Schneier on Security
A blog covering security and security technology.
October 1, 2004
Last month I wrote: "Long and interesting review of Windows XP SP2, including a list of missed opportunities for increased security. Worth reading: The Register." Be sure you read this follow-up as well:
Interesting essay on the psychology of terrorist alerts:
Encrypted e-mail client for the Treo:
The Honeynet Project is publishing a bi-annual CD-ROM and newsletter. If you're involved in honeynets, it's definitely worth getting. And even if you're not, it's worth supporting this endeavor.
CIO Magazine has published a survey of corporate information security. I have some issues with the survey, but it's worth reading.
At the Illinois State Capitol, someone shot an unarmed security guard and fled. The security upgrade after the incident is -- get ready -- to change the building admittance policy from a "check IDs" procedure to a "sign in" procedure. First off, identity checking does not increase security. And secondly, why do they think that an attacker would be willing to forge/steal an identification card, but would be unwilling to sign their name on a clipboard?
Security story about the U.S. embassy in New Zealand. It's a good lesson about the pitfalls of not thinking beyond the immediate problem.
The future of worms:
Teacher arrested after a bookmark is called a concealed weapon:
Seems you can open Kryptonite bicycle locks with the cap from a plastic pen. The attack works on what locksmiths call the "impressioning" principle. Tubular locks are especially vulnerable to this because all the pins are exposed, and tools that require little skill to use can be relatively unsophisticated. There have been commercial locksmithing products to do this to circular locks for a long time. Once you get the feel for how to do it, it's pretty easy. I find Kryptonite's proposed solution -- swapping for a smaller diameter lock so a particular brand of pen won't work -- to be especially amusing.
I often talk about how most firewalls are ineffective because they're not configured properly. Here's some research on firewall configuration:
Reading RFID tags from three feet away:
AOL is offering two-factor authentication services. It's not free: $10 plus $2 per month. It's an RSA Security token, with a number that changes every 60 seconds.
Counter-terrorism has its own snake oil:
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.