Essays Tagged "ZDNet"

Page 1 of 1

Debunking Virus-Based Fixes

  • Bruce Schneier
  • ZDNet
  • July 31, 2000

The latest tale of security gaps in Microsoft Corp.’s software is a complicated story, and there are a lot of lessons to take away … so let’s take it chronologically.

On June 27, Georgi Guninski discovered a new vulnerability in Internet Explorer (4.0 or higher) and Microsoft Access (97 or 2000) running on Windows 95, 98, NT 4.0 or 2000. An attacker can compromise a user’s system by getting the user to read an HTML e-mail message (not an attachment) or visit a Web site.

This is a serious problem, and it could result in new and virulent mailware. But it requires Microsoft Access to be installed on the victim’s computer, which, while common, is by no means universal. A virus that exploits this vulnerability will not spread as widely as, say, Melissa. In any case, Microsoft published a fix on July 14, and I urge everyone to install it…

DVD Encryption Broken

  • Bruce Schneier
  • ZDNet
  • November 1999

A version of this article appeared as a guest commentary on ZDNet.

The scheme to protect DVDs has been broken. There are now freeware programs on the net that remove the copy protection on DVDs, allowing them to be played, edited, and copied without restriction.

This should be no surprise to anyone, least of all to the entertainment industry.

The protection scheme is seriously flawed in several ways. Each DVD is encrypted with something called Content Scrambling System (CCS). It has a 40-bit key. (I have no idea why. The NSA and the FBI shouldn’t care about DVD encryption. There aren’t any encrypted terrorist movies they need to watch.) It’s not even a very good algorithm. But even if the encryption were triple-DES, this scheme would be flawed…

Web-Based Encrypted E-Mail

  • Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on ZDNet.com.

The idea is enticing. Just as you can log onto Hotmail with your browser to send and receive e-mail, there are Web sites you can log on to to send and receive encrypted e-mail. HushMail, ZipLip, YNN-mail, ZixMail. No software to download and install…it just works.

But how well?

HushMail <http://www.hushmail.com> is basically a PGP or S/MIME-like e-mail application that uses Java (although oddly enough, HushMail is not compatible with either). The sender logs onto the HushMail Web site, and encrypts messages using a Java applet that is automatically downloaded onto his machine. Both the sender and receiver need to have HushMail accounts for this to work. Accounts can be anonymous…

NIST AES News

  • Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on ZDNet.com.

AES is the Advanced Encryption Standard, the encryption algorithm that will eventually replace DES. In 1997, the U.S. government (NIST, actually), solicited candidate algorithms for this standard. By June 1998 (the submission deadline), NIST received fifteen submissions. NIST asked for comments on these algorithms, with the intention of pruning the list to five finalists. NIST held an AES conference in Rome in April (this was the second AES conference, the first was the previous August in California), the comment deadline was in June, and last Monday NIST announced the finalists…

Sidebar photo of Bruce Schneier by Joe MacInnis.