Bruce Schneier's Blog

A blog covering security and security technology.

Google Login Security for High-Risk Users

Mon, 10/30/2017 - 12:23
Google has a new login service for high-risk users. It's good, but unforgiving. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google's malware scanners will use a... Bruce Schneier
Categories: Security News

Friday Squid Blogging: Steel Mesh Giant Squid Used as Artificial Reef

Fri, 10/27/2017 - 16:28
Researchers in the British Virgin Islands have sunk a giant squid made out of steel mesh to serve as an artificial reef. As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Security News

FBI Increases Its Anti-Encryption Rhetoric

Fri, 10/27/2017 - 14:45
Earlier this month, Deputy Attorney General Rod Rosenstein gave a speech warning that a world with encryption is a world without law -- or something like that. The EFF's Kurt Opsahl takes it apart pretty thoroughly. Last week, FBI Director Christopher Wray said much the same thing. This is an idea that will not die.... Bruce Schneier
Categories: Security News

The Science of Interrogation

Thu, 10/26/2017 - 05:09
Fascinating article about two psychologists who are studying interrogation techniques. Now, two British researchers are quietly revolutionising the study and practice of interrogation. Earlier this year, in a meeting room at the University of Liverpool, I watched a video of the Diola interview alongside Laurence Alison, the university's chair of forensic psychology, and Emily Alison, a professional counsellor. My permission... Bruce Schneier
Categories: Security News

CSE Releases Malware Analysis Tool

Wed, 10/25/2017 - 06:07
The Communications Security Establishment of Canada -- basically, Canada's version of the NSA -- has released a suite of malware analysis tools: Assemblyline is described by CSE as akin to a conveyor belt: files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues. On the way out, every file is... Bruce Schneier
Categories: Security News

Reaper Botnet

Tue, 10/24/2017 - 06:01
It's based on the Mirai code, but much more virulent: While Mirai caused widespread outages, it impacted IP cameras and internet routers by simply exploiting their weak or default passwords. The latest botnet threat, known alternately as IoT Troop or Reaper, has evolved that strategy, using actual software-hacking techniques to break into devices instead. It's the difference between checking... Bruce Schneier
Categories: Security News

Hacking Back

Mon, 10/23/2017 - 06:16
Hacking back is a terrible idea that just will not die. Josephine Wolff takes apart the new hacking back bill that was introduced in the House recently.... Bruce Schneier
Categories: Security News

Friday Squid Blogging: "How the Squid Lost Its Shell"

Fri, 10/20/2017 - 16:24
Interesting essay by Danna Staaf, the author of Squid Empire. (I mentioned the book two weeks ago.) As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered. Read my blog posting guidelines here.... Bruce Schneier
Categories: Security News

Wondermark on Security

Fri, 10/20/2017 - 14:46
Another comic.... Bruce Schneier
Categories: Security News

Denuvo DRM Cracked within a Day of Release

Fri, 10/20/2017 - 09:17
Denuvo is probably the best digital-rights management system, used to protect computer games. It's regularly cracked within a day. If Denuvo can no longer provide even a single full day of protection from cracks, though, that protection is going to look a lot less valuable to publishers. But that doesn't mean Denuvo will stay effectively useless forever. The company has... Bruce Schneier
Categories: Security News

Security Flaws in Children's Smart Watches

Thu, 10/19/2017 - 09:18
The Norwegian Consumer Council has published a report detailing a series of security and privacy flaws in smart watches marketed to children. Press release. News article. This is the same group that found all those security and privacy vulnerabilities in smart dolls. EDITED TO ADD (10/21): Slashdot thread.... Bruce Schneier
Categories: Security News

IoT Cybersecurity: What's Plan B?

Wed, 10/18/2017 - 09:58
In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded... Bruce Schneier
Categories: Security News

Security Flaw in Infineon Smart Cards and TPMs

Tue, 10/17/2017 - 09:24
A security flaw in Infineon smart cards and TPMs allows an attacker to recover private keys from the public keys. Basically, the key generation algorithm sometimes creates public keys that are vulnerable to Coppersmith's attack: While all keys generated with the library are much weaker than they should be, it's not currently practical to factorize all of them. For example,... Bruce Schneier
Categories: Security News