Schneier on Security
A blog covering security and security technology.
June 28, 2013
Friday Squid Blogging: Man Pulled Under by Squids
Video story on Animal Planet.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Posted on June 28, 2013 at 4:07 PM
Somewhat relevant to the paranoia we live in today
"A Texas teenager has been jailed since March 27 over comments he made on Facebook after playing a League of Legends match. In February, an argument 18-year-old Justin Carter had with another League of Legends player spilled onto Facebook, where Carter made a comment referencing a school shooting."
Rather more chillingly he was charged with "terrorism" so is still in jail - no bail for terrorists of course.
How long before a parking ticket is "terrorism"?
1) Don't make threats you aren't going to follow through on.
2) Assume that others will assume the above.
3) Expect to be punished. Especially in today's day & age.
>Don't make threats
You would hope a grown-up govt would understand the difference between quoting a Clash song and ordering a terrorist attack
How long will it be before companies review their confidentiality agreements and their ability to enforce or insure their purpose? I see a whole host of information disclosure problems under current contractual law. Especially problematic is the issue of due diligence given what is known about the art. Partnerships, memorandums of understanding, or even rules of contractual engagement. If I am a company executive guaranteeing the propriety and sensitivity respecting the care of some "data" or information that has crossed a telephone line or an ISP/NAP gateway--the answer today is all bets are off. Better call your legal department before signing any contract today or in the future.
Yeah, all federal agents are lyrics geeks for 80s bands.
Point stands. Don't do it. It's serious business. "I was only joking" is no excuse. (Assuming the cretin was actually joking in the first place, and not desperately searching for an out after getting caught.) Because the first time the "joke" is assumed to be a joke, or a Clash song, or whatever, and it *isn't* a joke, and people get killed, then what? Laugh it off?
then what? Laugh it off?
--No more people get killed, time & resources wasted, trust is shattered, more lives ruined, humanity will suffer in the long term.
The police are out of control, even my dad (who normally argues against me) is beginning to think a revolution may be brewing. Not a fucking joke.
snake, i don't believe you should serve an 8-year prison sentence for saying something stupid. humans say stupid, irrational, horrible stuff all the time, and when they realize it, they usually say, "just kidding", just like he did. the only difference is that now, humans do a lot of their living on facebook. should he be charged with the same crime if he says the same thing to a friend out loud and someone happens to overhear him?
also, calling an 18-year-old a "cretin" is ridiculous and childish. you were undoubtedly an idiot at 18, just like me, just like him. if you can't realize this i think this speaks to your level of self-awareness.
can't edit, so double posting -
don't get me wrong, what he did was very stupid and is indeed a huge red flag. but the situation can be handled better than giving an 18-year-old an 8-year prison sentence. this is PRISON we're talking about and he's an 18-year-old gamer. the reality is that he will get victimized until he either requests PC (after getting beaten/raped), decides to become some convict's wife, learns to victimize others to defend himself (possibly getting killed in the process), or kills himself. for saying something dumb on the internet.
Can't wait for the next church congregation singing "Onward Christian Soldiers" - presumably that will result in a cruise missile strike
As reported by the Guardian this week, article on the snooper's charter in the UK. Doesn't have a snowball's chance in purgatory, by Alan Travis.
Quote from EU advisor Caspar Bowden
He said the disclosures had serious implications for the corporate and individual stampede towards the use of "cloud computing" storage, much of which was housed in the US. He said that there was a real danger now that Britain would be left in an exposed position, with the rest of Europe not willing to allow their data to be stored through the UK. "Keep your cloudbase close and local and keep it in your jurisdiction," he said, adding that encryption was very limited as a defence.
Additionally he added:
Bowden, who has worked as an adviser to the EU on its new data protection directive, which has yet to come into force principally because of British opposition, said he had secured an amendment giving protection for whistleblowers.
He had also argued for a warning "pop-up" to be required when data was being transferred outside the EU's borders.
"1) Don't make threats you aren't going to follow through on."
I'm gonna blow up the planet you live on and scatter its ashes on the moons of Jupiter.
"Because the first time the "joke" is assumed to be a joke, or a Clash song, or whatever, and it *isn't* a joke, and people get killed, then what? Laugh it off?"
Then we consider that maybe, just maybe, it's worth the other 99999 times that you didn't waste people's time, money, life, liberty etc.
Security at all costs is no security at all. It just costs you everything and you're still left insecure, cause that's life. One has to strike a reasonable balance between costs and benefit, even if these are measured (in part) in lives.
"Security at all costs is no security at all. It just costs you everything and you're still left insecure, cause that's life. One has to strike a reasonable balance between costs and benefit, even if these are measured (in part) in lives." (a nonny bunny)
Well said. I'll add that anything we do should consider human nature. It's human nature to joke around with threats, one up people, form cliques, etc. Whether or not another group likes it, the behavior should be allowed if it's not harmful and paranoid reactions minimized. Simply put, people are going to be people. People are also going to behave in nonconformist ways at times. Good and bad has come of this in the past. Denying opportunity for one denies opportunity for the other. This country wouldn't even exist had British security mongers had their way.
So, those worried about their "security" need to stop trying to control people in every way and just deal with those who cross the line causing real harm.
Spotted in a compilation of tweets tagged #overlyhonestmethods-- science meets national security:
"Reagent became unavailable in 2002 because nobody wanted to order more and risk being added to terrorist watchlists."
"The samples incubated at room temperature in a remote border customs office for 5 months."
Regarding the Facebook comment by Justin Carter who was jailed after this:
Act and punishment look way out of proportion to me.
The following words attributed to Cardinal Richelieu are frightening given the ubiquitous surveillance of today:
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
Presumed innocent has become history.
> you were undoubtedly an idiot at 18, just like me, just
> like him. if you can't realize this i think this speaks to your
> level of self-awareness.
When I was 18 I was legally an adult, had a job, residence, and car, and voted in a Presidential election.
Perhaps we had higher expectations of maturity in the 1970s.
"adding that encryption was very limited as a defence."
Could minds more enlightened than mine explain why this is so in the context of cloud computing other than the generic "well, everything has its limitations"? Generally speaking, encryption is a strong defense not a limited one, assuming that one encrypts the data before storing it in the cloud.
Is the theory that once the encrypted data is stored in the cloud the NSA could copy it and then go to work on it at their leisure rather than having to seize it from the more traditional hard drive? That seems rather implausible to me.
I don't get it. How does storing an encrypted document in the cloud make it all of a sudden limited?
To my surprise, when I encrypt documents using Microsoft Word the file also contains the salt. Isn't this problematic? Hope someone on this blog can clear this up for me.
I'm surprised this hasn't been mentioned before - a major security flaw was found in GNU (this is why Open is good) ZRTPCPP, and has been fixed 6 days ago.
If you haven't heard of the library perhaps you've heard of applications that use it.
Some of the Ostel clients (they use CSipSimple)
Anything using the GNU ccRTP with ZRTP enabled
Three flaws were discovered during an audit by Mark Dowd (Azimuth Security).
Kudos to the maintainer/co-author, Werner Dittmann, for rapidly fixing them. Likewise Phil Zimmermann of Silent Circle (also one of the original developers of the library).
SilentCircle has been updated, see Google and Apple's app-stores.
n.w.f.o.r. The salt is always publicly available, it's not a secret. Its purpose is to add entropy to the password to prevent the use of pre-calculated hash tables.
I don't get it. How does storing an encrypted document in the cloud make it all of a sudden limited?
As Dirk indicated it has been discussed in numerous ways in the past on this blog. However it all boils down to what is behind the expression "Data at Rest" and the implications that are not immediately obvious.
Put simply, encryption/decryption that is NOT:
1. Fully isolated from external networks.
2. Fully under your control.
is open to one or more attacks which range from weaknesses in specifications, protocols and implementations.
As Bruce and others have pointed out before, an algorithm might be deemed secure (enough for use) but most implementations are not. For instance, right from day one the majority of AES implementations were insecure, simply because the NSA/NIST organised competition was in effect rigged, in that example code showing "efficient use" had to be supplied FOC as part of the competition.
The result was AES code on the NIST web site was optimised for speed not security; the "efficiency" had negatively affected security via a time based side channel that could be used to leak key information either local to the CPU or, considerably worse, to another machine connected to the same network.
This efficient code was copied as the NSA well knew it would be into just about every implementation and code library and many implementations are many years later still riddled with such issues.
Thus you would be very ill advised to do encryption or decryption on any computer that is connected directly or indirectly to a network private or public.
Then there is the thorny issue of what is and is not random, in the way of numbers used for encryption keys and nonces used in various protocols and standards. Most people do not know the difference between a True Random Number Generator (TRNG), a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) and most of the other Random Number Generators out there. Even those that are aware of the difference are often not aware of many of the implications of the "care and feeding of such beasts".
Security is both very hard and in many respects ephemeral, and as Bruce has famously ;-) noted "attacks only improve with time".
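The distinction between generators drawn in the comment above, as an added example that is not from the post or the commenter: a general-purpose PRNG such as Python's Mersenne Twister is entirely determined by its seed, so two instances seeded alike produce the same "key" byte for byte, whereas the OS-backed CSPRNG exposed through `secrets` has no caller-visible seed to reproduce. The block also keeps a register of nonces seen under one key, since a repeated nonce is the failure mode the "care and feeding" remark points at. Key and nonce sizes are constructed for the demonstration.

```python
import random
import secrets

# Constructed sizes for the demo (typical for a 256-bit key / 96-bit nonce).
KEY_BYTES = 32
NONCE_BYTES = 12


def weak_key(seed: int, nbytes: int = KEY_BYTES) -> bytes:
    """Key material from a general-purpose PRNG (Mersenne Twister).

    Everything it emits is a function of the seed, so whoever can guess or
    observe the seed can regenerate the key. Shown here only to contrast."""
    return random.Random(seed).randbytes(nbytes)


def strong_key(nbytes: int = KEY_BYTES) -> bytes:
    """Key material from the OS CSPRNG (getrandom/CryptGenRandom behind secrets)."""
    return secrets.token_bytes(nbytes)


def prng_is_reproducible(seed: int = 20130628) -> bool:
    """Two generators with the same seed yield identical 'keys'."""
    return weak_key(seed) == weak_key(seed)


def csprng_is_fresh() -> bool:
    """Consecutive CSPRNG draws differ; there is no seed to replay."""
    return strong_key() != strong_key()


class NonceTracker:
    """Records nonces used with one key. A repeat under the same key breaks
    the security claims of most modes (CTR, GCM, ChaCha20-Poly1305), so a
    receiver or audit job treats it as an event to alert on."""

    def __init__(self) -> None:
        self._seen: set[bytes] = set()

    def accept(self, nonce: bytes) -> bool:
        """True the first time a nonce is seen, False on any repeat."""
        if nonce in self._seen:
            return False
        self._seen.add(nonce)
        return True

    def issue(self, nbytes: int = NONCE_BYTES) -> bytes:
        """Draw a random nonce and register it; refuse to hand out a repeat."""
        nonce = secrets.token_bytes(nbytes)
        if not self.accept(nonce):
            raise RuntimeError("nonce collision under this key; rekey")
        return nonce


if __name__ == "__main__":
    print("seeded PRNG reproducible:", prng_is_reproducible())
    print("CSPRNG draws differ:     ", csprng_is_fresh())
    tracker = NonceTracker()
    n = tracker.issue()
    print("first use accepted, reuse rejected:", tracker.accept(n) is False)
```

Random nonces are fine while the count used under one key stays far below the birthday bound for their size; for long-lived keys a counter (or a rekey policy) replaces the random draw, and the tracker's repeat detection stays useful either way.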
OK, so the Post Office is photographing each and every letter that they process. The way that I address, stamp, and return address any letter I send is a unique artistic work of my own design and features the copyright symbol next to my name.
I will allow the Post Office free use of my artwork for the purposes of delivering them to their destination, but any other use or storage will require a royalty payment. Say, 46 cents each--I'm not greedy.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.