Schneier on Security

Blog

Page 502

Authentication Stories

Anecdotes from Asia on seals versus signatures on official documents.

Tags: authentication, seals, signatures

Posted on October 3, 2012 at 10:00 AM • View Comments

Keccak is SHA-3

NIST has just announced that Keccak has been selected as SHA-3.

It’s a fine choice. I’m glad that SHA-3 is nothing like the SHA-2 family; something completely different is good.

Congratulations to the Keccak team. Congratulations—and thank you—to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the cryptanalysis of hash functions by a lot.

I know I just said that NIST should choose “no award,” mostly because too many options makes for a bad standard. I never thought they would listen to me, and—indeed—only made that suggestion after I knew it was too late to stop the choice. Keccak is a fine hash function; I have absolutely no reservations about its security. (Or the security of any of the four SHA-2 function, for that matter.) I have to think more before I make specific recommendations for specific applications.

Again: great job, NIST. Let’s do a really fast stream cipher next.

Tags: contests, hashes, NIST, SHA-3, Skein

Posted on October 2, 2012 at 4:50 PM • View Comments

2013 U.S. Homeland Security Budget

Among other findings in this CBO report:

Funding for homeland security has dropped somewhat from its 2009 peak of $76 billion, in inflation-adjusted terms; funding for 2012 totaled $68 billion. Nevertheless, the nation is now spending substantially more than what it spent on homeland security in 2001.

Note that this is just direct spending on homeland security. This does not include DoD spending—which would include the costs of the wars in Iraq and Afghanistan—and Department of Justice spending. John Mueller estimates that we have spent $1.1 trillion over the ten years between 2002 and 2011.

Tags: DHS, economics of security, homeland security, national security policy

Posted on October 2, 2012 at 9:41 AM • View Comments

Security Question Cartoon

Funny.

Tags: comics, humor, security questions

Posted on October 1, 2012 at 1:12 PM • View Comments

Scary Android Malware Story

This story sounds pretty scary:

Developed by Robert Templeman at the Naval Surface Warfare Center in Indiana and a few buddies from Indiana University, PlaceRader hijacks your phone’s camera and takes a series of secret photographs, recording the time, and the phone’s orientation and location with each shot. Using that information, it can reliably build a 3D model of your home or office, and let cyber-intruders comb it for personal information like passwords on sticky notes, bank statements laying out on the coffee table, or anything else you might have lying around that could wind up the target of a raid on a later date.

It’s just a demo, of course. but it’s easy to imagine what this could mean in the hands of criminals.

Yes, I get that this is bad. But it seems to be a mashup of two things. One, the increasing technical capability to stitch together a series of photographs into a three-dimensional model. And two, an Android bug that allows someone to remotely and surreptitiously take pictures and then upload them. The first thing isn’t a problem, and it isn’t going away. The second is bad, irrespective of what else is going on.

EDITED TO ADD (10/1): I mistakenly wrote this up as an iPhone story. It’s about the Android phone. Apologies.

Tags: Android, cell phones, iPhone, malware, privacy, theft

Posted on October 1, 2012 at 6:52 AM • View Comments

Friday Squid Blogging: Octonaut

A space-traveling squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Tags: science fiction, squid

Posted on September 28, 2012 at 4:37 PM • View Comments

NPR on Biometric Data Collection

Interesting Talk of the Nation segment.

Tags: audio, biometrics, face recognition, FBI, privacy, surveillance

Posted on September 27, 2012 at 1:14 PM • View Comments

Replacing Alice and Bob

A proposal to replace cryptography’s Alice and Bob with Sita and Rama:

Any book on cryptography invariably involves the characters Alice and Bob. It is always Alice who wants to send a message to Bob. This article replaces the dramatis personnae of cryptography with characters drawn from Hindu mythology.

Tags: cryptography

Posted on September 27, 2012 at 9:10 AM • View Comments

Using Agent-Based Simulations to Evaluate Security Systems

Kay Hamacher and Stefan Katzenbeisser, “Public Security: Simulations Need to Replace Conventional Wisdom,” New Security Paradigms Workshop, 2011.

Abstract: Is more always better? Is conventional wisdom always the right guideline in the development of security policies that have large opportunity costs? Is the evaluation of security measures after their introduction the best way? In the past, these questions were frequently left unasked before the introduction of many public security measures. In this paper we put forward the new paradigm that agent-based simulations are an effective and most likely the only sustainable way for the evaluation of public security measures in a complex environment. As a case-study we provide a critical assessment of the power of Telecommunications Data Retention (TDR), which was introduced in most European countries, despite its huge impact on privacy. Up to now it is unknown whether TDR has any benefits in the identification of terrorist dark nets in the period before an attack. The results of our agent-based simulations suggest, contrary to conventional wisdom, that the current practice of acquiring more data may not necessarily yield higher identification rates.

Both the methodology and the conclusions are interesting.

Tags: academic papers, data retention, privacy, security policies, surveillance, terrorism

Posted on September 26, 2012 at 7:11 AM • View Comments