www.schneier.com
Backdoor in XZ Utils That Almost Happened Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure piec
Breaking RSA with a Quantum Computer A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the o
John • June 15, 2022 7:05 AM hmm…. This came out of a computer and is not to be doubted or disbelieved! John BrooksT • June 15, 2022 8:44 AM The reporting on this has been terrible. It’s not really an Apple flaw, and it’s not a vulnerability so much as a flaw in a security feature. The design flaw is in the ARM v8.3 architecture, and it just happens that the M1 is the only commercial chip on that
New iPhone Zero-Day Discovered Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said “we were a bit surprised about who was targeted.” He said some of the targets were an executive from a telephone c
Security and Privacy Implications of Zoom Over the past few weeks, Zoom’s use has exploded since it became the video conferencing platform of choice in today’s COVID-19 world. (My own university, Harvard, uses it for all of its classes. Boris Johnson had a cabinet meeting over Zoom.) Over that same period, the company has been exposed for having both lousy privacy and lousy security. My goal here
Leaked NSA Hacking Tools In 2016, a hacker group calling itself the Shadow Brokers released a trove of 2013 NSA hacking tools and related documents. Most people believe it is a front for the Russian government. Since then, the vulnerabilities and tools have been used by both government and criminals, and put the NSA’s ability to secure its own cyberweapons seriously into question. Now we have lear
Real-Time Attacks Against Two-Factor Authentication Attackers are targeting two-factor authentication systems: Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails that were tailored to the targets’ level of operational security, researchers with security firm Certfa Lab said in a blog post. The email
More Spectre/Meltdown-Like Attacks Back in January, we learned about a class of vulnerabilities against microprocessors that leverages various performance and efficiency shortcuts for attack. I wrote that the first two attacks would be just the start: It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 yea
Chinese Supply Chain Hardware Attack Bloomberg is reporting about a Chinese espionage operation involving inserting a tiny chip into computer products made in China. I’ve written about (alternate link) this threat more generally. Supply-chain security is an insurmountably hard problem. Our IT industry is inexorably international, and anyone involved in the process can subvert the security of the e
Two NSA Algorithms Rejected by the ISO The ISO has rejected two symmetric encryption algorithms: SIMON and SPECK. These algorithms were both designed by the NSA and made public in 2013. They are optimized for small and low-cost processors like IoT devices. The risk of using NSA-designed ciphers, of course, is that they include NSA-designed backdoors. Personally, I doubt that they’re backdoored. An
New Spectre/Meltdown Variants Researchers have discovered new variants of Spectre and Meltdown. The software mitigations for Spectre and Meltdown seem to block these variants, although the eventual CPU fixes will have to be expanded to account for these new attacks. Tags: academic papers, hardware, malware Who? • February 21, 2018 7:01 AM As said some days ago, I am testing Spectre/Meltdown fixes
More on Kaspersky and the Stolen NSA Attack Tools Both the New York Times and the Washington Post are reporting that Israel has penetrated Kaspersky’s network and detected the Russian operation. From the New York Times: Israeli intelligence officers informed the NSA that, in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to
Apple's FaceID This is a good interview with Apple’s SVP of Software Engineering about FaceID. Honestly, I don’t know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it can’t be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important: I also quizzed Federigh
Someone Is Learning How to Take Down the Internet Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it fee
Frequent Password Changes Is a Bad Security Idea I’ve been saying for years that it’s bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC’s chief technologist, agrees: By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation
Why We Encrypt Encryption protects our data. It protects our data when it’s sitting on our computers and in data centers, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives. This protection is important for everyone. It’s easy to se
The US Intelligence Community has a Third Leaker Ever since the Intercept published this story about the US government’s Terrorist Screening Database, the press has been writing about a “second leaker”: The Intercept article focuses on the growth in U.S. government databases of known or suspected terrorist names during the Obama administration. The article cites documents prepared by the National
Heartbleed Heartbleed is a catastrophic bug in OpenSSL: “The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop co
Choosing Secure Passwords As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy. The best way to explain how to choose a good password is to explain how they’re broken. The general attack model is what’s known as an offline password-guessing attac
The Strange Story of Dual_EC_DRBG Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you should worry about a new random-number standard that includes a
The Japanese Response to Terrorism Lessons from Japan’s response to Aum Shinrikyo: Yet what’s as remarkable as Aum’s potential for mayhem is how little of it, on balance, they actually caused. Don’t misunderstand me: Aum’s crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable,
When Will We See Collisions for SHA-1? On a NIST-sponsored hash function mailing list, Jesse Walker (from Intel; also a member of the Skein team) did some back-of-the-envelope calculations to estimate how long it will be before we see a practical collision attack against SHA-1. I’m reprinting his analysis here, so it reaches a broader audience. According to E-BASH, the cost of one block of a SHA-1
Keccak is SHA-3 NIST has just announced that Keccak has been selected as SHA-3. It’s a fine choice. I’m glad that SHA-3 is nothing like the SHA-2 family; something completely different is good. Congratulations to the Keccak team. Congratulations—and thank you—to NIST for running a very professional, interesting, and enjoyable competition. The process has increased our understanding about the crypt
Did NSA Put a Secret Backdoor in New Encryption Standard? Bruce Schneier, Wired, November 15, 2007. Random numbers are critical for cryptography: for encryption keys, random authentication challenges, initialization vectors, nonces, key-agreement schemes, generating prime numbers and so on. Break the random-number generator, and most of the time you break the entire security system. Which is why you sh
SHA-3 to Be Announced NIST is about to announce the new hash algorithm that will become SHA-3. This is the result of a six-year competition, and my own Skein is one of the five remaining finalists (out of an initial 64). It’s probably too late for me to affect the final decision, but I am hoping for “no award.” It’s not that the new hash functions aren’t any good, it’s that we don’t really need on
So You Want to Be a Security Expert I regularly receive e-mail from people who want advice on how to learn more about computer security, either as a course of study in college or as an IT person considering it as a career choice. First, know that there are many subspecialties in computer security. You can be an expert in keeping systems from being hacked, or in creating unhackable software. You ca
Jonathan Lutz • August 1, 2011 1:01 PM The bitstream encryption on the Virtex IV and Virtex V FPGAs has also been successfully attacked. http://eprint.iacr.org/2011/391.pdf Nick P • August 1, 2011 1:15 PM @ Bruce Schneier Richard Steven Hack posted this on your blog a week or so ago I think. We discussed it a bit there. http://www.schneier.com/blog/archives/2011/07/members_of_anon.html#c564867 Jam
Societal Security Humans have a natural propensity to trust non-kin, even strangers. We do it so often, so naturally, that we don’t even realize how remarkable it is. But except for a few simplistic counterexamples, it’s unique among life on this planet. Because we are intelligently calculating and value reciprocity (that is, fairness), we know that humans will be honest and nice: not for any imme
Eavesdropping on GSM Calls It’s easy and cheap: Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software. The encryption is lousy: Several of