Page 405
WikiLeaks has organized the trove of documents about corporations aiding government surveillance around the world. It’s worth wandering around through all this material.
EDITED TO ADD (9/12): I made a mistake. WikiLeaksdidn’t do the organizing; Silk did.
Good security analysis of Safeplug, which is basically Tor in a box. Short answer: not yet.
A device called Cyborg Unplugged can be configured to prevent any Wi-Fi connection:
Oliver notes on the product’s website that its so-called “All Out Mode”—which prevents surveillance devices from connecting to any Wi-Fi network in the area—is likely illegal, and he advises against its use. Nevertheless, we can imagine activists slipping these little devices into public areas and wreaking a bit of havoc.
Apple is including some sort of automatic credit card payment system with the iPhone 6. It’s using some security feature of the phone and system to negotiate a cheaper transaction fee.
Basically, there are two kinds of credit card transactions: card-present, and card-not-present. The former is cheaper because there’s less risk of fraud. The article says that Apple has negotiated the card-present rate for its iPhone payment system, even though the card is not present. Presumably, this is because of some other security features that reduce the risk of fraud.
Not a lot of detail here, but interesting nonetheless.
Preparing the Ghost: An Essay Concerning the Giant Squid and Its First Photographer, by Matthew Gavin Frank.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
At USENIX Security this year, there were two papers studying the security of password managers:
It’s interesting work, especially because it looks at security problems in something that is supposed to improve security.
I’ve long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn’t exploit a flaw in iCloud; the attack exploited weak passwords.
Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up password managers to attack.
My own password manager, Password Safe, wasn’t mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be a standalone application. The fast way to transfer a password from Password Safe to a browser page is by using the operating system’s cut and paste commands.
I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.
EDITED TO ADD (9/12): The second paper was updated to include PasswordSafe. And this 2012 paper on password managers does include PasswordSafe.
JackPair is a clever device encrypts your voice between your headset and the audio jack. The crypto looks competent, and the design looks well-thought-out. I’d use it.
Long article in IEEE Spectrum.
No mention of how good the codes are. My guess is not very.
EDITED TO ADD (9/12): It’s a simple substitution cipher.
Squid are color-blind, but may detect color directly through their skin. A researcher is working on a system to detect colored light the way squid do.
Sidebar photo of Bruce Schneier by Joe MacInnis.
