September 22nd, 2017

Posted by Bruce Schneier

The Boston Red Sox admitted to eavesdropping on the communications channel between catcher and pitcher.

Stealing signs is believed to be particularly effective when there is a runner on second base who can both watch what hand signals the catcher is using to communicate with the pitcher and can easily relay to the batter any clues about what type of pitch may be coming. Such tactics are allowed as long as teams do not use any methods beyond their eyes. Binoculars and electronic devices are both prohibited.

In recent years, as cameras have proliferated in major league ballparks, teams have begun using the abundance of video to help them discern opponents' signs, including the catcher's signals to the pitcher. Some clubs have had clubhouse attendants quickly relay information to the dugout from the personnel monitoring video feeds.

But such information has to be rushed to the dugout on foot so it can be relayed to players on the field -- a runner on second, the batter at the plate -- while the information is still relevant. The Red Sox admitted to league investigators that they were able to significantly shorten this communications chain by using electronics. In what mimicked the rhythm of a double play, the information would rapidly go from video personnel to a trainer to the players.

This is ridiculous. The rules about what sorts of sign stealing are allowed and what sorts are not are arbitrary and unenforceable. My guess is that the only reason there aren't more complaints is because everyone does it.

The Red Sox responded in kind on Tuesday, filing a complaint against the Yankees claiming that the team uses a camera from its YES television network exclusively to steal signs during games, an assertion the Yankees denied.

Boston's mistake here was using a very conspicuous Apple Watch as a communications device. They need to learn to be more subtle, like everyone else.

September 21st, 2017


Hovertext:
I tried this on a seven year old and it didn't work. I think there might be a sweet spot, taking into account trustworthiness and writing ability. Alternatively, you could spend seven years being kind and honest to a nephew or niece, just so you can pull this off.

Today's News:

Hey geeks! We've sold 1/3 of all Seattle BAHFest tickets in just a few days. This one's definitely selling out, so buy soon if you want to lock in a spot!

We're also having a pre-show chat with me about Soonish. The tickets are just $1.

Posted by Bruce Schneier

The ISO has decided not to approve two NSA-designed block encryption algorithms: Speck and Simon. It's because the NSA is not trusted to put security ahead of surveillance:

A number of them voiced their distrust in emails to one another, seen by Reuters, and in written comments that are part of the process. The suspicions stem largely from internal NSA documents disclosed by Snowden that showed the agency had previously plotted to manipulate standards and promote technology it could penetrate. Budget documents, for example, sought funding to "insert vulnerabilities into commercial encryption systems."

More than a dozen of the experts involved in the approval process for Simon and Speck feared that if the NSA was able to crack the encryption techniques, it would gain a "back door" into coded transmissions, according to the interviews and emails and other documents seen by Reuters.

"I don't trust the designers," Israeli delegate Orr Dunkelman, a computer science professor at the University of Haifa, told Reuters, citing Snowden's papers. "There are quite a lot of people in NSA who think their job is to subvert standards. My job is to secure standards."

I don't trust the NSA, either.

September 20th, 2017


Hovertext:
How am I the only person who's considered this consequence?

Today's News:

We're now in our final month promoting Soonish. As ever, we really thank all of you who've preordered. I can't say everything, but those good early sales numbers have really opened some doors for us. So, thank you all!

posted by [syndicated profile] bruce_schneier_feed at 11:12am on 20/09/2017

Posted by Bruce Schneier

New York Times reporter Charlie Savage writes about some bad statistics we're all using:

Among surveillance legal policy specialists, it is common to cite a set of statistics from an October 2011 opinion by Judge John Bates, then of the FISA Court, about the volume of internet communications the National Security Agency was collecting under the FISA Amendments Act ("Section 702") warrantless surveillance program. In his opinion, declassified in August 2013, Judge Bates wrote that the NSA was collecting more than 250 million internet communications a year, of which 91 percent came from its Prism system (which collects stored e-mails from providers like Gmail) and 9 percent came from its upstream system (which collects transmitted messages from network operators like AT&T).

These numbers are wrong. This blog post will address, first, the widespread nature of this misunderstanding; second, how I came to FOIA certain documents trying to figure out whether the numbers really added up; third, what those documents show; and fourth, what I further learned in talking to an intelligence official. This is far too dense and weedy for a New York Times article, but should hopefully be of some interest to specialists.

Worth reading for the details.

September 19th, 2017
posted by [syndicated profile] savagelove_feed at 05:15pm on 19/09/2017

Posted by Dan Savage

Can a straight guy find love with a lady with a penis? by Dan Savage

I am a 35-year-old straight guy. I met a nice lady through the normal methods, and we hit it off and have grown closer. I think we are both considering "taking it to the next level." We are on the same intellectual wavelength, enjoy the same social experiences, and have a lot of fun together. So what could be the problem? My friend decided it was the time to inform me that she is transgender, pre-op, and will not be having gender-reassignment surgery. This was quite a shock to me. I'm not homophobic, though I've never had a gay experience. I'm open-minded, yet there is a mental block. I like this person, I like our relationship thus far, and I want to continue this relationship. But I'm in a state of confusion.

Confused Over Complicating Knowledge

Lemme get this out of way first, COCK: The nice lady isn't a man, so sex with her wouldn't be a "gay experience" and homophobia isn't the relevant term.

Moving on...

You're a straight guy, you're attracted to women, and some women—as you now know—have dicks. Are you into dick? Could you develop a taste for dick? Could you see yourself making an exception for her dick? It's fine if "no" is the answer to one or all of these questions, COCK, and not being into dick doesn't make you transphobic. Evan Urquhart, who writes about trans issues for Slate, argues that in addition to being gay, straight, bi, pan, demi, etc., some people are phallophiles and some are vaginophiles—that is, some people (perhaps most) have a strong preference for either partners with dicks or partners with vaginas. And some people—most people—want their dicks on men and their labia on/vaginas in women.

"There's no shame in it, as long as it doesn't come from a place of ignorance or hate," Urquhart writes. "Mature adults should be able to talk plainly about their sexuality, particularly with prospective partners, in a way that doesn't objectify or shame anyone who happens to be packing the non-preferred equipment."

Some straight guys are really into dick (trans women with male partners usually aren't partnered with gay men, and trans women who do sex work typically don't have any gay male clients), some straight guys are willing to make an exception for a particular dick (after falling in love with a woman who has one), but most straight guys aren't into dick (other than their own).

Since you're confused about what to do, COCK, I would encourage you to continue dating this woman, keep an open mind, and keep taking things slow. You've got new information to process, and some things—or one thing—to think about before taking this relationship to the next level. But don't drag it out. If you conclude that the dick is a deal breaker, end this relationship with compassion and alacrity. You don't want to keep seeing her "to be nice" if you know a relationship isn't possible. Because letting someone live in false hope is always a dick move.


A few months ago, I started dating someone. I made it clear early on that I didn't feel comfortable being in a nonmonogamous relationship. They said that's not usually what they're into but they weren't interested in seeing anyone else and they had no problem being monogamous. It's not that I don't trust them, and they've never given any indication that they're unhappy with our arrangement, but I can't shake the fears that, though they won't admit it (maybe even to themselves), they'd prefer it if our relationship were more open and I'm taking something important away from them. Can someone who usually doesn't "do" monogamy feel fulfilled in a "closed" relationship? Can it work out, or will they just slowly grow to resent me for this?

Deliriously Anxious Monogamist Nervously Inquires Today

If you stay together forever—what most people mean by "work out"—your partner will definitely grow to resent you. It could be for this reason, DAMNIT, or for some other reason, but all people in long-term relationships resent their partners for something. If it’s not monogamy, it’ll be something else. And if monogamy is the price of admission this person is willing to pay right now, let them pay it. There are a lot of people out there in closed relationships who would rather be in open ones and vice versa. And remember: What works for you as a couple—and what you want as an individual—can change over time. Resentments too.


My relationship with my husband is bad. We have been together for twelve years, and we were married for eight years before getting divorced last year. We have small kids. We reconciled four months after the divorce, despite the affair I had. I have a history of self-sabotage, but in my relationship with him, it has become near constant. Everyone thinks I'm a smart and kind person that occasionally makes mistakes, but I'm not that person with him. With him, I'm awful. I make promises I don't keep and I don't do the right things to make him feel loved even though I do loving things. We have been in couples therapy a number of times, but I always derail the process. I have been in therapy solo a number of times with similar results. I always get the therapists on my side and no real change happens. I want to change but I haven't. I want to stop hurting him but I keep doing it. He doesn't feel like I have ever really fought for him or the relationship. Why can't I change?

My Enraging Self-Sabotaging Yearnings

It's unlikely I'll be able to do for you in print what three couples counselors and all those therapists couldn't do for you in person, i.e., help you change your ways—if, indeed, it's your ways that require changing. Have you ever entertained the thought that maybe there's a reason every counselor or therapist you see winds up taking your side? Is it possible that you're not the problem? Are you truly awful, MESSY, or has your husband convinced you that you're awful in order to have the upper hand in your relationship? (Yeah, yeah, you had an affair. Lots of people do and lots of marriages survive them.)

If you're not being manipulated—if you're not the victim of an expert gaslighter—and you're awful and all your efforts to change have been in vain, MESSY, perhaps you should stop trying. You are who you are, your husband knows who you are, and if he wants to be with you, as awful as you are (or as awful as he's managed to convince you that you are), that's his choice and he needs to take some responsibility for it. By "stop trying" I don't mean you should stop making an effort to be a better person or a more loving partner—we should all constantly strive to be better people and more loving partners—but you can't spend the rest of your life on a therapist's couch. Or the rack.

If you truly make your husband miserable, he should leave you. If your marriage makes you miserable (or if he does), you should leave him. But if neither of you is going anywhere, MESSY, then you'll both just have to make the best of your messy selves and your messy marriage.


On the Lovecast, Dan chats with Slate writer Mark Joseph Stern about left-wing anti-Semitism: savagelovecast.com.

mail@savagelove.net

@fakedansavage

ITMFA.org




Hovertext:
And you rode to the ball in a pumpkin? No wonder you were covered in orange slime.

Today's News:

New BAHFEST DAY! In which Beth Bearce proposes a new method of bosonoception:

posted by [syndicated profile] bruce_schneier_feed at 11:44am on 19/09/2017

Posted by Bruce Schneier

This is a good interview with Apple's SVP of Software Engineering about FaceID.

Honestly, I don't know what to think. I am confident that Apple is not collecting a photo database, but not optimistic that it can't be hacked with fake faces. I dislike the fact that the police can point the phone at someone and have it automatically unlock. So this is important:

I also quizzed Federighi about the exact way you "quick disabled" Face ID in tricky scenarios -- like being stopped by police, or being asked by a thief to hand over your device.

"On older phones the sequence was to click 5 times [on the power button], but on newer phones like iPhone 8 and iPhone X, if you grip the side buttons on either side and hold them a little while -- we'll take you to the power down [screen]. But that also has the effect of disabling Face ID," says Federighi. "So, if you were in a case where the thief was asking to hand over your phone -- you can just reach into your pocket, squeeze it, and it will disable Face ID. It will do the same thing on iPhone 8 to disable Touch ID."

That squeeze can be of either volume button plus the power button. This, in my opinion, is an even better solution than the "5 clicks" because it's less obtrusive. When you do this, it defaults back to your passcode.

More:

It's worth noting a few additional details here:

  • If you haven't used Face ID in 48 hours, or if you've just rebooted, it will ask for a passcode.
  • If there are 5 failed attempts to Face ID, it will default back to passcode. (Federighi has confirmed that this is what happened in the demo onstage when he was asked for a passcode -- it tried to read the people setting the phones up on the podium.)
  • Developers do not have access to raw sensor data from the Face ID array. Instead, they're given a depth map they can use for applications like the Snap face filters shown onstage. This can also be used in ARKit applications.
  • You'll also get a passcode request if you haven't unlocked the phone using a passcode or at all in 6.5 days and if Face ID hasn't unlocked it in 4 hours.

Also be prepared for your phone to immediately lock every time your sleep/wake button is pressed or it goes to sleep on its own. This is just like Touch ID.

Federighi also noted on our call that Apple would be releasing a security white paper on Face ID closer to the release of the iPhone X. So if you're a researcher or security wonk looking for more, he says it will have "extreme levels of detail" about the security of the system.
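The fallback rules quoted above interact in ways the prose makes easy to misread (the 6.5-day rule only bites when Face ID has also been idle for 4 hours; a correct passcode clears everything). The model below is an added example written for this page, not Apple's code or anything from the interview; it encodes only the rules as stated. Two readings are mine: the 48-hour idle clock is measured from the most recent unlock of either kind (keyed to Face ID alone, the first Face ID unlock after enrollment could never happen), and a correct passcode is taken to reset the failure counter and the squeeze-disable flag.

```python
"""Reference model of the Face ID passcode-fallback rules as quoted on this page.

Constructed example; it is not Apple's implementation, and timing values are the
ones stated in the interview, nothing more.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOUR = 3600.0
DAY = 24 * HOUR

MAX_FAILED_FACE_ATTEMPTS = 5      # "5 failed attempts to Face ID"
IDLE_LIMIT = 48 * HOUR            # "haven't used Face ID in 48 hours"
PASSCODE_STALE_AFTER = 6.5 * DAY  # "haven't unlocked ... using a passcode ... in 6.5 days"
FACE_RECENT_WINDOW = 4 * HOUR     # "... and if Face ID hasn't unlocked it in 4 hours"


@dataclass
class DeviceState:
    last_passcode_unlock: float               # seconds; a passcode is entered at setup
    last_face_unlock: Optional[float] = None  # None until Face ID succeeds once
    rebooted: bool = False                    # True from power-on until a passcode unlock
    failed_face_attempts: int = 0             # consecutive misses since the last unlock
    manually_disabled: bool = False           # side-button squeeze (5 clicks on older phones)


def passcode_required(s: DeviceState, now: float) -> Optional[str]:
    """Return why Face ID is refused at time `now`, or None if Face ID may be offered."""
    if s.manually_disabled:
        return "disabled by side-button squeeze"
    if s.rebooted:
        return "device was rebooted"
    if s.failed_face_attempts >= MAX_FAILED_FACE_ATTEMPTS:
        return "five failed Face ID attempts"
    # Assumption (mine, not the interview's): the 48-hour clock runs from the
    # last unlock of either kind, so Face ID can be used for the first time.
    last_unlock = max(s.last_passcode_unlock, s.last_face_unlock or 0.0)
    if now - last_unlock > IDLE_LIMIT:
        return "no unlock in 48 hours"
    # The 6.5-day rule is a conjunction: the passcode must be stale AND Face ID
    # must not have unlocked the device within the last 4 hours.
    passcode_stale = now - s.last_passcode_unlock > PASSCODE_STALE_AFTER
    face_recent = (s.last_face_unlock is not None
                   and now - s.last_face_unlock <= FACE_RECENT_WINDOW)
    if passcode_stale and not face_recent:
        return "no passcode in 6.5 days and no Face ID in the last 4 hours"
    return None


def try_face_unlock(s: DeviceState, now: float, face_matches: bool) -> Tuple[bool, Optional[str]]:
    """One Face ID attempt. Returns (unlocked, reason_passcode_is_now_required)."""
    reason = passcode_required(s, now)
    if reason is not None:
        return False, reason            # Face ID is not even offered
    if face_matches:
        s.last_face_unlock = now
        s.failed_face_attempts = 0
        return True, None
    s.failed_face_attempts += 1
    # The fifth consecutive miss flips the device to passcode-only.
    return False, passcode_required(s, now)


def passcode_unlock(s: DeviceState, now: float) -> None:
    """A correct passcode clears every fallback condition and restarts the clocks."""
    s.last_passcode_unlock = now
    s.rebooted = False
    s.failed_face_attempts = 0
    s.manually_disabled = False


def squeeze_side_buttons(s: DeviceState) -> None:
    """The quick-disable gesture: Face ID is refused until the passcode is entered."""
    s.manually_disabled = True


if __name__ == "__main__":
    t0 = 1_000_000.0
    s = DeviceState(last_passcode_unlock=t0)
    # Daily Face ID unlocks keep the passcode clock stale but Face ID alive...
    for d in range(1, 7):
        assert try_face_unlock(s, t0 + d * DAY, True) == (True, None)
    # ...until a gap longer than 4 hours after day 6.5 forces the passcode.
    print(passcode_required(s, t0 + 6.5 * DAY + 7 * HOUR))
```

The interesting case is the last one: a device unlocked by face every day never trips the 48-hour rule, yet on day 6.5 it still demands the passcode the first time Face ID has been idle for more than 4 hours.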

Here's more about fooling it with fake faces:

Facial recognition has long been notoriously easy to defeat. In 2009, for instance, security researchers showed that they could fool face-based login systems for a variety of laptops with nothing more than a printed photo of the laptop's owner held in front of its camera. In 2015, Popular Science writer Dan Moren beat an Alibaba facial recognition system just by using a video that included himself blinking.

Hacking FaceID, though, won't be nearly that simple. The new iPhone uses an infrared system Apple calls TrueDepth to project a grid of 30,000 invisible light dots onto the user's face. An infrared camera then captures the distortion of that grid as the user rotates his or her head to map the face's 3-D shape -- a trick similar to the kind now used to capture actors' faces to morph them into animated and digitally enhanced characters.

It'll be harder, but I have no doubt that it will be done.

More speculation.

I am not planning on enabling it just yet.

September 18th, 2017


Hovertext:
To see today's normal update, please just click back. Sorry for all the recent nags, but we're in the final month before book launch.

Today's News:


posted by [syndicated profile] bruce_schneier_feed at 11:58am on 18/09/2017

Posted by Bruce Schneier

A bunch of Bluetooth vulnerabilities are being reported, some pretty nasty.

BlueBorne concerns us because of the medium by which it operates. Unlike the majority of attacks today, which rely on the internet, a BlueBorne attack spreads through the air. This works similarly to the two less extensive vulnerabilities discovered recently in a Broadcom Wi-Fi chip by Project Zero and Exodus. The vulnerabilities found in Wi-Fi chips affect only the peripherals of the device, and require another step to take control of the device. With BlueBorne, attackers can gain full control right from the start. Moreover, Bluetooth offers a wider attack surface than WiFi, almost entirely unexplored by the research community and hence contains far more vulnerabilities.

Airborne attacks, unfortunately, provide a number of opportunities for the attacker. First, spreading through the air renders the attack much more contagious, and allows it to spread with minimum effort. Second, it allows the attack to bypass current security measures and remain undetected, as traditional methods do not protect from airborne threats. Airborne attacks can also allow hackers to penetrate secure internal networks which are "air gapped," meaning they are disconnected from any other network for protection. This can endanger industrial systems, government agencies, and critical infrastructure.

Finally, unlike traditional malware or attacks, the user does not have to click on a link or download a questionable file. No action by the user is necessary to enable the attack.

Fully patched Windows and iOS systems are protected; Linux coming soon.

September 17th, 2017


Hovertext:
Alternate formulation: kids have energy but no power. Adults have power, but are tired and would like to sit and drink coffee for a few hours.

Today's News:

Seattle BAHFest tickets are selling fast. Don't miss your chance to see me, Henry Reich, Sarah Andersen, and more!

September 16th, 2017
posted by [syndicated profile] smbc_comics_feed at 11:00am on 16/09/2017


Hovertext:
Now, tell Siri you're sorry for all those dirty pictures you made her send.

Today's News:

We have extraordinarily awesome lineups for this year's shows. I hope to see you there!

September 15th, 2017

Posted by Bruce Schneier

A new dental imagery method, using squid ink, light, and ultrasound.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted by Bruce Schneier

The Flannery family have caught four giant squid, two this year.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.
