Subscribe: Schneier on Security
http://www.schneier.com/crypto-gram-rss.xml
Added By: Feedage Forager Feedage Grade A rated
Language: English
Tags:
article  attacks  autocratic regimes  data  evidence  government  intelligence  internet filtering  internet  new  regimes  security 
Rate this Feed
Rate this feedRate this feedRate this feedRate this feedRate this feed
Rate this feed 1 starRate this feed 2 starRate this feed 3 starRate this feed 4 starRate this feed 5 star

Comments (0)

Feed Details and Statistics Feed Statistics
Preview: Schneier on Security

Schneier on Security



A blog covering security and security technology.



Updated: 2017-01-16T12:40:19Z

 



Cloudflare's Experience with a National Security Letter

2017-01-16T12:40:19Z

Interesting post on Cloudflare's experience with receiving a National Security Letter. News article....

Interesting post on Cloudflare's experience with receiving a National Security Letter.

News article.




Friday Squid Blogging: 1874 Giant Squid Attack

2017-01-13T22:52:24Z

This article discusses a giant squid attack on a schooner off the coast of Sri Lanka in 1874. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered....

This article discusses a giant squid attack on a schooner off the coast of Sri Lanka in 1874.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.




A Comment on the Trump Dossier

2017-01-13T17:58:31Z

Imagine that you are someone in the CIA, concerned about the future of America. You have this Russian dossier on Donald Trump, which you have some evidence might be true. The smartest thing you can do is to leak it to the public. By doing so, you are eliminating any leverage Russia has over Trump and probably reducing the effectiveness...

Imagine that you are someone in the CIA, concerned about the future of America. You have this Russian dossier on Donald Trump, which you have some evidence might be true. The smartest thing you can do is to leak it to the public. By doing so, you are eliminating any leverage Russia has over Trump and probably reducing the effectiveness of any other blackmail material any government might have on Trump. I believe you do this regardless of whether you ultimately believe the document's findings or not, and regardless of whether you support or oppose Trump. It's simple game-theory.

This document is particularly safe to release. Because it's not a classified report of the CIA, leaking it is not a crime. And you release it now, before Trump becomes president, because doing so afterwards becomes much more dangerous.

MODERATION NOTE: Please keep comments focused on this particular point. More general comments, especially uncivil comments, will be deleted.




Internet Filtering in Authoritarian Regimes

2017-01-13T12:48:42Z

Interesting research: Sebastian Hellmeier, "The Dictator's Digital Toolkit: Explaining Variation in Internet Filtering in Authoritarian Regimes," Politics & Policy, 2016 (full paper is behind a paywall): Abstract: Following its global diffusion during the last decade, the Internet was expected to become a liberation technology and a threat for autocratic regimes by facilitating collective action. Recently, however, autocratic regimes took control...

Interesting research: Sebastian Hellmeier, "The Dictator's Digital Toolkit: Explaining Variation in Internet Filtering in Authoritarian Regimes," Politics & Policy, 2016 (full paper is behind a paywall):

Abstract: Following its global diffusion during the last decade, the Internet was expected to become a liberation technology and a threat for autocratic regimes by facilitating collective action. Recently, however, autocratic regimes took control of the Internet and filter online content. Building on the literature concerning the political economy of repression, this article argues that regime characteristics, economic conditions, and conflict in bordering states account for variation in Internet filtering levels among autocratic regimes. Using OLS-regression, the article analyzes the determinants of Internet filtering as measured by the Open Net Initiative in 34 autocratic regimes. The results show that monarchies, regimes with higher levels of social unrest, regime changes in neighboring countries, and less oppositional competition in the political arena are more likely to filter the Internet. The article calls for a systematic data collection to analyze the causal mechanisms and the temporal dynamics of Internet filtering.




NSA Given More Ability to Share Raw Intelligence Data

2017-01-13T09:18:40Z

President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the US's other 16 intelligence agencies. The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone...

President Obama has changed the rules regarding raw intelligence, allowing the NSA to share raw data with the US's other 16 intelligence agencies.

The new rules significantly relax longstanding limits on what the N.S.A. may do with the information gathered by its most powerful surveillance operations, which are largely unregulated by American wiretapping laws. These include collecting satellite transmissions, phone calls and emails that cross network switches abroad, and messages between people abroad that cross domestic network switches.

The change means that far more officials will be searching through raw data. Essentially, the government is reducing the risk that the N.S.A. will fail to recognize that a piece of information would be valuable to another agency, but increasing the risk that officials will see private information about innocent people.

Here are the new procedures.

This rule change has been in the works for a while. Here are two blog posts from April discussing the then-proposed changes.

From a privacy perspective, this feels like a really bad idea to me.




Twofish Power Analysis Attack

2017-01-12T12:28:23Z

New paper: "A Simple Power Analysis Attack on the Twofish Key Schedule." This shouldn't be a surprise; these attacks are devastating if you don't take steps to mitigate them. The general issue is if an attacker has physical control of the computer performing the encryption, it is very hard to secure the encryption inside the computer. I wrote a paper...

New paper: "A Simple Power Analysis Attack on the Twofish Key Schedule." This shouldn't be a surprise; these attacks are devastating if you don't take steps to mitigate them.

The general issue is if an attacker has physical control of the computer performing the encryption, it is very hard to secure the encryption inside the computer. I wrote a paper about this back in 1999.




Law Enforcement Access to IoT Data

2017-01-11T12:22:15Z

In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene. The particulars of the case are weird. Amazon's Echo does not constantly record; it only listens for its...

In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene.

The particulars of the case are weird. Amazon's Echo does not constantly record; it only listens for its name. So it's unclear that there is any evidence to be turned over. But this general issue isn't going away. We are all under ubiquitous surveillance, but it is surveillance by the companies that control the Internet-connected devices in our lives. The rules by which police and intelligence agencies get access to that data will come under increasing pressure for change.

Related: A newscaster discussed Amazon's Echo on the news, causing devices in the same room as tuned-in televisions to order unwanted products. This year, the same technology is coming to LG appliances such as refrigerators.




FDA Recommendations on Medical-Device Cybersecurity

2017-01-13T14:27:27Z

The FDA has issued a report giving medical devices guidance on computer and network security. There's nothing particularly new or interesting; it reads like standard security advice: write secure software, patch bugs, and so on. Note that these are "non-binding recommendations," so I'm really not sure why they bothered. EDITED TO ADD (1/13): Why they bothered....

The FDA has issued a report giving medical devices guidance on computer and network security. There's nothing particularly new or interesting; it reads like standard security advice: write secure software, patch bugs, and so on.

Note that these are "non-binding recommendations," so I'm really not sure why they bothered.

EDITED TO ADD (1/13): Why they bothered.




Classifying Elections as "Critical Infrastructure"

2017-01-15T10:50:01Z

I am co-author on a paper discussing whether elections be classified as "critical infrastructure" in the US, based on experiences in other countries: Abstract: With the Russian government hack of the Democratic National Convention email servers, and further leaks expected over the coming months that could influence an election, the drama of the 2016 U.S. presidential race highlights an important...

I am co-author on a paper discussing whether elections be classified as "critical infrastructure" in the US, based on experiences in other countries:

Abstract: With the Russian government hack of the Democratic National Convention email servers, and further leaks expected over the coming months that could influence an election, the drama of the 2016 U.S. presidential race highlights an important point: Nefarious hackers do not just pose a risk to vulnerable companies, cyber attacks can potentially impact the trajectory of democracies. Yet, to date, a consensus has not been reached as to the desirability and feasibility of reclassifying elections, in particular voting machines, as critical infrastructure due in part to the long history of local and state control of voting procedures. This Article takes on the debate in the U.S. using the 2016 elections as a case study but puts the issue in a global context with in-depth case studies from South Africa, Estonia, Brazil, Germany, and India. Governance best practices are analyzed by reviewing these differing approaches to securing elections, including the extent to which trend lines are converging or diverging. This investigation will, in turn, help inform ongoing minilateral efforts at cybersecurity norm building in the critical infrastructure context, which are considered here for the first time in the literature through the lens of polycentric governance.

The paper was speculative, but now it's official. The U.S. election has been classified as critical infrastructure. I am tentatively in favor of this, but what really matter is what happens now. What does this mean? What sorts of increased security will election systems get? Will we finally get rid of computerized touch-screen voting?

EDITED TO ADD (1/16): This is a good article.




Attributing the DNC Hacks to Russia

2017-01-12T17:33:07Z

President Barack Obama's public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive e-mails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations. The administration is... President Barack Obama's public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive e-mails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations. The administration is balancing political considerations and the inherent secrecy of electronic espionage with the need to justify its actions to the public. These issues will continue to plague us as more international conflict plays out in cyberspace. It's true that it's easy for an attacker to hide who he is in cyberspace. We are unable to identify particular pieces of hardware and software around the world positively. We can't verify the identity of someone sitting in front of a keyboard through computer data alone. Internet data packets don't come with return addresses, and it's easy for attackers to disguise their origins. For decades, hackers have used techniques such as jump hosts, VPNs, Tor and open relays to obscure their origin, and in many cases they work. I'm sure that many national intelligence agencies route their attacks through China, simply because everyone knows lots of attacks come from China. On the other hand, there are techniques that can identify attackers with varying degrees of precision. It's rarely just one thing, and you'll often hear the term "constellation of evidence" to describe how a particular attacker is identified. It's analogous to traditional detective work. Investigators collect clues and piece them together with known mode of operations. They look for elements that resemble other attacks and elements that are anomalies. The clues might involve ones and zeros, but the techniques go back to Sir Arthur Conan Doyle. The University of Toronto-based organization Citizen Lab routinely attributes attacks against the computers of activists and dissidents to particular Third World governments. It took months to identify China as the source of the 2012 attacks against the New York Times. While it was uncontroversial to say that Russia was the source of a cyberattack against Estonia in 2007, no one knew if those attacks were authorized by the Russian government -- until the attackers explained themselves. And it was the Internet security company CrowdStrike, which first attributed the attacks against the Democratic National Committee to Russian intelligence agencies in June, based on multiple pieces of evidence gathered from its forensic investigation. Attribution is easier if you are monitoring broad swaths of the Internet. This gives the National Security Agency a singular advantage in the attribution game. The problem, of course, is that the NSA doesn't want to publish what it knows. Regardless of what the government knows and how it knows it, the decision of whether to make attribution evidence public is another matter. When Sony was attacked, many security experts -- myself included­ -- were skeptical of both the government's attribution claims and the flimsy evidence associated with it. I only became convinced when the New York Times ran a story about the government's attribution, which talked about both secret evidence inside the NSA and human intelligence assets inside North Korea. In contrast, when the Office of Personnel Management was breached in 2015, the US government decided[...]