Tracking World Leaders Using Strava

Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using it to track their runs, and you could look at the public data and find places where there should be no people running.

Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do.

Posted on October 31, 2024 at 11:16 AM • 9 Comments

Comments

Winter October 31, 2024 11:56 AM

So, we go from tracking celebrities by their private planes (Celebrity Private Jet Tracker), to military deployments and world leaders through the Strava use of their personnel.

This is a side-channel attack that can be extended endlessly.

VIPs affect their environment because of their entourage and changes in behavior of the local population. The US president travels with their own “army”, but most other VIPs will depend on local security and services.

Someone, somewhere will find a way to follow VIPs by the way they stir up local services and their employees, like preferred transportation and chauffeurs. If a VIP wants a certain type of flower arrangement, or other personal service, in their residence, it should be possible to look out for that changing.

Clive Robinson October 31, 2024 12:08 PM

Six degrees of the cyber age

https://en.m.wikipedia.org/wiki/Six_degrees_of_separation

I thought we had talked about this a decade or more ago when those first systems that produced “relationship maps/charts” appeared, that authorities had great hopes would find every terrorist in existence.

As it turns out it appears terrorists must be either somewhat smarter or less connected.

The data to do this sort of connection is in so many databases of “third party business records” that get sold left right and center to anyone with a few dollars in hand, that I’m surprised it’s news any more.

ratwithahat October 31, 2024 2:06 PM

Unfortunately all the Le Monde articles are behind a paywall.

Seems like this relies on being able to figure out who the bodyguards are and their profiles. I guess it’s about the same as being able to figure out where someone is by looking at their social media posts, just a bit easier.

Anyways, in my opinion more of an issue on the users’ side than the app’s side, unless users are not intending to share their locations. But looking at the purpose of the app, it seems sharing your location is the point.

Clive Robinson October 31, 2024 10:10 PM

@ Winter, ALL,

With regards,

“Someone, somewhere will find a way to follow VIPs by the way they stir up local services and their employees…”

Not just “VIPs” remember Law Enforcement have grabbed “crime bosses” when large orders for pizza have been placed to feed not just the “boss” but the “entourage” as well.

It’s not just the “carbon” that leaves an easily seen “footprint”… one “boss” was caught because the vehicles they and their entourage were moving in effectively drained a small local gas station, and word got out fairly quickly.

There are even stories about the start of the first gulf war and the Pentagon. Apparently so many “take outs” were ordered most fast food outlets in the area knew that the “midnight oil” was being burnt and the “starters gun” had been fired.

But the opposite applies sometimes. Back in WWII prior to D-Day apparently Patton had two or more “ghost divisions” forming his “Ghost Army”. In reality just over a thousand talented soldiers running around the South East corner of Kent etc, creating much noise and disturbance to fool the Germans,

https://en.m.wikipedia.org/wiki/Ghost_Army

Colin Bennett November 1, 2024 10:46 AM

ratwithahat wrote:

Anyways, in my opinion more of an issue on the users’ side than the app’s side, unless users are not intending to share their locations. But looking at the purpose of the app, it seems sharing your location is the point.

It might not be that these users are intentionally sharing their location data with the public. I have used Strava, as well as other similar apps, to track my own runs. I expect this data to be private and only accessible to myself.

The problem here is that companies are trying to make everything “social”. It often is done by default.

Another example is the peer-to-peer payment app Venmo. By default it publicly shares every transaction you make. You have to explicitly go in and change your settings from the default public mode to private, which seems crazy. Who wants to see every payment their friends make to other random people? And who wants to share their own payment details publicly?

Clive Robinson November 1, 2024 8:42 PM

@ Colin Bennett, ratwithahat,

With regards,

“The problem here is that companies are trying to make everything “social”. It often is done by default.”

Err not quite.

The companies are trying to make everything “profit”, and that is the default behaviour.

Thus,

1, The costs of storing data are minimised.

2, The costs of making data available are minimised.

So the data is stored in an “all in silo” and the code to access it has minimal –if any– security.

Thus anyone wanting to get to the whole data set for any way to get an illicit advantage comes in effect,

1, Built in

2, With minimal if any prevention.

Such is the way of the world, where there is a “race to the bottom” built in that happens due to “free market” etc unrestricted capitalism.

As this century has shown in its entirety so far, and at least the latter half of the 20th century before it, unless there is strong legislation and regulation, significant harm will be done.

Thus lack of security is just one of many such “failings of the system” with the consequence data gets hemorrhaged as there are not robust controls in place.

The reality is that you are the only person who can protect your data.

Because if you make the mistake of allowing any other entity to have access to your data, they will do with it what they please not what you want. Even if you have a contract etc in place with the entity it will not stop them behaving in a “minimum cost” way, and you will inevitably pay the cost. The only way the entity will treat your data with a greater level of protection is if there is a significant incentive in play for them to do so.

The “big wolf” sitting at the entities door with a “hungry look” attitude is one such. Which is the role Government, its legislators, regulators, and prosecutors are supposed to play. With those at the highest levels in entities breaking legislation and regulation doing significant time as well as disbarred for life, with the entity being shut down and the data made inaccessible.

But most importantly, is legislation that,

“Makes your data your property”

That you can not sell or relinquish control over.

ResearcherZero November 4, 2024 4:49 AM

There is a good reason to track their movement and calculate the cost.

Emissions of billionaires are causing economic losses of trillions of dollars.

https://www.oxfam.org/en/press-releases/billionaires-emit-more-carbon-pollution-90-minutes-average-person-does-lifetime

At current emissions, the threshold of 1.5 °C will be crossed in the early 2030s.
https://www.sciencedirect.com/science/article/pii/S2666791622000252

The total emissions produced by the richest 10% could pass this on their own in 2030.
https://news.sky.com/story/the-worlds-richest-are-plundering-the-planet-billionaires-huge-carbon-footprints-prompt-call-for-action-12460623

ResearcherZero November 4, 2024 5:00 AM

user agreements

Identifying the presidential bodyguards — some of them using their full name on Strava — could also help in finding other details about their personal addresses, their families, their movements, and photos they posted on various social media, all of which could possibly be used to put pressure on them for malicious purposes, the report stressed.

https://apnews.com/article/biden-trump-macron-bodyguards-security-strava-0a48afca09c7aa74d703e72833dcaf72
