I previously posted that I am writing a book on security and power. Here are some title suggestions:
- Permanent Record: The Hidden Battles to Capture Your Data and Control Your World
- Hunt and Gather: The Hidden Battles to Capture Your Data and Control Your World
- They Already Know: The Hidden Battles to Capture Your Data and Control Your World
- We Already Know: The Hidden Battles to Capture Your Data and Control Your World
- Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World
- All About You: The Hidden Battles to Capture Your Data and Control Your World
- Tracked: The Hidden Battles to Capture Your Data and Control Your World
- Tracking You: The Forces that Capture Your Data and Control Your World
- Data: The New Currency of Power
My absolute favorite is Data and Goliath, but there's a problem. Malcolm Gladwell recently published a book with the title of David and Goliath. Normally I wouldn't care, but I published my Liars and Outliers soon after Gladwell published Outliers. Both similarities are coincidences, but aping him twice feels like a bit much.
Anyway, comments on the above titles -- and suggestions for new ones -- are appreciated.
The book is still scheduled for February publication. I hope to have a first draft done by the end of June, and a final manuscript by the end of October. If anyone is willing to read and comment on a draft manuscript between those two months, please let me know in e-mail.
Here's my upcoming speaking schedule for April and May:
- Stanford Law School on April 15.
- Brown University in Providence, RI -- two times -- on April 24.
- The Global Summit for Leaders in Information Technology in Washington, DC, on May 7.
- The Institute of World Politics on May 8.
- The University of Zurich on May 21.
- IT Security Inside in Zurich on May 22.
- University of Oregon Eugene on May 28, and then Portland on May 29.
Information about all my speaking engagements can be found here.
The important piece of this story is not that GoGo complies with the law, but that it goes above and beyond what is required by law. It has voluntarily decided to violate your privacy and turn your data over to the government.
A little too big for my house.
This is an update to my earlier post.
Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack.
Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.
The reasoning is complicated, and I suggest people read the post. What I have heard from people who actually ran the attack against various servers is that what you get is a huge variety of cruft, ranging from indecipherable binary to useless log messages to people's passwords. The variability is huge.
I have a lot to say about the human aspects of this: auditing of open-source code, how the responsible disclosure process worked in this case, the ease with which anyone could weaponize this with just a few lines of script, how we explain vulnerabilities to the public -- and the role that impressive logo played in the process -- and our certificate issuance and revocation process. This may be a massive computer vulnerability, but all of the interesting aspects of it are human.
EDITED TO ADD (4/12): We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it's possible, but it seems to be much harder than we originally thought.
And we have a story where two anonymous sources have claimed that the NSA has been exploiting Heartbleed for two years.
EDITED TO ADD (4/13): The US intelligence community has denied prior knowledge of Heartbleed. The statement is word-game free:
NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.
The statement also says:
Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.
Since when is "law enforcement need" included in that decision process? This national security exception to law and process is extending much too far into normal police work.
Another point. According to the original Bloomberg article:
Certainly a plausible statement. But if those millions didn't discover something obvious like Heartbleed, shouldn't we investigate them for incompetence?
Finally -- not related to the NSA -- this is good information on which sites are still vulnerable, including historical data.
This is not a surprise:
The Los Angeles Police Commission is investigating how half of the recording antennas in the Southeast Division went missing, seemingly as a way to evade new self-monitoring procedures that the Los Angeles Police Department imposed last year.
The antennas, which are mounted onto individual patrol cars, receive recorded audio captured from an officer’s belt-worn transmitter. The transmitter is designed to capture an officer’s voice and transmit the recording to the car itself for storage. The voice recorders are part of a video camera system that is mounted in a front-facing camera on the patrol car. Both elements are activated any time the car’s emergency lights and sirens are turned on, but they can also be activated manually.
According to the Los Angeles Times, an LAPD investigation determined that around half of the 80 patrol cars in one South LA division were missing antennas as of last summer, and an additional 10 antennas were unaccounted for.
Surveillance of power is one of the most important ways to ensure that power does not abuse its status. But, of course, power does not like to be watched.
Heartbleed is a catastrophic bug in OpenSSL:
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
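Why one heartbeat request can hand back a random slice of whatever sits next to it in memory, as an added example that is not code from this post or from OpenSSL: a simplified C model of the heartbeat handler that trusts the peer's length field, beside the bounds check the fix adds. The arena buffer, the record layout and the "secret" string are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

#define ARENA_LEN 128  /* constructed stand-in for the process heap */
#define PADDING   16   /* a TLS heartbeat record ends with 16 padding bytes */

/* Vulnerable shape: copies whatever length the peer claims, never checking it
 * against the record actually received. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]); /* peer-controlled */
    (void)rec_len;                                         /* never consulted */
    if (claimed > out_cap) claimed = (uint16_t)out_cap;    /* keeps the demo in bounds */
    memcpy(out, rec + 3, claimed);                         /* reads past the record */
    return claimed;
}

/* Fixed shape: type + length + payload + padding must fit in the record,
 * otherwise the request is silently discarded. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + claimed + PADDING > rec_len || claimed > out_cap) return 0;
    memcpy(out, rec + 3, claimed);
    return claimed;
}

/* Constructed arena: a 23-byte record whose 4-byte payload claims 64 bytes,
 * with a constructed "secret" sitting right after it. Returns the record length. */
static size_t build_arena(unsigned char *arena) {
    memset(arena, 0, ARENA_LEN);
    arena[0] = 0x01; arena[1] = 0x00; arena[2] = 0x40;      /* request, claims 64 */
    memcpy(arena + 3, "ping", 4);                           /* the real payload */
    memcpy(arena + 3 + 4 + PADDING, "SECRET-KEY-MATERIAL", 19);
    return 3 + 4 + PADDING;
}

/* 1 if the vulnerable handler's reply carries the adjacent secret. */
int vulnerable_leaks_secret(void) {
    unsigned char arena[ARENA_LEN], out[64];
    size_t n = heartbeat_vulnerable(arena, build_arena(arena), out, sizeof out);
    return n == 64 && memcmp(out + 20, "SECRET", 6) == 0; /* secret at offset 23 - 3 */
}

/* Bytes the fixed handler returns for the same record: 0, it refuses it. */
size_t fixed_reply_len(void) {
    unsigned char arena[ARENA_LEN], out[64];
    return heartbeat_fixed(arena, build_arena(arena), out, sizeof out);
}
```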
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
The bug has been patched. After you patch your systems, you have to get a new public/private key pair, update your SSL certificate, and then change every password that could potentially be affected.
At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
EDITED TO ADD (4/9): Has anyone looked at all the low-margin non-upgradable embedded systems that use OpenSSL? An upgrade path that involves the trash, a visit to Best Buy, and a credit card isn't going to be fun for anyone.
EDITED TO ADD (4/10): I'm hearing that the CAs are completely clogged, trying to reissue so many new certificates. And I'm not sure we have anything close to the infrastructure necessary to revoke half a million certificates.
Possible evidence that Heartbleed was exploited last year.
EDITED TO ADD (4/10): I wonder if there is going to be some backlash from the mainstream press and the public. If nothing really bad happens -- if this turns out to be something like the Y2K bug -- then we are going to face criticisms of crying wolf.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.