Friday Squid Blogging: Squidmas Cards
Merry Squidmas.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Crowdstrike has an interesting blog post about how the Russian military is tracking Ukrainian field artillery units by compromising soldiers' smartphones and tracking them.
News article.
NIST is accepting proposals for public-key algorithms immune to quantum computing techniques. Details here. Deadline is the end of November 2017.
I applaud NIST for taking the lead on this, and for taking it now when there is no emergency and we have time to do this right.
Slashdot thread.
This Verge article isn't great, but we are certainly moving into a future where audio and video will be easy to fake, and easier to fake undetectably. This is going to make propaganda easier, with all of the ill effects we've already seen turned up to eleven.
I don't have a good solution for this.
A few days ago, I blogged an excellent essay by Filippo Valsorda on why he's giving up on PGP. Neal Walfield wrote a good rebuttal.
I am on Valsorda's side. I don't like PGP, and I use it as little as possible. If I want to communicate securely with someone, I use Signal.
The Encryption Working Group of the House Judiciary Committee and the House Energy and Commerce Committee has released its annual report.
Observation #1: Any measure that weakens encryption works against the national interest.
Observation #2: Encryption technology is a global technology that is widely and increasingly available around the world.
Observation #3: The variety of stakeholders, technologies, and other factors create different and divergent challenges with respect to encryption and the "going dark" phenomenon, and therefore there is no one-size-fits-all solution to the encryption challenge.
Observation #4: Congress should foster cooperation between the law enforcement community and technology companies.
Google has released Project Wycheproof, a test suite designed to test cryptographic libraries against a series of known attacks. From a blog post:
In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means.
The tool has already found over 40 security bugs in cryptographic libraries, which are (all? mostly?) currently being fixed.
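To show what "unit testing against known attacks" looks like in practice, here is a small, added example in the style of a Wycheproof test run. It is not code from the page or from Google's project: the vector layout (testGroups / tests / tcId / result) mirrors Wycheproof's JSON files, the two "valid" HMAC-SHA256 vectors are RFC 4231 test cases 1 and 2 quoted from memory, and the "invalid" vectors are constructed here by corrupting those tags. The harness runs the same vectors against a careful verifier and against a deliberately sloppy one, and the sloppy one is exactly the kind of bug a known-answer-only suite would never notice.

```python
import hmac
import hashlib
from typing import Callable, Dict, List

# Constructed vectors in a Wycheproof-like layout (not Wycheproof's own file).
# tcId 1-2: RFC 4231 test cases 1 and 2 (assumption: quoted from memory).
# tcId 3-5: derived from case 1 by corrupting the tag; a correct verifier must
# reject every one of them.
TEST_VECTORS: Dict = {
    "algorithm": "HMACSHA256",
    "testGroups": [{
        "tagSize": 256,
        "tests": [
            {"tcId": 1, "comment": "RFC 4231 case 1",
             "key": "0b" * 20, "msg": b"Hi There".hex(),
             "tag": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
             "result": "valid"},
            {"tcId": 2, "comment": "RFC 4231 case 2",
             "key": b"Jefe".hex(), "msg": b"what do ya want for nothing?".hex(),
             "tag": "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843",
             "result": "valid"},
            {"tcId": 3, "comment": "last bit of tag flipped",
             "key": "0b" * 20, "msg": b"Hi There".hex(),
             "tag": "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff6",
             "result": "invalid"},
            {"tcId": 4, "comment": "tag truncated to 16 bytes",
             "key": "0b" * 20, "msg": b"Hi There".hex(),
             "tag": "b0344c61d8db38535ca8afceaf0bf12b",
             "result": "invalid"},
            {"tcId": 5, "comment": "empty tag",
             "key": "0b" * 20, "msg": b"Hi There".hex(),
             "tag": "",
             "result": "invalid"},
        ],
    }],
}

Verifier = Callable[[bytes, bytes, bytes], bool]


def verify_hmac(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Careful verifier: full-length tag required, constant-time comparison."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    if len(tag) != len(expected):
        return False
    return hmac.compare_digest(expected, tag)


def verify_hmac_sloppy(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Deliberately buggy verifier: compares only as many bytes as the caller
    supplied, so a truncated or empty tag is accepted. This models a real bug
    class; the vectors above exist to catch it."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return expected[:len(tag)] == tag


def run_vectors(vectors: Dict, verify_fn: Verifier) -> Dict:
    """Run every test case through verify_fn and report mismatches between
    the verifier's accept/reject decision and the vector's expected result."""
    report: Dict = {"passed": 0, "failed": 0, "failures": []}
    for group in vectors["testGroups"]:
        for tc in group["tests"]:
            key, msg, tag = (bytes.fromhex(tc[k]) for k in ("key", "msg", "tag"))
            try:
                accepted = verify_fn(key, msg, tag)
            except Exception:
                accepted = False  # raising on bad input counts as rejection
            if tc["result"] == "acceptable":
                report["passed"] += 1  # Wycheproof: either outcome is tolerated
            elif accepted == (tc["result"] == "valid"):
                report["passed"] += 1
            else:
                report["failed"] += 1
                report["failures"].append(tc["tcId"])
    return report


if __name__ == "__main__":
    for name, fn in (("careful", verify_hmac), ("sloppy", verify_hmac_sloppy)):
        print(name, run_vectors(TEST_VECTORS, fn))
```

Run as-is: the careful verifier passes all five cases, while the sloppy one fails tcId 4 and 5, because it happily accepts a 16-byte or empty tag. That is the whole point of the approach: the positive known-answer vectors alone would have reported the sloppy verifier as correct.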
A film student put spyware on a smartphone and then allowed it to be stolen. He made a movie of the results.
EDITED TO ADD (12/20): Slashdot thread.
This would be a good idea, although I can't imagine countries like the US, China, and Russia going along with it -- at least not right now.
This is what passes for news these days.
As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.