Trust Me

Bruce Schneier has an extensive collection of links regarding the TSA and current screening procedures.

One thing that seems to get overlooked in all of the stories I’ve read, in which some government official insists that the ever-more-invasive security protocols are needed, in order to prevent attacks like the shoe bomber and Christmas-day bomber, is this: these protocols never would have stopped either of those attempts, because neither passenger boarded a flight originating in the US. They are being used as excuses.

The government says, “Trust us. We need to do this for your safety.” The problem is that the government has no credibility. There’s no incident of a bombing which could have been prevented by these scanners to which they can point, and no statistic of risk they can cite which they could improve upon. They promise that the scanner images aren’t retained, but then we discover that’s false. How could it be true, anyways? The government isn’t going to hang on to potential evidence in case a passenger needs a follow-up pat-down, or there’s a subsequent problem on a flight? All they have is a manufactured fear they keep promoting.

The Cryptic Kryptos

Clues to Stubborn Secret in C.I.A.’s Backyard

Jim Sanborn, the sculptor who created “Kryptos” and its puzzles, is getting a bit frustrated by the wait. “I assumed the code would be cracked in a fairly short time,” he said, adding that the intrusions on his life from people who think they have solved his fourth puzzle are more than he expected.

So now, after 20 years, Mr. Sanborn is nudging the process along. He has provided The New York Times with the answers to six letters in the sculpture’s final passage. The characters that are the 64th through 69th in the final series on the sculpture read NYPVTT. When deciphered, they read BERLIN.

Bio-Dubious

The Difference Engine: Dubious security

Authentication of a person is usually based on one of three things: something the person knows, such as a password; something physical the person possesses, like an actual key or token; or something about the person’s appearance or behaviour. Biometric authentication relies on the third approach. Its advantage is that, unlike a password or a token, it can work without active input from the user. That makes it both convenient and efficient: there is nothing to carry, forget or lose.

The downside is that biometric screening can also work without the user’s co-operation or even knowledge. Covert identification may be a boon when screening for terrorists or criminals, but it raises serious concerns for innocent individuals. Biometric identification can even invite violence. A motorist in Germany had a finger chopped off by thieves seeking to steal his exotic car, which used a fingerprint reader instead of a conventional door lock.

Plus, you can also fake out scanners with digits made from play-doh or gelatin (after which, especially for the latter, you could eat the evidence). Still waiting for that one to show up on CSI.

Evil Genius Physics

French Thieves Use Vacuums to Suck Thousands from Safes

The key to the thieves’ nearly uninterrupted streak of success, per French reports, is the way that Monoprix delivers money from the checkouts to its safes: Envelopes of cash are funneled in via pneumatic suction tubes. Whereas breaching the safe itself might be considerably difficult, requiring explosives or safecracking, the thieves realized that if they just drilled into the delivery tubes near the safebox and hooked up a powerful vacuum, they could suck the money out and get at it much more easily.

I don’t know the specifics, so there may be a good reason that they haven’t fixed this problem during the four years the thieving has been going on, but it would seem a check valve would be useful here.

Mmmm. Haaaash.

Built on Facts: Sunday Function

Take an integer – one of at least several digits – and multiply it by itself twenty times. The result is going to be some really gargantuan number. Take the last 10 digits of that number. That’s the output of our function, which we’ll call h(n).

The resistance can use this property of hash functions to make their resistance network more secure. Instead of distributing a list of all the agents’ passwords, the resistance can distribute a list of the hashes of their passwords. Thus if Bob knows that Alice’s hash is 7001140801, Alice can verify her identity by saying that her password is 314159, which has that as its hash. But if a Nazi double agent (let’s call her Eve) has managed to steal the list of hashes, she still can’t impersonate Alice. Eve doesn’t know what password to use to generate that hash. She could try thousands or millions of guesses and hope that eventually she found one with a hash that matches Alice’s hash, but with all the possible hashes that would be a herculean task.
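An added example of my own (not code from the Built on Facts post) that implements the toy h(n) above as n^20 reduced mod 10^10, checks the quoted Alice/Bob exchange (314159 hashes to 7001140801), and goes one step past the text by measuring Eve’s guessing effort against the size of the password space, which is what actually bounds her work. The agent names and the six-digit password range are my assumptions.

```python
# Added example (not from the original post): the toy hash h(n) described
# above, the resistance's hash list, and Eve's guess-the-password attack.
from typing import Dict, Optional

MODULUS = 10**10  # "keep the last 10 digits" is the same as reducing mod 10^10


def h(n: int) -> int:
    """n multiplied by itself twenty times (n**20), keeping the last 10 digits.
    pow() with a modulus never builds the gargantuan intermediate number."""
    return pow(n, 20, MODULUS)


def verify(hash_list: Dict[str, int], name: str, claimed_password: int) -> bool:
    """Bob's check: does the claimed password hash to the value on his list?
    Unknown names fail closed (get() returns None, which never equals a hash)."""
    return hash_list.get(name) == h(claimed_password)


def find_preimage(target: int, max_password: int) -> Optional[int]:
    """Eve's only move with nothing but the hash list: guess passwords until one
    hashes to the target. Her cost is bounded by the password space she has to
    search, not by the 10^10 possible hash values."""
    for guess in range(max_password + 1):
        if h(guess) == target:
            return guess
    return None


# Alice's password (314159) and her hash (7001140801) are the values quoted above.
HASH_LIST = {"alice": h(314159)}

if __name__ == "__main__":
    print(f"h(314159) = {HASH_LIST['alice']}")
    print("Alice, password 314159:", verify(HASH_LIST, "alice", 314159))
    print("Eve, password 123456:  ", verify(HASH_LIST, "alice", 123456))
    # Constructed scenario: assume agents use six-digit passwords. Searching
    # that whole space takes under a second here, so the hash list protects
    # Alice only as well as her password space is large.
    guess = find_preimage(HASH_LIST["alice"], 999_999)
    print(f"Eve, guessing every 6-digit password, finds {guess}")
```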

I Know That You Know That I Know

Pandora’s Briefcase

“Are spies really of any value?” investigated (mostly) in the context of Operation Mincemeat, a deception to make Germany think an invasion in the Mediterranean would come through Greece, instead of Sicily.

A body that washes up onshore is either the real thing or a plant. The story told by the ambassador’s valet is either true or too good to be true. Mincemeat seems extraordinary proof of the cleverness of the British Secret Intelligence Service, until you remember that just a few years later the Secret Intelligence Service was staggered by the discovery that one of its most senior officials, Kim Philby, had been a Soviet spy for years. The deceivers ended up as the deceived.

But, if you cannot know what is true and what is not, how on earth do you run a spy agency? In the nineteen-sixties, Angleton turned the C.I.A. upside down in search of K.G.B. moles that he was sure were there. As a result of his mole hunt, the agency was paralyzed at the height of the Cold War. American intelligence officers who were entirely innocent were subjected to unfair accusations and scrutiny. By the end, Angleton himself came under suspicion of being a Soviet mole, on the ground that the damage he inflicted on the C.I.A. in the pursuit of his imagined Soviet moles was the sort of damage that a real mole would have sought to inflict on the C.I.A. in the pursuit of Soviet interests.

Just as I Suspected

You were right: It’s a waste of your time. A study says much computer security advice is not worth following.

Please do not change your password

[U]sers are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.

You change passwords for much the same reason you would change codes — to keep ahead of someone who is stealing periodically updated information from you. But it’s not going to help protect static information, like your credit card information and bank account numbers. Once you’re hacked, that will be compromised.

The Art of the Steal

Art of the Steal: On the Trail of World’s Most Ingenious Thief

The most ingenious one they’ve caught, anyway.

Blanchard wasn’t listening. He was noting the motion sensors in the corner, the type of screws on the case, the large windows nearby. To hear Blanchard tell it, he has a savantlike ability to assess security flaws, like a criminal Rain Man who involuntarily sees risk probabilities at every turn. And the numbers came up good for the star. Blanchard knew he couldn’t fence the piece, which he did hear the guide say was worth $2 million. Still, he found the thing mesmerizing and the challenge irresistible.

He began to work immediately, videotaping every detail of the star’s chamber. (He even coyly shot the “No Cameras” sign near the jewel case.) He surreptitiously used a key to loosen the screws when the staff moved on to the next room, unlocked the windows, and determined that the motion sensors would allow him to move — albeit very slowly — inside the castle. He stopped at the souvenir shop and bought a replica of the Sisi Star to get a feel for its size. He also noted the armed guards stationed at every entrance and patrolling the halls.

But the roof was unguarded, and it so happened that one of the skills Blanchard had picked up in his already long criminal career was skydiving. He had also recently befriended a German pilot who was game for a mercenary sortie and would help Blanchard procure a parachute. Just one night after his visit to the star, Blanchard was making his descent to the roof.