CRYPTO-GRAM, March 15, 2011

Bruce Schneier schneier at SCHNEIER.COM
Mon Mar 14 23:23:43 PDT 2011


                 CRYPTO-GRAM

                March 15, 2011

              by Bruce Schneier
      Chief Security Technology Officer, BT
             schneier at schneier.com
            http://www.schneier.com


A free monthly newsletter providing summaries, analyses, insights, and  
commentaries on security: computer and otherwise.

For back issues, or to subscribe, visit  
<http://www.schneier.com/crypto-gram.html>.

You can read this issue on the web at  
<http://www.schneier.com/crypto-gram-1103.html>.  These same essays and  
news items appear in the "Schneier on Security" blog at  
<http://www.schneier.com/blog>, along with a lively comment section.  An  
RSS feed is available.


** *** ***** ******* *********** *************

In this issue:
     Anonymous vs. HBGary
     News
     Schneier News
     NIST Defines New Versions of SHA-512


** *** ***** ******* *********** *************

     Anonymous vs. HBGary



One of the effects of writing a book is that I don't have the time to  
devote to other writing.  So while I've been wanting to write about  
Anonymous vs. HBGary, I don't think I will have time.  Here's an excellent 
series of posts on the topic from ArsTechnica.

In cyberspace, the balance of power is on the side of the attacker.  
Attacking a network is *much* easier than defending a network.  That may  
change eventually -- there might someday be the cyberspace equivalent of  
trench warfare, where the defender has the natural advantage -- but not  
anytime soon.

 
http://arstechnica.com/tech-policy/news/2011/02/anonymous-to-security-firm-working-with-fbi-youve-angered-the-hive.ars 
or http://tinyurl.com/5t35y7m
 
http://arstechnica.com/tech-policy/news/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price.ars 
or http://tinyurl.com/6xhleht
 
http://arstechnica.com/tech-policy/news/2011/02/virtually-face-to-face-when-aaron-barr-met-anonymous.ars 
or http://tinyurl.com/4n8rohh
 
http://arstechnica.com/tech-policy/news/2011/02/the-ridiculous-plan-to-attack-wikileaks.ars 
or http://tinyurl.com/4nv4jat
 
http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars 
or http://tinyurl.com/6579grz
 
http://arstechnica.com/tech-policy/news/2011/02/black-ops-how-hbgary-wrote-backdoors-and-rootkits-for-the-government.ars 
or http://tinyurl.com/6fw4s5u

This is a really good piece by Paul Roberts on Anonymous vs. HBGary: not  
the tactics or the politics, but what HBGary demonstrates about the IT  
security industry.
 
http://threatpost.com/en_us/blogs/rsa-2011-winning-war-losing-our-soul-022211 
or http://tinyurl.com/48tgfee

Stephen Colbert on HBGary:
 
http://www.colbertnation.com/the-colbert-report-videos/375428/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks 
or http://tinyurl.com/46gaa9d
 
http://www.colbertnation.com/the-colbert-report-videos/375429/february-24-2011/corporate-hacker-tries-to-take-down-wikileaks---glenn-greenwald 
or http://tinyurl.com/4p4zp3l

Another article:
 
http://www.h-online.com/security/features/Anonymous-makes-a-laughing-stock-of-HBGary-1198176.html 
or http://tinyurl.com/63fekyp


** *** ***** ******* *********** *************

     News


Interesting article from Wired: "How a Remote Town in Romania Has Become  
Cybercrime Central."
http://www.wired.com/magazine/2011/01/ff_hackerville_romania/all/1

Recently declassified: "Historical Study: The National Security Agency  
Scientific Advisory Board 1952-1963."
http://www.governmentattic.org/4docs/NSA-SAB52-63_1965.pdf

A physical biometric wallet: $825.
 
http://www.dunhill.com/en-us/shoponline/leather/wallets/biometric-wallet-qgk0169 
or http://tinyurl.com/4f2f345
 
http://www.thetechherald.com/article.php/201105/6754/Dunhill-biometric-wallet-provides-protection-for-the-rich 
or http://tinyurl.com/4n8v53e
I don't think I understand the threat model.  If your wallet is stolen,  
you're going to replace all your ID cards and credit cards and you're not 
going to get your cash back -- whether it's a normal wallet or this  
wallet.  I suppose this wallet makes it less likely that someone will use 
your stolen credit cards quickly, before you cancel them.  But you're not 
going to be liable for costs incurred during that delay in any case.

Interesting story about a con man who conned the U.S. government, and how 
the government is trying to hide its dealings with him.
http://www.nytimes.com/2011/02/20/us/politics/20data.html

Susan Landau's testimony before the House Judiciary Committee,  
Subcommittee on Crime, Terrorism, and Homeland Security on government  
eavesdropping.
http://judiciary.house.gov/hearings/hear_02172011.html

The testimony of Valerie Caproni, General Counsel of the FBI, on the same 
topic.
 
http://www.fbi.gov/news/testimony/going-dark-lawful-electronic-surveillance-in-the-face-of-new-technologies 
or http://tinyurl.com/46l49am

Good article about the terrorist non-threat from Reason:
http://reason.com/archives/2011/02/15/what-islamist-terrorist-threat

"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael  
Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson.
http://www.usenix.org/events/fast11/tech/full_papers/Wei.pdf
News article:
http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
Video of talk:
http://www.usenix.org/multimedia/fast11wei

NIST has finally published its rationale for selecting the five SHA-3  
finalists.
 
http://csrc.nist.gov/groups/ST/hash/sha-3/Round2/documents/Round2_Report_NISTIR_7764.pdf 
 or http://tinyurl.com/4zte3e2

Pickpocketing as a trade is dying out in America, because there's no one  
to train newer pickpockets in the craft.
http://www.slate.com/id/2286010/pagenum/all/

Interesting research in using animals to detect substances.  Basically,  
sniffer dogs respond to unconscious cues from their handlers, and generate 
false alarms because of them.  It makes sense, as dogs are so attuned to 
humans.  I'll bet bomb-sniffing bees don't make the same mistakes.
http://www.economist.com/blogs/babbage/2011/02/animal_behaviour
Full paper:
http://www.springerlink.com/content/j477277481125291/fulltext.pdf
Bomb-sniffing bees:
http://www.livescience.com/4605-bees-trained-bomb-sniffers.html

"American Cryptography During the Cold War 1945-1989; Book IV: Cryptologic 
Rebirth 1981-1989."  Document was first declassified in 2009.   Here are 
some newly declassified pages.
http://www.governmentattic.org/4docs/NSA_AmerCryptColdWarBk4_1999.pdf
http://www.governmentattic.org/4docs/oNSAAmerCryptColdWarBk4_1999.pdf

Criminals are stealing cars by calling tow trucks.  It's a clever hack,  
but an old problem: the authentication in these sorts of normal operations 
isn't good enough to prevent abuse.
http://www.wsmv.com/news/26878155/detail.html

A programmer installed malware into the Whack-a-Mole arcade game as a form 
of job security.  It didn't work.
http://www.wftv.com/news/26986709/detail.html

Wired.com has a good three-part story on full-body scanners.
http://www.wired.com/threatlevel/2011/02/scanners-part1/
http://www.wired.com/threatlevel/2011/03/scanners-part2/
http://www.wired.com/threatlevel/2011/03/scanners-part3/

Another attempt to sort out scanner claims:
http://www.okianwarrior.com/MathView/BackscatterSafety/

Using language patterns to identify anonymous email.  It only works when  
there's a limited number of potential authors.
http://www.schneier.com/blog/archives/2011/03/using_language.html


** *** ***** ******* *********** *************

     Schneier News



I'm speaking at Black Hat Europe in Barcelona on March 17.
http://www.blackhat.com/html/bh-eu-11/bh-eu-11-home.html

I'm speaking at the Oracle Chief Security Officer Summit in New York City 
on March 30.
http://www.oracle.com/us/dm/65212-wwmk09121721mpp414-se-281577.html

This three-part video interview with me was conducted at the RSA  
Conference last month.
 
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528091,00.html 
or http://tinyurl.com/4q9vt45
 
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528245,00.html 
or http://tinyurl.com/4dezbsk
 
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1528160,00.html 
or http://tinyurl.com/4bawfzq

I was interviewed on chomp.fm.
http://chomp.fm/008/


** *** ***** ******* *********** *************

     NIST Defines New Versions of SHA-512



NIST has just defined two new versions of SHA-512.  They're SHA-512/224  
and SHA-512/256: 224- and 256-bit truncations of SHA-512, each computed  
from its own initial value (IV) rather than SHA-512's, so that the  
truncated digest is not simply a prefix of the SHA-512 digest of the same  
message.  They've done this because SHA-512 is faster than SHA-256 on  
64-bit CPUs, so these new SHA variants will be faster than SHA-224 and  
SHA-256 at the same output sizes.

This is a good thing, and exactly what we did in the design of Skein. We 
defined different outputs for the same state size, because it makes sense 
to decouple the internal workings of the hash function from the output 
size.

http://csrc.nist.gov/publications/drafts/fips180-4/FRN_Draft-FIPS180-4.pdf  
or http://tinyurl.com/47fta7g
http://csrc.nist.gov/publications/PubsDrafts.html#fips-180-4
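To make the "truncation with a new IV" concrete, here is an added example
(my own code, not from Crypto-Gram, NIST, or the Skein team) that builds
SHA-512/t from first principles the way draft FIPS 180-4 section 5.3.6
describes it: XOR each SHA-512 initial hash word with 0xa5a5a5a5a5a5a5a5,
hash the ASCII string "SHA-512/t" with that tweaked IV, and use the 512-bit
result as the IV for the truncated variant.  The SHA-512 constants are
derived from square and cube roots of the first primes rather than typed
in.  The one simplifying assumption of mine is that t is a multiple of 8,
so truncation is to whole bytes; the function and variable names are also
mine.

```python
"""SHA-512/t from first principles (added example; not NIST or Skein code).

Construction per draft FIPS 180-4 sec. 5.3.6: tweak the SHA-512 IV with
0xa5a5..., hash "SHA-512/t" under that IV, use the result as the new IV,
then truncate.  Assumption (mine): t is a multiple of 8.
"""
import math

MASK64 = (1 << 64) - 1


def _primes(n):
    """First n primes by trial division; n is tiny, so speed is irrelevant."""
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps if p * p <= c):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Integer cube root floor(n ** (1/3)) by Newton's method on big ints."""
    x = 1 << ((n.bit_length() + 2) // 3)  # start strictly above the root
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


_P = _primes(80)
# Initial hash value: first 64 fractional bits of sqrt(p), first 8 primes.
SHA512_IV = tuple(math.isqrt(p << 128) & MASK64 for p in _P[:8])
# Round constants: first 64 fractional bits of cbrt(p), first 80 primes.
SHA512_K = tuple(_icbrt(p << 192) & MASK64 for p in _P)


def _rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def _compress(state, block):
    """One SHA-512 compression of a 128-byte block into the 8-word state."""
    w = [int.from_bytes(block[i:i + 8], "big") for i in range(0, 128, 8)]
    for t in range(16, 80):
        s0 = _rotr(w[t - 15], 1) ^ _rotr(w[t - 15], 8) ^ (w[t - 15] >> 7)
        s1 = _rotr(w[t - 2], 19) ^ _rotr(w[t - 2], 61) ^ (w[t - 2] >> 6)
        w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK64)
    a, b, c, d, e, f, g, h = state
    for t in range(80):
        big_s1 = _rotr(e, 14) ^ _rotr(e, 18) ^ _rotr(e, 41)
        ch = (e & f) ^ (~e & g)
        t1 = (h + big_s1 + ch + SHA512_K[t] + w[t]) & MASK64
        big_s0 = _rotr(a, 28) ^ _rotr(a, 34) ^ _rotr(a, 39)
        maj = (a & b) ^ (a & c) ^ (b & c)
        t2 = (big_s0 + maj) & MASK64
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK64, c, b, a, (t1 + t2) & MASK64
    return tuple((s + v) & MASK64 for s, v in zip(state, (a, b, c, d, e, f, g, h)))


def sha512_core(data, iv):
    """SHA-512 over data starting from iv; returns the full 64-byte state."""
    padded = (data + b"\x80" + b"\x00" * ((111 - len(data)) % 128)
              + (len(data) * 8).to_bytes(16, "big"))
    state = tuple(iv)
    for i in range(0, len(padded), 128):
        state = _compress(state, padded[i:i + 128])
    return b"".join(s.to_bytes(8, "big") for s in state)


def sha512(data):
    return sha512_core(data, SHA512_IV)


def sha512_t_iv(t):
    """IV for SHA-512/t: the FIPS 180-4 IV generation function."""
    if not (0 < t < 512) or t == 384 or t % 8:
        raise ValueError("t must be a multiple of 8 below 512 and not 384")
    tweaked = tuple(h ^ 0xA5A5A5A5A5A5A5A5 for h in SHA512_IV)
    seed = sha512_core(("SHA-512/%d" % t).encode("ascii"), tweaked)
    return tuple(int.from_bytes(seed[i:i + 8], "big") for i in range(0, 64, 8))


def sha512_t(data, t):
    """SHA-512/t digest: SHA-512 under the t-specific IV, truncated to t bits."""
    return sha512_core(data, sha512_t_iv(t))[: t // 8]


def matches_hashlib(data, t=None):
    """Cross-check: plain SHA-512 against hashlib when t is None; otherwise
    sha512_224/sha512_256, returning None if the linked OpenSSL lacks them."""
    import hashlib
    if t is None:
        return hashlib.sha512(data).digest() == sha512(data)
    try:
        ref = hashlib.new("sha512_%d" % t, data).digest()
    except ValueError:
        return None
    return ref == sha512_t(data, t)


if __name__ == "__main__":
    print("SHA-512/256(abc) =", sha512_t(b"abc", 256).hex())
    print("SHA-512/224(abc) =", sha512_t(b"abc", 224).hex())
    print("SHA-512/256 is not a prefix of SHA-512:",
          sha512(b"abc")[:32] != sha512_t(b"abc", 256))
```

The last line of the demo is the practical reason for the new IV: because
the two functions start from different initial states, a SHA-512/256
digest never equals the first 32 bytes of the SHA-512 digest of the same
message, so an attacker cannot pass one off as a truncation of the other.
The same decoupling of internal state size from output size is what Skein
does with its output-size parameter.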


** *** ***** ******* *********** *************

Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing  
summaries, analyses, insights, and commentaries on security: computer and 
otherwise.  You can subscribe, unsubscribe, or change your address on the 
Web at <http://www.schneier.com/crypto-gram.html>.  Back issues are also 
available at that URL.

Please feel free to forward CRYPTO-GRAM, in whole or in part, to  
colleagues and friends who will find it valuable.  Permission is also  
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is the author of the  
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"  
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,  
Threefish, Helix, Phelix, and Skein algorithms.  He is the Chief Security 
Technology Officer of BT BCSG, and is on the Board of Directors of the 
Electronic Privacy Information Center (EPIC).  He is a frequent writer and 
lecturer on security topics.  See <http://www.schneier.com>.

Crypto-Gram is a personal newsletter.  Opinions expressed are not  
necessarily those of BT.

Copyright (c) 2011 by Bruce Schneier.

----- End forwarded message -----
-- 
Eugen* Leitl <http://leitl.org>