Schneier on Security

Page 460

Security Analysis of Children

This is a really good paper describing the unique threat model of children in the home, and the sorts of security philosophies that are effective in dealing with them. Stuart Schechter, “The User IS the Enemy, and (S)he Keeps Reaching for that Bright Shiny Power Button!” Definitely worth reading.

Abstract: Children represent a unique challenge to the security and privacy considerations of the home and technology deployed within it. While these challenges posed by children have long been researched, there is a gaping chasm between the traditional approaches technologists apply to problems of security and privacy and the approaches used by those who deal with this adversary on a regular basis. Indeed, addressing adversarial threats from children via traditional approaches to computer and information security would be a recipe for disaster: it is rarely appropriate to remove a child’s access to the home or its essential systems; children require flexibility; children are often threats to themselves; and children may use the home as a theater of conflict with each other. Further, the goals of security and privacy must be adjusted to account for the needs of childhood development. A home with perfect security—one that prevented all inappropriate behavior or at least ensured that it was recorded so that the adversary could be held accountable—could severely stunt children’s moral and personal growth. We discuss the challenges posed by children and childhood on technologies for the home, the philosophical gap between parenting and security technologists, and design approaches that technology designers could borrow when building systems to be deployed within homes containing this special class of user/adversary.

Tags: academic papers, children, generations, Microsoft, threat models

Posted on July 2, 2013 at 12:08 PM • View Comments

NSA E-Mail Eavesdropping

More Snowden documents analyzed by the Guardian—two articles—discuss how the NSA collected e-mails and data on Internet activity of both Americans and foreigners. The program might have ended in 2011, or it might have continued under a different name. This is the program that resulted in that bizarre tale of Bush officials confronting then-Attorney General John Ashcroft in his hospital room; the New York Times story discusses that. What’s interesting is that the NSA collected this data under one legal pretense. When that justification evaporated, they searched around until they found another pretense.

This story is being picked up a bit more than the previous story, but it’s obvious that the press is fatiguing of this whole thing. Without the Ashcroft human interest bit, it would be just another story of the NSA eavesdropping on Americans—and that’s lasts week’s news.

Tags: Edward Snowden, laws, leaks, national security policy, New York Times, NSA, privacy, surveillance

Posted on July 2, 2013 at 6:49 AM • View Comments

I've Joined the EFF Board

I’m now on the board of directors of the EFF.

Tags: EFF, Schneier news

Posted on July 1, 2013 at 2:06 PM • View Comments

How the NSA Eavesdrops on Americans

Two weeks ago, the Guardian published two new Snowden documents. These outline how the NSA’s data-collection procedures allow it to collect lots of data on Americans, and how the FISA court fails to provide oversight over these procedures.

The documents are complicated, but I strongly recommend that people read both the Guardian analysis and the EFF analysis—and possibly the USA Today story.

Frustratingly, this has not become a major news story. It isn’t being widely reported in the media, and most people don’t know about it. At this point, the only aspect of the Snowden story that is in the news is the personal story. The press seems to have had its fill of the far more important policy issues.

I don’t know what there is that can be done about this, but it’s how we all lose.

Tags: courts, Edward Snowden, FISA, intelligence, leaks, national security policy, NSA, privacy, searches, surveillance

Posted on July 1, 2013 at 12:16 PM • View Comments

SIMON and SPECK: New NSA Encryption Algorithms

The NSA has published some new symmetric algorithms:

Abstract: In this paper we propose two families of block ciphers, SIMON and SPECK, each of which comes in a variety of widths and key sizes. While many lightweight block ciphers exist, most were designed to perform well on a single platform and were not meant to provide high performance across a range of devices. The aim of SIMON and SPECK is to fill the need for secure, flexible, and analyzable lightweight block ciphers. Each offers excellent performance on hardware and software platforms, is flexible enough to admit a variety of implementations on a given platform, and is amenable to analysis using existing techniques. Both perform exceptionally well across the full spectrum of lightweight applications, but SIMON is tuned for optimal performance in hardware, and SPECK for optimal performance in software.

It’s always fascinating to study NSA-designed ciphers. I was particularly interested in the algorithms’ similarity to Threefish, and how they improved on what we did. I was most impressed with their key schedule. I am always impressed with how the NSA does key schedules. And I enjoyed the discussion of requirements. Missing, of course, is any cryptanalytic analysis.

I don’t know anything about the context of this paper. Why was the work done, and why is it being made public? I’m curious.

Tags: academic papers, algorithms, cryptanalysis, cryptography, encryption, NSA, Threefish

Posted on July 1, 2013 at 6:24 AM • View Comments

Friday Squid Blogging: Man Pulled Under by Squids

Video story on Animal Planet.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: squid

Posted on June 28, 2013 at 4:07 PM • View Comments

Me on EconTalk

Another audio interview; this one is mostly about security and power.

Tags: audio, interviews, power, Schneier news

Posted on June 28, 2013 at 2:44 PM • View Comments

My Talk at Google

Last week, I gave a talk at Google. It’s another talk about power and security, my continually evolving topic-of-the-moment that could very well become my next book. This installment is different than the previous talks and interviews, but not different enough that you should feel the need to watch it if you’ve seen the others.

There are things I got wrong. There are contradictions. There are questions I couldn’t answer. But that’s my process, and I’m okay with doing it semi-publicly. As always, I appreciate comments, criticisms, reading suggestions, and so on.

EDITED TO ADD (6/30): Two commentaries on the talk.

EDITED TO ADD (8/1): To date, 14,000 people have watched the talk.

Tags: Google, interviews, power, Schneier news, videos

Posted on June 28, 2013 at 2:42 PM • View Comments

Preventing Cell Phone Theft through Benefit Denial

Adding a remote kill switch to cell phones would deter theft.

Here we can see how the rise of the surveillance state permeates everything about computer security. On the face of it, this is a good idea. Assuming it works—that 1) it’s not possible for thieves to resurrect phones in order to resell them, and 2) that it’s not possible to turn this system into a denial-of-service attack tool—it would deter crime. The general category of security is “benefit denial,” like ink tags attached to garments in retail stores and car radios that no longer function if removed. But given what we now know, do we trust that the government wouldn’t abuse this system and kill phones for other reasons? Do we trust that media companies won’t kill phones it decided were sharing copyrighted materials? Do we trust that phone companies won’t kill phones from delinquent customers? What might have been a straightforward security system becomes a dangerous tool of control, when you don’t trust those in power.

Tags: benefit denial, cell phones, control, crime, power, surveillance, trust

Posted on June 28, 2013 at 1:37 PM • View Comments

Malware that Foils Two-Factor Authentication

This is an interesting article about a new breed of malware that also hijack’s the victim’s phone text messaging system, to intercept one-time passwords sent via that channel.

Tags: cell phones, cybercrime, malware, two-factor authentication

Posted on June 28, 2013 at 5:31 AM • View Comments

← Earlier Entries Later Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.