Friday Squid Blogging: Global Squid Shortage

There's a squid shortage along the Pacific coast of the Americas.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 29, 2016 at 4:05 PM • 92 Comments

I'm Writing a Book on Security

I'm writing a book on security in the highly connected Internet-of-Things World. Tentative title:

Click Here to Kill Everybody
Peril and Promise in a Hyper-Connected World

There are two underlying metaphors in the book. The first is what I have called the World-Sized Web, which is that combination of mobile, cloud, persistence, personalization, agents, cyber-physical systems, and the Internet of Things. The second is what I'm calling the "war of all against all," which is the recognition that security policy is a series of "wars" between various interests, and that any policy decision in any one of the wars affects all the others. I am not wedded to either metaphor at this point.

This is the current table of contents, with three of the chapters broken out into sub-chapters:

  • Introduction
  • The World-Sized Web
  • The Coming Threats
    • Privacy Threats
    • Availability and Integrity Threats
    • Threats from Software-Controlled Systems
    • Threats from Interconnected Systems
    • Threats from Automatic Algorithms
    • Threats from Autonomous Systems
    • Other Threats of New Technologies
    • Catastrophic Risk
    • Cyberwar
  • The Current Wars
    • The Copyright Wars
    • The US/EU Data Privacy Wars
    • The War for Control of the Internet
    • The War of Secrecy
  • The Coming Wars
    • The War for Your Data
    • The War Against Your Computers
    • The War for Your Embedded Computers
    • The Militarization of the Internet
    • The Powerful vs. the Powerless
    • The Rights of the Individual vs. the Rights of Society
  • The State of Security
  • Near-Term Solutions
  • Security for an Empowered World
  • Conclusion

That will change, of course. If the past is any guide, everything will change.

Questions: Am I missing any threats? Am I missing any wars?

Current schedule is for me to finish writing this book by the end of September, and have it published at the end of April 2017. I hope to have pre-publication copies available for sale at the RSA Conference next year. As with my previous book, Norton is the publisher.

So if you notice me blogging less this summer, this is why.

Posted on April 29, 2016 at 1:02 PM • 108 Comments

Documenting the Chilling Effects of NSA Surveillance

In Data and Goliath, I talk about the self-censorship that comes along with broad surveillance. This interesting research documents this phenomenon in Wikipedia: "Chilling Effects: Online Surveillance and Wikipedia Use," by Jon Penney, Berkeley Technology Law Journal, 2016.

Abstract: This article discusses the results of the first empirical study providing evidence of regulatory "chilling effects" of Wikipedia users associated with online government surveillance. The study explores how traffic to Wikipedia articles on topics that raise privacy concerns for Wikipedia users decreased after the widespread publicity about NSA/PRISM surveillance revelations in June 2013. Using an interdisciplinary research design, the study tests the hypothesis, based on chilling effects theory, that traffic to privacy-sensitive Wikipedia articles reduced after the mass surveillance revelations. The Article finds not only a statistically significant immediate decline in traffic for these Wikipedia articles after June 2013, but also a change in the overall secular trend in the view count traffic, suggesting not only immediate but also long-term chilling effects resulting from the NSA/PRISM online surveillance revelations. These, and other results from the case study, not only offer compelling evidence for chilling effects associated with online surveillance, but also offer important insights about how we should understand such chilling effects and their scope, including how they interact with other dramatic or significant events (like war and conflict) and their broader implications for privacy, U.S. constitutional litigation, and the health of democratic society. This study is among the first to demonstrate -- using either Wikipedia data or web traffic data more generally -- how government surveillance and similar actions impact online activities, including access to information and knowledge online.

Two news stories.
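The abstract's two findings, an immediate drop and a change in the longer-term trend, are exactly what a segmented regression (interrupted time series) is built to separate. What follows is an added example, not Penney's data, model or code: the monthly view counts are constructed with a known drop of 200 and a known slope change of -6 at a known month, and the fit recovers both. It also shows why a plain before/after comparison of means misstates the drop when the series already had a trend.

```python
"""Segmented regression (interrupted time series) on a constructed monthly
page-view series with a known level drop and slope change at a known month.
Added example only: not the paper's data, model or code."""

MONTHS = 36    # months of constructed view counts
BREAK = 18     # index of the first month after the event


def make_series():
    """Constructed data: views grow 5/month, then at BREAK drop by 200 and
    start falling 1/month, plus a small zero-mean seasonal wobble."""
    wobble = [3, -2, 1, -4, 2, 0]
    series = []
    for t in range(MONTHS):
        y = 1000 + 5 * t
        if t >= BREAK:
            y += -200 - 6 * (t - BREAK)   # level drop, then trend change of -6
        series.append(float(y + wobble[t % 6]))
    return series


def design_row(t):
    """Regressors: intercept, pre-event trend, level shift at the event, and
    post-event change in trend (the usual ITS parameterisation)."""
    post = 1.0 if t >= BREAK else 0.0
    return [1.0, float(t), post, post * (t - BREAK)]


def ols(rows, ys):
    """Ordinary least squares via the normal equations (X'X) b = X'y,
    solved by Gauss-Jordan elimination with partial pivoting."""
    k = len(rows[0])
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    a = [xtx[i] + [xty[i]] for i in range(k)]          # augmented matrix
    for col in range(k):
        pivot = max(range(col, k), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        for r in range(k):
            if r != col:
                f = a[r][col] / a[col][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [a[i][k] / a[i][i] for i in range(k)]


def fit_its(ys):
    """Fit the four ITS parameters to a series indexed 0..len(ys)-1."""
    b = ols([design_row(t) for t in range(len(ys))], ys)
    return {"baseline": b[0], "pre_trend": b[1],
            "level_change": b[2], "trend_change": b[3]}


def naive_before_after(ys):
    """Difference of post- and pre-event means: the comparison an ITS fit is
    meant to replace, because it folds the pre-existing trend into the 'drop'."""
    pre, post = ys[:BREAK], ys[BREAK:]
    return sum(post) / len(post) - sum(pre) / len(pre)


if __name__ == "__main__":
    ys = make_series()
    print(fit_its(ys))
    print("naive before/after difference:", naive_before_after(ys))
```

Run as-is, the fit returns a level change near -200 and a trend change near -6 (the small seasonal wobble moves the estimates by well under one view), while the before/after difference of means comes out at -161, because the pre-event growth of 5/month is mixed into it. Real traffic has autocorrelation and larger seasonal effects than this toy wobble, which is why published ITS work reports standard errors and checks residuals; none of that is modelled here.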

Posted on April 29, 2016 at 6:28 AM • 41 Comments

Amazon Unlimited Fraud

Kindle Unlimited is Amazon's all-you-can-read service. You pay one price and can read anything that's in the program. Amazon pays authors out of a fixed pool, on the basis of how many people read their books. More interestingly, it pays by the page. An author makes more money if someone reads his book through to page 200 than if they give up at page 50, and even more if they make it through to the end. This makes sense; it doesn't pay authors for books people download but don't read, or read the first few pages of and then decide not to read the rest.

This payment structure requires surveillance, and the Kindle does watch people as they read. The problem is that the Kindle doesn't know whether the reader actually reads the book -- only what page they're on. So Kindle Unlimited records the furthest page the reader synced, and pays based on that.

This opens up the possibility for fraud. The metric is a proxy that the author controls: if an author can create a thousand-page book and trick the reader into landing on page 1,000, the device syncs that as the furthest page and he gets paid the maximum. Scam authors are doing this through a variety of tricks.

What's interesting is that while Amazon is definitely concerned about this kind of fraud, it doesn't affect Amazon's bottom line. The fixed payment pool doesn't change; just who gets how much of it does.

EDITED TO ADD: John Scalzi comments.

Posted on April 28, 2016 at 8:20 AM • 30 Comments

Two Good Readings on the Encryption "Going Dark" Debate

Testimonies of Matt Blaze and Danny Weitzner, both on April 19th before the House Energy and Commerce Committee. And the hearing.

Posted on April 27, 2016 at 6:46 AM • 59 Comments

People Trust Robots, Even When They Don't Inspire Trust

Interesting research:

In the study, sponsored in part by the Air Force Office of Scientific Research (AFOSR), the researchers recruited a group of 42 volunteers, most of them college students, and asked them to follow a brightly colored robot that had the words "Emergency Guide Robot" on its side. The robot led the study subjects to a conference room, where they were asked to complete a survey about robots and read an unrelated magazine article. The subjects were not told the true nature of the research project.

In some cases, the robot -- which was controlled by a hidden researcher -- led the volunteers into the wrong room and traveled around in a circle twice before entering the conference room. For several test subjects, the robot stopped moving, and an experimenter told the subjects that the robot had broken down. Once the subjects were in the conference room with the door closed, the hallway through which the participants had entered the building was filled with artificial smoke, which set off a smoke alarm.

When the test subjects opened the conference room door, they saw the smoke -- and the robot, which was then brightly-lit with red LEDs and white "arms" that served as pointers. The robot directed the subjects to an exit in the back of the building instead of toward the doorway -- marked with exit signs -- that had been used to enter the building.

"We expected that if the robot had proven itself untrustworthy in guiding them to the conference room, that people wouldn't follow it during the simulated emergency," said Paul Robinette, a GTRI research engineer who conducted the study as part of his doctoral dissertation. "Instead, all of the volunteers followed the robot's instructions, no matter how well it had performed previously. We absolutely didn't expect this."

The researchers surmise that in the scenario they studied, the robot may have become an "authority figure" that the test subjects were more likely to trust in the time pressure of an emergency. In simulation-based research done without a realistic emergency scenario, test subjects did not trust a robot that had previously made mistakes.

Our notions of trust depend on all sorts of cues that have nothing to do with actual trustworthiness. I would be interested in seeing where the robot falls on the continuum of authority figures. Is it trusted more or less than a man in a hazmat suit? A woman in a business suit? An obviously panicky student? How do different-looking robots fare?

News article. Research paper.

Posted on April 26, 2016 at 9:33 AM • 52 Comments

Graffiti by Drone

Drones can graffiti walls that no person can reach.

(Note that wired.com blocks ad blockers. My trick is to copy the page and then paste it into my text editor.)

Posted on April 25, 2016 at 12:07 PM • 52 Comments

BlackBerry's Global Encryption Key

Last week, there was a big news story about the BlackBerry encryption key. The news was that all consumer BlackBerry devices share a single global encryption key, and that the Canadian RCMP has a copy of it. Stupid design, certainly, but it's not news. As the Register points out, this has been repeatedly reported on since 2010.

And note that this only holds for individual users. If your organization uses a BlackBerry Enterprise Server (BES), it has its own unique key, so a copy of the global key doesn't help with that traffic.

Posted on April 25, 2016 at 5:54 AM • 30 Comments

Friday Squid Blogging: My Little Cephalopod

I assume this is more amusing to people who know about My Little Pony.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on April 22, 2016 at 4:24 PM • 157 Comments

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.