July 15, 2016

by Bruce Schneier
CTO, Resilient, an IBM Company

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit <>.

You can read this issue on the web at <>. These same essays and news items appear in the "Schneier on Security" blog at <>, along with a lively and intelligent comment section. An RSS feed is available.

In this issue:

CIA Director John Brennan Pretends Foreign Cryptography Doesn't


Last week, CIA director John Brennan told a Senate committee that there wasn't any strong cryptography outside of the US.

CIA director John Brennan told US senators they shouldn't worry about mandatory encryption backdoors hurting American businesses.
And that's because, according to Brennan, there's no one else for people to turn to: if they don't want to use US-based technology because it's been forced to use weakened cryptography, they'll be out of luck because non-American solutions are simply "theoretical."

Here's the quote:

"US companies dominate the international market as far as encryption technologies that are available through these various apps, and I think we will continue to dominate them," Brennan said.
"So although you are right that there's the theoretical ability of foreign companies to have those encryption capabilities available to others, I do believe that this country and its private sector are integral to addressing these issues."

Is he actually lying there? I suppose it is possible that he's simply that ignorant. Strong foreign cryptography hasn't been "theoretical" for decades. And earlier this year, I released a survey of foreign cryptography products, listing 546 non-theoretical products from 54 countries outside the US.

I know Sen. Wyden knows about my survey. I hope he asks Brennan about it.

Blog entry URL:

Herb Lim comments:

My survey:


Report on the Vulnerabilities Equities Process

I have written before on the vulnerabilities equities process (VEP): the system by which the US government decides whether to disclose and fix a computer vulnerability or keep it secret and use it offensively. Ari Schwartz and Rob Knake, both former Directors for Cybersecurity Policy at the White House National Security Council, have written a report describing the process as we know it, with policy recommendations for improving it.

Basically, their recommendations are focused on improving the transparency, oversight, and accountability (three things I repeatedly recommend) of the process. In summary:

* The President should issue an Executive Order mandating government-wide compliance with the VEP.

* Make the general criteria used to decide whether or not to disclose a vulnerability public.

* Clearly define the VEP.

* Make sure any undisclosed vulnerabilities are reviewed periodically.

* Ensure that the government has the right to disclose any vulnerabilities it purchases.

* Transfer oversight of the VEP from the NSA to the DHS.

* Issue an annual report on the VEP.

* Expand Congressional oversight of the VEP.

* Mandate oversight by other independent bodies inside the Executive Branch.

* Expand funding for both offensive and defensive vulnerability research.

These all seem like good ideas to me. This is a complex issue, one I wrote about in "Data and Goliath" (pages 146-50), and one that's only going to get more important in the Internet of Things.

My writings:


This essay argues that teaching computer science at the K-12 level is a matter of national security. I think the argument is even broader. Computers, networks, and algorithms are at the heart of all of our complex social and political issues. We need broader literacy for all sorts of political and social reasons.

xkcd phishing cartoon. (The mouseover is the best part.)

The New York Times is reporting that some women in China are being forced to supply nude photos of themselves as collateral for getting a loan. Aside from the awfulness of this practice, it's really bad collateral because it's impossible to ever get it back.

Security behavior of pro-ISIS groups on social media:

Ronald V. Clarke argues for more situational awareness in crime prevention. Turns out if you make crime harder, it goes down. And this has profound policy implications.

Amy Zegert has some good questions about how to prevent lone-wolf terrorism, comparing the Orlando Pulse massacre to the Fort Hood massacre from 2009.

IPv4 addresses are valuable, so criminals are figuring out how to buy or steal them.

Micah Lee has a nice comparison among Signal, WhatsApp, and Allo.
BTW, don't use Telegram.

Stories of burglars using social media to figure out who's on vacation are old hat. Now financial investigators are using social media to find hidden wealth.

There's an app that allows people to submit photographs of hotel rooms around the world into a centralized database. The idea is that photographs of victims of human trafficking are often taken in hotel rooms, and the database will help law enforcement find the traffickers. I can't speak to the efficacy of the database -- in particular, the false positives -- but it's an interesting crowdsourced approach to the problem.

Facebook seems to be using physical location to suggest friends.
Facebook backtracks:

Interesting research: Mark G. Stewart and John Mueller, "Risk-based passenger screening: risk and economic assessment of TSA PreCheck increased security at reduced cost?"

Peter Maas interviewed the former NSA official who wrote the infamous "I Hunt Sysadmins" memo. It's interesting, but I wanted to hear less of Peter Maas -- I already know his views -- and more from the NSA hacker.

This anti-paparazzi scarf reflects light from camera flashes.

Funny: "Dogs Raise Fireworks Threat Level to 'Gray'"

Interesting research: Debora Halbert, "Intellectual property theft and national security: Agendas and assumptions":
Preliminary version, no paywall:

The New York Times wrote a good piece comparing airport security around the world, and pointing out that moving the security perimeter doesn't make any difference if the attack can occur just outside the perimeter. Mark Stewart has the good quote: "'Perhaps the most cost-effective measure is policing and intelligence -- to stop them before they reach the target,' Mr. Stewart said." Sounds like something I would say.

Interesting research: "Characterizing and Avoiding Routing Detours Through Surveillance States," by Anne Edmundson, Roya Ensafi, Nick Feamster, and Jennifer Rexford.

BBC has a story about hijacking someone's Facebook account with a fake passport copy. The confusion is that a scan of a passport is much easier to forge than an actual passport. This is a truly hard problem: how do you give people the ability to get back into their accounts after they've lost their credentials, while at the same time prohibiting hackers from using the same mechanism to hijack accounts? Demanding an easy-to-forge copy of a hard-to-forge document isn't a good solution.

Two researchers have discovered over 100 Tor nodes that are spying on hidden services.

Dallas police used a robot to kill a person. It seems to be a first.

Interesting paper: "Anonymization and Risk," by Ira S. Rubinstein and Woodrow Hartzog.

In a truly terrible ruling, the US 9th Circuit Court ruled that using someone else's password with their permission but without the permission of the site owner is a federal crime. This means that if you give someone else your Netflix password without Netflix's permission, you're a criminal.

While we're on the subject of terrible 9th Circuit Court rulings, visiting a website against the owner's wishes is also a federal crime:
Both of these ruling demonstrate how badly written the Computer Fraud and Abuse Act is.

Security effectiveness of the Israeli West Bank barrier:

Schneier News

I have joined the Board of Directors of the Tor Project.

I'm giving a keynote talk at RSA Asia in Singapore on 21 July.

I was a guest on an "Adam Ruins Everything" podcast.

I was a guest on "The Legal Edition," where I talked about encryption and the going-dark debate.

Apple's Differential Privacy

At the Apple Worldwide Developers Conference earlier this week, Apple talked about something called "differential privacy." We know very little about the details, but it seems to be an anonymization technique designed to collect user data without revealing personal information.

What we know about anonymization is that it's much harder than people think, and it's likely that this technique will be full of privacy vulnerabilities. (See, for example, the excellent work of Latanya Sweeney.) As expected, security experts are skeptical. Here's Matt Green trying to figure it out.

So while I applaud Apple for trying to improve privacy within its business models, I would like some more transparency and some more public scrutiny.


Here's a slide deck from the WWDC.

Latanya Sweeney:

Google's Post-Quantum Cryptography

News has been bubbling about an announcement by Google that it's starting to experiment with public-key cryptography that's resistant to cryptanalysis by a quantum computer. Specifically, it's experimenting with the New Hope algorithm.

It's certainly interesting that Google is thinking about this, and probably okay that it's available in the Canary version of Chrome, but this algorithm is by no means ready for operational use. Secure public-key algorithms are *very* hard to create, and this one has not had nearly enough analysis to be trusted. Lattice-based public-key cryptosystems such as New Hope are particularly subtle -- and we cryptographers are still learning a lot about how they can be broken.

Targets are important in cryptography, and Google has turned New Hope into a good one. Consider this an opportunity to advance our cryptographic knowledge, not an offer of a more-secure encryption option. And this is the right time for this area of research, before quantum computers make discrete-logarithm and factoring algorithms obsolete.

Google announcement:

New Hope algorithm:

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise. You can subscribe, unsubscribe, or change your address on the Web at <>. Back issues are also available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier. Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 13 books -- including his latest, "Data and Goliath" -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient, an IBM Company. See <>.

Crypto-Gram is a personal newsletter. Opinions expressed are not necessarily those of Resilient, an IBM Company.

Copyright (c) 2016 by Bruce Schneier.

Sidebar photo of Bruce Schneier by Joe MacInnis.