Schneier on Security
A blog covering security and security technology.
October 2005 Archives
I continue to be impressed by the turnout at this workshop. There are lots of people here whom I haven't seen in a long time. It's like a cryptographers' family reunion.
The afternoon was devoted to cryptanalysis papers. Nothing earth-shattering; a lot of stuff that's real interesting to me and not very exciting to summarize.
The list of papers is here. NIST promises to put the actual papers online, but they make no promises as to when.
Right now there is a panel discussing how secure SHA-256 is. "How likely is SHA-256 to resist attack for the next ten years?" Some think it will be secure for that long, others think it will fall in five years or so. One person pointed out that if SHA-256 lasts ten years, it will be a world record for a hash function. The consensus is that any new hash function needs to last twenty years, though. It really seems unlikely that any hash function will last that long.
But the real issue is whether there will be any practical attacks. No one knows. Certainly there will be new cryptanalytic techniques developed, especially now that hash functions are a newly hot area for research. But will SHA-256 ever have an attack that's faster than 280?
Everyone thinks that SHA-1 with 160 rounds is a safer choice than SHA-256 truncated to 160 bits. The devil you know, I guess.
Niels Ferguson, in a comment from the floor, strongly suggested that NIST publish whatever analysis on SHA-256 it has. Since this is most likely by the NSA and classified, it would be a big deal. But I agree that it's essential for us to fully evaluate the hash function.
Tom Berson, in another comment, suggested that NIST not migrate to a single hash function, but certify multiple alternatives. This has the interesting side effect of forcing the algorithm agility issue. (We had this same debate regarding AES. Negatives are: 1) you're likely to have a system that is as strong as the weakest choice, and 2) industry will hate it.)
If there's a moral out of the first day of this workshop, it's that algorithm agility is an essential feature in any Internet protocol.
In the morning we had a series of interesting papers: "Strengthening Digital Signatures via Randomized Hashing," by Halevi and Krawczyk; "Herding Hash Functions and the Nostradamus Attack," by Kelsey and Kohno; and "Collision-Resistant usage of MD5 and SHA-1 via Message Preprocessing," by Szydlo and Yin. The first and third papers are suggestions for modifying SHA-1 to make it more secure. The second paper discusses some fascinating and cool, but still theoretical, attacks on hash functions.
The last session before lunch was a panel discussion: "SHA-1: Practical Security Implications of Continued Use." The panel stressed that these are collision attacks and not pre-image attacks, and that many protocols simply don't care. Collision attacks are important for digital signatures, but less so for other uses of hash functions. On the other hand, this difference is only understood by cryptographers; there are issues if the public believes that SHA-1 is "broken."
Niels Ferguson pointed out that the big problem is MD5, which is still used everywhere. (Hell, DES is still everywhere.) It takes much longer to upgrade algorithms on the Internet than most people believe; Steve Bellovin says it takes about one year to get the change through the IETF, and another five to seven years to get it depoloyed. And that's after we all figure out which algorithm they should use.
Georg Illies gave a perspective from Germany, where there is a digital-signature law in effect. In addition to the technology, there are legal considerations that make it harder to switch.
The panel seemed to agree that it's still safe to use SHA-1 today, but that we need to start migrating to something better. It's way easier to change algorithms when you're not in the middle of a panic.
There was more talk about algorithm agility. This problem is larger than SHA. Our Internet protocols simply don't have a secure methodology for migrating from one cryptographic algorithm to another.
Bottom line: Don't use SHA-1 for anything new, and start moving away from it as soon as possible. To SHA-256, probably.
And now it's lunchtime.
I'm in Gaithersburg, MD, at the Cryptographic Hash Workshop hosted by NIST. I'm impressed by the turnout; a lot of the right people are here.
Xiaoyun Wang, the cryptographer who broke SHA-1, spoke about her latest results. They are the same results Adi Shamir presented in her name at Crypto this year: a time complexity of 263.
(I first wrote about Wang's results here, and discussed their implications here. I wrote about results from Crypto here. Here are her two papers from Crypto: "Efficient Collision Search Attacks on SHA-0" and "Finding Collisions in the Full SHA-1 Collision Search Attacks on SHA1.")
Steve Bellovin is now talking about the problems associated with upgrading hash functions. He and his coauthor Eric Rescorla looked at S/MIME, TLS, IPSec (and IKE), and DNSSEC. Basically, these protocols can't change algorithms overnight; it has to happen gradually, over the course of years. So the protocols need some secure way to "switch hit": to use both the new and old hash functions during the transition period. This requires some sort of signaling, which the protocols don't do very well. (Bellovin's and Rescorla's paper is here.)
Federal law enforcement attempts to use cell phones as tracking devices were rebuked twice this month by lower court judges, who say the government cannot get real time tracking information on citizens without showing probable cause.
The Copyright Office of the U.S. Library of Congress is conducting its required regular review of the anti-circumvention provisions of the Digital Millennium Copyright Act. Comments can be submitted over the Internet, and are due December 1st.
Here's a security threat I'll bet you never even considered before: convicted felons with large dogs:
The Contra Costa County board of supervisors [in California] unanimously supported on Tuesday prohibiting convicted felons from owning any dog that is aggressive or weighs more than 20 pounds, making it all but certain the proposal will become law when it formally comes before the board for approval Nov. 15.
These are not felons in jail. These are felons who have been released from jail after serving their time. They're allowed to re-enter society, but letting them own a large dog would be just too much of a risk to the community?
A company called Metacharge has rolled out an e-commerce security service in the United Kingdom. For about $2 per name, website operators can verify their customers against the UK Electoral Roll, the British Telecom directory, and a mortality database.
That's not cheap, and the company is mainly targeting customers in high-risk industries, such as online gaming. But the economics behind this system are interesting to examine. They illustrate externalities associated with fraud and identity theft, and why leaving matters to the companies won't fix the problem.
The mortality database is interesting. According to Metacharge, "the fastest growing form of identity theft is not phishing; it is taking the identities of dead people and using them to get credit."
For a website, the economics are straightforward. It costs $2 to verify that a customer is alive. If the probability the customer is actually dead (and therefore fraudulent) times the average losses due to this dead customer is more than $2, this service makes sense. If it is less, then the service doesn't. For example, if dead customers are one in ten thousand, and they cost $15,000 each, then the service is not worth it. If they cost $25,000 each, or if they occur twice as often, then it is worth it.
Imagine now that there is a similar service that identifies identity fraud among living people. The same economic analysis would also hold. But in this case, there's an externality: there is an additional cost of fraud borne by the victim and not by the website. So if fraud using the identity of living customers occurs at a rate of one in ten thousand, and each one costs $15,000 to the website and another $10,000 to the victim, the website will conclude that the service is not worthwhile, even though paying for it is cheaper overall. This is why legislation is needed: to raise the cost of fraud to the websites.
There's another economic trade-off. Websites have two basic opportunities to verify customers using services such as these. The first is when they sign up the customer, and the second is after some kind of non-payment. Most of the damages to the customer occur after the non-payment is referred to a credit bureau, so it would make sense to perform some extra identification checks at that point. It would certainly be cheaper to the website, as far fewer checks would be paid for. But because this second opportunity comes after the website has suffered its losses, it has no real incentive to take advantage of it. Again, economics drives security.
There's a new Australian anti-terrorism law in the works. It includes such things as:
Missouri will track people's movements through their cell phones.
From The New Scientist:
With half a century's experience of listening to feeble radio signals from space, NASA is helping US security services squeeze super-weak bugging data from Earth-bound buildings.
Wow. (If it works, that is.)
Movie-plot threats aren't limited to terrorism. Bird flu is the current movie-plot threat in the medical world:
Just in time for Halloween, the usual yearly ritual of terror by headline is now playing itself out in medical offices everywhere. Last year it revolved around flu shots; a few years ago it was anthrax and smallpox; a few years before that it was the "flesh-eating bacteria"; and before that it was Ebola virus, and Lyme disease and so on back into the distant past. This year it's the avian flu.
Remember when people were seeing terrorist plots under every rock? The same kind of thing is at work here. When something is in the news, people believe it is common. Then they see it everywhere.
Interesting commentary on digital identification cards.
One of the sillier movie-plot threats I've seen recently:
Kentucky has been awarded a federal Homeland Security grant aimed at keeping terrorists from using charitable gaming to raise money.
I've repeatedly said that two-factor authentication won't stop phishing, because the attackers will simply modify their techniques to get around it. Here's an example where that has happened:
Scandinavian bank Nordea was forced to shut down part of its Web banking service for 12 hours last week following a phishing attack that specifically targeted its paper-based one-time password security system.
From F-Secure's blog:
The fake mails were explaining that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).
The Register also has a story.
Two-factor authentication won't stop identity theft, because identity theft is not an authentication problem. It's a transaction-security problem. I've written about that already. Solutions need to address the transactions directly, and my guess is that they'll be a combination of things. Some transactions will become more cumbersome. It will definitely be more cumbersome to get a new credit card. Back-end systems will be put in place to identify fraudulent transaction patterns. Look at credit card security; that's where you're going to find ideas for solutions to this problem.
Unfortunately, until financial institutions are liable for all the losses associated with identity theft, and not just their direct losses, we're not going to see a lot of these solutions. I've written about this before as well.
We got them for credit cards because Congress mandated that the banks were liable for all but the first $50 of fraudulent transactions.
EDITED TO ADD: Here's a related story. The Bank of New Zealand suspended Internet banking because of phishing concerns. Now there's a company that is taking the threat seriously.
Since the Patriot Act was passed, administration officials have repeatedly assured the public and Congress that there have not been improper uses of that law. As recently as April 27, 2005, Attorney General Alberto Gonzales testified that "there has not been one verified case of civil liberties abuse."
Documents obtained by EPIC from the FBI describe thirteen cases of possible misconduct in intelligence investigations. The case numbering suggests that there were at least 153 investigations of misconduct at the FBI in 2003 alone.
These documents reveal that the Intelligence Oversight Board has investigated many instances of alleged abuse, and perhaps most critically, may not have disclosed these facts to the Congressional oversight committees charged with evaluating the Patriot Act.
According to The Washington Post
In one case, FBI agents kept an unidentified target under surveillance for at least five years -- including more than 15 months without notifying Justice Department lawyers after the subject had moved from New York to Detroit. An FBI investigation concluded that the delay was a violation of Justice guidelines and prevented the department "from exercising its responsibility for oversight and approval of an ongoing foreign counterintelligence investigation of a U.S. person."
EPIC received these documents under FOIA, and has written to the Senate Judiciary Committee to urge hearings on the matter, and has recommended that the Attorney General be required to report to Congress when the Intelligence Oversight Board receives allegations of unlawful intelligence investigations.
This week marks the four-year anniversary of the enactment of the Patriot Act. Does anyone feel safer because of it?
EDITED TO ADD: There's a New York Times article on the topic.
This is an interesting (six-month-old) story about a supermarket loyalty program.
Person 1 loses a valuable watch in a supermarket. Person 2 finds it and, instead of returning it as required by law, keeps it. Two years later, he brings it in for repair. The repairman checks the serial number against a lost/stolen database. Person 2 doesn't admit he found the watch, but instead claims that he bought it in some sort of used watch store. The police check the loyalty-program records from the supermarket and find that Person 2 was in the supermarket within hours of when Person 1 said he lost the watch.
EDITED TO ADD: Earlier confusion about video surveillance fixed, and two comments pointing out the error deleted. Thank you.
An absolutely great story about phantom ATM withdrawals and British banking from the early 90s. (The story is from the early 90s; it has just become public now.) Read how a very brittle security system, coupled with banks using the legal system to avoid fixing the problem, resulted in lots of innocent people losing money to phantom withdrawals. Read how lucky everyone was that the catastrophic security problem was never discovered by criminals. It's an amazing story.
See also Ross Anderson's page on phantom withdrawals.
Oh, and Alistair Kelman assures me that he did not charge 1,750 pounds per hour, only 450 pounds per hour.
A zombie-preparedness study, commissioned by Pittsburgh Mayor Tom Murphy and released Monday, indicates that the city could easily succumb to a devastating zombie attack. Insufficient emergency-management-personnel training and poorly conceived undead-defense measures have left the city at great risk for all-out destruction at the hands of the living dead, according to the Zombie Preparedness Institute.
From The Onion, of course.
Weird and amusing tour of U.S. government security awareness posters.
Password Safe is my freeware program to help you manage all the passwords you're expected to remember.
There's a nice article in The Washington Post about it.
This is just a lovely essay. Very subtle.
Our surveillance society marches on:
Commercial burglaries have risen in Corona in the past few years. At the same time, security-camera technology has improved, allowing business owners to use Web sites to view their shops or offices from home or while on a trip.
How soon before there's a law requiring these webcams to be built with a police backdoor?
A simply horrible lead sentence in a Manila Times story:
If you see a man aged 17 to 35, wearing a ball cap, carrying a backpack, clutching a cellular phone and acting uneasily, chances are he is a terrorist.
Let's see: Approximately 4.5 million people use the New York City subway every day. Assume that the above profile fits 1% of them. Does that mean that there are 25,000 terrorists riding the New York City subways every single day? Seems unlikely.
The rest of the article gets better, but still....
At least that is how the National Capital Regional Police Office (NCRPO) has "profiled" a terrorist.
My fourth column for Wired discusses liability for software vulnerabilities. Howard Schmidt argued that individual programmers should be liable for vulnerabilities in their code. (There's a Slashdot thread on Schmidt's comments.) I say that it should be the software vendors that should be liable, not the individual programmers.
Click on the essay for the whole argument, but here's the critical point:
If end users can sue software manufacturers for product defects, then the cost of those defects to the software manufacturers rises. Manufacturers are now paying the true economic cost for poor software, and not just a piece of it. So when they're balancing the cost of making their software secure versus the cost of leaving their software insecure, there are more costs on the latter side. This will provide an incentive for them to make their software more secure.
EDITED TO ADD: Dan Farber has a good commentary on my essay. He says I got Schmidt wrong, that Schmidt wants programmers to be accountable but not liable. Be that as it may, I still think that making software vendors liable is a good idea.
There has been some confusion about this in the comments, that somehow this means that software vendors will be expected to achieve perfection and that they will be 100% liable for anything short of that. Clearly that's ridiculous, and that's not the way liabilities work. But equally ridiculous is the notion that software vendors should be 0% liable for defects. Somewhere in the middle there is a reasonable amount of liablity, and that's what I want the courts to figure out.
EDITED TO ADD: Howard Schmidt writes: "It is unfortunate that my comments were reported inaccurately; at least Dan Farber has been trying to correct the inaccurate reports with his blog. I do not support PERSONAL LIABILITY for the developers NOR do I support liability against vendors. Vendors are nothing more then people (employees included) and anything against them hurts the very people who need to be given better tools, training and support."
Howard wrote an essay on the topic.
Two-factor authentication is coming to U.S. banks:
Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Here's more details.
This won't help. It'll change the tactics of the criminals, but won't make them go away. I've written about that already (the short version is that two-factor authentication won't mitigate identity theft, because it's not an authentication problem -- it's a problem with fraudulent transactions), and also about what will solve the problem.
With her year-round tan, long blonde hair and designer clothes, Sally Cameron does not look like a threat to national security.
And also to prevent people from taking pictures of motorways:
A Hampshire student was stopped and warned by police under new anti-terror laws -- for taking pictures of the M3.
I get that terrorism is the threat of the moment, and that all sorts of government actions are being justified with terrorism. But this is ridiculous.
Many color laser printers embed secret information in every page they print, basically to identify you by. Here, the EFF has cracked the code of the Xerox DocuColor series of printers.
The DocuColor series prints a rectangular grid of 15 by 8 miniscule yellow dots on every color page. The same grid is printed repeatedly over the entire page, but the repetitions of the grid are offset slightly from one another so that each grid is separated from the others. The grid is printed parallel to the edges of the page, and the offset of the grid from the edges of the page seems to vary. These dots encode up to 14 7-bit bytes of tracking information, plus row and column parity for error correction. Typically, about four of these bytes were unused (depending on printer model), giving 10 bytes of useful data. Below, we explain how to extract serial number, date, and time from these dots. Following the explanation, we implement the decoding process in an interactive computer program.
EDITED TO ADD: News story here.
EDITED TO ADD: And another.
After Italy passed a new antiterrorism package in July, authorities ordered managers offering public communications services, like Mr. Savoni,to make passport photocopies of every customer seeking to use the Internet, phone, or fax.
Here's a phishing scam using an SMS message and a telephone call.
"Mass spectrometry is one of the most sensitive methods for finding drugs, chemicals, pollutants and disease, but the problem is that you have to extract a sample and treat that sample before you can analyze it," said Evan Williams, a chemistry professor at UC Berkeley.
As this kind of technology gets better, the problems of false alarms becomes greater. We already know that a large percentage of U.S. currency bears traces of cocaine, but can a low-budget terrorist close down an airport by spraying trace chemicals randomly at passengers' luggage when they're not looking?
Reuters on the trade-offs of Real ID:
Nobody yet knows how much the Real ID Act will cost to implement or how much money Congress will provide for it. The state of Washington, which has done the most thorough cost analysis, put the bill in that state alone at $97 million in the first two years and believes it will have to raise the price of a driver's license to $58 from $25.
Why does Reuters think that a better ID card will protect against identity theft? The problem with identity theft isn't that ID cards are forgeable, it's that financial institutions don't check them before authorizing transactions.
Boston Globe editorial on RFID and privacy:
It's one of the cutest of those cute IBM Corp. TV commercials, the ones that feature the ever-present help desk. This time, the desk appears smack in the middle of a highway, blocking the path of a big rig.
There's a Slashdot thread on the topic.
I recently performed a rather long reversing session on a piece of software written by Blizzard Entertainment, yes -- the ones who made Warcraft, and World of Warcraft (which has 4.5 million+ players now, apparently). This software is known as the 'warden client' -- its written like shellcode in that it's position independent. It is downloaded on the fly from Blizzard's servers, and it runs about every 15 seconds. It is one of the most interesting pieces of spyware to date, because it is designed only to verify compliance with a EULA/TOS. Here is what it does, about every 15 seconds, to about 4.5 million people (500,000 of which are logged on at any given time):
EDITED TO ADD: Blizzard responds. See also here. Several commenters say that this is no big deal. I think that a program that does all of this without the knowledge or consent of the user is a big deal. This is a program designed to spy on the user and report back to Blizzard. It's pretty benign, but the next company who does this may be less so. It definitely counts as spyware.
EDITED TO ADD: This is a great post by EFF on the topic.
EDITED TO ADD: BBC has an article on the topic.
There are two bills in Congress that would grant the Pentagon greater rights to spy on Americans in the U.S.:
The Pentagon would be granted new powers to conduct undercover intelligence gathering inside the United States -- and then withhold any information about it from the public -- under a series of little noticed provisions now winding their way through Congress.
Congress is talking -- it's just talking, but at least it's talking -- about giving tax breaks to companies with good cybersecurity.
The devil is in the details, and this could be a meaningless handout, but the idea is sound. Rational companies are going to protect their assets only up to their value to that company. The problem is that many of the security risks to digital assets are not risks to the company who owns them. This is an externality. So if we all need a company to protect its digital assets to some higher level, then we need to pay for that extra protection. (At least we do in a capitalist society.) We can pay through regulation or liabilities, which translates to higher prices for whatever the company does. We can pay through directly funding that extra security, either by writing a check or reducing taxes. But we can't expect a company to spend the extra money out of the goodness of its heart.
Great crime story:
An ingenious fraudster is believed to be sunning himself on a beach after persuading leading banks to pay him more than €5 million (£3.5 million) in the belief that he was a secret service agent engaged in the fight against terrorist money-laundering.
Moral: Security is a people problem, not a technology problem
EPIC has information here, mostly on Walt Disney World.
EDITED TO ADD: Disneyworld scans hand geometry, not fingerprints.
This is a great example of a movie-plot threat.
A terrorist plot to attack the subways with bomb-laden baby carriages and briefcases -- the most specific threat ever made against the city -- triggered a massive security crackdown yesterday.
This is not to say that there isn't a real plot that was uncovered, but the specificity of the threat seems a bit ridiculous.
And if we ban baby carriages from the subways, and the terrorists put their bombs in duffel bags instead, have we really won anything?
EDITED TO ADD: The threat was a hoax.
In any security system, it's important to understand who the attacker is and who the defender is. In digital-media copy protection (usually called Digital Rights Management), it can get complicated.
The music industry has been selling the technology to everyone -- Congress, the public -- by claiming that they're defending the rights of musicians. But more and more musicians are realizing that their interests are better served by freely copyable music.
Now, in the most bizarre turn yet in the record industry's piracy struggles, stars Dave Matthews Band, Foo Fighters and Switchfoot -- and even Sony BMG, when the label gets complaints -- are telling fans how they can beat the system.
Read the whole article.
Walter Wolfgang, an 82-year-old political veteran, was forcefully removed from the UK Labour party conference for calling a speaker, Jack Straw, a liar. (Opinions on whether Jack Straw is or is not a liar are irrelevant here.) He was later denied access to the conference on basis of anti-terror laws. Keep in mind that as recently as the 1980s, Labour Party conferences were heated affairs compared with today's media shows.
From The London Times:
A police spokeswoman said that Mr Wolfgang had not been arrested but detained because his security accreditation had been cancelled by Labour officials when he was ejected. She said: "The delegate asked the police officer what powers he was using. The police officer responded that he was using his powers under Section 44 of the Terrorism Act to confirm the delegate's details."
More than 600 people were detained under the Terrorism Act during the Labour party conference, it was reported yesterday.
The Boston Transportation Department, among other duties, hands out parking tickets. If a car has too many unpaid parking tickets, the BTD will lock a
The white SUV in this photo is owned by the Boston Transportation Department. Its job is to locate cars that need to be booted. The two video cameras on top of the vehicle are hooked up to a laptop computer running license plate scanning software. The vehicle drives around the city scanning plates and comparing them with the database of unpaid parking tickets. When a match is found, the BTD officers jump out and boot the offending car. You can sort of see the boot on the front right wheel of the car behind the SUV in the photo.
This is the kind of thing I call "wholesale surveillance," and I've written about license plate scanners in that regard last year.
Technology is fundamentally changing the nature of surveillance. Years ago, surveillance meant trench-coated detectives following people down streets. It was laborious and expensive, and was only used when there was reasonable suspicion of a crime. Modern surveillance is the policeman with a license-plate scanner, or even a remote license-plate scanner mounted on a traffic light and a policeman sitting at a computer in the station. It's the same, but it's completely different. It's wholesale surveillance.
The Boston Globe has written about this program.
Richard M. Smith, who took this photo, made a public request to the BTD last summer for the database of scanned license plate numbers that is being collected by this vehicle. The BTD told him at the time that the database is not a public record, because the database is owned by AutoVu, the Canadian company that makes the license plate scanner software used in the vehicle. This software is being "loaned" to the City of Boston as part of a "beta" test program.
Anyone doubt that AutoVu is going to sell this data to a company like ChoicePoint?
This is a clever piece of research. Turns out you can jam cell phones with SMS messages. Text messages are transmitted on the same channel that is used to set up voice calls, so if you flood the network with one, then the other can't happen. The researchers believe that sending 165 text messages a second is enough to disrupt all the cell phones in Manhattan.
From the paper:
ABSTRACT: Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available to medium-sized zombie networks. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.
My third Wired column is on line. It's about phishing.
Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets.
EDITED TO ADD: There's a discussion on Slashdot.
RFID car keys (subscription required) are becoming more popular. Since these devices broadcast a unique serial number, it's only a matter of time before a significant percentage of the population can be tracked with them.
Lexus has made what it calls the "SmartAccess" keyless-entry system standard on its new IS sedans, designed to compete with German cars like the BMW 3 series or the Audi A4, as well as rivals such as the Infiniti G35 or the U.S.-made Cadillac CTS. BMW offers what it calls "keyless go" as an option on the new 3 series, and on its higher-priced 5, 6 and 7 series sedans.
Cryptography can be used to make these devices anonymous, but there's no business reason for automobile manufacturers to field such a system. Once again, the economic barriers to security are far greater than the technical ones.
Windows OneCare is the next-generation pervasive security program that will be part of Microsoft Windows. I know nothing about it. Does anyone have any comments or opinions?
And the current rumor is that Ballmer and Nash are speaking at a Microsoft event in Munich. They're supposedly outlining Microsoft's security roadmap. Anyone have any inside information?
We are all more secure because everyone goes through airport screening, and there's no automatic white list.
Do you think we should tell these people that SHA-1 is not an encryption algorithm?
Developed by Lexar, the new security solution is based on a 160-bit encryption technology and uses SHA-1 (Secure Hash Algorithm), a standard approved by the National Institute of Standards and Technology (NIST). The 160-bit encryption technology is among the most effective and widely accepted security solutions available.
This seems not to be a typo. They explain themselves in more detail here:
Lexar has provided us with the following explanation as to how data is protected on the LockTight cards: (we understand that the encryption is carried out on the communications layer between the card and camera/computer rather than the data itself).
An engineer made public a flaw in a computer chip used in the Airbus A380 aircraft. The resultant cover-up is, sadly, predictable.
Powered by Movable Type. Photo at top by Per Ervland.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.