Blog: September 2014 Archives

NSA Patents Available for License

There’s a new article on NSA’s Technology Transfer Program, a 1990s-era program to license NSA patents to private industry. I was pretty dismissive about the offerings in the article, but I didn’t find anything interesting in the catalog. Does anyone see something I missed?

My guess is that the good stuff remains classified, and isn’t “transferred” to anyone.

Slashdot thread.

Posted on September 29, 2014 at 6:02 AM • 32 Comments

Security Trade-offs of Cloud Backup

This is a good essay on the security trade-offs with cloud backup:

iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

  • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.
  • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.

Ideally, the companies that provide such services minimize the risk of your account being hijacked while maximizing the simplicity and ease of setting it up and using it. But clearly these two goals are in conflict. There’s no way around the fact that the proper balance is somewhere in between maximal security and minimal complexity.

Further, I would wager heavily that there are thousands and thousands more people who have been traumatized by irretrievable data loss (who would have been saved if they’d had cloud-based backups) than those who have been victimized by having their cloud-based accounts hijacked (who would have been saved if they had only stored their data locally on their devices).

It is thus, in my opinion, terribly irresponsible to advise people to blindly not trust Apple (or Google, or Dropbox, or Microsoft, etc.) with “any of your data” without emphasizing, clearly and adamantly, that by only storing their data on-device, they greatly increase the risk of losing everything.

It’s true. For most people, the risk of data loss is greater than the risk of data theft.

Posted on September 25, 2014 at 2:17 PM • 80 Comments

Security for Vehicle-to-Vehicle Communications

The National Highway Traffic Safety Administration (NHTSA) has released a report titled “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application.” It’s very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication to ensure that all the communications are accurate and can’t be spoofed, and privacy to ensure that the communications can’t be used to track cars. It’s nice to see this sort of thing thought about in the beginning, when the system is first being designed, and not tacked on at the end.

Posted on September 22, 2014 at 6:03 AM • 21 Comments

Fake Cell Phone Towers Across the US

Earlier this month, there were a bunch of stories about fake cell phone towers discovered around the US. These seem to be IMSI catchers, like Harris Corporation’s Stingray, and are used to capture location information and potentially phone calls, text messages, and smart-phone Internet traffic. A couple of days ago, the Washington Post ran a story about fake cell phone towers in politically interesting places around Washington DC. In both cases, researchers used security software that’s part of CryptoPhone from the German company GSMK. And in both cases, we don’t know who is running these fake cell phone towers. Is it the US government? A foreign government? Multiple foreign governments? Criminals?

This is the problem with building an infrastructure of surveillance: you can’t regulate who gets to use it. The FBI has been protecting Stingray like it’s an enormous secret, but it’s not a secret anymore. We are all vulnerable to everyone because the NSA wanted us to be vulnerable to them.

We have one infrastructure. We can’t choose a world where the US gets to spy and the Chinese don’t. We get to choose a world where everyone can spy, or a world where no one can spy. We can be secure from everyone, or vulnerable to anyone. And I’m tired of us choosing surveillance over security.

Posted on September 19, 2014 at 6:11 AM • 81 Comments

Tracking People From their Cell Phones with an SS7 Vulnerability

What’s interesting about this story is not that the cell phone system can track your location worldwide. That makes sense; the system has to know where you are. What’s interesting about this story is that anyone can do it. Cyber-weapons arms manufacturers are selling the capability to governments worldwide, and hackers have demonstrated the capability.

Posted on September 17, 2014 at 7:15 AM • 22 Comments

The Concerted Effort to Remove Data Collection Restrictions

Since the beginning, data privacy regulation has focused on collection, storage, and use. You can see it in the OECD Privacy Framework from 1980 (see also this proposed update).

Recently, there has been a concerted effort to focus all potential regulation on data use, completely ignoring data collection. Microsoft’s Craig Mundie argues this. So does the PCAST report. And the World Economic Forum. This is a lobbying effort by US business. My guess is that the companies are much more worried about collection restrictions than use restrictions. They believe that they can slowly change use restrictions once they have the data, but that it’s harder to change collection restrictions and get the data in the first place.

We need to regulate collection as well as use. In a new essay, Chris Hoofnagle explains why.

Posted on September 12, 2014 at 6:41 AM • 53 Comments

Wi-Fi Jammer

A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection:

Oliver notes on the product’s website that its so-called “All Out Mode”—which prevents surveillance devices from connecting to any Wi-Fi network in the area—is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public areas and wreaking a bit of havoc.

Posted on September 9, 2014 at 2:07 PM • 35 Comments

iPhone Payment Security

Apple is including some sort of automatic credit card payment system with the iPhone 6. It’s using some security feature of the phone and system to negotiate a cheaper transaction fee.

Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there’s less risk of fraud. The article says that Apple has negotiated the card-present rate for its iPhone payment system, even though the card is not present. Presumably, this is because of some other security features that reduce the risk of fraud.

Not a lot of detail here, but interesting nonetheless.

Posted on September 8, 2014 at 7:21 AM • 41 Comments

Security of Password Managers

At USENIX Security this year, there were two papers studying the security of password managers:

It’s interesting work, especially because it looks at security problems in something that is supposed to improve security.

I’ve long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn’t exploit a flaw in iCloud; the attack exploited weak passwords.

Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up password managers to attack.

My own password manager, Password Safe, wasn’t mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be a standalone application. The fast way to transfer a password from Password Safe to a browser page is by using the operating system’s cut and paste commands.

I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.

EDITED TO ADD (9/12): The second paper was updated to include PasswordSafe. And this 2012 paper on password managers does include PasswordSafe.

Posted on September 5, 2014 at 5:18 AM • 91 Comments
