suspect" does not actually tell you anything other than that. It in no way indicates that the two where ever together. Even in the case of very rare substances all it indicates is that there might be a causal link between the two but not what it is. At low levels it is just as likley to have occured due to a third party or item as it is to have happened by direct contact at the "scene of the crime".

That aside there are some techniques that do stand up to scientific scruitiny such as those involving mechanical marks from tools, teeth and to a lesser extent other objects.

November 5, 2009 12:18 PM

Damian on The Problems with Unscientific Security:

Hi Bruce, I'm so impressed by this phrase:

"In absence of systematic research, users will base their evaluation on data generated by field use. Because people tend to follow heuristics rather than the rules of probability theory, perceived effectiveness can substantially differ from true effectiveness (Tversky & Kahneman, 1973)"

It is exactly what I'm trying to teach to my colleages. And recently we had a bitter discussion on password strength, and I'm wondering if you know some research about password strength metrics.

For example they stablish that www.passwordmeter.com is a good metric, but I say that the quantity of good passwords (of 8 characters) is so small and could be computed fastly.