Schneier on Security

Page 387

NSA Using Hacker Research and Results

In the latest article based on the Snowden documents, the Intercept is reporting that the NSA and GCHQ are piggy-backing on the work of hackers:

In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets…by collecting the hackers’ ‘take,’ we…get access to the emails themselves,” reads one top secret 2010 National Security Agency document.

Not surprising.

Tags: Edward Snowden, GCHQ, hacking, intelligence, NSA, privacy, surveillance

Posted on February 6, 2015 at 9:39 AM • View Comments

GPG Financial Difficulties

Werner Koch, who has been maintaining the GPG e-mail encryption program since 1997, is going broke and considering quitting.

Updates to the article say that, because of the article, he has received substantial contributions to continue.

Slashdot thread. Hacker News thread.

EDITED TO ADD (2/7): Now, what to do with all that money. Slashdot thread. Hacker News thread.

Tags: email, encryption, PGP

Posted on February 5, 2015 at 7:50 PM • View Comments

Tracking Bitcoin Scams

Interesting paper: “There’s No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams,” by Marie Vasek and Tyler Moore.

Abstract: We present the first empirical analysis of Bitcoin-based scams: operations established with fraudulent intent. By amalgamating reports gathered by
voluntary vigilantes and tracked in online forums, we identify 192 scams and categorize them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. In 21% of the cases, we also found the associated Bitcoin addresses, which enables us to track payments into and out of the scams. We find that at least $11 million has been contributed to the scams from 13 000 distinct victims. Furthermore, we present evidence that the most successful scams depend on large contributions from a very small number of victims. Finally, we discuss ways in which the scams could be countered.

News article.

Tags: academic papers, bitcoin, scams

Posted on February 4, 2015 at 7:02 AM • View Comments

Obama Says Terrorism Is Not an Existential Threat

In an interview this week, President Obama said that terrorism does not pose an existential threat:

What I do insist on is that we maintain a proper perspective and that we do not provide a victory to these terrorist networks by overinflating their importance and suggesting in some fashion that they are an existential threat to the United States or the world order. You know, the truth of the matter is that they can do harm. But we have the capacity to control how we respond in ways that do not undercut what’s the—you know, what’s essence of who we are.

He said something similar in January.

On one hand, what he said is blindingly obvious; and overinflating terrorism’s risks plays into the terrorists’ hands. Climate change is an existential threat. So is a comet hitting the earth, intelligent robots taking over the planet, and genetically engineered viruses. There are lots of existential threats to humanity, and we can argue about their feasibility and probability. But terrorism is not one of them. Even things that actually kill tens of thousands of people each year—car accidents, handguns, heart disease—are not existential threats.

But no matter how obvious this is, until recently it hasn’t been something that serious politicians have been able to say. When Vice President Biden said something similar last year, one commentary carried the headline “Truth or Gaffe?” In 2004, when presidential candidate John Kerry gave a common-sense answer to a question about the threat of terrorism, President Bush used those words in an attack ad. As far as I know, these comments by Obama and Biden are the first time major politicians are admitting that terrorism does not pose an existential threat and are not being pilloried for it.

Overreacting to the threat is still common, and exaggeration and fear still make good politics. But maybe now, a dozen years after 9/11, we can finally start having rational conversations about terrorism and security: what works, what doesn’t, what’s worth it, and what’s not.

Tags: national security policy, risk assessment, risks, terrorism

Posted on February 3, 2015 at 6:15 AM • View Comments

Texas School Overreaction

Seems that a Texas school has suspended a 9-year-old for threatening another student with a replica One Ring. (Yes, that One Ring.)

I’ve written about this sort of thing before:

These so-called zero-tolerance policies are actually zero-discretion policies. They’re policies that must be followed, no situational discretion allowed. We encounter them whenever we go through airport security: no liquids, gels or aerosols. Some workplaces have them for sexual harassment incidents; in some sports a banned substance found in a urine sample means suspension, even if it’s for a real medical condition. Judges have zero discretion when faced with mandatory sentencing laws: three strikes for drug offenses and you go to jail, mandatory sentencing for statutory rape (underage sex), etc. A national restaurant chain won’t serve hamburgers rare, even if you offer to sign a waiver. Whenever you hear “that’s the rule, and I can’t do anything about it”—and they’re not lying to get rid of you—you’re butting against a zero discretion policy.

These policies enrage us because they are blind to circumstance. Editorial after editorial denounced the suspensions of elementary school children for offenses that anyone with any common sense would agree were accidental and harmless. The Internet is filled with essays demonstrating how the TSA’s rules are nonsensical and sometimes don’t even improve security. I’ve written some of them. What we want is for those involved in the situations to have discretion.

However, problems with discretion were the reason behind these mandatory policies in the first place. Discretion is often applied inconsistently. One school principal might deal with knives in the classroom one way, and another principal another way. Your drug sentence could depend considerably on how sympathetic your judge is, or on whether she’s having a bad day.

My guess is that the school administration ended up trapped by its own policies, probably even believing that they were correctly being applied. You can hear that in this hearsay quote reported by the boy’s father:

Steward said the principal said threats to another child’s safety would not be tolerated – whether magical or not.

Slashdot thread. Reddit thread.

Tags: overreactions, security policies

Posted on February 2, 2015 at 12:37 PM • View Comments

Hiding a Morse Code Message in a Pop Song

In Colombia:

The team began experimenting with Morse code using various percussion instruments and a keyboard. They learned that operators skilled in Morse code can often read the signals at a rate of 40 words per minute but played that fast, the beat would sound like a European Dance track. “We discovered the magic number was 20,” says Portela. “You can fit approximately 20 Morse code words into a piece of music the length of a chorus, and it sounds okay.”

[…]

Portela says they played with the Morse code using Reason software, which gives each audio channel or instrument its own dedicated track. With a separate visual lane for certain elements, it was possible to match the code to the beat of the song—and, crucially, blend it in.

Hiding the Morse code took weeks, with constant back-and-forth with Col. Espejo and the military to make sure their men could understand the message. “It was difficult because Morse code is not a musical beat. Sometimes it was too obvious,” says Portela. “Other times the code was not understood. And we had to hide it three times in the song to make sure the message was received.”

Tags: Colombia, cryptography, kidnapping, music, steganography

Posted on February 2, 2015 at 7:01 AM • View Comments

Friday Squid Blogging: Large Squid Washes up on Greek Beach

No mention of the species, but the photo is a depressing one.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on January 30, 2015 at 4:15 PM • View Comments

Co3 Systems Is Expanding into Europe

This was supposed to be a secret until the middle of February, but we’ve been found out.

We already have European customers; this is our European office.

And, by the way, we’re hiring, primarily in the Boston area.

Tags: Co3 Systems, incident response

Posted on January 30, 2015 at 2:57 PM • View Comments

Operating a Fake Bank

Here’s a story of a fake bank in China—a real bank, not an online bank—that stole $32m from depositors over a year. Pro tip: real banks never offer 2%/week interest.

Tags: banking, China, cons, scams, theft

Posted on January 30, 2015 at 6:49 AM • View Comments

← Earlier Entries Later Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.