Schneier on Security
A blog covering security and security technology.
April 13, 2012
Me at RSA 2012
This is not a video of my talk at the RSA Conference earlier this year. This is a 16-minute version of that talk -- TED-like -- that the conference filmed the day after for the purpose of putting it on the Internet.
Today's Internet threats are not technical; they're social and political. They aren't criminals, hackers, or terrorists. They're the government and corporate attempts to mold the Internet into what they want it to be, either to bolster their business models or facilitate social control. Right now, these two goals coincide, making it harder than ever to keep the Internet free and open.
Posted on April 13, 2012 at 2:11 PM
• 14 Comments
"Today's Internet threats are not technical ... They aren't criminals, hackers, or terrorists."
That is strange, there are countless hacker attacks on the internet. Bruce didn't have to deny that, just in order to assert that governments/companies are ALSO a threat. That is, unless "internet threats" are conveniently redefined.
Right now I am reading "The Shadow World: Inside the Global Arms Trade" (which I highly recommend) and I am amazed how the pure power and money plays I see and how strong the parallels are to the internet. One of the classic ways arms deals happen is one third-party selling to two separate entities who are often enemies in order to profit, a model that we have and will most definitely see an increase in. (I'm thinking along the lines of 0-day exploits for sale particularly)
Besides the pure money/profit motive though, I think the power motive is one not looked at closely enough. My personal opinion is that the internet itself is increasingly seen as a threat to the powers that be, primarily because it removes their ability to do one particularly important thing: control information. This is not just about controlling the data that an individual leaks about themselves, this is about the massive, decentralized dissemination of data to the people themselves. Wikileaks comes to mind. When I get into this discussion with friends I just go back through the various forms of communication that humans have developed over time, (language, writing, printing press, radio, telegram, tv, internet, etc) and when you look at the history of those mediums it becomes starkly clear that the internet is unique because its fundamental model is one of decentralization, which flies in the face of the methods used to control the other mediums.
But let's get down to the real issue. Government. Speaking from an American perspective, the reality is that the people do not have control over their government, and that sadly there are bigger wrongs going on with our implicit backing than the various threats to the internet we talk about. Fundamental issues (civil rights, constitutional rights, human rights, etc) are being compromised left and right by the left and right at every turn, and the people are increasingly under the spell of the gatekeepers of their "information bubbles" which restrict their ability and desire to gain control of it.
Essentially I would argue that we will lose the fight you talk about in the video if we approach it as the only issue, and that the only path to making progress is in the retaking of government by the people. From there, the conversation is simply about tactics. What is the best way to do this? Do we form our own massive lobbying system? How effective would it be? How do we break through people's information bubbles to get them to see the bigger picture? When do we decide to work on reverse engineering elections and legal processes ourselves?
And the biggest question is how far do we take it all and what are our limits?
Thank you, Bruce.
You stated those points in a really clear, and I think powerful, way.
Nice talk indeed.
@ Bruce, it's very difficult to get all your book-collections on socio-political and
Fortunately, we follow in India:
1) Text on socio-political issues-
Liars and Outliers,
Secret and Lies
2) Books on core-crypto security subject-
It's true that the basic motive behind the Internet was sharing of knowledge beyond the political and geographical boundaries. Knowledge and information should be free but it can be misused and/or sold for personal gains. In the last few years the Govts. have seen agitations leading to major shifts in the political arena in many nations. The convergence of telecom into the Internet became out of control for the law enforcement systems across the globe, in recent past.
It is like the man going wild with the power (boon) of the Internet....
Also, nice shirt. I finally get where the tagline "The closest thing the security industry has to a rock star" comes from.
Great presentation Bruce. I've already forwarded it to a number of my family and friends! :-) Agreed with Mailman - nice shirt!
@Frank Ch. Eigler I think that this was not what Bruce was saying. These are threats directed against companies, or people, that use the internet as a support. Those are carried out by hackers/terrorist/etc.
On the other hand the only real threats to the Internet itself come from governments.
As a tech geek, an armchair economist, and a libertarian/voluntarist, the risks you identify really resonate with me. Also, I really appreciate your "whole picture" analysis (not just looking at the technology, but also the people, economics and politics).
I would probably distinguish two sub-risks in your first bucket: (1A) bad feature trade-offs by companies (security, privacy, etc.) and (1B) lobbying by companies.
This distinction helps to see that risks 1B, 2 and 3 are all related to government intervention on the internet. The internet has been as close to a free market as we ever had, but there government has been increasingly encroaching (and not just in China, Iran, etc.). Let's keep political power off the grid and keep it a voluntary and collaborative place.
When it comes to 1A I am less worried as the market and the competitive process provide effective corrective mechanisms. Companies are free to build privacy-sensitive, secure, anonymous and un-walled/un-locked product offerings and promote them as alternatives to "Big Data" products. The same holds for cloud providers. Better feature sets and trade-offs will emerge over time. The real danger is if coercion enters the game (via lobbying and government) to prevent or limit what competitors can do.
Do you have any ideas on how to mitigate risk 3 (armament race)?
@qdii, I don't see that in his talk. He spent a lot of time talking about loss of privacy inherent in storing tons of personal info out in the cloud. Indeed that is a problem. But the Internet was already around decades before this, and would still be if Facebook & Google &c. were to disappear.
In the trivial sense of police/laws shutting down all ISPs or transnational connections, OK, but that's not very interesting.
I hope RSA puts the real video up soon so I can watch the entire audience bolt out en masse to snag a free copy of your book XD
I dislike the use of the term "Internet threat" here. What it means is "threats directed toward the internet" but what it reads as is "threats from or representing the internet". I assume (hope?) this is due to a lack of context.
Bruce, let me repost:
Are there laws (federal or state) which regulate information brokers' activities (e.g. legitimate sources of information collected including Internet service providers, legitimate usage/distribution of profiles created, etc.) or is it just a Wild West area?
I did not share the idea that government is ALWAYS the source of the problem.
It can and should be the part of the solution, e.g. with reasonable and uniform privacy protection through legislation.
The problem is not with the government itself but with the people working for the government utilizing their authority for personal gain or with government - private business partnership with information brokers to bypass restrictions on government activity to create massive electronic profiles on law abiding citizens just for usage of their constitutional rights (they still could not distinguish dissent and disloyalty, unfortunately).
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.