This should come as no surprise:
Alas, our findings suggest that secure communications haven’t yet attracted mass adoption among journalists. We looked at 2,515 Washington journalists with permanent credentials to cover Congress, and we found only 2.5 percent of them solicit end-to-end encrypted communication via their Twitter bios. That’s just 62 out of all the broadcast, newspaper, wire service, and digital reporters. Just 28 list a way to reach them via Signal or another secure messaging app. Only 22 provide a PGP public key, a method that allows sources to send encrypted messages. A paltry seven advertise a secure email address. In an era when anything that can be hacked will be and when the president has declared outright war on the media, this should serve as a frightening wake-up call.
When journalists don’t step up, sources with sensitive information face the burden of using riskier modes of communication to initiate contact — and possibly conduct all of their exchanges — with reporters. It increases their chances of getting caught, putting them in danger of losing their job or facing prosecution. It’s burden enough to make them think twice about whistleblowing.
I forgive them for not using secure e-mail. It’s hard to use and confusing. But secure messaging is easy.
Posted on August 31, 2017 at 6:52 AM
New paper: “Policy measures and cyber insurance: a framework,” by Daniel Woods and Andrew Simpson, Journal of Cyber Policy, 2017.
Abstract: The role of the insurance industry in driving improvements in cyber security has been identified as mutually beneficial for both insurers and policy-makers. To date, there has been no consideration of the roles governments and the insurance industry should pursue in support of this public-private partnership. This paper rectifies this omission and presents a framework to help underpin such a partnership, giving particular consideration to possible government interventions that might affect the cyber insurance market. We have undertaken a qualitative analysis of reports published by policy-making institutions and organisations working in the cyber insurance domain; we have also conducted interviews with cyber insurance professionals. Together, these constitute a stakeholder analysis upon which we build our framework. In addition, we present a research roadmap to demonstrate how the ideas described might be taken forward.
Posted on August 30, 2017 at 1:22 PM
New research: “Verified Correctness and Security of mbedTLS HMAC-DRBG,” by Katherine Q. Ye, Matthew Green, Naphat Sanguansin, Lennart Beringer, Adam Petcher, and Andrew W. Appel.
Abstract: We have formalized the functional specification of HMAC-DRBG (NIST 800-90A), and we have proved its cryptographic security — that its output is pseudorandom — using a hybrid game-based proof. We have also proved that the mbedTLS implementation (C program) correctly implements this functional specification. That proof composes with an existing C compiler correctness proof to guarantee, end-to-end, that the machine language program gives strong pseudorandomness. All proofs (hybrid games, C program verification, compiler, and their composition) are machine-checked in the Coq proof assistant. Our proofs are modular: the hybrid game proof holds on any implementation of HMAC-DRBG that satisfies our functional specification. Therefore, our functional specification can serve as a high-assurance reference.
Posted on August 30, 2017 at 6:37 AM
Interesting post-Snowden reading, just declassified.
(U) External Communication will address at least one of “fresh look” narratives:
- (U) NSA does not access everything.
- (U) NSA does not collect indiscriminately on U.S. Persons and foreign nationals.
- (U) NSA does not weaken encryption.
- (U) NSA has value to the nation.
There’s lots more.
Posted on August 30, 2017 at 6:15 AM
Ross Anderson gave a talk on the history of the Crypto Wars in the UK. I am intimately familiar with the US story, but didn’t know as much about Britain’s version.
Hour-long video. Summary.
Posted on August 29, 2017 at 6:38 AM
Researchers demonstrated a really clever hack: they hid malware in a replacement smartphone screen. The idea is that you would naively bring your smartphone in for repair, and the repair shop would install this malicious screen without your knowledge. The malware is hidden in the touchscreen controller software, which the phone trusts.
The concern arises from research that shows how replacement screens — one put into a Huawei Nexus 6P and the other into an LG G Pad 7.0 — can be used to surreptitiously log keyboard input and patterns, install malicious apps, and take pictures and e-mail them to the attacker. The booby-trapped screens also exploited operating system vulnerabilities that bypassed key security protections built into the phones. The malicious parts cost less than $10 and could easily be mass-produced. Most chilling of all, to most people, the booby-trapped parts could be indistinguishable from legitimate ones, a trait that could leave many service technicians unaware of the maliciousness. There would be no sign of tampering unless someone with a background in hardware disassembled the repaired phone and inspected it.
Academic paper. BoingBoing post.
Posted on August 28, 2017 at 6:22 AM
Paleontologists have discovered a prehistoric toothless dolphin that fed by vacuuming up squid:
There actually are modern odontocetes that don’t really use their teeth either. Male beaked whales, for example, usually have one pair of teeth that is only used to fight for females, whose teeth stay completely hidden in their gums. Beaked whales, along with pilot whales and sperm whales, also catch squid by sucking them into their mouths. But all of these whales evolved recently. Inermorostrum xenops seems to have evolved its toothless suction-feeding independently and much, much earlier than modern suction-feeding whales. “It’s a highly specialized species but it’s essentially a dead end,” says Boessenecker. Evolution, far from being some linear progression, often works this way, hitting dead ends and retrying failed experiments from millions of years earlier.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Posted on August 25, 2017 at 4:48 PM
This very interesting essay looks at the future of military robotics and finds many analogs in nature:
Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of snow geese, birds that make similar marathon journeys, albeit slower. The flock of six-pound snow geese was so large it formed a sky-darkening cloud 12 miles long. How would an aircraft carrier battlegroup respond to an attack from millions of aerial kamikaze explosive drones that, like geese, can fly hundreds of miles? A single aircraft carrier costs billions of dollars, and the United States relies heavily on its ten aircraft carrier strike groups to project power around the globe. But as military robots match more capabilities found in nature, some of the major systems and strategies upon which U.S. national security currently relies — perhaps even the fearsome aircraft carrier strike group — might experience the same sort of technological disruption that the smartphone revolution brought about in the consumer world.
Posted on August 25, 2017 at 6:34 AM
Seems to be incompetence rather than malice, but a good example of the dangers of blindly trusting the cloud.
Posted on August 24, 2017 at 6:30 AM
Shonin is a personal bodycam up on Kickstarter.
There are a lot of complicated issues surrounding bodycams — for example, it’s obvious that police bodycams reduce violence — but the one thing everyone is certain about is that they will proliferate. I’m not sure society is fully ready for the ramifications of this level of recording.
Posted on August 23, 2017 at 6:41 AM