kottke.org posts about Bruce Schneier
Edward Snowden's leak of NSA documents keeps paying dividends. The latest report (in the Guardian, the NY Times, and Pro Publica) alleges that the NSA has cracked or circumvented many of the internet security protocols designed to keep communications private from third parties. From the Pro Publica piece:
The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.
Many users assume -- or have been assured by Internet companies -- that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.
Cryptographer Matthew Green speculates on exactly how the NSA might have achieved these results and what the implications are.
Probably the biggest concern in all this is the evidence of collaboration between the NSA and unspecified 'telecom providers'. We already know that the major US (and international) telecom carriers routinely assist the NSA in collecting data from fiber-optic cables. But all this data is no good if it's encrypted.
While software compromises and weak standards can help the NSA deal with some of this, by far the easiest way to access encrypted data is to simply ask for -- or steal -- the keys. This goes for something as simple as cellular encryption (protected by a single key database at each carrier) all the way to SSL/TLS which is (most commonly) protected with a few relatively short RSA keys.
If you're concerned about the privacy of your communications, security expert Bruce Schneier has some suggestions for keeping secure.
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections -- and it may have explicit exploits against these protocols -- you're much better protected than if you communicate in the clear.
Charles Mann visits the airport with security expert Bruce Schneier and a fake boarding pass. What he finds is a lot of security theater and not much security.
"The only useful airport security measures since 9/11," he says, "were locking and reinforcing the cockpit doors, so terrorists can't break in, positive baggage matching" -- ensuring that people can't put luggage on planes, and then not board them -- "and teaching the passengers to fight back. The rest is security theater."
I don't know if this is sadly hilarious or hilariously sad. Jeffrey Goldberg took all sorts of crazy stuff through airport security -- "al-Qaeda T-shirts, Islamic Jihad flags, Hezbollah videotapes, inflatable Yasir Arafat dolls (really), pocketknives, matches from hotels in Beirut and Peshawar, dust masks, lengths of rope, cigarette lighters, nail clippers, eight-ounce tubes of toothpaste (in my front pocket), bottles of Fiji Water (which is foreign), and, of course, box cutters" -- and almost nothing was ever taken away from him or was a source of concern for airport security personnel.
We took our shoes off and placed our laptops in bins. Schneier took from his bag a 12-ounce container labeled "saline solution."
"It's allowed," he said. Medical supplies, such as saline solution for contact-lens cleaning, don't fall under the TSA's three-ounce rule.
"What's allowed?" I asked. "Saline solution, or bottles labeled saline solution?"
"Bottles labeled saline solution. They won't check what's in it, trust me."
They did not check. As we gathered our belongings, Schneier held up the bottle and said to the nearest security officer, "This is okay, right?" "Yep," the officer said. "Just have to put it in the tray."
"Maybe if you lit it on fire, he'd pay attention," I said, risking arrest for making a joke at airport security. (Later, Schneier would carry two bottles labeled saline solution-24 ounces in total-through security. An officer asked him why he needed two bottles. "Two eyes," he said. He was allowed to keep the bottles.)
So hard to pick just one excerpt from this one...it's full of ridiculousness. I don't care how many blogs the TSA launches, this is a farce. (thx, anthony)
Bruce Schneier on the Portrait of the Modern Terrorist as an Idiot. "Terrorism is a real threat, and one that needs to be addressed by appropriate means. But allowing ourselves to be terrorized by wannabe terrorists and unrealistic plots -- and worse, allowing our essential freedoms to be lost by using them as an excuse -- is wrong."
Did President Bush get his watch stolen in Albania while shaking hands with people in the crowd? Bruce Schneier: "At 0.50 minutes into the clip, Bush has a watch. At 1.04 minutes into the clip, he had a watch."
Update: Tony Snow is saying that Bush put the watch in his pocket. (thx, hal)
The inept security theater at the airport. "For theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration."
Even though the most popular password on MySpace is "password1" (the 5th most popular password is "blink182"), most users' passwords are pretty good...and better than corporate employees' passwords.
Bruce Schneier: "It's time we calm down and fight terror with antiterror. Our job is to think critically and rationally, and to ignore the cacophony of other interests trying to use terrorism to advance political careers or increase a television show's viewership."
Q. Is it possible to use a wireless Internet connection on a plane?
A. Yes, if you happen to be flying on an airline that offers the service. International carriers like Korean Air, Lufthansa and Singapore Airlines already have wireless broadband service on many routes; fees for using it vary. Check with your airline to see if it offers in-flight Internet.
So says the NY Times. While it may not be possible to use wireless Internet connections on the plane, it is possible to use wireless connections. Apple laptops can create networks which other computers with wireless capability can join. Bluetooth capable devices like laptops and cellphones can communicate with each other over smaller distances.
Since 9/11, I've often thought that this would be an effective way for a group of people to coordinate some nefarious action on a plane without attracting any attention. Five or six people scattered about the plane on laptops, iChatting plans to one another, wouldn't be unusual at all. Of course, a properly trained group wouldn't need to communicate with each other at all after boarding the plane. Nor, says Bruce Schneier, should we ban things like cellphones and Internet access on airplanes for security reasons.
Bruce Schneier on the sorry state of airport security. "Exactly two things have made airline travel safer since 9/11: reinforcement of cockpit doors, and passengers who now know that they may have to fight back. Everything else...is security theater."
Bruce Schneier on how to mitigate identity theft. "If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions."