
New Book: Carry On

I have a new book. It’s Carry On: Sound Advice from Schneier on Security, and it’s my second collection of essays. This book covers my writings from March 2008 to June 2013. (My first collection of essays, Schneier on Security, covered my writings from April 2002 to February 2008.)

There’s nothing in this book that hasn’t been published before, and nothing you can’t get free off my website. But if you’re looking for my recent writings in a convenient-to-carry hardcover-book format, this is the book for you.

I’m also happy with the cover.

The Kindle and Nook versions are available now, and they’re 50% off for some limited amount of time.

Unfortunately, the paper book isn’t due in stores—either online or brick-and-mortar—until 12/27, which makes it a pretty lousy Christmas gift, though Amazon and B&N both claim it’ll be in stock there on December 16. And if you don’t mind waiting until after the new year, I will sell you a signed copy of the book here.

Suggestions for a title of my third collection of essays, to be published in five-ish years, are appreciated.

Posted on December 6, 2013 at 2:47 PM

Telepathwords: A New Password Strength Estimator

Telepathwords is a pretty clever research project that tries to evaluate password strength. It’s different from normal strength meters, and I think better.

Telepathwords tries to predict the next character of your passwords by using knowledge of:

  • common passwords, such as those made public as a result of security breaches
  • common phrases, such as those that appear frequently on web pages or in common search queries
  • common password-selection behaviors, such as the use of sequences of adjacent keys

Password-strength evaluators have generally been pretty poor, regularly assessing weak passwords as strong (and vice versa). I like seeing new research in this area.
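As an added illustration, here is a toy estimator in Python that applies those three predictors to each prefix of a password and counts the characters it failed to guess. This is not Telepathwords' own code and is not part of the original post; the password list, phrase list and keyboard rows are small constructed stand-ins, and the weights and the top-3 cutoff are assumptions chosen for the example, not values taken from the research project.

```python
"""Toy next-character password-strength estimator (added example).

For each prefix of the candidate password, three predictors vote on the
next character: common passwords, common phrases, and keyboard habits
(adjacent keys, repeats, a->b / 1->2 sequences).  A character that lands in
the top-N guesses contributes nothing; only unpredicted characters count.
"""
from collections import Counter

# Constructed sample data.  Assumption: a real deployment would use breach
# corpora and web n-gram counts; these entries only stand in for them.
COMMON_PASSWORDS = ["password", "password1", "123456", "qwerty", "letmein",
                    "iloveyou", "monkey", "dragon", "baseball", "football"]
COMMON_PHRASES = ["welcome", "opensesame", "trustno1", "correcthorse",
                  "iloveyou", "summer2013"]

# US QWERTY rows; "adjacent" means the neighbouring key in the same row.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

TOP_N = 3          # assumed cutoff: a char is "predicted" if it is a top-3 guess
PASSWORD_WEIGHT = 3  # assumed weights: breach passwords outrank phrases,
PHRASE_WEIGHT = 2    # which outrank keyboard-habit guesses (weight 1)


def neighbours(ch):
    """Keys immediately left/right of ch on the same keyboard row."""
    for row in KEYBOARD_ROWS:
        i = row.find(ch)
        if i >= 0:
            return {row[j] for j in (i - 1, i + 1) if 0 <= j < len(row)}
    return set()


def predict(prefix):
    """Return up to TOP_N candidate next characters, most likely first."""
    votes = Counter()
    low = prefix.lower()

    # 1. Dictionary predictors: find the longest suffix of the prefix that
    #    some entry starts with, and vote for that entry's next character.
    #    Longer matches earn proportionally more weight.
    for corpus, weight in ((COMMON_PASSWORDS, PASSWORD_WEIGHT),
                           (COMMON_PHRASES, PHRASE_WEIGHT)):
        for entry in corpus:
            for k in range(len(low), 0, -1):
                suffix = low[-k:]
                if entry.startswith(suffix) and len(entry) > k:
                    votes[entry[k]] += weight * k
                    break

    # 2. Keyboard-habit predictors, all based on the last character typed.
    if low:
        last = low[-1]
        for n in neighbours(last):
            votes[n] += 1                      # adjacent key: "qwe", "asd"
        votes[last] += 1                       # repeated key: "aaa", "111"
        if last.isalnum() and last not in ("z", "9"):
            votes[chr(ord(last) + 1)] += 1     # sequences: "abc", "123"

    return [c for c, _ in votes.most_common(TOP_N)]


def unpredicted_chars(password):
    """Characters the predictor did not guess; these carry the real entropy."""
    kept = []
    for i, ch in enumerate(password):
        if ch.lower() not in predict(password[:i]):
            kept.append(ch)
    return "".join(kept)


def estimate(password):
    """Strength score: number of characters the predictor failed to guess."""
    return len(unpredicted_chars(password))


if __name__ == "__main__":
    for pw in ["password1", "qwerty", "xk9#Lq2w"]:
        print(f"{pw!r}: {estimate(pw)} unpredicted of {len(pw)} "
              f"({unpredicted_chars(pw)!r})")
```

Running it shows why this beats a length-and-character-class meter: "password1" is nine characters with a digit, yet only its first letter survives, because every later character is the predictor's top guess; a string with no dictionary or keyboard structure keeps all of its characters.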

Posted on December 6, 2013 at 6:19 AM

Heartwave Biometric

Here’s a new biometric I know nothing about:

The wristband relies on authenticating identity by matching the overall shape of the user’s heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods—like fingerprint scanning and iris-/facial-recognition tech—the system doesn’t require the user to authenticate every time they want to unlock something. Because it’s a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.

EDITED TO ADD (12/13): A more technical explanation.

Posted on December 5, 2013 at 1:16 PM

The Problem with EULAs

Some apps are being distributed with secret Bitcoin-mining software embedded in them. Coins found are sent back to the app owners, of course.

And to make it legal, it’s part of the end-user license agreement (EULA):

COMPUTER CALCULATIONS, SECURITY: as part of downloading a Mutual Public, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by WBT or our affiliates are the sole property of WBT and our affiliates.

This is a great example of why EULAs are bad. The stunt that resulted in 7,500 people giving Gamestation.co.uk their immortal souls a few years ago was funny, but hijacking users’ computers for profit is actually bad.

Posted on December 5, 2013 at 6:58 AM

Evading Airport Security

The news is reporting about Evan Booth, who builds weaponry out of items you can buy after airport security. It’s clever stuff.

It’s not new, though. People have been explaining how to evade airport security for years.

Back in 2006, I—and others—explained how to print your own boarding pass and evade the photo-ID check, a trick that still seems to work. In 2008, I demonstrated carrying two large bottles of liquid through airport security. Here’s a paper about stabbing people with stuff you can take through airport security. And here’s a German video of someone building a bomb out of components he snuck through a full-body scanner. There’s lots more if you start poking around the Internet.

So, what’s the moral here? It’s not like the terrorists don’t know about these tricks. They’re no surprise to the TSA, either. If airport security is so porous, why aren’t there more terrorist attacks? Why aren’t the terrorists using these, and other, techniques to attack planes every month?

I think the answer is simple: airplane terrorism isn’t a big risk. There are very few actual terrorists, and plots are much more difficult to execute than the tactics of the attack itself. It’s the same reason why I don’t care very much about the various TSA mistakes that are regularly reported.

Posted on December 4, 2013 at 6:28 AM

Keeping Track of All the Snowden Documents

As more and more media outlets from all over the world continue to report on the Snowden documents, it’s harder and harder to keep track of what has been released. The EFF, ACLU, and Cryptome are all trying.

None of them is complete, I believe. Please post additions in the comments, and I will do my best to feed the information back to the compilers.

EDITED TO ADD (12/4): Here’s another compilation. And this mind map of the NSA leaks is very comprehensive.

EDITED TO ADD (12/5): Wikipedia also has an exhaustive list.

EDITED TO ADD (12/13): This is also good.

Posted on December 3, 2013 at 6:14 AM

The TQP Patent

One of the things I do is expert witness work in patent litigations. Often, it’s defending companies against patent trolls. One of the patents I have worked on for several defendants is owned by a company called TQP Development. The patent owner claims that it covers SSL and RC4, which it does not. The patent owner claims that the patent is novel, which it is not. Despite this, TQP has managed to make $45 million off the patent, almost entirely as a result of private settlements. One company, Newegg, fought and lost—although they’re planning to appeal. The story is here.

There is legislation pending in the U.S. to help stop patent trolls. Help support it.

Posted on December 2, 2013 at 12:48 PM

How Antivirus Companies Handle State-Sponsored Malware

Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we’ve been wondering if it’s done anything to antivirus products. Given that it engages in offensive cyberattacks—and launches cyberweapons like Stuxnet and Flame—it’s reasonable to assume that it’s asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)

My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec—both Silicon Valley companies—to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.

Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.

Up until this moment, only a handful of the vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies have confirmed the detection of state-sponsored malware, e.g. R2D2 and FinFisher. Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply. All the aforementioned companies believe there is no such thing as harmless malware.

Posted on December 2, 2013 at 6:05 AM
