I wrote about the DHS's color-coded threat alert system in 2003, in Beyond Fear: The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is...

Using a 3D printer. Impressive. At the end of the day he talked the officers into trying the key on their handcuffs and … it did work! At least the Dutch Police now knows there is a plastic key on the market that will open their handcuffs. A plastic key undetectable by metal detectors…....

Skein is one of the 14 SHA-3 candidates chosen by NIST to advance to the second round. As part of the process, NIST allowed the algorithm designers to implement small "tweaks" to their algorithms. We've tweaked the rotation constants of Skein. This change does not affect Skein's performance in any way. The revised Skein paper contains the new rotation constants,...

Back in 2002, science fiction author Robert J. Sawyer wrote an essay about the trade-off between privacy and security, and came out in favor of less privacy. I disagree with most of what he said, and have written pretty much the opposite essay -- and others on the value of privacy and the future of privacy -- several times since...

It's a mushroom: Pseudocolus fusiformis....

Here's a video of a talk I gave at an OWASP meeting in August....

Me from 2006....

On September 30, 2001, I published a special issue of Crypto-Gram discussing the terrorist attacks. I wrote about the novelty of the attacks, airplane security, diagnosing intelligence failures, the potential of regulating cryptography -- because it could be used by the terrorists -- and protecting privacy and liberty. Much of what I wrote is still relevant today: Appalled by the...

File deletion is all about control. This used to not be an issue. Your data was on your computer, and you decided when and how to delete a file. You could use the delete function if you didn't care about whether the file could be recovered or not, and a file erase program -- I use BCWipe for Windows --...

The BBC has a video demonstration of a 16-ounce bottle of liquid blowing a hole in the side of a plane. I know no more details other than what's in the video....

Three of the UK liquid bombers were convicted Monday. NSA-intercepted e-mail was introduced as evidence in the trial: The e-mails, several of which have been reprinted by the BBC and other publications, contained coded messages, according to prosecutors. They were intercepted by the NSA in 2006 but were not included in evidence introduced in a first trial against the three...

Interesting video: A new class of global actors is playing an increasingly important role in globalization: smugglers, warlords, guerrillas, terrorists, gangs, and bandits of all stripes. Since the end of the Cold War, the global illicit economy has consistently grown at twice the rate of the licit global economy. Increasingly, illicit actors will represent not just an economic but a...

Very interesting hour-long interview. Australian-born David Kilcullen was the senior advisor to US General David Petraeus during his time in Iraq, advising on counterinsurgency. The implementation of his strategies are now regarded as a major turning point in the war. Here, in a fascinating discussion with human rights lawyer Julian Burnside at the Melbourne Writers' Festival, he talks about the...

Fascinating video....

Blog post from Ed Felten: Usually when the threat model mentions subpoenas, the bigger threats in reality come from malicious intruders or insiders. The biggest risk in storing my documents on CloudCorp's servers is probably that somebody working at CloudCorp, or a contractor hired by them, will mess up or misbehave. So why talk about subpoenas rather than intruders or...

If there's actually a cult out there, I want to hear about it. In an essay by that name, John Viega writes about the dangers of relying on Applied Cryptography to design cryptosystems: But, after many years of evaluating the security of software systems, I'm incredibly down on using the book that made Bruce famous when designing the cryptographic aspects...

Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant. So a...

Blog post from Steve Bellovin: It is vital that the keystream values (a) be truly random and (b) never be reused. The Soviets got that wrong in the 1940s; as a result, the U.S. Army's Signal Intelligence Service was able to read their spies' traffic in the Venona program. The randomness requirement means that the values cannot be generated by...

Good article, which basically says our policies are based more on fear than on reality. On cyber-terrorism: So why is there so much concern about “cyber-terrorism”? Answering a question with a question: who frames the debate? Much of the data are gathered by ultra-secretive government agencies—which need to justify their own existence—and cyber-security companies—which derive commercial benefits from popular anxiety....

Interesting: So how many bits are in this instance of H1N1? The raw number of bits, by my count, is 26,022; the actual number of coding bits approximately 25,054 -- I say approximately because the virus does the equivalent of self-modifying code to create two proteins out of a single gene in some places (pretty interesting stuff actually), so it’s...