Latest Essays

Don't Fear the TSA Cutting Airport Security. Be Glad That They’re Talking about It.

  • Bruce Schneier
  • The Washington Post
  • August 7, 2018

Last week, CNN reported that the Transportation Security Administration is considering eliminating security at U.S. airports that fly only smaller planes — 60 seats or fewer. Passengers connecting to larger planes would clear security at their destinations.

To be clear, the TSA has put forth no concrete proposal.

Read More →

Censorship in the Age of Large Cloud Providers

  • Bruce Schneier
  • Lawfare
  • June 7, 2018

Internet censors have a new strategy in their bid to block applications and websites: pressuring the large cloud providers that host them. These providers have concerns that are much broader than the targets of censorship efforts, so they have the choice of either standing up to the censors or capitulating in order to maximize their business. Today's internet largely reflects the dominance of a handful of companies behind the cloud services, search engines and mobile platforms that underpin the technology landscape. This new centralization radically tips the balance between those who want to censor parts of the internet and those trying to evade censorship.

Read More →

Why the FBI Wants You to Reboot Your Router — and Why That Won’t Be Enough Next Time

The security threats will keep getting worse.

  • Bruce Schneier
  • The Washington Post
  • June 6, 2018

On May 25, the FBI asked us all to reboot our routers. The story behind this request is one of sophisticated malware and unsophisticated home-network security, and it's a harbinger of the sorts of pervasive threats — from nation-states, criminals and hackers — that we should expect in coming years.

VPNFilter is a sophisticated piece of malware that infects mostly older home and small-office routers made by Linksys, MikroTik, Netgear, QNAP and TP-Link. (For a list of specific models, click here.) It's an impressive piece of work. It can eavesdrop on traffic passing through the router — specifically, log-in credentials and SCADA traffic, which is a networking protocol that controls power plants, chemical plants and industrial systems — attack other targets on the Internet and destructively "kill" its infected device.

Read More →

Data Protection Laws Are Shining a Needed Light on a Secretive Industry

  • Bruce Schneier
  • The Guardian
  • June 1, 2018

When Marc Zuckerberg testified before both the House and the Senate last month, it became immediately obvious that few US lawmakers had any appetite to regulate the pervasive surveillance taking place on the internet.

Right now, the only way we can force these companies to take our privacy more seriously is through the market. But the market is broken. First, none of us do business directly with these data brokers.

Read More →

What "Efail" Tells Us About Email Vulnerabilities and Disclosure

  • Bruce Schneier
  • Lawfare
  • May 24, 2018

Last week, researchers disclosed vulnerabilities in a large number of encrypted email clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client into sending a copy of the plaintext to a web server controlled by that attacker. The story of these vulnerabilities and the tale of how they were disclosed illustrate some important lessons about security vulnerabilities in general and email security in particular.

But first, if you use PGP or S/MIME to encrypt email, you need to check the list on this page and see if you are vulnerable. If you are, check with the vendor to see if they've fixed the vulnerability.

Read More →

Banning Chinese Phones Won't Fix Security Problems with Our Electronic Supply Chain

The real issue is overall trust.

  • Bruce Schneier
  • The Washington Post
  • May 8, 2018

Earlier this month, the Pentagon stopped selling phones made by the Chinese companies ZTE and Huawei on military bases because they might be used to spy on their users.

It's a legitimate fear, and perhaps a prudent action. But it's just one instance of the much larger issue of securing our supply chains.

All of our computerized systems are deeply international, and we have no choice but to trust the companies and governments that touch those systems.

Read More →

American Elections Are Too Easy to Hack. We Must Take Action Now

  • Bruce Schneier
  • The Guardian
  • April 18, 2018

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose.

Read More →

It's Not Just Facebook. Thousands of Companies are Spying on You

  • Bruce Schneier
  • CNN
  • March 26, 2018

French translation

In the wake of the Cambridge Analytica scandal, news articles and commentators have focused on what Facebook knows about us. A lot, it turns out. It collects data from our posts, our likes, our photos, things we type and delete without posting, and things we do while not on Facebook and even when we're offline. It buys data about us from others.

Read More →

Artificial Intelligence and the Attack/Defense Balance

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2018

Artificial intelligence technologies have the potential to upend the longstanding advantage that attack has over defense on the Internet. This has to do with the relative strengths and weaknesses of people and computers, how those all interplay in Internet security, and where AI technologies might change things.

You can divide Internet security tasks into two sets: what humans do well and what computers do well. Traditionally, computers excel at speed, scale, and scope.

Read More →

Can Consumers' Online Data Be Protected?

  • Bruce Schneier
  • CQ Researcher
  • February 9, 2018

This essay appeared as half of a point/counterpoint with Priscilla Regan, in a CQ Researcher report on Privacy and the Internet.

Con

Everything online is hackable. This is true for Equifax's data and the federal Office of Personal Management's data, which was hacked in 2015. If information is on a computer connected to the internet, it is vulnerable.

But just because everything is hackable doesn't mean everything will be hacked.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.