Slashdot Mirror


Schneier: Either Everyone Is Cyber-secure Or No One Is

Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers. Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.

19 of 130 comments

  1. Stating the obvious by Anonymous Coward · · Score: 5, Informative

    It's always seemed obvious to me that the system that you *know* grants unauthorised access cannot be considered to be secure. I never thought I was saying anything profound or even worthwhile, but apparently this fact is lost on a good number of people.

    1. Re: Stating the obvious by AHuxley · · Score: 3, Informative

      world wide wiretap AC

      --
      Domestic spying is now "Benign Information Gathering"
  2. Insecure by phantomfive · · Score: 3, Insightful

    Right now there's not really an option, we're all insecure. And we will continue to be insecure as long as we favor features over security (which probably won't change).

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Insecure by phantomfive · · Score: 2

      Unplug the network.

      Seriously though, Daniel Bernstein has put a lot of thought into that question. You can start here.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Insecure by StikyPad · · Score: 2

      This doesn't really need to be the case. We're used to carrying keys to access our cars and homes -- we could carry digital encryption keys to access our emails and data. The bug/feature is that losing the keys necessarily means permanently losing access to the data, from the past anyway. But that's not actually very different from today -- much of our data rots for other reasons anyway. Photos and documents disappear when we buy a new phone, or when our hard drives bite the dust. Endpoint encryption would actually allow secure online storage without worrying who might access the data, because nobody else has a copy of the keys.

      One way to accomplish this without sacrificing convenience, for those who value it over security, would be to solve the specific problem instead of the general problem. Default to external keys only, and "bury" an option in the settings to store a copy of the key(s) on-device, or online, for convenience. Encourage good habits by making it the norm, but allow people to exercise bad habits if they need or choose to and accept the risks.

      I do applaud Schneier for coming out strongly in favor of security. In past speeches he's equivocated and said he doesn't have the answers, just the facts, but there really is only one answer in this case. We must choose security. We fought this battle in the late 90s and early aughts -- the so-called crypto wars -- but apparently we need to fight it again for a new generation. Let the battle begin.

  3. Re:someone else can be first by Anonymous Coward · · Score: 4, Informative

    Zero day vulnerability even if you don't visit an infected website.

  4. Hey Bruce by 93+Escort+Wagon · · Score: 3, Interesting

    You're preaching to the choir here... but it'd sure be great if you got a chance to explain this to the President and to Congress, though.

    --
    #DeleteChrome
    1. Re:Hey Bruce by losfromla · · Score: 2

      Have you forgotten where you are? Your friends who think you are cool here would still think you were cool if you started eating boogers on a regular basis. Nerd-cred matters but cool hardly does. Still, the joke was lame so it was smart of you to disassociate yourself from it.

      --
      Only I can judge you.
  5. Re:TFS is correct by mwvdlee · · Score: 5, Insightful

    It's already implemented.
    The powers that be have chosen "No one is cyber-secure" for you.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  6. Re:Conventional weapons? by bigfinger76 · · Score: 2

    Taking advantage of broken infrastructure (weakened crypto, for example) is easy. Creating and maintaining ICBM technology is not.

  7. Re:facts please ! by Programming+Ace · · Score: 5, Informative

    The Guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure.

  8. Re:Top Secret? by PhilHibbs · · Score: 4, Insightful

    It's not the idea that was top secret. It's the specific implementation and the fact that they were using it and what for that was secret.

  9. misleading headline by Tom · · Score: 5, Insightful

    What's with the clickbait headlines? By itself, the headline is total BS. The actual statement made, however, is spot on. The hole in your security doesn't care who exploits it. There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).

    What worries me most is that we could win this fight, if it weren't for our own governments deciding to betray us. There are vastly more people interested in secure communication and other people not being able to spy on or subvert our computers and mobile devices than there are people interested in compromised communications and systems (basically only criminals and some deluded, criminal-if-the-laws-were-right elements of governments).

    There is just one problem to Bruce's argument: The largest and most powerful spy agency in the world disagrees with his fundamental assumption. We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.
    The NSA believes, and/or is tasked with exactly these two things that Bruce says (and I agree) are mutually exclusive. No surprise they've gone rogue, their very mission statement is a recipe for a mental breakdown through cognitive dissonance.

    --
    Assorted stuff I do sometimes: Lemuria.org
  10. Re:someone else can be first by monkeyxpress · · Score: 3, Insightful

    not sure how packet injection breaks into my computer.

    It's not about hacking into your computer. It's about the fact that the govt spy agencies had quite sophisticated spying infrastructure installed into key parts of the internet. Why this is a surprise to anybody is beyond me. Other than the negative PR value (which I'm sure some 'we're protecting you from pedophiles' rhetoric would fix) I don't even know why the govt particularly cared if people found out.

  11. This is something David Cameron is unaware of by GauteL · · Score: 2

    For those that don't know or have forgotten: the British PM made a statement that he wants to ban communication which cannot be intercepted and deciphered by the government. We may as well just send all our communication in plain text ASCII.

  12. Re:someone else can be first by Wootery · · Score: 2

    Sounds like another argument in favour of HTTPS for everything.

  13. It's just not that simple by Anonymous Coward · · Score: 2, Insightful

    We choose security for our homes but why don't we all live in bank vaults? cost? aesthetics?

    There are some types of security that the average person simply can't have. Most of us have no choice but to use a commercial provider for our internet access and as long as we can't own and control every point between us and our target node and the development and manufacture of every critical component in our devices - our governments will always be able to subvert our trust and spy on us anyway.

    You're expecting companies that only care about making money to care about our security. They only care so far - to the point that people are satisfied enough to buy the service. For enough money or with threats of their profits or ability to do business being affected - There's very few businesses that won't comply and those that don't suddenly find themselves restricted in such a way as to lose out to their competitors. The shareholders won't be happy and they're more important to businesses than morality - or you.

    There is nothing that anybody can do or say that will represent undeniable evidence that at some point in the chain, be it in your chips or your wires, security has not been compromised.

    Remember - they're not protecting us, they're protecting themselves. It's not your elected officials that are making these decisions, it's unelected heads of powerful branches of government that are unaffected by elections.

    Vote for whoever you like but the true power lies with agencies such as the NSA, CIA, GCHQ, MI5, MI6, Mossad.

    No vote you cast will topple those pyramids and they live for control and power over you, foreign states and each other.

    You want true security? fire every last single person from the top to the bottom in every last government connected office and replace them with randomly selected, suitable candidates. It's the only way you'll weed out the corruption that's the true heart of all the decisions that are made on 'our behalf'.

  14. Re:someone else can be first by MachineShedFred · · Score: 4, Insightful

    Sounds like an argument for IPSec for anything that matters - as long as you're Doing It Right you get message integrity and authenticity. That's the whole point.

    Now, if someone's cracked IKEv2, SHA, or AES all bets are off.

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
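StikyPad's design in comment 2.2 (keys held only by the user, with an off-by-default setting to keep a copy for convenience) and MachineShedFred's point above about integrity and authenticity can be shown in one small model. The following is an added example, not code from the thread or from any product: a `CloudStore` class (a constructed name) holds only a salt and ciphertext; `decrypt` rejects anything whose tag does not verify, which is what catches both a wrong key and a ciphertext modified on the path; and the `escrow_key` flag models the buried convenience option, with `provider_can_read` showing what it costs. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, assembled from the Python standard library so the block runs without third-party packages; it stands in for a real AEAD such as AES-GCM, and the PBKDF2 iteration count is a demo value.

```python
"""Toy end-to-end storage model: the provider only ever sees ciphertext.

Constructed for this example (not from the thread). The cipher is an
HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, built from
the standard library so the block runs anywhere; a real system would use an
AEAD such as AES-GCM instead.
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    """User-held key, derived from a passphrase the provider never receives.
    100_000 iterations is a demo value, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate enc/mac keys."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before producing any plaintext.
    A wrong key or a single modified byte fails here."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudStore:
    """The provider's side: salt and ciphertext only, plus a key copy solely
    when the user opted in to the 'convenience' setting (off by default)."""

    def __init__(self) -> None:
        self.records = {}

    def put(self, user: str, passphrase: bytes, data: bytes, escrow_key: bool = False) -> None:
        salt = os.urandom(16)
        key = derive_key(passphrase, salt)
        self.records[user] = {
            "salt": salt,
            "blob": encrypt(key, data),
            "key_copy": key if escrow_key else None,  # default: nobody else holds the key
        }

    def get(self, user: str, passphrase: Optional[bytes]) -> bytes:
        rec = self.records[user]
        if passphrase is not None:
            key = derive_key(passphrase, rec["salt"])
        elif rec["key_copy"] is not None:
            key = rec["key_copy"]  # convenience path: the provider can decrypt too
        else:
            raise KeyError("key lost and no copy escrowed: data is unrecoverable")
        return decrypt(key, rec["blob"])

    def provider_can_read(self, user: str) -> bool:
        return self.records[user]["key_copy"] is not None


def tampered(blob: bytes) -> bytes:
    """Flip one ciphertext bit, as an on-path modification would."""
    b = bytearray(blob)
    b[NONCE_LEN] ^= 0x01
    return bytes(b)


def raises(fn: Callable[[], object], exc: type) -> bool:
    """Demo helper: True if fn() raises exc."""
    try:
        fn()
    except exc:
        return True
    return False


if __name__ == "__main__":
    store = CloudStore()
    store.put("alice", b"correct horse", b"tax return 2014")  # constructed sample data
    print("provider can read alice:", store.provider_can_read("alice"))
    print("wrong passphrase rejected:", raises(lambda: store.get("alice", b"wrong"), ValueError))
    print("lost key, no escrow:", raises(lambda: store.get("alice", None), KeyError))
```

The rejection path is the same for a wrong passphrase and for a flipped ciphertext byte: both reach `decrypt` as a tag mismatch, so the caller learns only that the record cannot be trusted, never a partially decrypted result.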
  15. Re:facts please ! by swell · · Score: 2

    "The Guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure."

    Thanks. The Guardian and other publishers are still slowly releasing documents after careful scrutiny. Partly, as you say, to avoid putting lives at risk. I had not been aware of them actually inviting the enemy to scrutinize their findings. It's worrisome.

    The press is pretty much our only check on government and at least since the Vietnam war the mainstream press has been a tool of government and others with power. Hearst and Murdoch are obvious examples of press manipulation. Novels & movies offer more. Even the old rock song "Dirty Laundry" reminds us how we are distracted by trivia from what's relevant in current events.

    My local daily paper is just a mouthpiece for a powerful developer who has a right wing agenda of corporate welfare. OTOH we have a left wing radio station that's all about environment, women's rights, workers rights, immigration issues... Slashdot has its own perspective on news. One treads lightly through modern media trying to sort the wheat from the chaff. One hopes the Guardian/Schneier is not overly influenced by their new advisers. Thanks again for your informative comment.

    --
    ...omphaloskepsis often...