Friday Squid Blogging: Squid Desk Lamp

Beautiful sculpture.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 17, 2012 at 4:37 PM • 33 Comments

Comments

Paul • February 17, 2012 5:16 PM

I'm assuming you know the "drunk squid wants to fight you" image? If not, just google it. I'll never hang my coat or jacket without thinking of that one...

Brandon • February 17, 2012 5:22 PM

If the hacker group Anonymous is to be believed, one Middle Eastern dictator's email password is "12345" ... or it was, until they decided to share much of his (and his staff's) email with the world. Can this really be true?

Thunderbird • February 17, 2012 5:33 PM

I'm assuming you know the "drunk squid wants to fight you" image? If not, just google it. I'll never hang my coat or jacket without thinking of that one...
To save others the problems of finding it, I'll note it appears to be "drunken octopus" instead of "drunken squid." And you're right--it sure will always be in my mind when I see one again.

NobodySpecial • February 17, 2012 5:40 PM

1-2-3-4-5? That's the stupidest combination I've ever heard of in my life!
That's the kinda thing an idiot would have on his luggage!

Steve • February 17, 2012 6:04 PM

How long do you think it will be before Governments/courts start doing password bounties?

Is there something preventing them from doing this?

Such as password reuse, which will cause problems for the person, or sensitive information in the password, like it could contain an SS#?

Since all you need is the header/parts of the encrypted data those can be given out and anyone can try to crack it. Speaking of... is there any software that hides where the "header" is depending on the password?

Daniel • February 17, 2012 7:20 PM

The NYT has an article called "How Companies Learn Your Secrets". The short answer seems by bribing, manipulating, and lying to you. But the article takes six web pages to say that, presumably to up the page views for the NYT advertisers.

http://www.nytimes.com/2012/02/19/magazine/...

The LA times has an update on the use of drones in US airspace. Basically they will be able to fly where they want when they want without any non-military oversight.

http://www.latimes.com/business/...

The International Federation of the Phonographic Industry's annual report on the music industry has interesting data both on the amount of piracy taking place and music industry efforts to combat it (second half of .pdf)

http://ifpi.com/content/library/...

A blog reader • February 18, 2012 12:06 AM

To protect children, "intensive parenting" (with lots of oversight and restrictions imposed by parents) may not always lead to increased safety and security, and many persons may not be experts at risk assessment. Lenore Skenazy at FreeRangeKids talked about the issue of parents being essentially forced to practice "intensive parenting" due to the possibility of otherwise being charged with child abuse/neglect. Law professor David Pimentel mentioned such factors as media attention towards unusual but spectacular risks, and that this could contribute to prosecutors and jurors coming to view excessively protective and sheltered child-raising as the "legal standard of care."

In other news, the US Justice Department failed for some years to provide Congress with certain records concerning the usage of pen-register/trap-and-trace telephone surveillance. (Also, there was the issue of Congress failing to take action.) On the upcoming Mountain Lion version of the Mac OS X platform, the Gatekeeper technology may disallow the running of applications that are not digitally signed, though users can configure the system to allow unsigned applications.

Daniel • February 18, 2012 1:44 AM

A few weeks ago I linked to an article about a new device that could process a DNA sequence in a day and speculated that we would see that time cut in half within five years (IIRC).

My bad.

It took one month and we are now down to fifteen minutes in a unit the size of a thumb drive.

http://www.bloomberg.com/news/2012-02-17/...

More technical details here:

http://omicsomics.blogspot.com/2012/02/...

So now I'll say that within five years every beat cop and squad car will have one, and within a decade your DNA will be encoded on your driver's license.

A Nonny Bunny • February 18, 2012 3:31 AM

@Daniel,
15 minutes is only for very short gene sequences. To sequence the whole genome of a person that device would take 6 hours. And it's currently not able to do that, they're still working on the version that can.

NobodySpecial • February 18, 2012 11:21 AM

DNA matches don't match the whole sequence. It would be rather pointless anyway since we share rather a lot of our DNA with other individuals (and species) - so they use short sequences of non-coding DNA.

In theory since this DNA doesn't code for any vital function it is more random. In practice if you are from a small genetic population it can be very non-random.

Of course - courts, prosecutors and police are very careful to explain the difference between population and sample statistics to a jury, and most juries are highly expert in Bayesian statistical techniques.

Petréa Mitchell • February 18, 2012 11:25 PM

There have been several stories over the last few months about the NYPD becoming so paranoid about Muslim terrorists that it's been getting itself military weapons, inviting anti-Islamic fringe "experts" in to give training sessions, working with the CIA to monitor Muslims without cause all over the city, and possibly stepping into the FBI and CIA's jurisdiction through its own efforts.

Well, the cherry on the top of the WTF sundae is that the AP has now found it displaying no regard for its geographical jurisdiction either.

Clive Robinson • February 19, 2012 2:51 AM

OFF Topic:

Of historic interest is John Nash's (he of the "A Beautiful Mind" biography/film) letter to the NSA shortly after they were formed. It predicted several advances in the mathematical outlook in cryptography as much as a quarter of a century before they became common in the public cryptographic world.

http://agtb.wordpress.com/2012/02/17/...

Petréa Mitchell • February 19, 2012 9:43 AM

As an addendum to the NYPD article, my SO adds that it already has an established record of operating even further outside its geographical boundaries. Here's an article on a gun-buying sting in Arizona last year, part of a nationwide operation going back to at least 2006.

Not only was this done without the knowledge of the local authorities or the ATF, the alleged illegal sales are not, according to the ATF agent quoted, actually illegal. The mayor of NYC claims the sting operation broke no laws since the people who actually went to the gun show to perform the sting were all residents of Arizona.

Vles • February 19, 2012 10:06 AM

No reporter seems to have asked any questions regarding anything remotely like security.

What about them being implanted against your will or without you being aware?

Anonymouse • February 19, 2012 2:05 PM

Looks like the English are going hell for leather towards 1984.

http://www.telegraph.co.uk/technology/internet/...

It's claimed "Direct messages between subscribers to websites such as Twitter would also be stored, as well as communications between players in online video games."
Anyone care to comment on the feasibility of cracking SSL on this scale? What about breaking DNSSEC?
And how are they going to decode every web site's protocol to extract the message?

The trade-offs probably warrant their own article from Bruce :-)

Clive Robinson • February 19, 2012 2:35 PM

@ Anonymouse,

Looks like the English are going hell for leather towards 1984

It's a bit more complicated than it first appears.

First off it needs to be said that the "torygraph" is so far right of center even the US "tea baggers" think it's run by people so right wing they would be embarrassed to be seen in their company.

Also the UK did not think this up by itself; it comes from an EU Directive... Which it is rumoured was formulated by Ms Merkel's friends to get around the restraint of German privacy laws brought in many years ago to stop a repeat of dictatorships like the "National Socialist Party" (Nazis and their ilk to the rest of us).

However they say things come "full circle" and in this case the "torygraph's" hate for all things EU has taken it so far right of center it's crossed the political "international dateline" and thus appears in this case to be well to the left of "the loony left"...

Anonymouse • February 19, 2012 3:31 PM

@Clive Robinson
This goes well beyond the needs of the EU retention directive (nasty as it is) and well beyond what *any other democracy in the world* feels is needed.
Hell, we didn't even need this when the IRA terrorists were actually *blowing people up every month*.

Richard Birenheide • February 20, 2012 2:16 AM

@Nathanel L.
Only the key is encrypted homomorphically, if I understand the website correctly. Data processing is still being done at the customer site. More interesting would be homomorphic encryption which allows processing masses of encrypted data (in the cloud).

karrde • February 20, 2012 7:13 AM

This is not the kind of news-story I normally pay attention to, but was forwarded to me by an old acquaintance with a note about information leakage.

http://www.forbes.com/sites/kashmirhill/2012/02/...

This could be viewed as one of the side effects of Big Data. Lots of large corporations collect data automatically, especially corporations selling items to customers.

Thus, a store like Target has the ability to see purchasing patterns associated with large, life-changing events. And it's very hard for a customer to hide this data.

I wonder if Target (or other stores) attempt to track the pay-with-cash-only customers and assign them unique, persistent IDs.

LinkTheValiant • February 21, 2012 8:23 AM

I wonder if Target (or other stores) attempt to track the pay-with-cash-only customers and assign them unique, persistent IDs.

Of course they do. This is what customer loyalty cards are for. I'm not sure what other "non-intrusive" measures are possible to track cash customers though. But most cash customers use cash for financial reasons rather than privacy (so far as I know), so unless the customer is at least minimally paranoid, stores won't have too much trouble implementing new tracking methods.
