Bruce Schneier

 
 

Schneier on Security

A blog covering security and security technology.

Cyberattacks Against NASA

It's been going on for a while.

Posted on December 4, 2008 at 1:04 PM | 5 Comments


Credit Card with One-Time Password Generator

This is a nifty little device: a credit card with an onboard one-time password generator. The idea is that the user enters his PIN every time he makes an online purchase, and enters the one-time code on the screen into the webform. The article doesn't say if the code is time-based or just sequence-based, but in either case the credit card company will be able to verify it remotely.

The idea is that this cuts down on card-not-present credit card fraud.

The efficacy of this countermeasure depends a lot on how much these new credit cards cost versus the amount of this type of fraud that happens, but in general it seems like a really good idea. Certainly better than that three-digit code printed on the back of cards these days.

According to the article, Visa will be testing this card in 2009 in the UK.

Posted on December 4, 2008 at 6:17 AM | 42 Comments


Hacking a Teleprompter

Funny.

EDITED TO ADD (12/4): Consensus is that it's faked.

Posted on December 3, 2008 at 1:59 PM | 21 Comments


Who Falls for those Nigerian 419 Scams Anyway?

This is the story of a woman who sent the scammers $400K:

She wiped out her husband's retirement account, mortgaged the house and took a lien out on the family car. Both were already paid for.

For more than two years, Spears sent tens and hundreds of thousands of dollars. Everyone she knew, including law enforcement officials, her family and bank officials, told her to stop, that it was all a scam. She persisted.

Spears said she kept sending money because the scammers kept telling her that the next payment would be the last one, that the big money was inbound. Spears said she became obsessed with getting paid.

An undercover investigator who worked on the case said greed helped blind Spears to the reality of the situation, which he called the worst example of the scam he's ever seen.

Posted on December 3, 2008 at 8:20 AM | 59 Comments


TSA Aiding Luggage Thieves

In this story about luggage stealing at Los Angeles International Airport, we find this interesting paragraph:

They both say there are organized rings of thieves, who identify valuables in your checked luggage by looking at the TSA x-ray screens, then communicate with baggage handlers by text or cell phone, telling them exactly what to look for.

Someone should investigate the extent to which the TSA's security measures facilitate crime.

Posted on December 2, 2008 at 2:15 PM | 54 Comments


Evolutionary Perspectives of War

This looks like it was a very interesting conference.

And here's a random paper on the subject.

Posted on December 2, 2008 at 7:53 AM | 23 Comments


Communications During Terrorist Attacks are Not Bad

Twitter was a vital source of information in Mumbai:

News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.

The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city. Although the chatter cannot be verified immediately and often reflects the chaos on the streets, it is becoming the fastest source of information for those seeking unfiltered news from the scene.

But we simply have to be smarter than this:

In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.

And this morning, Twitter users said that Indian authorities were asking users to stop updating the site for security reasons.

One person wrote: "Police reckon tweeters giving away strategic info to terrorists via Twitter".

Another link:

I can't stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn't be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.

This fear is exactly backwards. During a terrorist attack -- during any crisis situation, actually -- the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.

Posted on December 1, 2008 at 12:02 PM | 40 Comments


Lessons from Mumbai

I'm still reading about the Mumbai terrorist attacks, and I expect it'll be a long time before we get a lot of the details. What we know is horrific, and my sympathy goes out to the survivors of the dead (and the injured, who often seem to get ignored as people focus on death tolls). Without discounting the awfulness of the events, I have some initial observations:

  • Low-tech is very effective. Movie-plot threats -- terrorists with crop dusters, terrorists with biological agents, terrorists targeting our water supplies -- might be what people worry about, but a bunch of trained (we don't really know yet what sort of training they had, but it's clear that they had some) men with guns and grenades is all they needed.

  • At the same time, the attacks were surprisingly ineffective. I can't find exact numbers, but it seems there were about 18 terrorists. The latest toll is 195 dead, 235 wounded. That's 11 dead, 13 wounded, per terrorist. As horrible as the reality is, that's much less than you might have thought if you imagined the movie in your head. Reality is different from the movies.

  • Even so, terrorism is rare. If a bunch of men with guns and grenades is all they really need, then why isn't this sort of terrorism more common? Why not in the U.S., where it's easy to get hold of weapons? It's because terrorism is very, very rare.

  • Specific countermeasures don't help against these attacks. None of the high-priced countermeasures that defend against specific tactics and specific targets made, or would have made, any difference: photo ID checks, confiscating liquids at airports, fingerprinting foreigners at the border, bag screening on public transportation, anything. Even metal detectors and threat warnings didn't do any good:

    "If I look at what we had, which all of us complained about, it could not have stopped what took place," he told CNN. "It's ironic that we did have such a warning, and we did have some measures."

    He said people were told to park away from the entrance and had to go through a metal detector. But he said the attackers came through a back entrance.

    "They knew what they were doing, and they did not go through the front. All of our arrangements are in the front," he said.

If there's any lesson in these attacks, it's not to focus too much on the specifics of the attacks. Of course, that's not the way we're programmed to think. We respond to stories, not analysis. I don't mean to be unsympathetic; this tendency is human and these deaths are really tragic. But 18 armed people intent on killing lots of innocents will be able to do just that, and last-line-of-defense countermeasures won't be able to stop them. Intelligence, investigation, and emergency response. We have to find and stop the terrorists before they attack, and deal with the aftermath of the attacks we don't stop. There really is no other way, and I hope that we don't let the tragedy lead us into unwise decisions about how to deal with terrorism.

Posted on December 1, 2008 at 8:03 AM | 140 Comments


Friday Squid Blogging: Cooking a Humboldt Squid

I thought that large squid were too chewy and not very tasty, but this person cooked a 30-pound Humboldt squid.

Posted on November 28, 2008 at 4:09 PM | 9 Comments


Terrorism Survival Bundle for Windows Mobile

Seems not to be a joke.

Posted on November 28, 2008 at 11:39 AM | 42 Comments


1941 Pencil-and-Paper Cipher

Fascinating photo and explanation.

Posted on November 28, 2008 at 6:30 AM | 29 Comments


FBI Stoking Fear

Another unsubstantiated terrorist plot:

An internal memo obtained by The Associated Press says the FBI has received a "plausible but unsubstantiated" report that al-Qaida terrorists in late September may have discussed attacking the subway system.

[...]

The internal bulletin says al-Qaida terrorists "in late September may have discussed targeting transit systems in and around New York City. These discussions reportedly involved the use of suicide bombers or explosives placed on subway/passenger rail systems," according to the document.

"We have no specific details to confirm that this plot has developed beyond aspirational planning, but we are issuing this warning out of concern that such an attack could possibly be conducted during the forthcoming holiday season," according to the warning dated Tuesday.

[...]

Rep. Peter King, the top Republican on the House Homeland Security Committee, said authorities "have very real specifics as to who it is and where the conversation took place and who conducted it."

"It certainly involves suicide bombing attacks on the mass transit system in and around New York and it's plausible, but there's no evidence yet that it's in the process of being carried out," King said.

Knocke, the DHS spokesman, said the warning was issued "out of an abundance of caution going into this holiday season."

Got that: "plausible but unsubstantiated," "may have discussed attacking the subway system," "specific details to confirm that this plot has developed beyond aspirational planning," "attack could possibly be conducted," "it's plausible, but there's no evidence yet that it's in the process of being carried out."

I have no specific details, but I want to warn everybody today that fiery rain might fall from the sky. Terrorists may have discussed this sort of tactic, possibly at one of their tequila-fueled aspirational planning sessions. While there is no evidence yet that the plan is in the process of being carried out, I want to be extra-cautious this holiday season. Ho ho ho.

Posted on November 27, 2008 at 12:27 PM | 47 Comments



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
