Bruce Schneier – WindowsTechs.com

New Lattice Cryptanalytic Technique

Posted on April 15, 2024 by Bruce Schneier

A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems.

A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms for lattice problems were discovered, but they turned out not being correct or only worked for simple special cases.”

Two, this is a quantum algorithm, which means that it has not been tested. There is a wide gulf between quantum algorithms in theory and in practice. And until we can actually code and test these algorithms, we should be suspicious of their speed and complexity claims…

Continue reading New Lattice Cryptanalytic Technique→

Upcoming Speaking Engagements

Posted on April 14, 2024 by Bruce Schneier

This is a current list of where and when I am scheduled to speak:

I’m speaking twice at RSA Conference 2024 in San Francisco. I’ll be on a panel on software liability on May 6, 2024 at 8:30 AM, and I’m giving a keynote on AI and demo… Continue reading Upcoming Speaking Engagements→

Friday Squid Blogging: The Awfulness of Squid Fishing Boats

Posted on April 12, 2024 by Bruce Schneier

It’s a pretty awful story.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Continue reading Friday Squid Blogging: The Awfulness of Squid Fishing Boats→

Backdoor in XZ Utils That Almost Happened

Posted on April 11, 2024 by Bruce Schneier

Last week, the internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it…

Continue reading Backdoor in XZ Utils That Almost Happened→

In Memoriam: Ross Anderson, 1956-2024

Posted on April 10, 2024 by Bruce Schneier

Last week I posted a short memorial of Ross Anderson. The Communications of the ACM asked me to expand it. Here’s the longer version.
EDITED TO ADD (4/11): Two weeks before he passed away, Ross gave an 80-minute interview where he told his life s… Continue reading In Memoriam: Ross Anderson, 1956-2024→

US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack

Posted on April 9, 2024 by Bruce Schneier

US Cyber Safety Review Board released a report on the summer 2023 hack of Microsoft Exchange by China. It was a serious attack by the Chinese government that accessed the emails of senior U.S. government officials.

From the executive summary:

The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations. The Board reaches this conclusion based on:…

Continue reading US Cyber Safety Review Board on the 2023 Microsoft Exchange Hack→

Security Vulnerability of HTML Emails

Posted on April 8, 2024 by Bruce Schneier

This is a newly discovered email vulnerability:

The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in your inbox, it changed. The innocent pretext disappeared and the real phishing email became visible. A phishing email you had to trust because you knew the sender and they even confirmed that they had forwarded it to you.

This attack is possible because most email clients allow CSS to be used to style HTML emails. When an email is forwarded, the position of the original email in the DOM usually changes, allowing for CSS rules to be selectively applied only when an email has been forwarded…

Continue reading Security Vulnerability of HTML Emails→

Friday Squid Blogging: SqUID Bots

Posted on April 5, 2024 by Bruce Schneier

They’re AI warehouse robots.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
Continue reading Friday Squid Blogging: SqUID Bots→

Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed

Posted on April 5, 2024 by Bruce Schneier

It seems that the FCC might be fixing the vulnerabilities in SS7 and the Diameter protocol:

On March 27 the commission asked telecommunications providers to weigh in and detail what they are doing to prevent SS7 and Diameter vulnerabilities from being misused to track consumers’ locations.

The FCC has also asked carriers to detail any exploits of the protocols since 2018. The regulator wants to know the date(s) of the incident(s), what happened, which vulnerabilities were exploited and with which techniques, where the location tracking occurred, and if known the attacker’s identity…

Continue reading Maybe the Phone System Surveillance Vulnerabilities Will Be Fixed→

Surveillance by the New Microsoft Outlook App

Posted on April 4, 2024 by Bruce Schneier

The ProtonMail people are accusing Microsoft’s new Outlook for Windows app of conducting extensive surveillance on its users. It shares data with advertisers, a lot of data:

The window informs users that Microsoft and those 801 third parties use their data for a number of purposes, including to:

Store and/or access information on the user’s device

Develop and improve products

Personalize ads and content

Measure ads and content

Derive audience insights

Obtain precise geolocation data

Identify users through device scanning

Commentary.

… Continue reading Surveillance by the New Microsoft Outlook App→