NODAPL lessons • November 23, 2016 8:34 AM

Thanks for this. Very nice to see a North American expert defining security as the civilized world does: protecting humans from an overreaching state. It's also encouraging that IEEE has someplace he can present this kind of heterodoxy.

shouldn't be required • November 24, 2016 8:38 PM

The paper makes sense except the part about the best way to defend against domestic spying being to require putting in a valid phone number (mandatory 2-factor authentication through SMS, which has a downgrade attack with export ciphers; search "fake base station" if you think this is just paranoia). Also the part about trusting Google and Microsoft and your local telecom to protect you from domestic spying, and the part about sending attachments through the cloud (Google Drive, etc.) instead of simply abandoning attachments (do you really NEED PDFs and documents with built-in macros?), not to mention that enabling JavaScript (needed by Google Drive) is almost as dangerous as opening random PDF attachments.

Schneier fan • November 24, 2016 9:03 PM

Most of your advice is great, and I've recommended you to many, but the article you just recommended is advocating for proxies, VPNs, Tor and I2P to all be criminalized:

"Companies' collaborative efforts to share information about threats is another important move. So, too, is the growing sophistication of other methods of acting on signals of user identity, such as requiring authentication when unfamiliar devices [ANY OS-FINGERPRINT SCRAMBLER], locations [ANY KIND OF ANONYMIZING SERVICE], and browsers [ANY USER AGENT RANDOMIZER] are detected.
In this article, I emphasized default-on two-factor [THIS IS A CALL FOR GOVERNMENT TO TAKE DOWN ANY WEBSITE THAT DOESN'T REQUIRE EVERYONE TO SUBMIT WORKING PHONE NUMBERS AS PART OF REGISTRATION] authentication as a similarly important goal, despite its associated costs.
'It wasn't until seat belts became standard in cars and required by law that people started to use them ubiquitously' [A CALL TO FINE OR INCARCERATE ANYONE WHO DOESN'T GO OUT OF THEIR WAY TO DEANONYMIZE EVERYONE]"

The parts in [] are my summaries of the article.

Curious • November 25, 2016 3:58 AM

Presumably, anti-virus software is still great for when surfing pr0n, even though some people apparently disapprove of anti-virus software for whatever reason. Heh, let me know if you think otherwise.

Kevin • December 4, 2016 8:55 PM

Dear Bruce,
Thanks for all your incredible work over the years. I recently attended a breakfast "Keeping Secrets Secret" that had Chuck Archer, former FBI Assistant Director as keynote speaker. I am not a security expert but I do have some concerns for the security of medical information with the 2012 introduction of the Personally Controlled Electronic Health Record in Australia. I am speaking later this week at the Digital Hospital of the Future Conference at the Intercontinental Hotel in Sydney.

I think the main reason Australians have not adopted the newly named "My Health Record" is one of privacy. I would be keen to quote you during this conference if you have any comments you would like to make on this important topic.

I hope you have a Merry Christmas or Happy Holiday whichever you prefer.

Kind regards

Kevin M Reid


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.