February 15, 2012
by Bruce Schneier
A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at <http://www.schneier.com/crypto-gram-1202.html>. These same essays and news items appear in the "Schneier on Security" blog at <http://www.schneier.com/blog>, along with a lively comment section. An RSS feed is available.
Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. (Yes, Amazon's webpage claims that the book will be published on February 21, 2012, but they ship copies as soon as they get them -- this ain't Harry Potter.) I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped books to everyone who ordered a signed copy.
I've seen five more reviews. And there's one print and one audio (there's also a transcript) interview about the book.
A bunch of people on Twitter have announced that they're enjoying the book. Right now, there are only three reviews on Amazon. Please, leave a review on Amazon. (I'll write about the problem of fake reviews on these sorts of sites in another post.)
I'm not sure, but I think the Kindle price is going to increase. So if you want the book at the current $10 price, now is the time to buy it.
At the end of February, I'll be at the RSA Conference in San Francisco. In addition to my other speaking events, Davi Ottenheimer will interview me about the book at something called The Author's Studio. I'll be doing two one-hour book signings at the conference bookstore. And, and this is the best news of all, HP has bought 1,000 copies of the book and will be giving them away at their booth. I'll be doing a couple of signings there as well.
The book's webpage:
Ordering a signed copy:
1. TSA screener finds two pipes in passenger's bags.
2. Screener determines that they're not a threat.
3. Screener confiscates them anyway, because of their "material and appearance."
4. Because they're not actually a threat, screener leaves them at the checkpoint.
5. Everyone forgets about them.
6. Six hours later, the next shift of TSA screeners notices the pipes and -- not being able to explain how they got there and, presumably, because of their "material and appearance" -- calls the police bomb squad to remove the pipes.
7. TSA does not evacuate the airport, or even close the checkpoint, because -- well, we don't know why.
I don't even know where to begin.
A merchant is suing his bank, claiming that the PCI standard "force[s] merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized." PCI is probably the biggest non-government security standard. It'll be interesting to see how this turns out.
Thankfully, this doesn't happen very often: "A US man who had been convicted on a second-degree murder charge will get a new trial after a computer virus destroyed transcripts of court proceedings."
I wrote about the technique of using false alarms to disable security in my book, "Beyond Fear." Here it is being used to rob an art gallery.
Continuing the militarization of the U.S. police, the state of Texas gets an armed patrol boat.
The NSF is funding research on giving organizations information-security risk ratings, similar to credit ratings for individuals.
Supreme Court rules about GPS tracking without a warrant. I originally wrote that the ruling forces the police to get a warrant before placing a GPS tracking device on a car. Actually, the ruling is much more complicated and nuanced.
On my blog, there was an interesting story about two British tourists detained at the U.S. border for their tweets.
Some errors in forensic science may be the result of the biases of the examiners.
The Idaho Loophole is -- if you believe the theory -- "a 50-square-mile swath of Idaho in which one can commit felonies with impunity."
Really good article on the huge incarceration rate in the U.S., its causes, its effects, and its value.
The problems of too much information sharing. Yes, it's fake. But it's funny.
"Solving the Underlying Economic Problem of Internet Piracy"
Interesting paper about the security risks of smaller aircraft.
Funny essay on captchas.
Dumb risk of the day: geotagged images of children:
Last month, a U.S. court demanded that a defendant surrender the encryption key to a laptop so the police could examine it.
Now it seems that she's forgotten the key.
What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It's less credible for someone to say "I have no idea what my password is" than to say something like "it was the word 'telephone' with a zero for the o and then some number following -- four digits, with a six in it -- and then a punctuation mark like a period." A brute-force password search could then be targeted at that description. I suppose someone could say "it was a random alphanumeric password created by an automatic program; I really have no idea," but I'm not sure a judge would believe it.
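To make the "targeted brute-force" point concrete, here is an added example (not code from the newsletter) that enumerates exactly the candidate space the recollection above describes and searches it. The word with its substitution ("teleph0ne"), the set of punctuation marks, and the use of plain SHA-256 in place of the real disk-encryption key derivation are all assumptions made so the example runs offline.

```python
"""Targeted password search from a partial recollection.

Added example, not code from the newsletter. It models the scenario in the
text: the owner remembers the password was "telephone" with a zero for the
o, then four digits including a six, then a punctuation mark. A plain
SHA-256 of the password stands in for whatever key derivation the real
disk encryption uses (an assumption so the example runs offline).
"""
import hashlib
import itertools
import string
from typing import Iterator, Optional

PUNCTUATION = ".,!?;:"  # assumed reading of "a punctuation mark like a period"


def candidates(base: str = "teleph0ne", digits: int = 4, must_contain: str = "6",
               marks: str = PUNCTUATION) -> Iterator[str]:
    """Yield every password consistent with the recollection.

    base          the remembered word with its substitution already applied
    digits        how many digits follow it
    must_contain  a digit the owner is sure appears in that run
    marks         the possible trailing punctuation marks
    """
    for run in itertools.product(string.digits, repeat=digits):
        if must_contain not in run:
            continue                      # "four digits, with a six in it"
        for mark in marks:
            yield f"{base}{''.join(run)}{mark}"


def search_space_size(digits: int = 4, marks: str = PUNCTUATION) -> int:
    """Digit runs containing the required digit at least once, times trailing marks."""
    return (10 ** digits - 9 ** digits) * len(marks)


def unconstrained_space_size(length: int) -> int:
    """For comparison: all printable-ASCII passwords of the same length."""
    return len(string.ascii_letters + string.digits + string.punctuation) ** length


def key_from_password(password: str) -> bytes:
    """Stand-in for the real key-derivation step (assumption: plain SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


def recover(target: bytes, **recollection) -> Optional[str]:
    """Walk the targeted candidate space; return the matching password or None."""
    for pw in candidates(**recollection):
        if key_from_password(pw) == target:
            return pw
    return None


if __name__ == "__main__":
    secret = "teleph0ne2613."               # constructed "forgotten" password
    print("targeted candidates:", search_space_size())                 # 20634
    print("same length, no recollection:", unconstrained_space_size(len(secret)))
    print("recovered:", recover(key_from_password(secret)))
```

The recollection shrinks a 14-character password from roughly 94^14 possibilities to about twenty thousand, which is why a vague-sounding description is still enough to recover the key. A real disk-encryption product would use a slow key-derivation function rather than one SHA-256, which changes the cost per guess but not the size of the space.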
DARPA is funding research into new forms of biometrics that authenticate people as they use their computer: things like keystroke patterns, eye movements, mouse behavior, reading speed, and surfing and e-mail response behavior. The idea -- and I think this is a good one -- is that the computer can continuously authenticate people, and not just authenticate them once when they first start using their computers.
I remember reading a science fiction story about a computer worm that searched for people this way: going from computer to computer, trying to identify a specific individual.
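The first signal on the list above, keystroke rhythm, is simple enough to show end to end. The following is an added example, not code from the newsletter or from DARPA's programme: it enrols a profile of digraph latencies from a few typing sessions and then re-scores a live stream in sliding windows, so the accept/reject decision is made continuously rather than once at login. The typing rhythms, jitter values, window size and threshold are all constructed sample data and assumptions.

```python
"""Continuous authentication from keystroke rhythm.

Added example; not code from the newsletter or from DARPA's programme.
It implements one of the signals the text lists, keystroke dynamics, in
a deliberately simple form: enrol a profile of digraph latencies (the
time between two consecutive key presses), then keep scoring the live
stream in sliding windows so the decision is re-made continuously.
All timings below are constructed sample data in milliseconds.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple

Keystroke = Tuple[str, float]               # (key, press time in ms)
Profile = Dict[str, Tuple[float, float]]    # digraph -> (mean latency, stdev)


def session(text: str, rhythm: Dict[str, float], jitter: Sequence[float]) -> List[Keystroke]:
    """Construct a keystroke stream: a latency per digraph plus a small cyclic jitter."""
    stream, t = [], 0.0
    for i, ch in enumerate(text):
        if i:
            t += rhythm[text[i - 1] + ch] + jitter[i % len(jitter)]
        stream.append((ch, t))
    return stream


def digraph_latencies(stream: Sequence[Keystroke]) -> Dict[str, List[float]]:
    """Group inter-key latencies by the digraph (key pair) that produced them."""
    out: Dict[str, List[float]] = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(stream, stream[1:]):
        out[k1 + k2].append(t2 - t1)
    return out


def enrol(samples: Sequence[Sequence[Keystroke]], min_obs: int = 3) -> Profile:
    """Build the legitimate user's profile from several enrolment sessions."""
    pooled: Dict[str, List[float]] = defaultdict(list)
    for s in samples:
        for dg, lats in digraph_latencies(s).items():
            pooled[dg].extend(lats)
    # Floor the spread at 5 ms so one very regular digraph cannot dominate the score.
    return {dg: (mean(l), max(pstdev(l), 5.0)) for dg, l in pooled.items() if len(l) >= min_obs}


def anomaly_score(profile: Profile, window: Sequence[Keystroke]) -> float:
    """Mean absolute z-score of a window's latencies against the profile.

    Digraphs the profile has never seen are skipped, not penalised, so typing
    unfamiliar text does not by itself look like an impostor.
    """
    zs: List[float] = []
    for dg, lats in digraph_latencies(window).items():
        if dg not in profile:
            continue
        mu, sigma = profile[dg]
        zs.extend(abs(l - mu) / sigma for l in lats)
    return mean(zs) if zs else 0.0


def monitor(profile: Profile, stream: Sequence[Keystroke], window: int = 8,
            threshold: float = 2.0) -> List[Tuple[int, float, bool]]:
    """Score overlapping windows of the live stream: (offset, score, still_authenticated)."""
    verdicts = []
    for start in range(0, max(len(stream) - window + 1, 1), window // 2):
        score = anomaly_score(profile, stream[start:start + window])
        verdicts.append((start, round(score, 2), score <= threshold))
    return verdicts


# Constructed data: the owner and an impostor type the same text with different rhythms.
TEXT = "the the the the the "
OWNER_RHYTHM = {"th": 90.0, "he": 70.0, "e ": 150.0, " t": 120.0}
IMPOSTOR_RHYTHM = {"th": 170.0, "he": 160.0, "e ": 240.0, " t": 210.0}
ENROLMENT = [session(TEXT, OWNER_RHYTHM, j)
             for j in ([0, 4, -3, 6, -5], [2, -6, 5, -2, 0], [-4, 3, 0, -6, 4])]
OWNER_LIVE = session(TEXT, OWNER_RHYTHM, [1, -2, 3, 0, -1])
IMPOSTOR_LIVE = session(TEXT, IMPOSTOR_RHYTHM, [2, -1, 0, 3, -2])

if __name__ == "__main__":
    profile = enrol(ENROLMENT)
    for who, live in (("owner", OWNER_LIVE), ("impostor", IMPOSTOR_LIVE)):
        print(who, monitor(profile, live))
```

Every window produces its own verdict, which is the property the text is after: an attacker who takes over an already-authenticated session is re-evaluated within a few keystrokes. A deployment would combine several such signals and tune the threshold against measured false-reject rates rather than the fixed value assumed here.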
I am the Hal Clement Science Speaker at Boskone 49, Feb 17-19, in Boston.
I am speaking at the Messaging Anti-Abuse Working Group 24th General Meeting, Feb 22, in San Francisco.
I am speaking at the RSA Conference 2012, Feb 27-Mar 2, in San Francisco.
In 2005, I wrote an essay called "The Failure of Two-Factor Authentication," where I predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.
This article describes exactly that.
My 2005 essay:
The solution is to authenticate the transaction, not the person.
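The difference between the two designs is easiest to see side by side. Below is an added example, not code from the 2005 essay or from the article it cites: a login one-time code that a client-side Trojan simply forwards along with a substituted transaction, next to a transaction code computed over the approved fields and a bank-issued challenge, which the same substitution invalidates. The token is assumed to be a device the malware does not control; the secret, account names and amounts are constructed sample data.

```python
"""Authenticate the transaction, not the person.

Added example; not code from the 2005 essay or the article it cites.
A login one-time code proves only that the user's token is present, so
malware between user and bank can forward the genuine code with a
transaction the user never saw. A transaction code is computed over the
fields the user approved plus a one-use bank challenge, so alteration in
transit or replay fails verification. The token is assumed to be a
device the malware cannot control; all data below is constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    account: str
    destination: str
    amount_cents: int

    def canonical(self) -> bytes:
        # Fixed field order; the separator is assumed absent from the fields.
        return f"{self.account}|{self.destination}|{self.amount_cents}".encode()


def six_digits(mac: bytes) -> str:
    """Truncate a MAC to the six-digit code a user can read off a token."""
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"


def login_otp(secret: bytes, counter: int) -> str:
    """Event-based one-time code: a function of the secret and a counter only."""
    return six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, challenge: bytes, tx: Transaction) -> str:
    """Code bound to the approved transaction and to a one-use challenge."""
    return six_digits(hmac.new(secret, challenge + b"|" + tx.canonical(), hashlib.sha256).digest())


class Bank:
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0                        # OTP counter, in sync with the token
        self.pending: Optional[bytes] = None    # outstanding transaction challenge
        self.ledger: List[Transaction] = []

    def accept_with_otp(self, tx: Transaction, code: str) -> bool:
        """Person authenticated: the code says nothing about tx as received."""
        ok = hmac.compare_digest(code, login_otp(self.secret, self.counter))
        if ok:
            self.counter += 1
            self.ledger.append(tx)
        return ok

    def issue_challenge(self) -> bytes:
        self.pending = os.urandom(8)
        return self.pending

    def accept_with_tx_code(self, tx: Transaction, code: str) -> bool:
        """Transaction authenticated: the MAC is checked over the fields as received."""
        if self.pending is None:
            return False
        ok = hmac.compare_digest(code, transaction_code(self.secret, self.pending, tx))
        if ok:
            self.pending = None                 # one challenge, one transaction: no replay
            self.ledger.append(tx)
        return ok


def trojan(tx: Transaction) -> Transaction:
    """Client-side malware rewrites the destination; the user's screen is unchanged."""
    return replace(tx, destination="MULE-ACCOUNT-999")


def demo() -> dict:
    secret = b"constructed shared secret"
    intended = Transaction("ALICE-001", "LANDLORD-042", 120_000)

    # A: login OTP. The user's genuine code is forwarded with a changed transaction.
    bank_a = Bank(secret)
    otp_accepts_tampered = bank_a.accept_with_otp(trojan(intended), login_otp(secret, 0))

    # B: transaction code. The token shows the user the fields and signs exactly those.
    bank_b = Bank(secret)
    code = transaction_code(secret, bank_b.issue_challenge(), intended)
    txcode_accepts_tampered = bank_b.accept_with_tx_code(trojan(intended), code)
    txcode_accepts_honest = bank_b.accept_with_tx_code(intended, code)
    txcode_accepts_replay = bank_b.accept_with_tx_code(intended, code)
    return {"otp_accepts_tampered": otp_accepts_tampered,
            "txcode_accepts_tampered": txcode_accepts_tampered,
            "txcode_accepts_honest": txcode_accepts_honest,
            "txcode_accepts_replay": txcode_accepts_replay,
            "ledger_a": bank_a.ledger, "ledger_b": bank_b.ledger}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The OTP bank ends up with the mule account in its ledger; the transaction-code bank rejects the altered transfer, accepts the one the user actually approved, and rejects a replay of the same code. The scheme only helps if the token displays the destination and amount to the user before signing, since a code computed over fields the malware supplied would authenticate the wrong transaction just as faithfully.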
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies," and "Applied Cryptography," and an inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security Technology Officer of BT BCSG, and is on the Board of Directors of the Electronic Privacy Information Center (EPIC). He is a frequent writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of BT.
Copyright (c) 2012 by Bruce Schneier.