---------- Forwarded Message ----------
Subject: CRYPTO-GRAM, March 15, 2011
Date: Tuesday 15 March 2011 01:23
From: Bruce Schneier <schneier@schneier.com>
To: CRYPTO-GRAM-LIST@listserv.modwest.com
CRYPTO-GRAM
March 15, 2011
by Bruce Schneier
Chief Security Technology Officer, BT
schneier@schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1103.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Anonymous vs. HBGary
News
Schneier News
NIST Defines New Versions of SHA-512
** *** ***** ******* *********** *************
Anonymous vs. HBGary
One of the effects of writing a book is that I don't have the time to
devote to other writing. So while I've been wanting to write about
Anonymous vs. HBGary, I don't think I will have time. Here's an
excellent series of posts on the topic from ArsTechnica.
In cyberspace, the balance of power is on the side of the attacker.
Attacking a network is *much* easier than defending a network. That may
change eventually -- there might someday be the cyberspace equivalent of
trench warfare, where the defender has the natural advantage -- but not
anytime soon.
http://arstechnica.com/tech-policy/news/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.ars or http://tinyurl.com/5t35y7m
http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars or http://tinyurl.com/6xhleht
http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars or http://tinyurl.com/4n8rohh
http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars or http://tinyurl.com/4nv4jat
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars or http://tinyurl.com/6579grz
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars or http://tinyurl.com/6fw4s5u
This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not
the tactics or the politics, but what HBGary demonstrates about the IT
security industry.
http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losing-our-soul-022211
or http://tinyurl.com/48tgfee
Stephen Colbert on HBGary:
http://www.colbertnation.com/the-colbert-report-videos/375428/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks or http://tinyurl.com/46gaa9d
http://www.colbertnation.com/the-colbert-report-videos/375429/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks---glenn-greenwald or http://tinyurl.com/4p4zp3l
Another article:
http://www.h-online.com/security/features/Anonymous-makes-a-laughing-stock-of-HBGary-1198176.html or http://tinyurl.com/63fekyp
** *** ***** ******* *********** *************
News
Interesting article from Wired: "How a Remote Town in Romania Has Become
Cybercrime Central."
http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1
Recently declassified: "Historical Study: The National Security Agency
Scientific Advisory Board 1952–1963."
http://www.governmentattic.org/4docs/NSA-SAB52-63_1965.pdf
A physical biometric wallet: $825.
http://www.dunhill.com/en-us/shoponline/leather/wallets/biometric-wallet-qgk0169 or http://tinyurl.com/4f2f345
http://www.thetechherald.com/article.php/201105/6754/Dunhill-biometric-wallet-provides-protection-for-the-rich or http://tinyurl.com/4n8v53e
I don't think I understand the threat model. If your wallet is stolen,
you're going to replace all your ID cards and credit cards and you're
not going to get your cash back -- whether it's a normal wallet or this
wallet. I suppose this wallet makes it less likely that someone will
use your stolen credit cards quickly, before you cancel them. But
you're not going to be liable for costs incurred during that delay in
any case.
Interesting story about a con man who conned the U.S. government, and
how the government is trying to hide its dealings with him.
http://www.nytimes.com/2011/02/20/us/politics/20data.html
Susan Landau's testimony before the House Judiciary Committee,
Subcommittee on Crime, Terrorism, and Homeland Security on government
eavesdropping.
http://judiciary.house.gov/hearings/hear_02172011.html
The testimony of Valerie Caproni, General Counsel of the FBI, on the
same topic.
http://www.fbi.gov/news/testimony/going-dark-lawful-electronic-surveillance-in-the-face-of-new-technologies or http://tinyurl.com/46l49am
Good article about the terrorist non-threat from Reason:
http://reason.com/archives/2011/02/15/what-islamist-terrorist-threat
"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael
Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson.
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
News article:
http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
Video of talk:
http://www.usenix.org/multimedia/fast11wei
NIST has finally published its rationale for selecting the five SHA-3
finalists.
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Round2_Report_NISTIR_7764.pdf or http://tinyurl.com/4zte3e2
Pickpocketing as a trade is dying out in America, because there's no one
to train newer pickpockets in the craft.
http://www.slate.com/id/2286010/pagenum/all/
Interesting research in using animals to detect substances. Basically,
sniffer dogs respond to unconscious cues from their handlers, and
generate false alarms because of them. It makes sense, as dogs are so
attuned to humans. I'll bet bomb-sniffing bees don't make the same
mistakes.
http://www.economist.com/blogs/babbage/2011/02/animal_behaviour
Full paper:
http://www.springerlink.com/content/j477277481125291/fulltext.pdf
Bomb-sniffing bees:
http://www.livescience.com/4605-bees-trained-bomb-sniffers.html
"American Cryptography During the Cold War 1945-1989; Book IV:
Cryptologic Rebirth 1981-1989." Document was first declassified in
2009. Here are some newly declassified pages.
http://www.governmentattic.org/4docs/NSA_AmerCryptColdWarBk4_1999.pdf
http://www.governmentattic.org/4docs/oNSAAmerCryptColdWarBk4_1999.pdf
Criminals are stealing cars by calling tow trucks. It's a clever hack,
but an old problem: the authentication in these sorts of normal
operations isn't good enough to prevent abuse.
http://www.wsmv.com/news/26878155/detail.html
A programmer installed malware into the Whack-a-Mole arcade game as a
form of job security. It didn't work.
http://www.wftv.com/news/26986709/detail.html
Wired.com has a good three-part story on full-body scanners.
http://www.wired.com/threatlevel/2011/02/scanners-part1/
http://www.wired.com/threatlevel/2011/03/scanners-part2/
http://www.wired.com/threatlevel/2011/03/scanners-part3/
Another attempt to sort out scanner claims:
http://www.okianwarrior.com/MathView/BackscatterSafety/
Using language patterns to identify anonymous email. It only works when
there's a limited number of potential authors.
http://www.schneier.com/blog/archives/2011/03/using_language.html
** *** ***** ******* *********** *************
Schneier News
I'm speaking at Black Hat Europe in Barcelona on March 17.
http://www.blackhat.com/html/bh-eu-11/bh-eu-11-home.html
I'm speaking at the Oracle Chief Security Officer Summit in New York
City on March 30.
http://www.oracle.com/us/dm/65212-wwmk09121721mpp414-se-281577.html
This three-part video interview with me was conducted at the RSA
Conference last month.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528091,00.html or http://tinyurl.com/4q9vt45
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528245,00.html or http://tinyurl.com/4dezbsk
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528160,00.html or http://tinyurl.com/4bawfzq
I was interviewed on chomp.fm.
http://chomp.fm/008/
** *** ***** ******* *********** *************
NIST Defines New Versions of SHA-512
NIST has just defined two new versions of SHA-512. They're SHA-512/224
and SHA-512/256: 224- and 256-bit truncations of SHA-512 with a new IV.
They've done this because SHA-512 is faster than SHA-256 on 64-bit
CPUs, so these new SHA variants will be faster than SHA-224 and SHA-256
while producing the same output sizes.
This is a good thing, and exactly what we did in the design of Skein.
We defined different outputs for the same state size, because it makes
sense to decouple the internal workings of the hash function from the
output size.
http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf or http://tinyurl.com/47fta7g
http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4
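To make the "truncation with a new IV" point concrete, here is an added example (my code, not NIST's reference implementation and not part of the original newsletter) that implements SHA-512 from scratch and derives the SHA-512/t initial values the way the FIPS 180-4 draft specifies: XOR each SHA-512 IV word with 0xa5a5a5a5a5a5a5a5, hash the ASCII string "SHA-512/t" with that tweaked IV, and use the resulting 512-bit digest as the IV for SHA-512/t. The round constants and the SHA-512 IV are computed from the cube and square roots of the first 80 primes rather than typed in, which is how the standard defines them. The helper names (sha512_t, sha512_t_iv, differs_from_plain_truncation) are my own.

```python
import hashlib
import math
import struct

MASK64 = (1 << 64) - 1


def _first_primes(n):
    """Return the first n primes (2, 3, 5, ...)."""
    primes, p = [], 2
    while len(primes) < n:
        if all(p % q for q in primes if q * q <= p):
            primes.append(p)
        p += 1
    return primes


def _icbrt(n):
    """Exact integer cube root floor(cbrt(n)) via Newton's method."""
    x = 1 << ((n.bit_length() + 2) // 3)   # start above the root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            break
        x = y
    while x ** 3 > n:           # defensive adjustment to the exact floor
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


_PRIMES = _first_primes(80)
# FIPS 180-4: H0 = fractional bits of sqrt(first 8 primes), K = cube roots of first 80.
SHA512_IV = [math.isqrt(p << 128) & MASK64 for p in _PRIMES[:8]]
K = [_icbrt(p << 192) & MASK64 for p in _PRIMES]


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = list(struct.unpack(">16Q", block))
    for i in range(16, 80):
        s0 = _rotr(w[i - 15], 1) ^ _rotr(w[i - 15], 8) ^ (w[i - 15] >> 7)
        s1 = _rotr(w[i - 2], 19) ^ _rotr(w[i - 2], 61) ^ (w[i - 2] >> 6)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for i in range(80):
        big_s1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + K[i] + w[i]) & MASK64
        big_s0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return [(x + y) & MASK64 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def _sha512_core(msg, iv, out_bytes):
    """SHA-512 padding + compression with an arbitrary IV; returns out_bytes of the state."""
    padded = msg + b"\x80"
    padded += b"\x00" * ((112 - len(padded)) % 128)   # pad to 112 mod 128
    padded += (len(msg) * 8).to_bytes(16, "big")       # 128-bit length field
    state = list(iv)
    for off in range(0, len(padded), 128):
        state = _compress(state, padded[off:off + 128])
    return struct.pack(">8Q", *state)[:out_bytes]


def sha512(msg):
    """Plain SHA-512, 64-byte digest."""
    return _sha512_core(msg, SHA512_IV, 64)


_IV_CACHE = {}


def sha512_t_iv(t):
    """FIPS 180-4 section 5.3.6 IV generation: SHA-512 with H0 XOR a5..a5 over 'SHA-512/t'."""
    if t not in _IV_CACHE:
        tweaked = [h ^ 0xA5A5A5A5A5A5A5A5 for h in SHA512_IV]
        digest = _sha512_core(("SHA-512/%d" % t).encode("ascii"), tweaked, 64)
        _IV_CACHE[t] = list(struct.unpack(">8Q", digest))
    return _IV_CACHE[t]


def sha512_t(msg, t):
    """SHA-512/t (t = 224 or 256): SHA-512 with the derived IV, output truncated to t bits."""
    assert t in (224, 256), "FIPS 180-4 defines only SHA-512/224 and SHA-512/256"
    return _sha512_core(msg, sha512_t_iv(t), t // 8)


def differs_from_plain_truncation(msg, t):
    """True when SHA-512/t(msg) is not simply the first t bits of SHA-512(msg) (the new IV matters)."""
    return sha512_t(msg, t) != sha512(msg)[: t // 8]


if __name__ == "__main__":
    print("SHA-512/256(abc) =", sha512_t(b"abc", 256).hex())
    print("SHA-512/224(abc) =", sha512_t(b"abc", 224).hex())
```

The distinct IV is the reason a SHA-512/256 digest cannot be recovered from a SHA-512 digest of the same message (or vice versa), which is the domain separation NIST wanted; the same decoupling of state size from output size is what the Skein paragraph above describes.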
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer
and otherwise. You can subscribe, unsubscribe, or change your address
on the Web at <http://www.schneier.com/crypto-gram.html>. Back issues
are also available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief
Security Technology Officer of BT BCSG, and is on the Board of Directors
of the Electronic Privacy Information Center (EPIC). He is a frequent
writer and lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2011 by Bruce Schneier.
-------------------------------------------------------
--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
___________________
Nolug mailing list
nolug@nolug.org
Received on 03/15/11
This archive was generated by hypermail 2.2.0 : 03/15/11 EDT