DOCSLIB.ORG

Declaration of Bruce Schneier

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Declaration of Bruce Schneier Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 1 of 60 UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA ) UNITED TO PROTECT DEMOCRACY et al. ) ) Plaintiffs, ) v. ) Civil No. 17-02016 (RC) ) ) PRESIDENTIAL ADVISORY COMMISSION ) ON ELECTION INTEGRITY et al. ) ) ) Defendants. ) ) DECLARATION OF BRUCE SCHNEIER Laurence M. Schwartztol Danielle Conley (D.C. Bar #503345) (Pro hac vice pending) Lynn Eisenberg (D.C. Bar #1017511) Justin Florence (D.C. Bar #988953) Jason Hirsch ( Pro hac vice forthcoming) THE PROTECT DEMOCRACY PROJECT Michael Posada (Pro hac vice pending) 10 Ware Street WILMER CUTLER PICKERING Cambridge, MA 02138 HALE & DORR LLP (202) 856-9191 1875 Pennsylvania Avenue NW Washington, D.C. 20006 (202) 663 -6000 Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 2 of 60 DECLARATION OF BRUCE SCHNEIER I, Bruce Schneier, declare as follows: 1. I am a security technologist with expertise in how complex data systems can be secured against, or vulnerable to, hacking or other security breaches. 2. I have over 30 years of experience studying these issues as a scholar, engineer, consultant, writer, and public commentator. 3. I currently serve as Chief Technology Officer to IBM Resilient in Cambridge, MA. I am also currently a Lecturer at the John F. Kennedy School of Government at Harvard University, a Research Fellow in the Science, Technology, and Public Policy program at the Belfer Center for Science and International Affairs at the Kennedy School, and a Fellow in the Berkman Klein Center for Internet and Society at Harvard University. I currently serve as a board member for the Electronic Frontier Foundation, Access Now, and the Tor Project. I am also on the Advisory Board of the Electronic Privacy Information Center and VerifiedVoting.org. 4. I have authored or co-authored 14 books focusing on issues relating to cybersecurity and cryptology, including, most recently, Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World. I have written hundreds of articles in scholarly and popular publications on these issues. I have also testified numerous times before the US Congress and national legislative bodies in other countries on issues relating to data security. 5. I publish a blog, Schneier on Security, and a related electronic newsletter, Crypto-Gram, that focus on issues relating to data security. They are regularly read by over 250,000 people. 6. I received a Bachelor of Science from University of Rochester in 1984. In 1986, I earned my Masters in Science in Computer Science from American University. 7. My CV is attached hereto as Exhibit A. 8. I am aware that on June 28, 2017, the Presidential Advisory Commission on Election Integrity sent letters to state election officials around the country seeking voter registration data (“the June 28 letters”). It is my understanding that the letter asked those officials to provide, to the extent they were “publicly available” under state law, “the full first and last names of all registrants, middle names or initials if available, addresses, dates of birth, political party (if recorded in your state), last four digits of social security number if available, voter history (elections voted in) from 2006 onward, active/inactive status, cancelled status, information regarding any felony convictions, information regarding voter registration in another state, information regarding military status, and overseas citizen information.” 9. It is my opinion that any effort to collect records for millions or hundreds of millions of voters along the lines described in the Commission’s June 28 letters would create very Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 3 of 60 serious security concerns. The magnitude and probability of any harm flowing from the collection of that data would depend in significant part on front-end decisions regarding the transmission, storage, and maintenance of that data. 10. Assembling a national database of voter registration data creates very serious security risks. These risks take a number of forms. Criminals seeking to engage in identify theft may target such a significant aggregation of data involving personal information, including even partial Social Security Number information. Any number of actors, including nation-states, may seek the information to interfere with future elections. They could do this, for example, by examining voter registration patterns to plan hacking attacks against individual registration databases or voting systems. They might also leak falsified or altered records obtained from the database in order to manufacture uncertainty or lack of confidence in election systems—for example, by purporting to show that ineligible voters are participating in elections or that identifiable individuals are voting multiple times. Foreign intelligence services may also seek the data to further their interests in maintaining large databases of personal information on Americans for counterintelligence or espionage purposes. 11. The fact that the underlying data exists in some “publicly available” form does not mitigate these harms. The efficiency of accessing one database with millions or hundreds of millions of voter records differs by orders of magnitude from any existing channels to access the underlying data in a piecemeal fashion. 12. Pointing out these data risks does not mean that any effort to collect this information is equally vulnerable to these attacks. To the contrary, the systems in place to manage the data will carry tremendous significance in assessing the nature and extent of the risks inherent in assembling such a database. 13. If asked to assess the risks posed by an effort to collect the data described in the Commission’s June 28 letters, there are several factors I would assess. First, I would assess the system in place for states to transmit the data to the Commission. This would include the transmission protocols and systems, as well as the Commission’s intake procedures. Second, I would assess the infrastructure in place for storing the information. This includes how the database is configured, the underlying IT infrastructure for the database, access control procedures, and any encryption measures. Risks here are not just confidentiality, but integrity as well. Third, I would assess the protocols in place for accessing and using the information by members of the Commission, its staff, or others who may be granted access. This includes auditing and logging. Fourth, I would assess the protocols in place for sharing or cross-referencing the data with other actors within or outside the federal government. 14. The questions outlined above represent the kinds of considerations that most security technologists or data security experts would deem significant in assessing the risks associated with an effort to collect the data described in the June 28 letters. Different experts will surely approach those considerations in distinct ways and may reach different conclusions about the security risks posed by any particular approach. Nonetheless, without information setting forth the Commission’s approach to the questions outlined Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 4 of 60 above, members of the public are not equipped to understand or assess the extent to which the Commission’s data collection efforts put the public at risk. Under penalty of perjury, I declare that the foregoing is true and correct to the best of my knowledge and belief. Bruce Schneier Executed this 4th day of October, 2017 Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 5 of 60 Exhibit A Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 6 of 60 Bruce Schneier Contact: [email protected] Background Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 14 books—including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World—as well as hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and blog Schneier on Security are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient. Professional Experience 2016+, Chief Technology Officer, IBM Resilient (formerly Resilient: an IBM Company) and special advisor to IBM Security, Cambridge, MA. 2014–2016, Chief Technology Officer, Resilient Systems, Inc. (formerly called Co3 Systems, Inc.), Cambridge, MA. 2006–2013, Chief Security Technology Officer, British Telecom, London, UK. 1999–2006, Chief Technology Officer, Counterpane Internet Security, Inc., Cupertino, CA. 1993–1999, President, Counterpane Systems, Oak Park, IL and Minneapolis, MN. 1991–1993, Member of Technical Staff, AT&T Bell Labs., Schaumburg, IL. 1990, Director of Operations, Intelligent Resources Information Systems, Inc., Chicago, IL. 1987–1990, Program Manager, Space and Naval Warfare Systems Command, Arlington, VA. 1984–1987, Electronics Engineer, Naval Electronics Systems Security Engineering Center, Washington, DC. Case 1:17-cv-02016-RC Document 10-4 Filed 10/11/17 Page 7 of 60 Bruce Schneier CV: Academic Experience 2 Academic Experience 2016+, Lecturer, John F. Kennedy School of Government, Harvard University. 2016+, Research Fellow in the Science, Technology, and Public Policy program at the Belfer Center for Science and International Affairs, Kennedy School of Government, Harvard University. 2013+, Fellow, Berkman Klein Center for Internet and Society, Harvard University. Board Membership 2016+, Board Member, Tor Project, Cambridge, MA. 2013+, Board Member, Electronic Frontier Foundation, San Francisco, CA. 2004–2013, Board Member, Electronic Privacy Information Center, Washington DC.
Load more

Recommended publications
  • Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but Still Decide to Get in the Research
    Blockchain Beyond Cryptocurrency Or Is Private Chain a Hoax Or How I Lose Money in Bitcoin but still Decide to Get in the Research Hong Wan Edward P. Fitts Department of Industrial and Systems Engineering Sept 2019 In this talk: • Blockchain and trust • Different kinds of blockchain • Cases and Examples • Discussions First Things First https://images.app.goo.gl/JuNznV8dZKTaHWEf9 Disclaimer Block and Chain https://youtu.be/SSo_EIwHSd4 https://youtu.be/SSo_EIwHSd4 Blockchain Design Questions • Who can access data: Private vs. Public • Who can validate data/add block: Permissioned vs Permissionless • Consensus to be used: Trade-off among security and efficiency. https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwinjN2s7_DkAhXlmeAKHXxhAIUQjRx6BAgBEAQ&url=ht tps%3A%2F%2F101blockchains.com%2Fconsensus-algorithms-blockchain%2F&psig=AOvVaw23pKh4qS8W_xgyajJ3aFl9&ust=1569669093339830 Bad News First • “Private blockchains are completely uninteresting… -- the only reason to operate one is to ride on the blockchain hype…” Bruce Schneier Tonight we will talk about cryptocurrencies… .everything you don’t understand money combined by everything you don’t understand about computers…. Cryptocurrencies: Last Week Tonight with John Oliver (HBO) https://www.schneier.com/blog/archives/2019/02/blockchain_and_.html http://shorturl.at/ahsRU, shorturl.at/gETV2 https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&ved=2ahUKEwj- https://d279m997dpfwgl.cloudfront.net/wp/2017/11/Trustp72L7vDkAhVjQt8KHU18CjsQjRx6BAgBEAQ&url=https%3A%2F%2Fwww.wbur.org%2Fonpoint%2F2017%2F11%2F20%2Fwho-can-cropped.jpg-you-
    [Show full text]
  • Impossible Differentials in Twofish
    Twofish Technical Report #5 Impossible differentials in Twofish Niels Ferguson∗ October 19, 1999 Abstract We show how an impossible-differential attack, first applied to DEAL by Knudsen, can be applied to Twofish. This attack breaks six rounds of the 256-bit key version using 2256 steps; it cannot be extended to seven or more Twofish rounds. Keywords: Twofish, cryptography, cryptanalysis, impossible differential, block cipher, AES. Current web site: http://www.counterpane.com/twofish.html 1 Introduction 2.1 Twofish as a pure Feistel cipher Twofish is one of the finalists for the AES [SKW+98, As mentioned in [SKW+98, section 7.9] and SKW+99]. In [Knu98a, Knu98b] Lars Knudsen used [SKW+99, section 7.9.3] we can rewrite Twofish to a 5-round impossible differential to attack DEAL. be a pure Feistel cipher. We will demonstrate how Eli Biham, Alex Biryukov, and Adi Shamir gave the this is done. The main idea is to save up all the ro- technique the name of `impossible differential', and tations until just before the output whitening, and applied it with great success to Skipjack [BBS99]. apply them there. We will use primes to denote the In this report we show how Knudsen's attack can values in our new representation. We start with the be applied to Twofish. We use the notation from round values: [SKW+98] and [SKW+99]; readers not familiar with R0 = ROL(Rr;0; (r + 1)=2 ) the notation should consult one of these references. r;0 b c R0 = ROR(Rr;1; (r + 1)=2 ) r;1 b c R0 = ROL(Rr;2; r=2 ) 2 The attack r;2 b c R0 = ROR(Rr;3; r=2 ) r;3 b c Knudsen's 5-round impossible differential works for To get the same output we update the rule to com- any Feistel cipher where the round function is in- pute the output whitening.
    [Show full text]
  • NSA's Efforts to Secure Private-Sector Telecommunications Infrastructure
    Under the Radar: NSA’s Efforts to Secure Private-Sector Telecommunications Infrastructure Susan Landau* INTRODUCTION When Google discovered that intruders were accessing certain Gmail ac- counts and stealing intellectual property,1 the company turned to the National Security Agency (NSA) for help in securing its systems. For a company that had faced accusations of violating user privacy, to ask for help from the agency that had been wiretapping Americans without warrants appeared decidedly odd, and Google came under a great deal of criticism. Google had approached a number of federal agencies for help on its problem; press reports focused on the company’s approach to the NSA. Google’s was the sensible approach. Not only was NSA the sole government agency with the necessary expertise to aid the company after its systems had been exploited, it was also the right agency to be doing so. That seems especially ironic in light of the recent revelations by Edward Snowden over the extent of NSA surveillance, including, apparently, Google inter-data-center communications.2 The NSA has always had two functions: the well-known one of signals intelligence, known in the trade as SIGINT, and the lesser known one of communications security or COMSEC. The former became the subject of novels, histories of the agency, and legend. The latter has garnered much less attention. One example of the myriad one could pick is David Kahn’s seminal book on cryptography, The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet.3 It devotes fifty pages to NSA and SIGINT and only ten pages to NSA and COMSEC.
    [Show full text]
  • Rotational Cryptanalysis of ARX
    Rotational Cryptanalysis of ARX Dmitry Khovratovich and Ivica Nikoli´c University of Luxembourg [email protected], [email protected] Abstract. In this paper we analyze the security of systems based on modular additions, rotations, and XORs (ARX systems). We provide both theoretical support for their security and practical cryptanalysis of real ARX primitives. We use a technique called rotational cryptanalysis, that is universal for the ARX systems and is quite efficient. We illustrate the method with the best known attack on reduced versions of the block cipher Threefish (the core of Skein). Additionally, we prove that ARX with constants are functionally complete, i.e. any function can be realized with these operations. Keywords: ARX, cryptanalysis, rotational cryptanalysis. 1 Introduction A huge number of symmetric primitives using modular additions, bitwise XORs, and intraword rotations have appeared in the last 20 years. The most famous are the hash functions from MD-family (MD4, MD5) and their descendants SHA-x. While modular addition is often approximated with XOR, for random inputs these operations are quite different. Addition provides diffusion and nonlinearity, while XOR does not. Although the diffusion is relatively slow, it is compensated by a low price of addition in both software and hardware, so primitives with relatively high number of additions (tens per byte) are still fast. The intraword rotation removes disbalance between left and right bits (introduced by the ad- dition) and speeds up the diffusion. Many recently design primitives use only XOR, addition, and rotation so they are grouped into a single family ARX (Addition-Rotation-XOR).
    [Show full text]
  • Almost Gone: the Vanishing Fourth Amendment's Allowance Of
    GEE- TO PRINT (DO NOT DELETE) 5/21/2019 4:05 PM ALMOST GONE: THE VANISHING FOURTH AMENDMENT’S ALLOWANCE OF STINGRAY SURVEILLANCE IN A POST-CARPENTER AGE HARVEY GEE* TABLE OF CONTENTS I. FOURTH AMENDMENT JURISPRUDENCE AND THE LACK OF POLICE ACCOUNTABILITY IN TRAFFIC STOPS .......... 412 II. BEYOND TERRY V. OHIO: FROM ONE-ON-ONE ENCOUNTERS TO PROACTIVE LARGE-SCALE STOP AND FRISKS ON THE STREETS WITHIN A POLICE STATE ......................................................................................... 417 III. DIGITAL UPGRADE: SURVEILLANCE STATE TECHNOLOGY AND REFRAMING THE SUPREME COURT’S FOURTH AMENDMENT JURISPRUDENCE ........ 420 A. CARPENTER V. UNITED STATES: POSITIONING A RESILIENT FOURTH AMENDMENT ON A PRO-PRIVACY TRAJECTORY IN THE DIGITAL AGE ............................................................. 423 IV. PRIVACY AND THE FOURTH AMENDMENT AFTER CARPENTER: ARGUING AGAINST THE UNCONSTITUTIONAL USE OF STINGRAY SURVEILLANCE TECHNOLOGY ........................................... 430 * The author is an attorney in San Francisco. He previously served as an Attorney with the Office of the Federal Public Defender in Las Vegas and Pittsburgh, the Federal Defenders of the Middle District of Georgia, and the Office of the Colorado State Public Defender. LL.M, The George Washington University Law School; J.D., St. Mary’s School of Law; B.A., Sonoma State University. The author thanks Taylor Francis, Elvira Razzano, Austin Smith, and the Southern California Review of Law and Social Justice for their assistance and hard work in the preparation of this article. 409 410 REVIEW OF LAW AND SOCIAL JUSTICE [Vol. 28:3 A. THE SECRET USE OF STINGRAY SURVEILLANCE TECHNOLOGY BY LAW ENFORCEMENT ................................ 431 B. CALLS FOR A WARRANT REQUIREMENT FOR THE USE OF STINGRAY CELL-SITE SIMULATORS FROM LEGAL SCHOLARS ............................................................................
    [Show full text]
  • A Matter of Security, Privacy and Trust
    A matter of security, privacy and trust: A study of the principles and values of encryption in New Zealand Michael Dizon Ryan Ko Wayne Rumbles Patricia Gonzalez Philip McHugh Anthony Meehan Acknowledgements This study was funded by grants from the New Zealand Law Foundation and the University of Waikato. We would like to express our gratitude to our project collaborators and members of the Advisory Board – Prof Bert-Jaap Koops (Tilburg University), Prof Lyria Bennett Moses (UNSW Sydney), Prof Alana Maurushat (Western Sydney University), and Associate Professor Alex Sims (University of Auckland) – for their support as well as feedback on specific parts of this report. We would also like to thank Patricia Gonzalez, Joseph Graddy, Philip McHugh, Anthony Meehan, Jean Murray and Peter Upson for their valuable research assistance and other contributions to this study. Michael Dizon, Ryan Ko and Wayne Rumbles Principal investigators December 2019 Executive summary Cybersecurity is crucial for ensuring the safety and well-being of the general public, businesses, government, and the country as a whole. New Zealand has a reasonably comprehensive and well-grounded legal regime and strategy for dealing with cybersecurity matters. However, there is one area that deserves further attention and discussion – encryption. Encryption is at the heart of and underpins many of the technologies and technical processes used for computer and network security, but current laws and policies do not expressly cover this significant technology. The principal objective of this study is to identify the principles and values of encryption in New Zealand with a view to informing future developments of encryption- related laws and policies.
    [Show full text]
  • State of the Art in Lightweight Symmetric Cryptography
    State of the Art in Lightweight Symmetric Cryptography Alex Biryukov1 and Léo Perrin2 1 SnT, CSC, University of Luxembourg, [email protected] 2 SnT, University of Luxembourg, [email protected] Abstract. Lightweight cryptography has been one of the “hot topics” in symmetric cryptography in the recent years. A huge number of lightweight algorithms have been published, standardized and/or used in commercial products. In this paper, we discuss the different implementation constraints that a “lightweight” algorithm is usually designed to satisfy. We also present an extensive survey of all lightweight symmetric primitives we are aware of. It covers designs from the academic community, from government agencies and proprietary algorithms which were reverse-engineered or leaked. Relevant national (nist...) and international (iso/iec...) standards are listed. We then discuss some trends we identified in the design of lightweight algorithms, namely the designers’ preference for arx-based and bitsliced-S-Box-based designs and simple key schedules. Finally, we argue that lightweight cryptography is too large a field and that it should be split into two related but distinct areas: ultra-lightweight and IoT cryptography. The former deals only with the smallest of devices for which a lower security level may be justified by the very harsh design constraints. The latter corresponds to low-power embedded processors for which the Aes and modern hash function are costly but which have to provide a high level security due to their greater connectivity. Keywords: Lightweight cryptography · Ultra-Lightweight · IoT · Internet of Things · SoK · Survey · Standards · Industry 1 Introduction The Internet of Things (IoT) is one of the foremost buzzwords in computer science and information technology at the time of writing.
    [Show full text]
  • Episode 230: Click Here to Kill Everybody
    Episode 230: Click Here to Kill Everybody Stewart Baker: [00:00:03] Welcome to Episode 230 of The Cyberlaw Podcast brought to you by Steptoe & Johnson. We are back and full of energy. Thank you for joining us. We're lawyers talking about technology, security, privacy, and government. And if you want me to talk about hiking through the rain forest of Costa Rica and just how tough my six-year-old granddaughter is, I'm glad to do that too. But today I'm joined by our guest interviewee Bruce Schneier, an internationally renowned technologist, privacy and security guru, and the author of the new book, Click Here to Kill Everybody: Security and Survival in a Hyper-Connected World. We'll be talking to him shortly. For the News Roundup, we have Jamil Jaffer, who's the founder of the estimable and ever-growing National Security Institute. He's also an adjunct professor at George Mason University. Welcome, Jamil. Jamil Jaffer: [00:00:57] Thanks, Stewart. Good to be here. Stewart Baker: [00:00:58] And David Kris, formerly the assistant attorney general in charge of the Justice Department's National Security Division. David, welcome. David Kris: [00:01:07] Thank, you. Good to be here. Stewart Baker: [00:01:08] And he is with his partner in their latest venture, Nate Jones, veteran of the Justice Department, the National Security Council, and Microsoft where he was an assistant general counsel. Nate, welcome. Nate Jones: [00:01:23] Thank you. Stewart Baker: [00:01:25] I'm Stewart Baker, formerly with the NSA and DHS and the host of today's program.
    [Show full text]
  • Security Evaluation of the K2 Stream Cipher
    Security Evaluation of the K2 Stream Cipher Editors: Andrey Bogdanov, Bart Preneel, and Vincent Rijmen Contributors: Andrey Bodganov, Nicky Mouha, Gautham Sekar, Elmar Tischhauser, Deniz Toz, Kerem Varıcı, Vesselin Velichkov, and Meiqin Wang Katholieke Universiteit Leuven Department of Electrical Engineering ESAT/SCD-COSIC Interdisciplinary Institute for BroadBand Technology (IBBT) Kasteelpark Arenberg 10, bus 2446 B-3001 Leuven-Heverlee, Belgium Version 1.1 | 7 March 2011 i Security Evaluation of K2 7 March 2011 Contents 1 Executive Summary 1 2 Linear Attacks 3 2.1 Overview . 3 2.2 Linear Relations for FSR-A and FSR-B . 3 2.3 Linear Approximation of the NLF . 5 2.4 Complexity Estimation . 5 3 Algebraic Attacks 6 4 Correlation Attacks 10 4.1 Introduction . 10 4.2 Combination Generators and Linear Complexity . 10 4.3 Description of the Correlation Attack . 11 4.4 Application of the Correlation Attack to KCipher-2 . 13 4.5 Fast Correlation Attacks . 14 5 Differential Attacks 14 5.1 Properties of Components . 14 5.1.1 Substitution . 15 5.1.2 Linear Permutation . 15 5.2 Key Ideas of the Attacks . 18 5.3 Related-Key Attacks . 19 5.4 Related-IV Attacks . 20 5.5 Related Key/IV Attacks . 21 5.6 Conclusion and Remarks . 21 6 Guess-and-Determine Attacks 25 6.1 Word-Oriented Guess-and-Determine . 25 6.2 Byte-Oriented Guess-and-Determine . 27 7 Period Considerations 28 8 Statistical Properties 29 9 Distinguishing Attacks 31 9.1 Preliminaries . 31 9.2 Mod n Cryptanalysis of Weakened KCipher-2 . 32 9.2.1 Other Reduced Versions of KCipher-2 .
    [Show full text]
  • Comment Submitted by David Crawley Comment View Document
    Comment Submitted by David Crawley Comment View document: The notion that my social media identifier should have anything to do with entering the country is a shockingly Nazi like rule. The only thing that this could facilitate anyway is trial by association - something that is known to ensnare innocent people, and not work. What is more this type of thing is repugnant to a free society. The fact that it is optional doesn't help - as we know that this "optional" thing will soon become not-optional. If your intent was to keep it optional - why even bother? Most importantly the rules that we adopt will tend to get adopted by other countries and frankly I don't trust China, India, Turkey or even France all countries that I regularly travel to from the US with this information. We instead should be a beacon for freedom - and we fail in our duty when we try this sort of thing. Asking for social media identifier should not be allowed here or anywhere. Comment Submitted by David Cain Comment View document: I am firmly OPPOSED to the inclusion of a request - even a voluntary one - for social media profiles on the I-94 form. The government should NOT be allowed to dip into users' social media activity, absent probable cause to suspect a crime has been committed. Bad actors are not likely to honor the request. Honest citizens are likely to fill it in out of inertia. This means that the pool of data that is built and retained will serve as a fishing pond for a government looking to control and exploit regular citizens.
    [Show full text]
  • Analysis of Arx Round Functions in Secure Hash Functions
    ANALYSIS OF ARX ROUND FUNCTIONS IN SECURE HASH FUNCTIONS by Kerry A. McKay B.S. in Computer Science, May 2003, Worcester Polytechnic Institute M.S. in Computer Science, May 2005, Worcester Polytechnic Institute A Dissertation submitted to the Faculty of The School of Engineering and Applied Science of The George Washington University in partial satisfaction of the requirements for the degree of Doctor of Science May 15, 2011 Dissertation directed by Poorvi L. Vora Associate Professor of Computer Science The School of Engineering and Applied Science of The George Washington University certifies that Kerry A. McKay has passed the Final Examination for the degree of Doctor of Science as of March 25, 2011. This is the final and approved form of the dissertation. ANALYSIS OF ARX ROUND FUNCTIONS IN SECURE HASH FUNCTIONS Kerry A. McKay Dissertation Research Committee: Poorvi L. Vora, Associate Professor of Computer Science, Dissertation Director Gabriel Parmer, Assistant Professor of Computer Science, Committee Member Rahul Simha, Associate Professor of Engineering and Applied Science, Committee Member Abdou Youssef, Professor of Engineering and Applied Science, Committee Member Lily Chen, Mathematician, National Institute of Standards and Technology, Committee Member ii Dedication To my family and friends, for all of their encouragement and support. iii Acknowledgements This work was supported in part by the NSF Scholarship for Service Program, grant DUE-0621334, and NSF Award 0830576. I would like to thank my collaborators Niels Ferguson and Stefan Lucks for our collaborative research on the analysis of the CubeHash submission to the SHA-3 competition. I would also like to thank the entire Skein team for their support.
    [Show full text]
  • Bruce Schneier 2
    Committee on Energy and Commerce U.S. House of Representatives Witness Disclosure Requirement - "Truth in Testimony" Required by House Rule XI, Clause 2(g)(5) 1. Your Name: Bruce Schneier 2. Your Title: none 3. The Entity(ies) You are Representing: none 4. Are you testifying on behalf of the Federal, or a State or local Yes No government entity? X 5. Please list any Federal grants or contracts, or contracts or payments originating with a foreign government, that you or the entity(ies) you represent have received on or after January 1, 2015. Only grants, contracts, or payments related to the subject matter of the hearing must be listed. 6. Please attach your curriculum vitae to your completed disclosure form. Signatur Date: 31 October 2017 Bruce Schneier Background Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of 14 books—including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World—as well as hundreds of articles, essays, and academic papers. His influential newsletter Crypto-Gram and blog Schneier on Security are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.
    [Show full text]