Schneier on Security

A blog covering security and security technology.

The DMCA and its Chilling Effects on Research

Mon, 04/16/2018 - 7:46am
The Center for Democracy and Technology has a good summary of the current state of the DMCA's chilling effects on security research. To underline the nature of chilling effects on hacking and security research, CDT has worked to describe how tinkerers, hackers, and security researchers of all types both contribute to a baseline level of security in our digital environment... Bruce Schneier

Friday Squid Blogging: Eating Firefly Squid

Fri, 04/13/2018 - 5:24pm
In Toyama, Japan, you can watch the firefly squid catch and eat them in various ways: "It's great to eat hotaruika around when the seasons change, which is when people tend to get sick," said Ryoji Tanaka, an executive at the Toyama prefectural federation of fishing cooperatives. "In addition to popular cooking methods, such as boiling them in salted water,... Bruce Schneier

COPPA Compliance

Fri, 04/13/2018 - 7:43am
Interesting research: "'Won't Somebody Think of the Children?' Examining COPPA Compliance at Scale": Abstract: We present a scalable dynamic analysis framework that allows for the automatic evaluation of the privacy behaviors of Android apps. We use our system to analyze mobile apps' compliance with the Children's Online Privacy Protection Act (COPPA), one of the few stringent privacy laws in the... Bruce Schneier

Cybersecurity Insurance

Thu, 04/12/2018 - 7:36am
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is. Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years' worth of experience and claims data in cyberinsurance, underwriters still struggle with... Bruce Schneier

The Digital Security Exchange Is Live

Wed, 04/11/2018 - 7:33am
Last year I wrote about the Digital Security Exchange. The project is live: The DSX works to strengthen the digital resilience of U.S. civil society groups by improving their understanding and mitigation of online threats. We do this by pairing civil society and social sector organizations with credible and trustworthy digital security experts and trainers who can help them keep... Bruce Schneier

DARPA Funding in AI-Assisted Cybersecurity

Tue, 04/10/2018 - 7:11am
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they're holding a proposers day in a week and a half. This is the kind of thing that can dramatically change the offense/defense balance.... Bruce Schneier

Obscure E-Mail Vulnerability

Mon, 04/09/2018 - 7:30am
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so is the same as is the same as (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and... Bruce Schneier

Friday Squid Blogging: Sake Decanters Made of Dried Squid

Fri, 04/06/2018 - 4:59pm
This is interesting. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

Subverting Backdoored Encryption

Wed, 04/04/2018 - 9:03am
This is a really interesting research result. This paper proves that two parties can create a secure communications channel using a communications system with a backdoor. It's a theoretical result, so it doesn't talk about how easy that channel is to create. And the assumptions on the adversary are pretty reasonable: that each party can create his own randomness, and... Bruce Schneier

Public Hearing on IoT Risks

Tue, 04/03/2018 - 7:22am
The US Consumer Product Safety Commission is holding hearings on IoT risks: The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. The information received from the public hearing will be used to inform future Commission risk... Bruce Schneier

Musical Ciphers

Mon, 04/02/2018 - 7:23am
Interesting history.... Bruce Schneier

Friday Squid Blogging: Market Squid in Alaskan Waters

Fri, 03/30/2018 - 5:17pm
Rising sea temperatures are causing market squid to move north into Alaskan waters. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier

Unlocking iPhones with Dead People's Fingerprints

Fri, 03/30/2018 - 7:11am
It's routine for US police to unlock iPhones with the fingerprints of dead people. It seems only to work with recently dead people.... Bruce Schneier

Facebook and Cambridge Analytica

Thu, 03/29/2018 - 4:50pm
In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us... Bruce Schneier

Another Branch Prediction Attack

Thu, 03/29/2018 - 7:23am
When Spectre and Meltdown were first announced earlier this year, pretty much everyone predicted that there would be many more attacks targeting branch prediction in microprocessors. Here's another one: In the new attack, an attacker primes the PHT and runs branch instructions so that the PHT will always assume a particular branch is taken or not taken. The victim code... Bruce Schneier

Breaking the Anonymity in the Cryptocurrency Monero

Wed, 03/28/2018 - 3:25pm
Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions. Research paper. BoingBoing post.... Bruce Schneier

Tracing Stolen Bitcoin

Wed, 03/28/2018 - 7:30am
Ross Anderson has a really interesting paper on tracing stolen bitcoin. From a blog post: Previous attempts to track tainted coins had used either the "poison" or the "haircut" method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then under poison, the output is ten stolen bitcoin, while under haircut... Bruce Schneier