When Tonia Mullins decided to hire a hit man to kidnap and murder her lover's wife, she didn't scour the local underworld dives. She texted.

A federal judge will rule Monday on whether the case against a 39-year-old woman accused in a deadly MySpace hoax can go to the jury, after testimony shows the defendant never saw the MySpace terms-of-service she's accused of criminally violating.

Some Verizon Wireless workers are suspended after peeking at the president-elect's calling records.

The young woman who typed the final, cruel message to 13-year-old Megan Meier the day she killed herself says on the stand that it was she -- and not defendant Lori Drew -- who came up with the idea to create the fake MySpace account.

Pembroke Pines police in Florida are investigating the apparent suicide death of a 19-year-old teenager whose death was seen on a live Justin.tv feed

Data-mining companies have no free-speech right to buy and analyze prescription data in order to market drugs to doctors, a federal appeals court ruled Monday. The ruling clears the way for other states to mimic New Hampshire's landmark law prohibiting the widespread practice of buying and selling prescription information.

Criminals better watch their steps, as a Univerisity of Buffalo computer science professor develops a search engine for shoe prints left at crime scenes. With funding from the Justice Department, professor Sargur Srihari hopes his computational forensics will make life easier for shoe-identification experts, and harder for criminals.

A member of the Army's controversial combat anthropology program is accused of second-degree murder for killing Kandahar native Abdul Salam in Afghanistan. Don Ayala supposedly shot the Afghani villager in the head, after Salam set one of Ayala's Human Terrain Team co-workers on fire.

You might not have realized it, but the next great battle of cryptography began this month. It's not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over who gets to be the creator of the next hash standard.

Hash functions are the most commonly used cryptographic primitive, and the most poorly understood. You can think of them as fingerprint functions: They take an arbitrary long data stream and return a fixed length, and effectively unique, string. The security comes from the fact that while it's easy to generate the fingerprint from a file, it's infeasible to go the other way and generate a file given a fingerprint.

Originally created to make digital signatures more efficient, hashes are now used to secure the very fundamentals of our information infrastructure: in password logins, secure web connections, encryption key management, virus and malware scanning, and almost every cryptographic protocol in current use. Without cryptographic hash functions, the internet would simply not work. At the same time, there isn't a good theory of hash functions. Unlike encryption algorithms, there are no secret keys involved; this makes it harder to mathematically define exactly what hash functions are.

The National Institute of Standards and Technology, NIST, is holding a competition to replace the SHA family of hash functions. "SHA" stands for "Secure Hash Algorithm." It was developed by the NSA in 1993 to replace the commercial MD4 and MD5 algorithms, and has been updated several times since then. All the SHA algorithms are very similar, and have been increasingly under attack, so NIST wants to replace them.

The competition is important because, unlike other technological standards, committee design — balancing the interests of diverse constituents — isn't conducive to good security. Security is best when it's designed by expert teams and then subjected to public review. And cryptography is best when it's chosen by competition.

In 1997, NIST held a competition for a block cipher to replace DES. Fifteen candidates and three-and-a-half years later, Rijndael became the new Advanced Encryption Standard — AES. NIST is doing the same thing for what it's calling SHA-3 (not, for some unexplained reason, the Advanced Hash Standard or AHS).

The deadline was October 31, and NIST received 64 submissions. This isn't surprising — I predicted 80 — as most of the 15 AES submitters were professors, whose students at the time have become professors themselves, with their own students. (If NIST does a stream cipher competition in another ten years, they should expect about 256 submissions.) These submissions came from academia, from industry, and from hobbyists. CIO magazine recently interviewed one of the submitters, who is 15. Twenty-eight submissions have been made public by the submitters, and six of those have been broken.

NIST is going through all the submissions right now, making sure they are complete and proper. Their goal is to publish all accepted submissions by the end of November, in advance of the First Hash Function Candidate Conference, to be held in Belgium right after the Fast Software Encryption workshop in February.

The group expects to quickly make a first cut of algorithms — hopefully to about a dozen — and give the community a year of cryptanalysis before making a second cut in 2010. After another year of cryptanalysis, NIST will choose a winner in 2011. Expect a final standard by 2012.

My advice for software developers is to let the process run its course. While it's tempting to use the new cool algorithms in your designs, it's far too soon to trust any of them. This process is likely to result in all sorts of new research results in hash function security, and some real cryptanalytic surprises. Give the community a few years to figure out which ones are good and which aren't.

I've previously called this sort of thing a cryptographic demolition derby: The last one left standing wins. But that's only partially true. Certainly all the groups will spend the next few years trying to cryptanalyze each other, but in the end there will be a bunch of unbroken algorithms. NIST will select one based on performance and features.

NIST has stated that the goal of this process is not to choose the best standard but to choose a good standard. I think that's smart; in this process, the best is the enemy of the good. While there's no rush to choose a new standard — the SHA-2 algorithms will remain secure for the foreseeable future — we don't want to analyze the candidates forever.

Personally, I was part of a group of eight cryptographers that submitted Skein to the competition. A decade ago, writing Twofish and participating in the AES process was the most fun I had ever had in cryptography. These next few years promise to be even more fun.

---

Bruce Schneier is chief security technology officer of BT. His new book is Schneier on Security.

The National Review Online is courting financial contributions by offering "new opportunities for access" to its editors and writers. Not to be outdone, here's the skinny on Threat Level's new sponsorship drive. Break out your wallet. We're going cheap.