national security policy – WindowsTechs.com

The Scale of Geoblocking by Nation

Posted on November 22, 2024 by Bruce Schneier

Interesting analysis:

We introduce and explore a little-known threat to digital equality and freedomwebsites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between free and paid websites, allowing trunk cables to repressive states, enforcing transparency in geoblocking, and removing ambiguity about sanctions compliance are concrete steps the U.S. can take to ensure it does not undermine its own aims.

The paper: “…

Continue reading The Scale of Geoblocking by Nation→

NIST Releases First Post-Quantum Encryption Algorithms

Posted on August 15, 2024 by Bruce Schneier

From the Federal Register:

After three rounds of evaluation and analysis, NIST selected four algorithms it will standardize as a result of the PQC Standardization Process. The public-key encapsulation mechanism selected was CRYSTALS-KYBER, along with three digital signature schemes: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

These algorithms are part of three NIST standards that have been finalized:

FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard
FIPS 204: Module-Lattice-Based Digital Signature Standard
FIPS 205: Stateless Hash-Based Digital Signature Standard…

Continue reading NIST Releases First Post-Quantum Encryption Algorithms→

Problems with Georgia’s Voter Registration Portal

Posted on August 7, 2024 by Bruce Schneier

It’s possible to cancel other people’s voter registrations:

On Friday, four days after Georgia Democrats began warning that bad actors could abuse the state’s new online portal for canceling voter registrations, the Secretary of State’s Office acknowledged to ProPublica that it had identified multiple such attempts…

…the portal suffered at least two security glitches that briefly exposed voters’ dates of birth, the last four digits of their Social Security numbers and their full driver’s license numbers—the exact information needed to cancel others’ voter registrations…

Continue reading Problems with Georgia’s Voter Registration Portal→

On the CSRB’s Non-Investigation of the SolarWinds Attack

Posted on July 8, 2024 by Bruce Schneier

ProPublica has a long investigative article on how the Cyber Safety Review Board failed to investigate the SolarWinds attack, and specifically Microsoft’s culpability, even though they were directed by President Biden to do so.
Continue reading On the CSRB’s Non-Investigation of the SolarWinds Attack→

James Bamford on Section 702 Extension

Posted on June 28, 2024 by Bruce Schneier

Longtime NSA-watcher James Bamford has a long article on the reauthorization of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
Continue reading James Bamford on Section 702 Extension→

The US Is Banning Kaspersky

Posted on June 26, 2024 by Bruce Schneier

This move has been coming for a long time.

The Biden administration on Thursday said it’s banning the company from selling its products to new US-based customers starting on July 20, with the company only allowed to provide software updates to existing customers through September 29. The ban—the first such action under authorities given to the Commerce Department in 2019—follows years of warnings from the US intelligence community about Kaspersky being a national security threat because Moscow could allegedly commandeer its all-seeing antivirus software to spy on its customers…

Continue reading The US Is Banning Kaspersky→

Espionage with a Drone

Posted on June 6, 2024 by Bruce Schneier

The US is using a World War II law that bans aircraft photography of military installations to charge someone with doing the same thing with a drone.
Continue reading Espionage with a Drone→

Microsoft and Security Incentives

Posted on April 23, 2024 by Bruce Schneier

Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft:

Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.

[…]

“The government needs to focus on encouraging and catalyzing competition,” Grotto said. He believes it also needs to publicly scrutinize Microsoft and make sure everyone knows when it messes up…

Continue reading Microsoft and Security Incentives→

Backdoor in XZ Utils That Almost Happened

Posted on April 11, 2024 by Bruce Schneier

Last week, the Internet dodged a major nation-state attack that would have had catastrophic cybersecurity repercussions worldwide. It’s a catastrophe that didn’t happen, so it won’t get much attention—but it should. There’s an important moral to the story of the attack and its discovery: The security of the global Internet depends on countless obscure pieces of software written and maintained by even more obscure unpaid, distractible, and sometimes vulnerable volunteers. It’s an untenable situation, and one that is being exploited by malicious actors. Yet precious little is being done to remedy it…

Continue reading Backdoor in XZ Utils That Almost Happened→

OpenAI Is Not Training on Your Dropbox Documents—Today

Posted on December 19, 2023 by Bruce Schneier

There’s a rumor flying around the Internet that OpenAI is training foundation models on your Dropbox documents.

Here’s CNBC. Here’s Boing Boing. Some articles are more nuanced, but there’s still a lot of confusion.

It seems not to be true. Dropbox isn’t sharing all of your documents with OpenAI. But here’s the problem: we don’t trust OpenAI. We don’t trust tech corporations. And—to be fair—corporations in general. We have no reason to.

Simon Willison nails it in a tweet:

“OpenAI are training on every piece of data they see, even when they say they aren’t” is the new “Facebook are showing you ads based on overhearing everything you say through your phone’s microphone.”…

Continue reading OpenAI Is Not Training on Your Dropbox Documents—Today→