Page 398

Survey on What Americans Fear

Interesting data:

Turning to the crime section of the Chapman Survey on American Fears, the team discovered findings that not only surprised them, but also those who work in fields pertaining to crime.

“What we found when we asked a series of questions pertaining to fears of various crimes is that a majority of Americans not only fear crimes such as, child abduction, gang violence, sexual assaults and others; but they also believe these crimes (and others) have increased over the past 20 years,” said Dr. Edward Day who led this portion of the research and analysis. “When we looked at statistical data from police and FBI records, it showed crime has actually decreased in America in the past 20 years. Criminologists often get angry responses when we try to tell people the crime rate has gone down.”

Despite evidence to the contrary, Americans do not feel like the United States is becoming a safer place. The Chapman Survey on American Fears asked how they think prevalence of several crimes today compare with 20 years ago. In all cases, the clear majority of respondents were pessimistic; and in all cases Americans believe crime has at least remained steady. Crimes specifically asked about were: child abduction, gang violence, human trafficking, mass riots, pedophilia, school shootings, serial killing and sexual assault.

EDITED TO ADD (11/13): Direct link to the data as well as the survey methodology.

Tags: , , ,

Posted on October 28, 2014 at 1:03 PMView Comments

Apple Copies Your Files Without Your Knowledge or Consent

The latest version of Apple’s OS automatically syncs your files to iCloud Drive, even files you choose to store locally. Apple encrypts your data, both in transit and in iCloud, with a key it knows. Apple, of course, complies with all government requests: FBI warrants, subpoenas, and National Security Letters—as well as NSA PRISM and whatever-else-they-have demands.

EDITED TO ADD (10/28): See comments. This seems to be way overstated. I will look at this again when I have time, probably tomorrow.

EDITED TO ADD (10/28): This is a more nuanced discussion of this issue. At this point, it seems clear that there is a lot less here than described in the blog post below.

EDITED TO ADD (10/29): There is something here. It only affects unsaved documents, and not all applications. But the OS’s main text editor is one of them. Yes, this feature has been in the OS for a while, but that’s not a defense. It’s both dangerous and poorly documented.

Tags: , , , , , ,

Posted on October 28, 2014 at 6:21 AMView Comments

US Intelligence "Second Leaker" Identified

There’s a report that the FBI has identified a second leaker:

The case in question involves an Aug. 5 story published by The Intercept, an investigative website co-founded by Glenn Greenwald, the reporter who first published sensitive NSA documents obtained from Snowden.

Headlined “Barack Obama’s Secret Terrorist-Tracking System, by the Numbers,” the story cited a classified government document showing that nearly half the people on the U.S. government’s master terrorist screening database had “no recognized terrorist affiliation.”

The story, co-authored by Jeremy Scahill and Ryan Devereaux, was accompanied by a document “obtained from a source in the intelligence community” providing details about the watch-listing system that were dated as late as August 2013, months after Snowden fled to Hong Kong and revealed himself as the leaker of thousands of top secret documents from the NSA.

I think this is “Leaker #3” on my list, even though it’s probably the “second leaker” discussed in the documentary Citizen Four.

Tags: , , , , ,

Posted on October 27, 2014 at 4:08 PMView Comments

Spritz: A New RC4-Like Stream Cipher

Last week, Ron Rivest gave a talk at MIT about Spritz, a new stream cipher by him and Jacob Schuldt. It’s basically a redesign of RC4, given current cryptographic tools and knowledge.

RC4 is an example of what I think of as a too-good-to-be-true cipher. It looks so simple. It is so simple. In classic cryptographic terms, it’s a single rotor machine. It’s a single self-modifying rotor, but it modifies itself very slowly. Even so, it’s very hard to cryptanalyze. Even though the single rotor leaks information about its internal state with every output byte, its self-modifying structure always seems to stay ahead of analysis. But RC4 been around for over 25 years, and the best attacks are at the edge of practicality. When I talk about what sorts of secret cryptographic advances the NSA might have, a practical RC4 attack is one of the possibilities.

Spritz is Rivest and Schuldt’s redesign of RC4. It retains all of the problems that RC4 had. It’s built on a 256-element array of bytes, making it less than ideal for modern 32-bit and 64-bit CPUs. It’s not very fast. (It’s 50% slower than RC4, which was already much slower than algorithms like AES and Threefish.) It has a long key setup. But it’s a very clever design.

Here are the cores of RC4 and Spritz:

RC4:

1: i = i + 1
2: j = j + S[i]
3: SWAP(S[i];S[j])
4: z = S[S[i] + S[j]]
5: Return z

Spritz:

1: i = i + w
2: j = k + S[j + S[i]]
2a: k = i + k + S[j]
3: SWAP(S[i];S[j])
4: z = S[j + S[i + S[z + k]]]
5: Return z

S is an 8-bit permutation. In theory, it can be any size, which is nice for analysis, but in practice, it’s a 256-element array. RC4 has two pointers into the array: i and j. Spritz adds a third: k. The parameter w is basically a constant. It’s always 1 in RC4, but can be any odd number in Spritz (odd because that means it’s always relatively prime to 256). In both ciphers, i slowly walks around the array, and j—or j and k—bounce around wildly. Both have a single swap of two elements of the array. And both produce an output byte, z, a function of all the other parameters. In Spritz, the previous z is part of the calculation of the current z.

That’s the core. There are also functions for turning the key into the initial array permutation, using this as a stream cipher, using it as a hash function, and so on. It’s basically a sponge function, so it has a lot of applications.

What’s really interesting here is the way Rivest and Schuldt chose their various functions. They basically tried them all (given some constraints), and chose the ones with the best security properties. This is the sort of thing that can only be done with massive computing power.

I have always really liked RC4, and am happy to see a 21st-century redesign. I don’t know what kind of use it’ll get with its 8-bit word size, but surely there’s a niche for it somewhere.

Tags: , , , ,

Posted on October 27, 2014 at 9:55 AMView Comments

Analysis of Printer Watermarking Techniques

Interesting paper: Maya Embar, Louis M. McHough IV, and William R. Wesselman, “Printer watermark obfuscation,” Proceeding
RIIT ’14: Proceedings of the 3rd annual conference on Research in information technology:

Abstract: Most color laser printers manufactured and sold today add “invisible” information to make it easier to determine when a particular document was printed and exactly which printer was used. Some manufacturers have acknowledged the existence of the tracking information in their documentation while others have not. None of them have explained exactly how it works or the scope of the information that is conveyed. There are no laws or regulations that require printer companies to track printer users this way, and none that prevent them from ceasing this practice or providing customers a means to opt out of being tracked. The tracking information is coded by patterns of yellow dots that the printers add to every page they print. The details of the patterns vary by manufacturer and printer model.

EDITED TO ADD (11/14): List of printers and whether or not they display tracking dots (may not be up to date).

Tags: , , , ,

Posted on October 24, 2014 at 8:36 AMView Comments

The NSA's Role in Commercial Cybersecurity

Susan Landau has a new paper on the NSA’s increasing role in commercial cybersecurity. She argues that the NSA is the wrong organization to do this, and we need a more public and open government agency involved in commercial cybersecurity.

EDITED TO ADD (11/13): David Elliott Bell has a related paper. Also read this review of both papers.

Tags: , , ,

Posted on October 23, 2014 at 8:28 AMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.