Bruce Schneier


The day of the ransomware WannaCry attack, I wrote that a “world in which everything is a computer–even our brains–is a fraught one.” We live in a time when we hold what are essentially supercomputers in our hands, but more and more we’re in their grip. When the Internet of Things becomes the thing, linking all items and enabling them to incessantly collect information, pretty much everything from refrigerators to roads will be hackable. A permanent cat and (computer) mouse game will begin in earnest, and this time we’ll be inside the machine.

As Bruce Schneier writes in his wise and wary Washington Post essay on the subject: “Solutions aren’t easy and they’re not pretty.” An excerpt:

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped Internet of Things (IoT). It’s coming, and it’s coming faster than you might think. And as these devices connect to the Internet, they become vulnerable to ransomware and other computer threats.

It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn’t just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you’ll get the message on the smartphone app you control it from.•


So much has been written about the Internet of Things, the pluses and minuses, but Bruce Schneier does an impressive job of analyzing its challenges in a new Forbes piece. We won’t just log into the machine–the machine will be everything, though it will be so quiet, not even a hum, that we’ll barely notice it. The writer identifies the IoT as a “world-sized robot” and calls for the establishment of a “Department of Technology Policy.” The opening:

The Internet of Things is the name given to the computerization of everything in our lives. Already you can buy Internet-enabled thermostats, light bulbs, refrigerators, and cars. Soon everything will be on the Internet: the things we own, the things we interact with in public, autonomous things that interact with each other.

These “things” will have two separate parts. One part will be sensors that collect data about us and our environment. Already our smartphones know our location and, with their onboard accelerometers, track our movements. Things like our thermostats and light bulbs will know who is in the room. Internet-enabled street and highway sensors will know how many people are out and about—and eventually who they are. Sensors will collect environmental data from all over the world.

The other part will be actuators. They’ll affect our environment. Our smart thermostats aren’t collecting information about ambient temperature and who’s in the room for nothing; they set the temperature accordingly. Phones already know our location, and send that information back to Google Maps and Waze to determine where traffic congestion is; when they’re linked to driverless cars, they’ll automatically route us around that congestion. Amazon already wants autonomous drones to deliver packages. The Internet of Things will increasingly perform actions for us and in our name. 

Increasingly, human intervention will be unnecessary.•


It’s not silly on the order of trying to color code terrorism as we did in the wake of 9/11, but metal detectors installed at stadiums by Major League Baseball the season after the Boston Marathon bombing aren’t likely to do much good. Bruce Schneier, security expert in matters both online and off, writes of the new measure at the Washington Post. The opening:

Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they’re nothing of the sort. They’re pure security theater: They look good without doing anything to make us safer. We’re stuck with them because of a combination of buck passing, CYA thinking and fear.

As a security measure, the new devices are laughable. The ballpark metal detectors are much more lax than the ones at an airport checkpoint. They aren’t very sensitive — people with phones and keys in their pockets are sailing through and there are no X-ray machines. Bags get the same cursory search they’ve gotten for years. And fans wanting to avoid the detectors can opt for a light pat-down search instead.

There’s no evidence that this new measure makes anyone safer. A halfway competent ticketholder would have no trouble sneaking a gun into the stadium. For that matter, a bomb exploded at a crowded checkpoint would be no less deadly than one exploded in the stands. These measures will, at best, be effective at stopping the random baseball fan who’s carrying a gun or knife into the stadium. That may be a good idea, but unless there’s been a recent spate of fan shootings and stabbings at baseball games — and there hasn’t — this is a whole lot of time and money being spent to combat an imaginary threat.•


A passage from a new Wired interview by Alex Pasternack with security expert Bruce Schneier about safety vulnerabilities, the physical kinds and virtual ones:

Wired:

What about attacks that affect infrastructure? Obviously the past few years have shown that industry, cities, utilities, even vehicles are vulnerable to hacking. Are those serious threats?

Bruce Schneier:

There are threats to all embedded systems. We’ve seen groups mostly at universities hacking into medical devices, hacking into automobiles, into various security cameras, and demonstrating the vulnerabilities. There’s not a lot of fixing at this time. The industries are still largely ignoring the problem, maybe very much like the computer industry did maybe twenty years ago, when they belittled the problem, pretended it wasn’t there. But we’ll get there.

When I look at the bigger embedded systems, the power grids, various infrastructure systems in cities, there are vulnerabilities. I worry about them a little less because they’re so obscure. But I still think we need to start figuring out how to fix them, because I think there are a lot of hidden vulnerabilities in embedded systems.

Wired:

Are there particular security concerns right now that you think the public, given its misunderstanding about security, doesn’t appreciate enough?

Bruce Schneier:

I’m most worried about potential security vulnerabilities in the powerful institutions we’re trusting with our data, with our security. I’m worried about companies like Google and Microsoft and Facebook. I’m worried about governments, the US and other governments. I’m worried about how they are using our data, how they’re storing our data, and what happens to it. I’m less worried about the criminals. I think we’ve kinda got cyber-crime under control, it’s not zero but it never will be. I’m much more worried about the powerful abusing us than the un-powerful abusing us.


Bruce Schneier, a security expert (online and offline), just did an Ask Me Anything at Reddit. The following is an exchange about post-9/11 airport security:

“Question:

I am of the opinion that our airport security is poorly designed and for the hassle passengers go through, we get minimal benefit. I feel like we react to specific circumstances to create an illusion of security and that perception is more important to the TSA than creating a constructive plan to deal with threats. I know you are a proponent of the fail well philosophy which accepts failure and tries to compartmentalize and minimize the damage. Based on this theory what should be the security steps that airports should be taking?

Bruce Schneier:

I think airport security should be rolled back to pre-9/11 levels, and all the money saved should be spent on things that work: intelligence, investigation, and emergency response.

Only two things have improved airplane security since 9/11: reinforcing the cockpit doors, and teaching passengers that they have to fight back. Everything else has been security theater.”

Like all places where pioneers land, someday the Internet will be relatively civilized. Not completely, but relatively. I’m not talking about mean comments and trolling but about the larger issues of control. That’s both a good and bad thing. You certainly don’t want cybercrimes and predatory behavior, but the unfettered, decentralized, anonymous rush of the new medium was exhilarating and led to all kinds of insurgent creativity. Bruce Schneier, the Internet security expert, just published an article for the Atlantic about the struggle for power over the Internet, which he sees as tilting in favor of corporations and governments over individuals. It’s hard to argue with his scorekeeping. The opening:

“We’re in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently, and made them seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two sides fare in the long term, and the fate of the rest of us who don’t fall into either group, is an open question—and one vitally important to the future of the Internet.

In the Internet’s early days, there was a lot of talk about its ‘natural laws’—how it would upend traditional power blocks, empower the masses, and spread freedom throughout the world. The international nature of the Internet circumvented national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes seemed inevitable. Digital cash would undermine national sovereignty. Citizen journalism would topple traditional media, corporate PR, and political parties. Easy digital copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.

This was a utopian vision, but some of it did come to pass. Internet marketing has transformed commerce. The entertainment industries have been transformed by things like MySpace and YouTube, and are now more open to outsiders. Mass media has changed dramatically, and some of the most influential people in the media have come from the blogging world. There are new ways to organize politically and run elections. Crowdfunding has made tens of thousands of projects possible to finance, and crowdsourcing made more types of projects possible. Facebook and Twitter really did help topple governments.

But that is just one side of the Internet’s disruptive character. The Internet has emboldened traditional power as well.”


Russ Roberts of EconTalk did an interesting interview with security expert Bruce Schneier in the days between the Boston Marathon bombings and the Snowden leaks. Schneier suggested back then that the NSA might be using its Utah data center to spy on all Americans, but he couldn’t say conclusively. I’m not nearly as informed as Schneier is, but I thought it was definitely going on. And I don’t know that new legislation will ever make it go away, not with the ever-improving tools we have at our disposal. Just a couple more of the interesting topics from the podcast:

  • Google could in theory use its search capacity to try to tip an election. If it willfully returned more negative articles about one candidate over many months, it might have some influence. And it wouldn’t be illegal, any more than it is for Fox News to slant the news in favor of conservatives. It’s not mentioned on the show, but there are market forces that might prevent this from happening. Whereas Fox has a niche (if very profitable) audience, Google’s “audience” is every person, and it can’t alienate a large section of them. Still, not impossible.
  • Corporate spying on American citizens is driven by many of the same forces that led to our economic collapse. Managers within corporations may be enticed by short-term bonuses to cross lines, not worrying about the big picture of the company because of their own personal goals for themselves. Despite Mitt Romney’s claim, corporations are not people but are run by many of them who have conflicting goals.