Schneier on Security References

This document is also available in PDF format.

What the Terrorists Want

Incidents:
http://www.dailymail.co.uk/pages/live/articles/news/...
http://news.bbc.co.uk/2/hi/uk_news/england/5267884.stm
http://www.cbsnews.com/stories/2006/08/17/national/...
http://www.cbc.ca/story/canada/national/2006/08/18/...
http://www.heraldnet.com/stories/06/08/16/...
http://www.miami.com/mld/miamiherald/news/local/...
http://www.usatoday.com/news/nation/...
http://www.theage.com.au/articles/2006/08/17/...
http://www.guardian.co.uk/uklatest/story/...
http://news.bbc.co.uk/2/hi/europe/5283476.stm
http://forums.worldofwarcraft.com/thread.html?...

There have been many more incidents since I wrote this--all false alarms. I've stopped keeping a list.

The chemical unreality of the plot:
http://www.theregister.co.uk/2006/08/17/...
http://www.interesting-people.org/archives/...
http://www.boingboing.net/2006/08/14/...
http://www.timesonline.co.uk/article/...
http://www.cnn.com/2006/US/08/10/us.security/index.html
http://www.wondermark.com/d/220.html
http://kfmonkey.blogspot.com/2006/08/...

This essay also makes the same point that we're overreacting, as well as describing a 1995 terrorist plot that was remarkably similar in both materials and modus operandi--and didn't result in a complete ban on liquids:
http://www.salon.com/opinion/feature/2006/08/17/...

My previous related writings:
http://www.schneier.com/essay-096.html
http://www.schneier.com/essay-038.html
http://www.schneier.com/blog/archives/2006/08/...
http://www.schneier.com/essay-087.html
http://www.schneier.com/essay-045.html

This essay originally appeared in Wired:
http://www.wired.com/news/columns/0,71642-0.html

Movie-Plot Threats

This essay was originally published in Wired:
http://www.wired.com/news/business/0,1367,68789,00.html

Fixing Intelligence Failures

My original articles:
http://www.counterpane.com/crypto-gram-0109a.html#4
http://www.counterpane.com/crypto-gram-0109a.html#8

Data Mining for Terrorists

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,70357-0.html

TIA:
http://www.epic.org/privacy/profiling/tia/
http://www.fas.org/sgp/congress/2003/tia.html

Its return:
http://nationaljournal.com/about/njweekly/stories/...

GAO report:
http://www.epic.org/privacy/profiling/gao_dm_rpt.pdf

MATRIX:
http://www.aclu.org/privacy/spying/...

Base rate fallacy:
http://www.cia.gov/csi/books/19104/art15.html#ft145

The New York Times on the NSA eavesdropping program:
http://www.schneier.com/blog/archives/2006/01/...

The Architecture of Security

The New York Times article about the change:
http://www.nytimes.com/2006/10/07/nyregion/...

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71968-0.html

The War on the Unexpected

Ad campaigns:
http://www.mta.info/mta/security/index.html
http://www.manchestereveningnews.co.uk/news/s/1000/...
http://www.schneier.com/blog/archives/2007/04/...

Administration comments:
http://www.washingtonpost.com/wp-srv/nation/...
http://www.usatoday.com/news/washington/...
http://query.nytimes.com/gst/fullpage.html?...

Incidents:
http://news.bbc.co.uk/1/hi/northern_ireland/6387857.stm
http://www.schneier.com/blog/archives/2007/09/...
http://www.lineofduty.com/content/view/84004/128/
http://www.schneier.com/blog/archives/2007/05/...
http://www.startribune.com/462/story/826056.html
http://dir.salon.com/story/tech/col/smith/2004/07/...
http://www.schneier.com/blog/archives/2006/10/...
http://www.schneier.com/blog/archives/2007/10/...
http://www.msnbc.msn.com/id/20441775/
http://www.thisisbournemouth.co.uk/...
http://alternet.org/rights/50939/
http://www.schneier.com/blog/archives/2007/04/...
http://www.mercurynews.com/breakingnews/ci_7084101?...
http://www.boston.com/news/globe/city_region/...
http://www.postgazette.com/pg/06081/674773.stm
http://www.schneier.com/blog/archives/2007/04/...

CYA:
http://www.schneier.com/blog/archives/2007/02/...

Public campaigns:
http://www.schneier.com/blog/archives/2005/12/...
http://www.winnipegfirst.ca/article/2007/09/24/...
http://www.underwatertimes.com/print.php?...
http://en.wikipedia.org/wiki/Operation_TIPS

Law protecting tipsters:
http://www.post-gazette.com/pg/07245/813550-37.stm

Successful tips:
http://www.washingtonpost.com/wp-dyn/content/...
http://www.pe.com/localnews/publicsafety/stories/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Some links didn't make it into the original article. There's this creepy "if you see a father holding his child's hands, call the cops" campaign:
http://www.bloggernews.net/18108

There's this story of an iPod found on an airplane:
http://forums.worldofwarcraft.com/thread.html?...

There's this story of an "improvised electronics device" trying to get through airport security:
http://www.makezine.com/blog/archive/2007/09/...

This is a good essay on the "war on electronics":
http://www.cnet.com/surveillance-state/...

Portrait of the Modern Terrorist as an Idiot

There are a zillion links associated with this essay. You can find them on the online version:
http://www.schneier.com/blog/archives/2007/06/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Correspondent Inference Theory and Terrorism

http://www.mitpressjournals.org/doi/pdf/10.1162/...
http://en.wikipedia.org/wiki/...

Cognitive biases:
http://www.healthbolt.net/2007/02/14/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

The Security Threat of Unchecked Presidential Power

This essay was published on December 21, 2005 as an op-ed in the Minneapolis Star Tribune:
http://www.startribune.com/562/story/138326.html

Here's the opening paragraph of the Yoo memo. Remember, think of this power in the hands of your least favorite politician when you read it:

"You have asked for our opinion as to the scope of the President's authority to take military action in response to the terrorist attacks on the United States on September 11, 2001. We conclude that the President has broad constitutional power to use military force. Congress has acknowledged this inherent executive power in both the War Powers Resolution, Pub. L. No. 93-148, 87 Stat. 555 (1973), codified at 50 U.S.C. §§ 1541-1548 (the "WPR"), and in the Joint Resolution passed by Congress on September 14, 2001, Pub. L. No. 107-40, 115 Stat. 224 (2001). Further, the President has the constitutional power not only to retaliate against any person, organization, or State suspected of involvement in terrorist attacks on the United States, but also against foreign States suspected of harboring or supporting such organizations. Finally, the President may deploy military force preemptively against terrorist organizations or the States that harbor or support them, whether or not they can be linked to the specific terrorist incidents of September 11."

There's similar reasoning in the Bybee memo, which was written in 2002 about torture:

Yoo memo:
http://www.usdoj.gov/olc/warpowers925.htm

Bybee memo:
http://www.washingtonpost.com/wp-srv/nation/...

This story has taken on a life of its own. But there are about a zillion links and such listed here:
http://www.schneier.com/blog/archives/2005/12/...

I am especially amused by the bit about NSA shift supervisors making decisions legally reserved for the FISA court.

NSA and Bush's Illegal Eavesdropping

A version of this essay originally appeared in Salon:
http://www.salon.com/opinion/feature/2005/12/20/...

Text of FISA:
http://www.law.cornell.edu/uscode/html/uscode50/...

Summary of annual FISA warrants:
http://www.epic.org/privacy/wiretap/stats/...

Rockefeller's secret memo:
http://talkingpointsmemo.com/docs/rock-cheney1.html

Much more here:
http://www.schneier.com/blog/archives/2005/12/...

Private Police Forces

http://www.washingtonpost.com/wp-dyn/content/...
http://www.nlg-npap.org/html/research/...

This op-ed originally appeared in the Minneapolis Star-Tribune:
http://www.startribune.com/562/story/1027072.html

Recognizing "Hinky" vs. Citizen Informants

Hinky:
http://www.schneier.com/blog/archives/2005/07/...

RIT story:
http://www.nj.com/news/ledger/morris/index.ssf?/...

Casino security and the "Just Doesn't Look Right (JDLR)" principle:
http://www.casinosurveillancenews.com/jdlr.htm

Commentary:
http://www.cato-at-liberty.org/2007/04/26/...

The blog post has many more links to the specific things mentioned in the essay:
http://www.schneier.com/blog/archives/2007/04/...

When I posted this on my blog, I got a lot of negative comments from Libertarians who believe that somehow, the market makes private policemen more responsible to the public than government policemen. I'm sorry, but this is nonsense. Best Buy is going to be responsive to its customers; an apartment complex is going to be responsive to its renters. Petty criminals who prey on those businesses are an economic externality; they're not going to enter into the economic arguments. After all, people might be more likely to shop at Best Buy if their security guards save them money by keeping crime down--who cares if they crack a few non-customer heads while doing it.

None of this is meant to imply that public police forces are magically honorable and ethical; just that the economic forces are different. So people can consider carefully which is the lesser of two evils, here's Radley Balko's paper "Overkill: The Rise of Paramilitary Police Raids in America":
http://www.cato.org/pub_display.php?pub_id=6476

And an interactive map of public police raids gone bad:
http://www.cato.org/raidmap/

Dual-Use Technologies and the Equities Issue

Estonia's cyberwar:
http://www.wired.com/politics/security/magazine/...
http://blog.wired.com/27bstroke6/2008/01/...

Cyberwar, cyberterrorism, etc.:
http://www.schneier.com/blog/archives/2007/06/...

NSA and DHS cybersecurity initiatives:
http://www.schneier.com/blog/archives/2007/01/...
http://www.nsa.gov/selinux/
http://www.eweek.com/c/a/Security/...
http://www.schneier.com/blog/archives/2007/01/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Identity-Theft Disclosure Laws

California's SB 1386:
http://info.sen.ca.gov/pub/01-02/bill/sen/...

Existing state disclosure laws:
http://www.pirg.org/consumer/credit/statelaws.htm
http://www.cwalsh.org/cgi-bin/blosxom.cgi/2006/04/...

HR 4127 - Data Accountability and Trust Act:
http://thomas.loc.gov/cgi-bin/query/C?c109:./temp/...

HR 3997:
http://thomas.loc.gov/cgi-bin/query/C?c109:./temp/...

ID Analytics study:
http://www.idanalytics.com/news_and_events/20051208.htm

My essay on identity theft:
http://www.schneier.com/blog/archives/2005/04/...

A version of this essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,70690-0.html

Academic Freedom and Security

This essay was originally published in the San Jose Mercury News:
http://www.mercurynews.com/mld/mercurynews/...

Sensitive Security Information (SSI)

Background on SSI:
http://www.cjog.net/...

TSA's Regulation on the Protection of SSI:
http://www.fas.org/sgp/news/2004/05/fr051804.html

Controversies surrounding SSI:
http://www.fas.org/sgp/crs/RS21727.pdf

My essay explaining why secrecy is often bad for security:
http://www.schneier.com/crypto-gram-0205.html#1

The Director of the National Security Archive at George Washington University on the problems of too much secrecy:
http://www.gwu.edu/

Fingerprinting Foreigners

A version of this essay originally appeared in Newsday:
http://www.newsday.com/news/opinion/...

Office of Homeland Security webpage for the program:
http://www.dhs.gov/dhspublic/interapp/editorial/...

News articles:
http://www.washtimes.com/national/...
http://www.washtimes.com/national/...
http://www.nytimes.com/reuters/news/...
http://gcn.com/vol1_no1/daily-updates/24536-1.html
http://www.sunspot.net/news/custom/attack/...
http://www.cnn.com/2004/US/01/04/visit.program/
http://www.nytimes.com/2004/01/05/national/...
http://www.ilw.com/lawyers/immigdaily/doj_news/...
http://www.theage.com.au/articles/2004/01/06/...
http://www.thestar.co.za/index.php?...
http://www.ilw.com/lawyers/articles/...

Opinions:
http://news.mysanantonio.com/story.cfm?...
http://www.rockymountainnews.com/drmn/opinion/...
http://www.shusterman.com/pdf/advocacy61703.pdf
http://www.washingtontechnology.com/ad_sup/...

Brazil fingerprints U.S. citizens in retaliation:
http://reprints.msnbc.com/id/3875747/

U.S. Medical Privacy Law Gutted

News article:
http://www.nytimes.com/2005/06/07/politics/...

Swire's essay:
http://www.americanprogress.org/site/pp.asp?...

Airport Passenger Screening

http://archives.cnn.com/2002/US/03/25/airport.security/
http://www.msnbc.msn.com/id/11863165/
http://www.msnbc.msn.com/id/11878391/

A version of this essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,70470-0.html

No-Fly List

Additional information:
http://www.aclu.org/SafeandFree/SafeandFree.cfm?...
http://www.wired.com/news/privacy/0,1848,58386,00.html
http://www.salon.com/tech/feature/2003/04/10/capps/...
http://www.commondreams.org/headlines02/0927-01.htm
http://www.truthout.org/cgi-bin/artman/exec/...
http://www.belleville.com/mld/newsdemocrat/8371700.htm

Kennedy's story:
http://www.msnbc.msn.com/id/5765143
http://abcnews.go.com/wire/US/reuters20040820_78.html

Getting off the list by using your middle name:
http://www.contracostatimes.com/mld/cctimes/news/...

This essay originally appeared in Newsday:
http://www.newsday.com/news/opinion/...

Trusted Traveler Program

This essay originally appeared in The Boston Globe:
http://www.boston.com/news/globe/editorial_opinion/...

Screening People with Clearances

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/1,71906-0.html

Forge Your Own Boarding Pass

This is my 30th essay for Wired.com:
http://www.wired.com/news/columns/0,72045-0.html

News:
http://j0hn4d4m5.bravehost.com
http://slightparanoia.blogspot.com/2006/10/...
http://slightparanoia.blogspot.com/2006/10/...
http://blog.wired.com/27bstroke6/2006/10/...
http://markey.house.gov/index.php?...
http://blog.wired.com/27bstroke6/2006/10/...

Older mentions of the vulnerability:
http://www.csoonline.com/read/020106/caveat021706.html
http://www.slate.com/id/2113157/fr/rss/
http://www.senate.gov/~schumer/SchumerWebsite/...
http://www.schneier.com/crypto-gram-0308.html#6

No-fly list:
http://www.schneier.com/blog/archives/2005/12/...
http://www.schneier.com/blog/archives/2005/09/...
http://www.schneier.com/blog/archives/2006/10/...
http://www.schneier.com/blog/archives/2005/08/...

Our Data, Ourselves

This essay previously appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

The Value of Privacy

A version of this essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,70886-0.html

Daniel Solove comments:
http://www.concurringopinions.com/archives/2006/05/...

The Future of Privacy

This essay was originally published in the Minneapolis Star-Tribune:
http://www.startribune.com/562/story/284023.html

Privacy and Power

The inherent value of privacy:
http://www.schneier.com/essay-114.html

Erik Crespo story:
http://www.nytimes.com/2007/12/08/nyregion/08about.html
http://abcnews.go.com/TheLaw/wireStory?id=3968795

Cameras catch a policeman:
http://www.officer.com/web/online/Top-News-Stories/...

Security and control:
http://www.schneier.com/essay-203.html

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Commentary/rebuttal by David Brin:
http://www.wired.com/politics/security/news/2008/03/...

Security vs. Privacy

McConnell article from New Yorker:
http://www.newyorker.com/reporting/2008/01/21/...
http://arstechnica.com/news.ars/post/...
http://blog.wired.com/27bstroke6/2008/01/...

Trading off security and privacy:
http://www.huffingtonpost.com/ka-taipale/...
http://www.huffingtonpost.com/marc-rotenberg/...
http://findarticles.com/p/articles/mi_m0GER/...
http://www.rasmussenreports.com/public_content/...
http://www.scu.edu/ethics/publications/briefings/...
http://www.csmonitor.com/2002/1015/p11s02-coop.html

False dichotomy:
http://www.schneier.com/crypto-gram-0109a.html#8
http://www.wired.com/politics/law/commentary/...

Donald Kerr's comments:
http://www.schneier.com/blog/archives/2007/11/...

Related essays:
http://www.schneier.com/essay-008.html
http://www.schneier.com/essay-096.html
http://www.schneier.com/essay-036.html
http://www.schneier.com/essay-160.html
http://www.schneier.com/essay-100.html
http://www.schneier.com/essay-108.html
http://www.schneier.com/essay-163.html
http://arstechnica.com/news.ars/post/...
http://www.schneier.com/blog/archives/2007/09/...
http://www.schneier.com/blog/archives/2007/06/...
http://www.schneier.com/blog/archives/2006/05/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Is Big Brother a Big Deal?

This essay appeared in the May 2007 issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum:
http://informationsecurity.techtarget.com/magItem/...

Marcus's half:
http://www.ranum.com/security/computer_security/...

How to Fight

Privacy International's Stupid Security Awards:
http://www.privacyinternational.org/activities/...

Stupid Security Blog:
http://www.stupidsecurity.com/

Companies Cry "Security" to Get A Break From the Government:
http://online.wsj.com/article_email/...

Gilmore's suit:
http://freetotravel.org/

Relevant Minnesota pharmacist rules:
http://www.revisor.leg.state.mn.us/arule/6800/3110.html

How you can help right now:

Tell Congress to Get Airline Security Plan Under Control!
http://actioncenter.ctsg.com/admin/adminaction.asp?...

TIA Update: Ask Your Senators to Support the Data-Mining Moratorium Act of 2003!
http://actioncenter.ctsg.com/admin/adminaction.asp?...

Congress Takes Aim at Your Privacy
http://actioncenter.ctsg.com/admin/adminaction.asp?...

Total Information Awareness: Public Hearings Now!
http://actioncenter.ctsg.com/admin/adminaction.asp?...

Don't Let the INS Violate Your Privacy
http://actioncenter.ctsg.com/admin/adminaction.asp?...

Demand the NCIC Database Be Accurate
http://www.petitiononline.com/mod_perl/signed.cgi?ncic

Citizens' Guide to the FOIA
http://www.fas.org/sgp/foia/citizen.html

Toward Universal Surveillance

This essay originally appeared on CNet:
http://news.com.com/2010-1028-5150325.html

Kafka and the Digital Person

The book's website:
http://www.law.gwu.edu/facweb/dsolove/...

Order the book on Amazon:
http://www.amazon.com/exec/obidos/ASIN/0814798462/...

CCTV Cameras

CCTV research:
http://electronics.howstuffworks.com/...
http://www.scotcrim.u-net.com/researchc2.htm
http://news.bbc.co.uk/1/hi/uk/2192911.stm
http://www.homeoffice.gov.uk/rds/pdfs05/hors292.pdf
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/...
http://www.temple.edu/cj/misc/PhilaCCTV.pdf
http://archives.cnn.com/2002/LAW/10/21/ctv.cameras/
http://www.guardian.co.uk/uk/2008/may/06/ukcrime1

London's cameras:
http://www.channel4.com/news/articles/society/...
http://www.ico.gov.uk/upload/documents/library/...

CCTV abuses:
http://news.bbc.co.uk/2/hi/uk_news/england/...
http://www.timesonline.co.uk/tol/news/uk/...
http://community.seattletimes.nwsource.com/archive/?...
http://news.bbc.co.uk/2/hi/europe/4849806.stm

Orwellian cameras:
http://wuntvor.mirror.waffleimages.com/files/44/...
http://lifeandhealth.guardian.co.uk/family/story/...

Privacy concerns:
http://epic.org/privacy/surveillance/
http://www.aclu.org/privacy/spying/...

Surveillance in China:
http://www.rollingstone.com/politics/story/20797485/...

This essay was:
http://www.guardian.co.uk/technology/2008/jun/26/...

Anonymity and Accountability

This essay originally appeared in Wired:
http://www.wired.com/news/columns/0,70000-0.html

Kelly's original essay:
http://www.edge.org/q2006/q06_4.html

Gary T. Marx on anonymity:
http://web.mit.edu/gtmarx/www/anon.html

Facebook and Data Control

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71815-0.html
http://www.danah.org/papers/FacebookAndPrivacy.html
http://www.motherjones.com/interview/2006/09/...
http://www.nytimes.com/2006/09/10/fashion/...
http://blog.facebook.com/blog.php?post=2208197130
http://blog.facebook.com/blog.php?post=2208562130
http://mashable.com/2006/08/25/facebook-profile

Facebook privacy policy:
http://www.facebook.com/policy.php

The Death of Ephemeral Conversation

This essay originally appeared on Forbes.com:
http://www.forbes.com/security/2006/10/18/...

Automated Targeting System

News articles:
http://news.yahoo.com/s/ap_travel/20061208/ap_tr_ge/...
http://www.washingtonpost.com/wpdyn/content/article/...
http://www.ledger-enquirer.com/mld/ledgerenquirer/...

Federal Register posting:
http://edocket.access.gpo.gov/2006/06-9026.htm

Comments from civil liberties groups:
http://www.epic.org/privacy/pdf/ats_comments.pdf
http://www.eff.org/Privacy/ats/ats_comments.pdf
http://www.aclu.org/privacy/gen/27593leg20061201.html
http://www.epic.org/privacy/travel/ats/default.html
http://www.epic.org/privacy/surveillance/spotlight/...

Automated terror profiling:
http://www.schneier.com/essay-108.html
http://www.schneier.com/essay-115.html
http://www.newyorker.com/fact/content/articles/...
http://www.cato.org/pub_display.php?pub_id=6784

No-fly list:
http://alternet.org/story/42646/
http://www.aclu.org/safefree/resources/...

Secure Flight:
http://www.schneier.com/blog/archives/2005/07/...

Total Information Awareness:
http://www.epic.org/privacy/profiling/tia/

ATS may be illegal:
http://hasbrouck.org/IDP/IDP-ATS-comments.pdf
http://www.washingtonpost.com/wp-dyn/content/...
http://www.wired.com/news/technology/0,72250-0.html
http://www.ledger-enquirer.com/mld/ledgerenquirer/...
http://leahy.senate.gov/press/200612/120606.html

This essay, without the links, was published in Forbes:
http://www.forbes.com/forbes/2007/0108/032_print.html

They also published a rebuttal by William Baldwin, although it doesn't seem to rebut any of the actual points. "Here's an odd division of labor: a corporate data consultant argues for more openness, while a journalist favors more secrecy." It's only odd if you don't understand security.
http://www.forbes.com/forbes/2007/0108/014.html

Anonymity and the Netflix Dataset

http://www.cs.utexas.edu/~shmat/...
http://www.cs.utexas.edu/~shmat/netflix-faq.html
http://www.securityfocus.com/news/11497
http://arxivblog.com/?p=142

2001 IEEE paper:
http://people.cs.vt.edu/~naren/papers/ppp.pdf

De-anonymizing the AOL data:
http://query.nytimes.com/gst/fullpage.html?...
http://www.securityfocus.com/brief/286

Census data de-anonymization:
http://privacy.cs.cmu.edu/dataprivacy/papers/...
http://crypto.stanford.edu/~pgolle/papers/census.pdf

Anonymous cell phone data:
http://arxivblog.com/?p=88

Wholesale surveillance and data collection:
http://www.schneier.com/blog/archives/2006/03/...
http://www.schneier.com/blog/archives/2007/05/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Does Secrecy Help Protect Personal Information?

This essay appeared in the January 2007 issue of Information Security, as the second half of a point/counterpoint with Marcus Ranum:
http://informationsecurity.techtarget.com/magItem/...

Marcus's half:
http://www.ranum.com/security/computer_security/...

Risks of Data Reuse

Individual data and the Japanese internment:
http://www.sciam.com/article.cfm?...
http://www.usatoday.com/news/nation/...
http://www.homelandstupidity.us/2007/04/05/...
http://rawstory.com/news/afp/...

Marketing databases:
http://www.wholesalelists.net
http://www.usdatacorporation.com/pages/...

Secure Flight:
http://www.epic.org/privacy/airtravel/secureflight.html

Florida disenfranchisement in 2000:
http://www.thenation.com/doc/20010430/lantigua

This article originally appeared on Wired.com:
http://www.wired.com/politics/onlinerights/...

National ID Cards

This essay originally appeared in the Minneapolis Star Tribune:
http://www.startribune.com/stories/1519/4698350.html

Kristof's essay in The New York Times:
http://www.nytimes.com/2004/03/17/opinion/...

My earlier essay on National ID cards:
http://www.schneier.com/crypto-gram-0112.html#1

My essay on identification and security:
http://www.schneier.com/crypto-gram-0402.html#6

REAL-ID: Costs and Benefits

REAL-ID:
http://thomas.loc.gov/cgi-bin/bdquerytr/z?d109:HR01268:

The REAL-ID Act: National Impact Analysis:
http://www.nga.org/Files/pdf/0609REALID.pdf

There's REAL-ID news. Maine became the first state to reject REAL-ID. This means that a Maine state driver's license will not be recognized as valid for federal purposes, although I'm sure the Feds will back down over this. My guess is that Montana will become the second state to reject REAL-ID, and New Mexico will be the third.
http://www.northcountrygazette.org/articles/2007/...
http://www.usatoday.com/news/nation/...

More info on REAL-ID:
http://www.realnightmare.org

RFID Passports

http://news.com.com/...
http://www.theregister.co.uk/2004/05/20/us_passports/

The Security of RFID Passports

Government announcement:
http://edocket.access.gpo.gov/2005/05-21284.htm

RFID privacy problems:
http://www.epic.org/privacy/rfid/
http://rfidkills.com/

My previous writings on RFID passports:
http://www.schneier.com/essay-060.html
http://www.schneier.com/blog/archives/2005/04/...
http://www.schneier.com/blog/archives/2005/08/...

This essay previously appeared on Wired.com:
http://www.wired.com/news/privacy/0,1848,69453,00.html

Multi-Use ID Cards

This essay originally appeared on Wired.com:
http://www.wired.com/news/technology/0,70167-0.html

Giving Driver's Licenses to Illegal Immigrants

This op-ed originally appeared in the Detroit Free Press:
http://www.schneier.com/essay-205.html

Voting Technology and Security

This essay originally appeared on Forbes.com:
http://www.forbes.com/home/security/2006/11/10/...
http://www.schneier.com/essay-068.html
http://www.schneier.com/blog/archives/2004/11/...
http://www.votingintegrity.org/archive/news/...
http://www.verifiedvoting.org/article.php?id=997
http://www.ecotalk.org/VotingMachineErrors.htm
http://evote-mass.org/pipermail/...
http://avirubin.com/vote/analysis/index.html
http://www.freedom-to-tinker.com/?p=1080
http://www.freedom-to-tinker.com/?p=1081
http://www.freedom-to-tinker.com/?p=1064
http://www.freedom-to-tinker.com/?p=1084
http://www.bbvforums.org/cgi-bin/forums/...
http://itpolicy.princeton.edu/voting
http://www.ss.ca.gov/elections/voting_systems/...
http://www.blackboxvoting.org
http://www.brennancenter.org/dynamic/subpages/...
http://avirubin.com/judge2.html
http://avirubin.com/judge.html
http://www.usatoday.com/news/washington/...

How to Steal an Election:
http://arstechnica.com/articles/culture/evoting.ars

Florida 13:
http://www.heraldtribune.com/apps/pbcs.dll/article?...
http://www.heraldtribune.com/apps/pbcs.dll/article?...
http://www.heraldtribune.com/apps/pbcs.dll/article?...
http://www.nytimes.com/2006/11/10/us/politics/...
http://www.lipsio.com/...

Value of stolen elections:
http://www.schneier.com/essay-046.html

Perception:
http://www.npr.org/templates/story/story.php?...

Voter suppression:
http://blackprof.com/stealingd.html

ID requirements:
http://www.lwvwi.org/cms/images/stories/PDFs/...
http://www.demos.org/page337.cfm

Foxtrot cartoon:
http://www.gocomics.com/foxtrot/2006/10/29

Avi Rubin wrote a good essay on voting for Forbes as well:
http://www.forbes.com/home/free_forbes/2006/0904/...

Computerized and Electronic Voting

CRS Report on Electronic Voting:
http://www.epic.org/privacy/voting/crsreport.pdf

Voting resource pages:
http://www.epic.org/privacy/voting/
http://www.eff.org/Activism/E-voting/
http://www.verifiedvoting.org/
http://electioncentral.blog-city.com/index.cfm

Bills in U.S. Congress to force auditable balloting:
http://graham.senate.gov/pr120903.html
http://holt.house.gov/issues2.cfm?id=5996

Virginia story:
http://www.washingtonpost.com/ac2/wp-dyn?...

Indiana story:
http://www.indystar.com/articles/1/089939-1241-014.html

Nevada story:
http://www.lasvegassun.com/sunbin/stories/lv-gov/...

California Secretary of State's statement on e-voting paper trail requirement:
http://www.ss.ca.gov/executive/press_releases/2003/...

Maryland story:
http://www.gazette.net/200350/montgomerycty/state/...

More opinions:
http://www.pbs.org/cringely/pulpit/pulpit20031204.html
http://www.securityfocus.com/columnists/198
http://www.sacbee.com/content/opinion/story/...

Voter Confidence and Increased Accessibility Act of 2003:
http://www.wired.com/news/print/0,1294,61298,00.html
http://www.theorator.com/bills108/hr2239.html

My older essays on this topic:
http://www.schneier.com/crypto-gram-0012.html#1
http://www.schneier.com/crypto-gram-0102.html#10

Why Election Technology is Hard

This essay originally appeared in the San Francisco Chronicle:
http://www.sfgate.com/cgibin/article.cgi?file=/chronicle/archive/2004/10/31/EDG229GREK1.DTL or
http://makeashorterlink.com/?J353212C9

Also read Avi Rubin's op-ed on the subject:
http://www.avirubin.com/vote/op-ed.html

Electronic Voting Machines

A version of this essay appeared on openDemocracy.com:
http://www.opendemocracy.com/debates/...
http://avirubin.com/judge2.html
http://www.eff.org/deeplinks/archives/cat_evoting.php
http://votingintegrity.org/archive/news/e-voting.html
http://www.blackboxvoting.org/
http://www.verifiedvoting.org/
http://www.dailykos.com/story/2004/11/3/04741/7055
http://www.alternet.org/election04/20416/
http://www.newstarget.com/002076.html
http://ustogether.org/Florida_Election.htm
http://www.washingtondispatch.com/spectrum/archives/...
http://www.michigancityin.com/articles/2004/11/04/...
http://edition.cnn.com/2004/ALLPOLITICS/11/05/...
http://www.palmbeachpost.com/politics/content/news/...
http://www.ansiblegroup.org/furtherleft/index.php?...
http://www.truthout.org/docs_04/110504V.shtml
http://www.truthout.org/docs_04/110604Z.shtml
http://www.commondreams.org/views04/1106-30.htm
http://www.truthout.org/docs_04/110804A.shtml

Revoting

Florida 13th:
http://www.heraldtribune.com/apps/pbcs.dll/article?...
http://www.nytimes.com/2006/11/10/us/politics/...
http://www.newsbackup.com/about496345.html

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,72124-0.html

Hacking the Papal Election

Rules for a papal election:
http://www.vatican.va/holy_father/john_paul_ii/...

There's a picture of choir dress on this page:
http://dappledphotos.blogspot.com/2005/01/...

First Responders

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

In blog comments, people pointed out that training and lack of desire to communicate are bigger problems than technical issues. This is certainly true. Just giving first responders interoperable radios won't automatically solve the problem; they need to want to talk to other groups as well.

Minneapolis rescue workers:
http://www.cnn.com/2007/US/08/02/bridge.responders/
http://www.ecmpostreview.com/2007/August/8irprt.html
http://www.cnn.com/2007/US/08/02/bridge.collapse/...
http://michellemalkin.com/2007/08/01/...
http://www.cnn.com/2007/US/08/02/...

Utah rescue-worker deaths:
http://www.boston.com/news/nation/articles/2007/08/...

1996 report:
http://ntiacsd.ntia.doc.gov/pubsafe/publications/...

Dennis Smith:
http://www.amazon.com/...
http://www.9-11commission.gov/hearings/hearing11/...

9/11 Commission Report:
http://www.gpoaccess.gov/911/index.html

Wasted security measures:
http://www.schneier.com/blog/archives/2006/03/...
http://blog.wired.com/defense/2007/08/...
http://www.cnsnews.com/ViewPolitics.asp?Page=/...
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/...

Minnesota and interoperable communications:
https://www.dps.state.mn.us/comm/press/newPRSystem/...

Stanek quote:
http://www.washingtonpost.com/wp-dyn/content/...

Katrina:
http://www.nationaldefensemagazine.org/issues/2006/...
http://katrina.house.gov/

Conference of Mayors report:
http://www.usmayors.org/72ndAnnualMeeting/...

Collective action problem:
http://en.wikipedia.org/wiki/...

Jerry Brito paper:
http://www.jerrybrito.com/2007/01/30/...

Me on overly specific terrorism defense:
http://www.schneier.com/essay-087.html

More research:
http://www.infospheres.caltech.edu/crisis_web/...

Security at the Olympics

News articles:
http://www.cnn.com/2004/TECH/08/10/...
http://www.elecdesign.com/Articles/ArticleID/8484/...
http://cryptome.org/nyt-athens.htm
http://www.smh.com.au/olympics/articles/2004/07/27/...
http://www.news24.com/News24/Olympics2004/...

A version of this essay originally appeared in the Sydney Morning Herald, during the Olympics:
http://smh.com.au/articles/2004/08/25/...

Blaster and the August 14th Blackout

A preliminary version of this essay appeared on news.com:
http://news.com.com/2010-7343-5117862.html

Interim Report: Causes of the August 14th Blackout in the United States and Canada:
https://reports.energy.gov/814BlackoutReport.pdf

The relevant data is on pages 28-29 of the report.

FirstEnergy was hit by Slammer:
http://www.securityfocus.com/news/6868
http://www.computerworld.com/securitytopics/...

How worms can infect internal networks:
http://www.networm.org/faq/#enterprise

Blackout not caused by worm:
http://news.com.com/2100-7355_3-5111816.html

News article on the report:
http://www.iht.com/articles/118457.html

Geoff Shively talked about possible Blaster/blackout links just a few days after the blackout:
http://seclists.org/lists/bugtraq/2003/Sep/0053.html

Avian Flu and Disaster Planning

http://www.computerworld.com/action/article.do?...
http://www.computerworld.com/action/article.do?...
http://www.computerworld.com/action/article.do?...
http://www.computerworld.com/blogs/node/5854

Family disaster planning:
http://nielsenhayden.com/makinglight/archives/...
http://nielsenhayden.com/makinglight/archives/...
http://www.sff.net/people/doylemacdonald/emerg_kit.htm

Disaster Recovery Journal:
http://www.drj.com

Bird flu:
http://www.cdc.gov/flu/avian/
http://infectiousdiseases.about.com/od/faqs/f/...
http://www.msnbc.msn.com/id/6861065/
http://news.bbc.co.uk/2/hi/health/4295649.stm
http://www.cnn.com/2004/HEALTH/11/25/...

Blogger comments:
http://www.computerworld.com/blogs/node/5854

Man-eating badgers:
http://news.bbc.co.uk/1/hi/world/middle_east/...

A good rebuttal to this essay:
http://www.computerweekly.com/blogs/david_lacey/...

This essay originally appeared on Wired.com:
http://www.wired.com/print/politics/security/...

Economics and Information Security

Links to all the WEIS papers are available here:
http://weis2006.econinfosec.org

Ross Anderson's "Why Information Security Is Hard--An Economic Perspective":
http://www.cl.cam.ac.uk/ftp/users/rja14/econ.pdf

Aligning Interest with Capability

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71032-0.html

National Security Consumers

This essay originally appeared, in a shorter form, on News.com:
http://news.com.com/2010-7348-5204924.html

Liabilities and Software Vulnerabilities

Schmidt's comments:
http://news.zdnet.co.uk/software/developer/...

Slashdot thread on Schmidt's concerns:
http://developers.slashdot.org/article.pl?sid=05/10/...

Dan Farber has a good commentary on my essay:
http://blogs.zdnet.com/BTL/?p=2046

This essay originally appeared on Wired.com:
http://www.wired.com/news/privacy/0,1848,69247,00.html

There has been some confusion about this in the comments--both in Wired and on my blog--that somehow this means that software vendors will be expected to achieve perfection and that they will be 100% liable for anything short of that. Clearly that's ridiculous, and that's not the way liabilities work. But equally ridiculous is the notion that software vendors should be 0% liable for defects. Somewhere in the middle there is a reasonable amount of liability, and that's what I want the courts to figure out.

Howard Schmidt writes: "It is unfortunate that my comments were reported inaccurately; at least Dan Farber has been trying to correct the inaccurate reports with his blog. I do not support PERSONAL LIABILITY for the developers NOR do I support liability against vendors. Vendors are nothing more than people (employees included) and anything against them hurts the very people who need to be given better tools, training and support."

Howard wrote this essay on the topic, to explain what he really thinks. He is against software liabilities.
http://news.com.com/...

But the first sentence of his last paragraph nicely sums up what's wrong with this argument: "In the end, what security requires is the same attention any business goal needs." If security is to be a business goal, then it needs to make business sense. Right now, it makes more business sense not to produce secure software products than it does to produce secure software products. Any solution needs to address that fundamental market failure, instead of simply wishing it were true.

Lock-In

Apple and the iPhone:
http://www.nytimes.com/2007/09/29/technology/...
http://www.bloomberg.com/apps/news?...
http://www.engadget.com/2007/10/17/...
http://www.engadget.com/2008/01/28/...

Shapiro and Varian's book:
http://www.amazon.com/...

Microsoft and Trusted Computing:
http://schneier.com/crypto-gram-0208.html#1
http://www.cl.cam.ac.uk/~rja14/Papers/tcpa.pdf
http://www.microsoft.com/technet/archive/security/...
http://www.schneier.com/blog/archives/2005/08/...

Commentary:
http://yro.slashdot.org/yro/08/02/07/2138201.shtml
http://stumble.kapowaz.net/post/25792347
http://www.kryogenix.org/days/2008/02/08/...
http://girtby.net/archives/2008/2/8/vendor-lock-in

This essay previously appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Third Parties Controlling Information

Internet Archive:
http://www.archive.org/

Greatest Journal:
http://dropbeatsnotbombs.vox.com/library/post/...
http://barry095.vox.com/library/post/...

Other hacks:
http://www.schneier.com/blog/archives/2005/02/...
http://www.wired.com/politics/security/news/2008/01/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Who Owns Your Computer?

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/1,70802-0.html

Trusted computing:
http://www.schneier.com/crypto-gram-0208.html#1

A Security Market for Lemons

Risks of data in small packages:
http://www.wired.com/politics/security/commentary/...

Secustick and review:
http://www.secustick.nl/engels/index.html
http://tweakers.net/reviews/683

Snake oil:
http://www.schneier.com/crypto-gram-9902.html#snakeoil
http://www.schneier.com/...

"A Market for Lemons":
http://en.wikipedia.org/wiki/The_Market_for_Lemons
http://www.students.yorku.ca/~siccardi/...

Kingston USB drive:
http://www.kingston.com/flash/dt_secure.asp

Slashdot thread:
http://it.slashdot.org/article.pl?sid=07/04/19/140245

This essay originally appeared in Wired:
http://www.wired.com/politics/security/commentary/...

Websites, Passwords, and Consumers

Phishing:
http://www.msnbc.msn.com/id/5184077/
http://www.internetweek.com/e-business/...

The Trojan:
http://news.com.com/...
http://www.pcworld.com/news/article/...

A shorter version of this essay originally appeared in IEEE Security and Privacy:
http://csdl.computer.org/comp/mags/sp/2004/04/...

The Feeling and Reality of Security

Getting security trade-offs wrong:
http://www.schneier.com/essay-162.html

Cognitive biases that affect security:
http://www.schneier.com/essay-155.html

"In Praise of Security Theater":
http://www.schneier.com/essay-154.html

The security lemon's market:
http://www.schneier.com/essay-165.html

Airline security and agenda:
http://www.schneier.com/blog/archives/2005/08/...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Behavioral Assessment Profiling

This article originally appeared in The Boston Globe:
http://www.boston.com/news/globe/editorial_opinion/...
http://news.airwise.com/stories/2004/11/1100157618.html
http://www.usatoday.com/travel/news/...

In Praise of Security Theater

This essay appeared on Wired.com, and is dedicated to my new godson, Nicholas Quillen Perry:
http://www.wired.com/news/columns/0,72561-0.html

Infant abduction:
http://www.saione.com/ispletter.htm

Blog entry URL:
http://www.schneier.com/blog/archives/2007/01/...

CYA Security

http://www.schneier.com/blog/archives/2007/02/...

Airplane security:
http://www.schneier.com/blog/archives/2006/08/...

Searching bags in subways:
http://www.schneier.com/blog/archives/2005/07/...

No-fly list:
http://www.schneier.com/essay-052.html

More CYA security:
http://entertainment.iafrica.com/news/929710.htm
http://www.news24.com/News24/Entertainment/Oscars/...
http://www.schneier.com/blog/archives/2005/09/...
http://www.schneier.com/blog/archives/2006/03/...
http://www.schneier.com/blog/archives/2007/01/...
http://www.slate.com/id/2143104/

Commentary:
http://www.networkworld.com/community/?q=node/11746
http://yro.slashdot.org/yro/07/02/22/214246.shtml

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,72774-0.html

Copycats

http://www.philly.com/mld/inquirer/news/local/...
http://kyw1060.com/pages/254744.php?...
http://www.delawareonline.com/apps/pbcs.dll/article?...
http://www.nbc10.com/news/11155984/detail.html?...

Dan Cooper and the Cooper Vane:
http://www.crimelibrary.com/criminal_mind/scams/...
http://en.wikipedia.org/wiki/Cooper_Vane

Green-card lawyers:
http://www.wired.com/news/politics/0,1283,19098,00.html

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,72887-0.html

Blog entry URL:
http://www.schneier.com/blog/archives/2007/03/post.html

Rare Risk and Overreactions

Irrational reactions:
http://arstechnica.com/news.ars/post/...
http://www.boingboing.net/2007/05/03/...
http://www.yaledailynews.com/articles/view/20843
http://yaledailynews.com/articles/view/20913
http://www.msnbc.msn.com/id/18645623/

Risks of school shootings from 2000:
http://www.cdc.gov/HealthyYouth/injury/pdf/...

Crime statistics--strangers vs. acquaintances:
http://www.fbi.gov/ucr/05cius/offenses/...

Me on the psychology of risk and security:
http://www.schneier.com/essay-155.html

Risk of shark attacks:
http://www.oceanconservancy.org/site/DocServer/...

Ashcroft speech:
http://www.highbeam.com/doc/1G1-107985887.html

Me on security theater:
http://www.schneier.com/essay-154.html

Baseball beer ban:
http://blogs.csoonline.com/baseballs_big_beer_ban

Nicholas Taleb essay:
http://www.fooledbyrandomness.com/nyt2.htm
http://www.telegraph.co.uk/opinion/main.jhtml?xml=/...

VA Tech and gun control:
http://abcnews.go.com/International/wireStory?...
http://www.cnn.com/2007/US/04/19/commentary.nugent/...

VA Tech hindsight:
http://news.independent.co.uk/world/americas/...
http://www.mercurynews.com/charliemccollum/ci_5701552

Jon Stewart video:
http://www.comedycentral.com/motherload/...

Me on movie-plot threats:
http://www.schneier.com/essay-087.html

Another opinion:
http://www.socialaffairsunit.org.uk/blog/archives/...

This essay originally appeared on Wired.com, my 42nd essay on that site:
http://www.wired.com/politics/security/commentary/...

French translation:
http://archiloque.net/spip.php?...

Tactics, Targets, and Objectives

Safari security advice:
http://www.cybertracker.co.za/DangerousAnimals.html

School shooter security advice:
http://www.ucpd.ucla.edu/ucpd/zippdf/2007/...

Burglar security advice:
http://www.pfadvice.com/2007/02/05/...
http://www.pfadvice.com/2007/03/06/...

Me on terrorism:
http://www.schneier.com/essay-096.html
http://www.schneier.com/blog/archives/2006/08/...
http://www.schneier.com/blog/archives/2005/09/...
http://www.schneier.com/blog/archives/2006/08/...

Learning behavior in tigers:
http://www.cptigers.org/animals/species.asp?speciesID=9

This essay originally appeared on Wired.com:
http://www.wired.com/print/politics/security/...

The Security Mindset

SmartWater:
http://www.smartwater.com/products/...
http://www.schneier.com/blog/archives/2005/02/...

CSE484:
http://www.cs.washington.edu/education/courses/484/...
http://cubist.cs.washington.edu/Security/2007/11/22/...

CSE484 blog:
http://cubist.cs.washington.edu/Security/
http://cubist.cs.washington.edu/Security/category/...
http://cubist.cs.washington.edu/Security/2008/03/14/...

Britney Spears's medical records:
http://www.msnbc.msn.com/id/23640143

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Comments:
http://www.freedom-to-tinker.com/?p=1268
http://blog.ungullible.com/2008/03/...
http://www.daemonology.net/blog/...

My Open Wireless Network

RIAA data:
http://www.sptimes.com/2007/10/02/Business/...
http://www.npd.com/press/releases/press_0703141.html
http://www.guardian.co.uk/technology/2007/mar/22/...

Rulings on "stealing" bandwidth:
http://www.ibls.com/...
http://arstechnica.com/news.ars/post/...

Amusing story of someone playing with a bandwidth stealer:
http://www.ex-parrot.com/~pete/upside-down-ternet.html

ISPs:
http://w2.eff.org/Infrastructure/...
http://www.nytimes.com/2007/04/14/technology/...

Fon:
http://www.iht.com/articles/2006/01/30/business/...
http://www.fon.com/en/

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

It has since generated a lot of controversy:
http://hardware.slashdot.org/article.pl?sid=08/01/...

Opposing essays:
http://wifinetnews.com/archives/008126.html
http://www.dslreports.com/shownews/...
http://www.networkworld.com/community/node/23714

And here are supporting essays:
http://www.boingboing.net/2008/01/10/...
http://techdirt.com/articles/20080110/100007.shtml
http://blogs.computerworld.com/open_wireless_oh_my

Presumably there will be a lot of back and forth in the blog comments section here as well:
http://www.schneier.com/blog/archives/2008/01/...

Debating Full Disclosure

This essay originally appeared on CSOOnline:
http://www2.csoonline.com/exclusives/column.html?...

It was part of a series of essays on the topic. Marcus Ranum wrote against the practice of disclosing vulnerabilities:
http://www2.csoonline.com/exclusives/column.html?...

Mark Miller of Microsoft wrote in favor of responsible disclosure:
http://www2.csoonline.com/exclusives/column.html?...

These are sidebars to a very interesting article in CSO Magazine, "The Chilling Effect," about the confluence of forces that are making it harder to research and disclose vulnerabilities in web-based software:
http://www.csoonline.com/read/010107/fea_vuln.html

All the links are worth reading in full.

A Simplified Chinese translation by Xin Li:
http://blog.delphij.net/archives/001694.html

Doping in Professional Sports

http://www.msnbc.msn.com/id/14059185/

Armstrong's case:
http://www.schneier.com/blog/archives/2005/09/...

Baseball and HGH:
http://sports.yahoo.com/mlb/news?...
http://sports.yahoo.com/mlb/news?...

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71566-0.html

Do We Really Need a Security Industry?

http://software.silicon.com/security/...
http://www.techworld.com/security/blogs/index.cfm?...
http://techdigest.tv/2007/04/security_guru_q.html
http://www.itbusinessedge.com/blogs/top/?p=114

Complexity and security:
http://www.schneier.com/crypto-gram-0003.html#8

Commentary on essay:
http://www.networkworld.com/community/?q=node/14813
http://it.slashdot.org/it/07/05/03/1936237.shtml
http://matt-that.com/?p=5

This essay originally appeared in Wired:
http://www.wired.com/politics/security/commentary/...

Basketball Referees and Single Points of Failure

This is my 50th essay for Wired.com:
http://www.wired.com/politics/security/commentary/...
http://sports.espn.go.com/espn/page2/story?...
http://sports.espn.go.com/nba/columns/story?...
http://sports.espn.go.com/nba/columns/story?...
http://sports.espn.go.com/nba/columns/story?...
http://msn.foxsports.com/nba/story/7047984
http://sports.espn.go.com/espn/blog/index?...
http://www.eog.com/news/industry.aspx?id=28416
http://sports.espn.go.com/nba/news/story?...

Chemical Plant Security and Externalities

Risks:
http://www.usatoday.com/news/washington/...
http://www.chemsafety.gov/index.cfm?...
http://www.bt.cdc.gov/agent/phosgene/basics/facts.asp
http://www.opencrs.com/document/M20050627/...
http://digital.library.unt.edu/govdocs/crs/...
http://www.washingtonmonthly.com/features/2007/...

Regulations:
http://www.boston.com/news/nation/washington/...
http://www.usatoday.com/printedition/news/20070427/...

This essay previously appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Mitigating Identity Theft

This essay was previously published on CNet:
http://www.news.com/Mitigating-identity-theft/...

LifeLock and Identity Theft

LifeLock:
http://www.lifelock.com

FACTA:
http://www.ftc.gov/opa/2004/06/factaidt.shtm
http://www.treasury.gov/offices/domestic-finance/...

Fraud alerts:
http://www.consumersunion.org/creditmatters/...

The New York Times article:
http://www.nytimes.com/2008/05/24/business/...

Lawsuits:
http://www.networkworld.com/news/2008/...
http://www.insidetech.com/news/...

Identity theft:
http://www.schneier.com/crypto-gram-0504.html#2
http://www.ftc.gov/opa/2007/11/idtheft.shtm
http://www.consumer.gov/sentinel/pubs/...
http://www.privacyrights.org/ar/...

Free credit reports:
http://www.annualcreditreport.com/
http://blog.washingtonpost.com/securityfix/2005/09/...
http://www.msnbc.msn.com/id/7803368/
http://ezinearticles.com/?...

Defending yourself:
http://www.nytimes.com/2008/05/24/business/...
http://www.savingadvice.com/blog/2008/06/04/...

This essay originally appeared in Wired:
http://www.wired.com/politics/security/commentary/...

Phishing

California law:
http://www.msnbc.msn.com/id/9547692/

Definitions:
http://en.wikipedia.org/wiki/Phishing
http://en.wikipedia.org/wiki/Pharming
http://www-03.ibm.com/industries/financialservices/...
http://www-03.ibm.com/industries/financialservices/...

Who pays for identity theft:
http://www.informationweek.com/showArticle.jhtml?...

Me on semantic attacks:
http://www.schneier.com/crypto-gram-0010.html#1

Me on economics and security:
http://www.schneier.com/book-sandl-intro2.html

Me on identity theft:
http://www.schneier.com/blog/archives/2005/04/...

Discussion of my essay:
http://it.slashdot.org/article.pl?sid=05/10/06/...

This essay originally appeared in Wired:
http://www.wired.com/news/politics/0,1283,69076,00.html

Bot Networks

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,71471-0.html

Distributed.net:
http://www.distributed.net

SETI@home:
http://setiathome.berkeley.edu

MafiaBoy:
http://www.infoworld.com/articles/hn/xml/01/01/18/...

1.5-million-node bot network:
http://www.techweb.com/wire/security/172303160

Cyber-Attack

http://www.fcw.com/article98016-03-22-07-Web

Allowing the entertainment industry to hack:
http://www.politechbot.com/docs/...
http://www.freedom-to-tinker.com/?cat=6

Clarke's comments:
http://www.usatoday.com/tech/news/2002/02/14/...

This essay originally appeared in Wired:
http://www.wired.com/politics/security/commentary/...

Counterattack

Automated law enforcement:
http://www.foxnews.com/story/0,2933,64688,00.html

Mullen's essay:
http://www.hammerofgod.com/strikeback.txt

Berman legislation:
http://www.counterpane.com/crypto-gram-0208.html#5

Cyberwar

My previous essay on cyberterrorism:
http://www.schneier.com/crypto-gram-0306.html#1

Militaries and Cyberwar

My interview in the Iranian newspaper (to be honest, I have no idea what it says):
http://www.jamejamdaily.net/shownews2.asp?n=26454&t=com

The Truth About Chinese Hackers

Article originally published in Discovery Tech:
http://dsc.discovery.com/technology/my-take/...

Safe Personal Computing

Others have disagreed with these recommendations:
http://www.getluky.net/archives/000145.html
http://www.berylliumsphere.com/security_mentor/2004/...

My original essay on the topic:
http://www.schneier.com/crypto-gram-0105.html#8

This essay previously appeared on CNet:
http://news.com.com/...

How to Secure Your Computer, Disks, and Portable Drives

This essay previously appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Why was the U.K. event such a big deal? Certainly the scope: 40% of the British population. Also the data: bank account details; plus information about children. There's already a larger debate on the issue of a database on kids that this feeds into. And it's a demonstration of government incompetence (think Hurricane Katrina). In any case, this issue isn't going away anytime soon. Prime Minister Gordon Brown has apologized. The head of the Revenue and Customs office has resigned. More fallout is probably coming.

U.K.'s privacy Chernobyl:
http://www.timesonline.co.uk/tol/news/uk/...
http://news.bbc.co.uk/1/hi/uk_politics/7104945.stm
http://politics.guardian.co.uk/economics/story/...
http://www.timesonline.co.uk/tol/news/uk/...
http://www.theregister.co.uk/2007/11/21/...

U.S. VA privacy breach:
http://www.wired.com/techbiz/media/news/2006/05/70961

PGP Disk:
http://www.pgp.com/products/wholediskencryption/

Choosing a secure password:
http://www.schneier.com/blog/archives/2007/01/...
http://www.iusmentis.com/security/passphrasefaq/

Risks of losing small memory devices:
http://www.schneier.com/blog/archives/2005/07/...

Laptop snatching:
http://www.sfgate.com/cgi-bin/article.cgi?file=/...

Microsoft BitLocker:
http://www.schneier.com/blog/archives/2006/05/...

TrueCrypt:
http://www.truecrypt.org/

Crossing Borders with Laptops and PDAs

My advice on choosing secure passwords:
http://www.schneier.com/essay-148.html

This essay originally appeared in The Guardian:
http://www.guardian.co.uk/technology/2008/may/15/...

Choosing Secure Passwords

Analyzing 24,000 MySpace passwords:
http://www.wired.com/news/columns/0,72300-0.html

Choosing passwords:
http://psychology.wichita.edu/surl/usabilitynews/81/...
http://www.microsoft.com/windows/IE/community/...
http://www.brunching.com/passwordguide.html

AccessData:
http://www.accessdata.com

Password Safe:
http://www.schneier.com/passsafe.html

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/1,72458-0.html

Secrecy, Security, and Obscurity

Kerckhoffs' Paper (in French):
http://www.cl.cam.ac.uk/~fapp2/kerckhoffs/...

Another essay along similar lines:
http://online.securityfocus.com/columnists/80

More on Two-Factor Authentication

This essay previously appeared in Network World as a "Face Off":
http://www.nwfusion.com/columnists/2005/...

Joe Uniejewski of RSA Security wrote an opposing position:
http://www.nwfusion.com/columnists/2005/...

Another rebuttal:
http://www.eweek.com/article2/0,1759,1782435,00.asp

My original essay:
http://www.schneier.com/essay-083.html

Home Users: A Public Health Problem?

This essay is the first half of a point/counterpoint with Marcus Ranum in the September 2007 issue of Information Security. You can read his reply here:
http://www.ranum.com/security/computer_security/...

Security Products: Suites vs. Best-of-Breed

This essay originally appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security:
http://searchsecurity.techtarget.com/...

Marcus's half:
http://searchsecurity.techtarget.com/...

Separating Data Ownership and Device Ownership

New timing attack on RSA:
http://www.newscientisttech.com/article/dn10609
http://eprint.iacr.org/2006/351.pdf

My essay on side-channel attacks:
http://www.schneier.com/crypto-gram-9806.html#side

My paper on data/device separation:
http://www.schneier.com/paper-smart-card-threats.html

Street-performer protocol: an alternative to DRM:
http://www.schneier.com/paper-street-performer.html

Ontario lottery fraud:
http://www.cbc.ca/canada/toronto/story/2006/10/26/...

This essay originally appeared on Wired.com:
http://www.wired.com/news/columns/0,72196-0.html

Assurance

California reports:
http://www.sos.ca.gov/elections/elections_vsr.htm

Commentary and blog posts:
http://www.freedom-to-tinker.com/?p=1181
http://blog.wired.com/27bstroke6/2007/07/...
http://www.schneier.com/blog/archives/2007/07/...
http://www.freedom-to-tinker.com/?p=1184
http://blog.wired.com/27bstroke6/2007/08/...
http://avi-rubin.blogspot.com/2007/08/...
http://www.crypto.com/blog/ca_voting_report/
http://twistedphysics.typepad.com/...
http://www.schneier.com/blog/archives/2007/08/...

California's recertification requirements:
http://arstechnica.com/news.ars/post/...

DefCon reports:
http://www.defcon.org/
http://www.physorg.com/news105533409.html
http://blog.wired.com/27bstroke6/2007/08/...
http://www.newsfactor.com/news/...
http://blog.wired.com/27bstroke6/2007/08/...

US-VISIT database vulnerabilities:
http://www.washingtonpost.com/wpdyn/content/article/...

RFID passport hacking:
http://www.engadget.com/2006/08/03/...
http://www.rfidjournal.com/article/articleview/2559/...
http://www.wired.com/politics/security/news/2007/08/...
http://money.cnn.com/2007/08/03/news/rfid/?...

How common are bugs:
http://www.rtfm.com/bugrate.pdf

Diebold patch:
http://www.schneier.com/blog/archives/2007/08/...

Brian Snow on assurance:
http://www.acsac.org/2005/papers/Snow.pdf

Books on secure software development:
http://www.amazon.com/...
http://www.amazon.com/...
http://www.amazon.com/...

Microsoft's SDL:
http://www.microsoft.com/MSPress/books/8753.asp

DHS's Build Security In program:
https://buildsecurityin.us-cert.gov/daisy/bsi/home.html

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Sony's DRM Rootkit: The Real Story

This essay originally appeared in Wired:
http://www.wired.com/news/privacy/0,1848,69601,00.html

There are a lot of links in this essay. You can see them on Wired's page. Or here:
http://www.schneier.com/essay-094.html

These are my other blog posts on this:
http://www.schneier.com/blog/archives/2005/11/...
http://www.schneier.com/blog/archives/2005/11/...
http://www.schneier.com/blog/archives/2005/11/...
http://www.schneier.com/blog/archives/2005/11/...

There are lots of other links in these posts.

The Storm Worm

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...
http://www.informationweek.com/news/...
http://www.informationweek.com/...
http://www.informationweek.com/...
http://www.scmagazineus.com/...
http://www.usatoday.com/tech/news/computersecurity/...

Fast flux:
http://ddanchev.blogspot.com/2007/09/...

Storm's attacks:
http://www.spamnation.info/blog/archives/2007/09/...
http://ddanchev.blogspot.com/2007/09/...
http://www.disog.org/2007/09/...

Stewart's analysis:
http://www.secureworks.com/research/threats/storm-worm/

Counterworms:
http://www.schneier.com/crypto-gram-0309.html#8

The Ethics of Vulnerability Research

This was originally published in InfoSecurity Magazine, as part of a point/counterpoint with Marcus Ranum. You can read Marcus's half here:
http://searchsecurity.techtarget.com/...

Is Penetration Testing Worth It?

This essay appeared in the March 2007 issue of Information Security, as the first half of a point/counterpoint with Marcus Ranum:
http://informationsecurity.techtarget.com/magItem/...

Marcus's half:
http://www.ranum.com/security/computer_security/...

Anonymity and the Tor Network

This essay previously appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...

Tor:
https://tor.eff.org/
http://tor.eff.org/overview.html.en
http://wiki.noreply.org/noreply/TheOnionRouter/...

Onion routing:
http://www.onion-router.net/

Egerstad's work:
http://www.derangedsecurity.com/...
http://www.heise-security.co.uk/news/95778
http://www.securityfocus.com/news/11486
http://www.derangedsecurity.com/...
http://www.wired.com/politics/security/news/2007/09/...

Sassaman's paper:
http://www.cosic.esat.kuleuven.be/publications/...

Anonymity research:
http://www.cs.utexas.edu/~shmat/abstracts.html#netflix
http://www.nd.edu/~netsci/TALKS/Kleinberg.pdf
http://citeseer.ist.psu.edu/novak04antialiasing.html
http://www.cl.cam.ac.uk/~sjm217/papers/...
http://www.nytimes.com/2006/08/09/technology/09aol.html

Dark Web:
http://www.nsf.gov/news/news_summ.jsp?cntn_id=110040

Tor users:
http://advocacy.globalvoicesonline.org/wp-content/...
http://blog.wired.com/27bstroke6/2007/07/...

Tor server operator shuts down after police raid:
http://www.heise.de/english/newsticker/news/96107

Tools for identifying the source of Tor data:
http://www.securityfocus.com/news/11447

Kill Switches and Remote Control

Kill switches:
http://www.informationweek.com/news/mobility/...
http://www.nypost.com/seven/06082008/news/...
http://blog.wired.com/defense/2008/06/...
http://spectrum.ieee.org/may08/6171

Digital Manners Policies:
http://arstechnica.com/news.ars/post/...
http://appft1.uspto.gov/netacgi/nph-Parser?...

This essay originally appeared on Wired.com:
http://www.wired.com/politics/security/commentary/...
