Interview with Ross Anderson

Cybersecurity researcher Ross Anderson has a good interview on edge.org.

Posted on May 11, 2017 at 5:58 AM • 16 Comments

Comments

R • May 11, 2017 8:07 AM

I wish D.C. types would read this. There's this blind enthusiasm for self-driving cars eliminating deaths from manual driving, ignoring that the scale of safety issues introduced by software flaws or malware brings new safety risks with catastrophic consequences of scale.

Patriot COMSEC • May 11, 2017 10:05 AM

What I caught from this interesting article is the Darwinian, consumption-oriented worldview, the physicality, even hunger, of the struggle to control data.

It's an extension of hitting each other over the head with rocks, or throwing bones into the air until we blink and see a space station.

The word "exploit" sticks in my mind, from his use of it.

It is a rich article that was well worth reading.

Clive Robinson • May 11, 2017 12:08 PM

I remember the lead up to the first crypto war in the UK, which Ross remembers briefly as,

Here in Britain we had tussles with the Blair government, which started off being against key escrow, but was then rapidly persuaded by Al Gore to get onboard the American bandwagon.

It's not quite how I remember it. Whilst Al Gore was around later, the bloke doing the Euro Trip with secret meetings with senior civil servants and police chiefs was the FBI's point man Louis Freeh, who had said to the US legislators, untruthfully, that the widespread use of effective encryption,

    [I]s one of the most difficult problems for law enforcement as the next century approaches

And that against terrorism and serious crimes, the,

    country [US] would be unable to protect itself

He thus started a faux crusade that argued --again falsely-- that the loss of wiretapping to law enforcement as a result of encryption was a clear and present danger.

The US politicians did not bite, so Louis Freeh decided to try a different tack to drum up support. He basically went around European policing organisations with the old "If you knew what I know but I can't tell you" routine to frighten them out of their pants with what we now call FUD, in order for them to put political pressure on their leaders, who in turn would put pressure on the US administration...

In the UK ACPO especially banged the drum about it as a way to get more funding. The result is that they still falsely bang the drum even today at the UK Home Secretary Amber Rudd, as they did to her predecessor Theresa May, who was stupid enough to swallow the line "hook, line and sinker" and drew up the "Snoopers' Charter", which will do about squat diddly for crime and terrorism.

Where the resources need to be put, as Ross Anderson quite rightly points out, is dealing with the low level criminal activities that are "cyber-crime" and account for about three quarters of crime that actually affects UK citizens...

Importantly, I suspect that the figures are broadly similar in the US. For the same reason the politicians want to ignore cyber-crime: the migration to it by criminals has in effect taken the smarter criminals out of meatspace crime, thus making meatspace crime figures drop whilst also making meatspace crime prosecutions easier, thus filling the corporate pockets of the private prison industry, who have been caught out giving kickbacks to judges for both more and longer sentences.

So one massive job creation scheme with profits all round.

Clive Robinson • May 11, 2017 1:00 PM

Just to show that Ross Anderson is right when he talks about those adept at using the search tools is this story from the Intercept,

https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/

Basically, a highly confidential set of documents about an IBM cracker for passwords/encryption for the US DoD / NSA got put on the Web by New York University. Who did it, and the how and the why of it, is unknown.

However it was found by someone adept at using a search engine as the piece indicates,

    The only tool Adam used to find the NYU trove was Shodan.io, a website that’s roughly equivalent to Google for internet-connected, and typically unsecured, computers and appliances around the world, famous for turning up everything from baby monitors to farming equipment.

@ Nick P, it's another one of those Hacker News coincidences...

AndrewJ • May 11, 2017 7:57 PM

When I read this article the other day it immediately reminded me of Bruce:

Over the years I found myself changing from a mathematician into a hardware engineer, into an economist, into a psychologist.

It's interesting to compare this to Bruce's books over time, starting off with pure crypto and moving into the cross disciplinary approach in recent titles.

tyr • May 11, 2017 9:09 PM

@Clive

Louis Freeh always struck me as one of Dr. Moreau's experiments to create a man from a weasel.

Rudd looks like a May clone and apparently inherited the bad ideas in the transfer.

@AndrewJ

Polymathy for the win.

Patriot COMSEC • May 11, 2017 10:15 PM

Sometimes I try to get my mind around these lapses, such as the one Clive Robinson mentioned above. You would think that the United States or Great Britain would have people who scan the internet for classified information that is about to be exposed. I start to consider the possibility that no one really cares. Orwell talked about how power is stupid. Indeed.

If you try to get your mind around the OPM disaster, how the intimate details of the lives of millions of people with clearances in the U.S. could be exposed, downloaded, and exfiltrated, it's a brain-twister. It dawned on me that the reason this kind of thing happens is that no one cares--it does not affect my wallet--and if you do care, then it is as if you are from outer space. The tendency is to act as if it did not happen--even though it may have been one of the most damaging events in U.S. history.

Drone • May 12, 2017 1:13 AM

Dang, another un-viewable video posted to Vimeo. Unlike YouTube, Vimeo is BANNED by the Government here in Indonesia (and other countries too). People need to learn that, as long as the content isn't borderline lewd, to get the widest coverage they should post to both YouTube and Vimeo.

At least the text is on the article's page as a fallback.

Ref: Indonesia bans Vimeo

www.lowyinstitute.org/the-interpreter/indonesia-bans-vimeo

Dan H • May 12, 2017 8:15 AM

@Patriot COMSEC

I am one who was affected by the OPM breach, and I do care, but what am I to do? I received some communication from them and a number to call, but the damage was already done.

Hopefully government and industry learned from that debacle so it doesn't happen again, but then one reads of other hacks and you realize nothing changed.

Winter • May 12, 2017 8:36 AM

@Dan H
"Hopefully government and industry learned from that debacle so it doesn't happen again, but then one reads of other hacks and you realize nothing changed."

Some quarters do listen. And some laws can have an effect:

The global implications of the EU General Data Protection Regulation
https://www.eiuperspectives.economist.com/technology-innovation/global-implications-eu-general-data-protection-regulation

Key impacts of the EU General Data Protection Regulation
http://www.williamfry.com/newsandinsights/news-article/2016/06/08/key-impacts-of-the-eu-general-data-protection-regulation

The word "Draconian" has been murmured:

Organisations will be potentially subject to fines of up to:

  • €10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches; and
  • €20 million or 4% of total worldwide annual turnover (whichever is greater) for very serious breaches.

Clive Robinson • May 12, 2017 9:03 AM

@ Winter,

The word "Draconian" has been murmured

As in "insufficiently draconian"?

It's been pointed out that banks have paid billions in fines but no seniors ever get their "collars felt".

As far as I'm aware only Iceland have gone after the big boys with jail sentences.

The thing is, those fines sound big but they are tax deductible and come only from the lower level workers' pockets, as shareholders have to be kept onside wherever possible. Thus there is actually little incentive to make the seniors pay their dues. Mandatory term jail sentences for directors etc. might just bring them into line...

Winter • May 12, 2017 9:22 AM

@Clive
"As in "insufficiently draconian"?"

It is a problem inherent to the concept of a limited company and lifting the corporate veil. But the maximal fines are 2-4% of the global turnover. For most companies, that is a sizeable part of their profits.

Experience on the cartel and monopoly front has shown that these fines really bite. And they can be levied per incident. All the signs are that corporations are really, really afraid of the GDPR.

gordo • May 12, 2017 7:09 PM

From the interview with Ross Anderson:

    We’ve certainly seen in the USA the way that [social media] techniques were used more effectively by Mr. Trump than they were by Mrs. Clinton.

    What that's going to teach everybody is that if you’re in the business of politics, you have to get good at this stuff and you have to get good fast, otherwise you’re out of a job. There’s going to be a lot of rapid and aggressive development of techniques of intrusive surveillance, of psychological profiling of voters, and micro-targeting of political messages. And we don't know what the consequences of doing that will be.

Given the EU's GDPR and a post-Brexit Britain in flux, the threat landscape seems especially attuned to Americans:

Moyers & Company, Democracy & Government
Our Next President: Also Brought to You by Big Data and Digital Advertising
How the Trump campaign used big data to elect a president.
By Jeff Chester | January 6, 2017

    The US is still one of the only advanced-economy countries without comprehensive privacy legislation, and what little we have is already under threat. For the vast majority of Americans, there is practically no legal way to turn off or stem the flow of their information. The government’s “hands-off” approach to how Facebook, Google and the rest of the digital marketing industry operate has helped unleash powerful and unaccountable forces that helped elect our next president.

http://billmoyers.com/story/our-next-president-also-brought-to-you-by-big-data-and-digital-advertising/

Patriot COMSEC • May 13, 2017 5:28 AM

@ Dan H

So you know the deal. I feel bad about that breach because it is my country and it was dumb, even shamefully dumb.

If the Chinese know you enjoy a little too much booze once in a while, that is not really the end of the world. But for some people, the info they divulged during a clearance interview is blackmail city.

My privacy was violated because others did not care enough to encrypt. I think more heads should roll. It is a big fat disgrace.

wumpus • May 13, 2017 11:15 AM

@R (commentary on self-driving cars)

Much of the issue is that anyone with power tends to assume everything must be mandatory or prohibited based on that person's whims. There are a number of people who would be far better off having a car drive for them (the elderly, alcoholics) and plenty who would otherwise benefit (underage).

Having a situation where humans can avoid the rare issues where these cars' software fails is likely a huge benefit. Having the autopilots outnumber the human drivers is a different case entirely.
