Slashdot Mirror


Schneier: Everyone Wants You To Have Security, But Not From Them

An anonymous reader writes: Bruce Schneier has written another insightful piece about how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys. Schneier says, "... we give lots of companies access to our data because it makes our lives easier. ... The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices. ... We want our data to be secure, but we want someone to be able to recover it all when we forget our password. We'll never solve these security problems as long as we're our own worst enemy."

17 of 114 comments

  1. He's being polite. by some+old+guy · · Score: 5, Insightful

    What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

    --
    Scruting the inscrutable for over 50 years.
    1. Re:He's being polite. by Anon-Admin · · Score: 3, Insightful

      No, they are not techies; they are "Power Users".

      They think they are technical because they can navigate a GUI, click on a button, and fill in a field. However, they have no clue where the data is stored or what is going on under the GUI.

      Hmm, that describes most Windows admins. Wonder what they will do when Windows goes command-line and the GUI is no longer installed by default?

    2. Re:He's being polite. by CrimsonAvenger · · Score: 2

      What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

      Note that there is a difference between "stupid" and "ignorant".

      Note that being "technically illiterate" puts you into the "ignorant" category, but that claiming that "technically illiterate" is the same as "idiot" puts you well into the "stupid" category.

      Now, arguably you can claim that the vast majority of users really don't care very much about the subject at hand, which might very well move them into the "stupid" group. But being technically illiterate, in and of itself, is not a sign of "stupid"....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    3. Re:He's being polite. by Anon-Admin · · Score: 3, Funny

      I originally posted that tongue in cheek. The company I'm at, as well as many I know of, is running some 2003 and most are 2008. They are starting to move to 2012 and the Windows admins are having a fit because there is no GUI and they can't just RDP into the system.

      This has led to "You're the Unix guy, you know command-line stuff. Why don't you take over running these Windows servers? They're just like Linux."

      lol

  2. Do they by invictusvoyd · · Score: 2

    Have control over all the encryption algos of this world? It's hard to believe that all these smart people will let them get away with this .. having said all that .. The president, the director of the NSA and all the pezzenovantes don't make this stuff .. This stuff is made by you and me ..

  3. the solution by slashmydots · · Score: 2

    My 14-year and still-running policy of giving fake names, fake e-mails, fake phone numbers etc. and no personally identifiable data other than my IP address to most online companies is working great. They ask me for data I don't want them to have and they get useless bullshit. Problem solved.

  4. Did you read it? by danaris · · Score: 5, Insightful

    That's not what he said at all. I mean, I'm not disagreeing with you substantially, but that's completely separate from the actual point of the piece.

    It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.

    More importantly, that's even true of those who actually want to help keep our data secure from others—even our governments.

    The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone—and that there are so many, even those that theoretically should be trying to do so, working directly against that end—is definitely something we need to be concerned about, far beyond simply bemoaning the stupidity of all the "lusers" who will happily give away their data for free because they just don't know any better.

    Dan Aris

    --
    Fun. Free. Online. RPG. BattleMaster.
    1. Re:Did you read it? by mlts · · Score: 2

      Devil's advocate here:

      What about DISA/NIST and their publications/guidelines? This is paid for by the taxpayers, and can be very useful, even though the info might be obvious in some places [1]. They have decent checklist guides on recent operating systems under their national vulnerability database.

      It is nice to be able to fetch info, even if one doesn't have to worry about stuff like FISMA and SCAP, just to have a decent baseline of security.

      [1]: Things like using group policies, not allowing multiple users to use the same account, etc.

  5. Re:Like People and Rules by Anonymous Coward · · Score: 3, Interesting

    A great thought, that--especially when set to some fine blues:

            Everybody wants to hear the truth
            But yet, everybody wants to tell a lie
            I say everybody wants to hear the truth
            But still they all want to tell a lie
            Oh everybody wants to go to heaven
            But nobody wants to die

            -- Albert King

  6. There is one major entity - Apple by SuperKendall · · Score: 4, Insightful

    The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

    Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

    It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

    The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:There is one major entity - Apple by danaris · · Score: 3, Insightful

      The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

      Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

      It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

      The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

      This is true—I tend not to think of Apple as "an entity working to keep our data safe," since I primarily think of them as a hardware/OS vendor. But yes, any data Apple does happen to hold of yours is as safe as they can make it from those who want to monetize it—and they don't care to do so themselves.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
  7. Open Source FTW by mrflash818 · · Score: 2

    partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you

    ...Open Source software, FTW!

    --
    Uh, Linux geek since 1999.
  8. Breaking News! by SeaFox · · Score: 2

    Security is inversely proportional to convenience.

  9. Re:Schneier's opinion isn't what it once was by PPH · · Score: 2

    A generation ago,

    There was a high barrier to this sort of public information being used. If you wanted to use the library's reverse directory, you had to actually go there. Now, with this sort of data on-line, marketers can slice and dice it any way they want for little more than the cost of processing power. But so can the 'bad guys'.

    --
    Have gnu, will travel.
  10. Re:There's no $$$ to be made in security by mlts · · Score: 2

    This is a good thing. In the past, a company would get breached, and it would have a minimal impact after paying for a PR campaign, definitely forgotten after six months.

    However, the Sony hack with E-mails leaked which got celebs mad and data destroyed is different. Before that, a company got hacked... but their data was still there, so a lot of managers just brushed it off. However, if an intrusion means that the entire company is unable to do business and likely will fail in days to weeks [1], security goes from something in the backseat that is perceived as having no ROI, to a major concern.

    This is a good thing. We have had solid security concepts since the 1970s, and most enterprise applications and devices can be well locked down. It is just using the functionality involved and making it work for that company/organization's culture.

    It also might get vendors focused on security, perhaps being able to standardize on things. For example, it would be nice to have a style of USB cryptographic token that works with anything, be it an AIX machine or a Windows box.

    Which means more money for those who can keep pace with security.

    [1]: There are a lot of businesses who decided to follow the hype and drop tape, and instead, go with tiers of SANs for backups. Backing up to SANs does provide decent protection against hardware faults.

    However, all data accessible comes at a cost. A bad guy can log onto the SAN's backend and purge all data with just a single command. Once this is done, the data is gone, and because there are no backup tapes... there is no recovery possible. Even with SANs that replicate to different physical locations, the deletion will be replicated. Even more insidious is tampering over time where someone logs on a SAN, and just starts overwriting stored data that nobody ever accesses.

    It makes me wonder if tape will go from being laughed at as "retro" to being a primary medium for storage again. A pile of tapes stored offline will require physical access to destroy, as opposed to zeroing out everything with just one button. Even cloud "media" is easily destroyed if a blackhat gets enough access.
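    The slow-tampering case in the comment above (someone with SAN credentials quietly rewriting data nobody ever reads) is the one that replication, and even a cold copy, will not catch on its own unless the backup set is scrubbed. The following is an added example, not the commenter's code and not any vendor's tool: a minimal integrity manifest. Every file in a backup set is hashed at write time, the manifest (or at least its fingerprint) is kept somewhere the storage admin cannot reach, and the live copy is later verified against it. The directory layout, file names and contents are constructed for the demonstration; the only assumption is plain files on a local path.

```python
"""Integrity manifest for a backup set (added example; not from the original post).

Mitigation for silent, long-term tampering of "cold" data: hash every file
at backup time, store the manifest out of band (offline media, or a signed
copy on a separate host), then periodically scrub the live copy against it.
Overwritten files show up as digest mismatches; purged files as missing.

Assumptions (constructed for this example): plain files under a local
directory, SHA-256 as the digest, JSON as the manifest format.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large backup images are not read into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """relative POSIX path -> {"sha256", "size"} for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = {"sha256": file_digest(path), "size": path.stat().st_size}
    return manifest


def manifest_fingerprint(manifest: dict) -> str:
    """Digest of the canonical manifest; this short value is what goes on the offline label."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(root: Path, trusted: dict) -> dict:
    """Scrub root against a trusted manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    all three empty means the live copy still matches what was backed up.
    """
    current = build_manifest(root)
    modified = sorted(p for p in trusted if p in current
                      and current[p]["sha256"] != trusted[p]["sha256"])
    missing = sorted(p for p in trusted if p not in current)
    unexpected = sorted(p for p in current if p not in trusted)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo(base: Path) -> dict:
    """Constructed scenario: take a manifest, then rewrite a cold file and purge another."""
    backup = base / "backup"
    (backup / "2015-01").mkdir(parents=True, exist_ok=True)
    (backup / "2015-01" / "db.dump").write_bytes(b"original dump contents\n")
    (backup / "2015-01" / "mail.tar").write_bytes(b"original mail archive\n")
    (backup / "README").write_text("nightly set\n")

    trusted = build_manifest(backup)            # taken at backup time, kept offline
    fp_on_label = manifest_fingerprint(trusted)  # written on the tape label / signed

    # Attacker with SAN credentials: overwrite data nobody reads, delete one file.
    (backup / "2015-01" / "db.dump").write_bytes(b"original dump contents\n" + b"\x00" * 4)
    (backup / "2015-01" / "mail.tar").unlink()

    report = verify_manifest(backup, trusted)
    # Re-check the manifest we are trusting against the out-of-band fingerprint.
    report["manifest_intact"] = manifest_fingerprint(trusted) == fp_on_label
    return report


def run_demo() -> dict:
    """Run the scenario in a throwaway directory and return the scrub report."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(Path(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

    The manifest only helps if it lives somewhere the same credentials cannot reach: on the tapes themselves, or signed on a separate host. A manifest stored beside the data on the same SAN is overwritten together with it. As a side effect, the `missing` and `modified` lists are exactly the restore list when the offline copy is brought back.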

  11. What? by freeze128 · · Score: 2

    We're not our worst enemy. We are how we are and it's impossible to change it. Try explaining to your mom that she needs to enter an overly complicated password and then receive a code through SMS and then type that code manually in a little text box every time she wants to look at each of her grandkids' pictures. Won't work. And it's not because your mom is lazy, but because the perceived need for security for such data is very low.

    I don't agree with this. It *IS* possible to change. The internet userbase has already done it!

    In the early days of computers, they were difficult to use. They used cryptic commands, offered no GUI, and had limited help. But we used them. We made them do amazing things. Then as computers became more powerful, and cheaper, they also came with GUIs and help, making them easier to use.

    They didn't have to!

    We had already learned how to use the complex computers, so we don't NEED the GUIs.

    The same is true for file servers. Up until the mid-2000s, every company that wanted a website had their own web server. Many had internal file servers. They were secure, and they were only accessible by the people who needed to access them. Then, when "the cloud" became a popular buzzword, the companies started relinquishing control of the servers to third parties. THEY DIDN'T HAVE TO! If you want security, keep your servers to yourself!

  12. Re:Schneier's opinion isn't what it once was by Sean · · Score: 2

    That's true, but there was no book at the library that listed which articles in the newspaper we decided to read and which ones we decided to skip. The post office didn't make copies of all our letters and the phone company didn't record all our calls. When we used a map to find directions, none of this information used to be recorded. When we had our photographs developed, we could be quite sure the photo lab wasn't making copies of all of them.

    Records of our financial transactions were much more limited because most of them were cash. Now we use payment cards for almost everything.