schneier

Why haven't cyberinsurers exerted more pressure on companies to be better at security?

For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy peoples' lives, all the time, in wholesale quantities that beggar the imagination. Read the rest

Notpetya: the incredible story of an escaped US cyberweapon, Russian state hackers, and Ukraine's cyberwar

Andy Greenberg (previously) is Wired's senior security reporter; he did amazing work covering Russian cyberwarfare in Ukraine, which he has expanded into a forthcoming book: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (I read it for a blurb and a review; it's excellent). Read the rest

Defeating Apple's Faceid's proof-of-life by putting tape over glasses' lenses

Apple's Faceid -- a facial recognition tool that unlocks mobile devices -- has a countermeasure that is designed to prevent attackers from scanning an sleeping/unconscious (or dead) person's face to unlock their phone, by scanning the face for signs of consciousness. Read the rest

Design competition to create graphics to illustrate cybersecurity stories

Illustrating abstract articles is a pain in the ass, and in the age of social media, a post without an illustration is likely to disappear without attaining any kind of readership, which leaves those of us who cover the field endlessly remixing HAL9000 eyes using walls of code, Matrix text-waterfalls, or variations on hacker-in-a-hoodie. Read the rest

Siemens contractor hid "logic bomb" in complicated spreadsheet, guaranteeing future maintenance work

David Tinley developed complex spreadsheets under contract to Siemens, which used them to manage its equipment orders; Tinley hid "logic bombs" in the spreadsheets' scripts that caused them to malfunction every couple of years, which would gin up new work for him as he was called in to fix them. Read the rest

William Barr's terrible, stupid idea to ban working crypto is slightly less terrible and stupid than earlier ideas

Proposals to ban working cryptography were all the rage in the Clinton years, but then they fell out of vogue for a decade, only to come roaring back in the form of bizarre proposals each stupider than the last, with Australia bringing home the gold in the Dumbfuck Olympics. Read the rest

US election security: still a dumpster fire

Securing Our Cyber Future, Stanford Cyber Policy Center's new report on election security, depicts a US electoral system whose glaring vulnerabilities are still in place, three years after the chaos of the 2016 elections. Read the rest

In less than one second, a malicious web-page can uniquely fingerprint an Iphone, Pixel 2 or Pixel 3 without any explicit user interaction

In a new paper for IEEE Security, a trio of researchers (two from Cambridge, one from private industry) identify a de-anonymizing attack on Iphones that exploits minute differences in sensor calibration: an Iphone user who visits a webpage running the attack code can have their phone uniquely identified in less than a second, through queries to the sensors made through automated background processes running on the page. Read the rest

The world's preeminent cryptographers can't get visas to speak at US conferences

Ross Anderson (previously) is one of the world's top cryptographers; the British academic and practitioner was honored by having his classic, Security Engineering, inducted into The Cybersecurity Canon; however, he was not able to attend the awards gala himself because the US government sat on his visa application for months, and ultimately did not grant it in time. Read the rest

Securepairs.org will send debullshitifying security researchers to Right to Repair hearings to fight industry FUD

Dozens of Right to Repair bills were introduced across the USA last year, only to be defeated by hardcore lobbying led by Apple and backed by a rogue's gallery of giant manufacturers of every description; one of the most effective anti-repair tactics is to spread FUD about the supposed security risks of independent repairs. Read the rest

A 40cm-square patch that renders you invisible to person-detecting AIs

Researchers from KU Leuven have published a paper showing how they can create a 40cm x 40cm "patch" that fools a convoluted neural network classifier that is otherwise a good tool for identifying humans into thinking that a person is not a person -- something that could be used to defeat AI-based security camera systems. They theorize that the could just print the patch on a t-shirt and get the same result. Read the rest

Front-line programmers default to insecure practices unless they are instructed to do otherwise

It's always sort of baffling when security breaches reveal that a company has stored millions of users' passwords in unencrypted form, or put their data on an insecure cloud drive, or transmitted it between the users' devices and the company's servers without encryption, or left an API wide open, or some other elementary error: how does anyone in this day and age deploy something so insecure? Read the rest

Security researchers reveal defects that allow wireless hijacking of giant construction cranes, scrapers and excavators

Using software-defined radios, researchers from Trend Micro were able to reverse-engineer the commands used to control massive industrial machines, including cranes, excavators and scrapers; most of these commands were unencrypted, but even the encrypted systems were vulnerable to "replay attacks" that allowed the researchers to bypass the encryption. Read the rest

Letterlocking: the long-lost art of using paper-folding to foil snoops

"Letterlocking" is a term coined by MIT Libraries conservator Jana Dambrogio after she discovered a trove of letters while spelunking in the conservation lab of the Vatican Secret Archives; the letters had been ingeniously folded and sealed so that they couldn't be opened and re-closed without revealing that they had been read. Some even contained "booby traps" to catch the unwary. Read the rest

Using information security to explain why disinformation makes autocracies stronger and democracies weaker

The same disinformation campaigns that epitomize the divisions in US society -- beliefs in voter fraud, vaccine conspiracies, and racist conspiracies about migrants, George Soros and Black Lives Matter, to name a few -- are a source of strength for autocracies like Russia, where the lack of a consensus on which groups and views are real and which are manufactured by the state strengthens the hand of Putin and his clutch of oligarchs. Read the rest

"The End of Trust" - EFF/McSweeney's collaboration on privacy and surveillance - is in stores and free to download now!

The End of Trust (previously) is a special issue of McSweeney's, produced in collaboration with the Electronic Frontier Foundation, on the themes of technology, privacy and surveillance: it's in stores today, and free to download under a Creative Commons license. Read the rest

If you're an American of European descent, your stupid cousins have probably put you in vast commercial genomic databases

Remember when they caught the Golden State Killer by comparing DNA crime-scene evidence to big commercial genomic databases (like those maintained by Ancestry.com, 23 and Me, etc) to find his family members and then track him down? Read the rest

Next page

:)