Shostack + Friends Blog Archive

 

Quantum Crypto is Quantum Backdoored, But It's Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it. There have been other attacks […]

 

Rights at the "Border"

“I was actually woken up with a flashlight in my face,” recalled Mike Santomauro, 27, a law student who encountered the [Border Patrol] in April, at 2 a.m. on a train in Rochester. Across the aisle, he said, six agents grilled a student with a computer who had only an electronic version of his immigration […]

 

OSF looking for DataLossDB help

The folks running the Open Security Foundation’s DataLossDB are asking for some fully tax-deuctible help meeting expenses. I’ve blogged repeatedly about the value of this work, and hope that interested EC readers can assist in supporting it. With new FOIA-able sources of information becoming available, now seems to be a great time to help out.

 

Transparency, India, Voting Machines

India’s EVMs are Vulnerable to Fraud. And for pointing that out, Hari Prasad has been arrested by the police in India, who wanted to threaten and intimidate him question him about where he got the machine that he studied. That’s a shame. The correct response is to fund Hari Prasad’s work, not use the police […]

 

Wikileaks

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.” I think that was the wrong warning. Wikileaks is poking at a very […]

 

Measurement Theory & Risk Posts You Should Read

These came across the SIRA mailing list. They were so good, I had to share: https://eight2late.wordpress.com/2009/07/01/cox%E2%80%99s-risk-matrix-theorem-and-its-implications-for-project-risk-management/ http://eight2late.wordpress.com/2009/12/18/visualising-content-and-context-using-issue-maps-an-example-based-on-a-discussion-of-coxs-risk-matrix-theorem/ http://eight2late.wordpress.com/2009/10/06/on-the-limitations-of-scoring-methods-for-risk-analysis/ Thanks to Kevin Riggins for finding them and pointing them out.

 

P != NP and Security

There’s been a lot of discussion about the paper written by mathematician Vinay Deolalikar on this interesting problem. The P!=NP problem is so interesting that there’s a million-dollar prize for solving it. It might even be interesting because there’s a million-dollar prize for solving it. It might also have some applicability to computer science and […]

 

Databases or Arrests?

From Dan Froomkin, “FBI Lab’s Forensic Testing Backlog Traced To Controversial DNA Database,” we see this example of the mis-direction of key funds: The pressure to feed results into a controversial, expansive DNA database has bogged down the FBI’s DNA lab so badly that there is now a two-year-and-growing backlog for forensic DNA testing needed […]

 

How not to address child ID theft

(San Diego, CA) Since the 1980?s, children in the US have been issued Social Security numbers (SSN) at birth. However, by law, they cannot be offered credit until they reach the age of 18. A child?s SSN is therefore dormant for credit purposes for 18 years. Opportunists have found novel ways to abuse these “dormant” […]

 

Dating and InfoSec

So if you don’t follow the folks over at OKCupid, you are missing out on some hot data. In case you’re not aware of it, OKCupid is: the best dating site on earth. Compiling our observations and statistics from the hundreds of millions of user interactions we’ve logged, we use this outlet to explore the […]

 

Bleg: Picture editor?

I used to use “Galerie” on my Mac to put nice pretty frames around pictures I posted here. (See some examples.) Galerie was dependent on … blah, blah, won’t work anymore without some components no longer installed by default. So I’m looking for a replacement that will, with little effort, put pictures in a nice […]

 

Making it up so you don't have to

If you don’t have time to develop a data-driven, business focused security strategy, we sympathize. It’s a lot of hard work. So here to help you is “What the fuck is my information security ‘strategy?’ “: Thanks, N!

 

Jon Callas on Comedies, Tragedy and PKI

Prompted by Peter Gutmann: [0] I’ve never understood why this is a comedy of errors, it seems more like a tragedy of errors to me. Jon Callas of PGP fame wrote the following for the cryptography mail list, which I’m posting in full with his permission: That is because a tragedy involves someone dying. Strictly […]

 

New low in pie charts

It’s not just a 3d pie chart with lighting effects and reflection. Those are common. This one has been squished. It’s wider than it is tall. While I’m looking closely, isn’t “input validation” a superset of “buffer errors” “code injection” and “command injection?” You can get the “Application Security Trends report for Q1-Q2 2010” from […]

 

Transparent Lies about Body Scanners

In “Feds Save Thousands of Body Scan Images,” EPIC reports: In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of […]

 

Illogical Cloud Positivism

Last we learned, Peter Coffee was Director of Platform Research for salesforce.com.  He also blogs on their corporate weblog, CloudBlog, a blog that promises “Insights on the Future of Cloud Computing”. He has a post up from last week that called “Private Clouds, Flat Earths, and Unicorns” within which he tries to “bust some myths” […]

 

What They Know (From the WSJ)

Interesting interactive data app from the Wall Street Journal about your privacy online and what various websites track/know about you. http://blogs.wsj.com/wtk/ Full disclosure, our site uses Mint for traffic analytics.