What's your electronic data worth to you? What is it worth to others? And what's the dividing line between your privacy and your convenience? These are questions Bruce Schneier thinks a lot about, and as he shows in Data and Goliath, they are questions which have an impact on where society and technology are going next.
Data and Goliath is a book about surveillance, both government and corporate. It's an exploration in three parts: what's happening, why it matters, and what to do about it.
The Sony hack revealed the challenges of identifying perpetrators of cyberattacks, especially as hackers can masquerade as government soldiers and spies, and vice versa. It's a dangerous new dynamic for foreign relations, especially as what governments know about hackers – and how they know it – remains secret.
The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn't buy Washington's claim that North Korea was the culprit.
What's both amazing—and perhaps a bit frightening—about that dispute over who hacked Sony is that it happened in the first place.
But what it highlights is the fact that we're living in a world where we can't easily tell the difference between a couple of guys in a basement apartment and the North Korean government with an estimated $10 billion military budget.
Last month, Moscow-based security software maker Kaspersky Labs published detailed information on what it calls the Equation Group and how the U.S. National Security Agency and their U.K. counterpart, GCHQ, have figure how to embed spyware deep inside computers, gaining almost total control of those computers to eavesdrop on most of the world's computers, even in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested in tech to read the Kaspersky documents, or these very detailed articles.
In December Google's Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: "If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else."
The surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place.
German translation by Damian Weber
Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn't just processed by the television; it may be forwarded over the Internet for remote processing.
Last year, two Swiss artists programmed a Random Botnot Shopper, which every week would spend $100 in bitcoin to buy a random item from an anonymous Internet black market...all for an art project on display in Switzerland. It was a clever concept, except there was a problem. Most of the stuff the bot purchased was benign—fake Diesel jeans, a baseball cap with a hidden camera, a stash can, a pair of Nike trainers—but it also purchased ten ecstasy tablets and a fake Hungarian passport.
What do we do when a machine breaks the law?
Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.
But while companies are supposed to learn that they need to improve their security against attack, there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.
One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral.
American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong
When you're attacked by a missile, you can follow its trajectory back to where it was launched from. When you're attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.
Many of us in the computer-security field are skeptical of the U.S.
Welcome to a world where it's impossible to tell the difference between random hackers and governments.
If anything should disturb you about the Sony hacking incidents and subsequent denial-of-service attack against North Korea, it's that we still don't know who's behind any of it. The FBI said in December that North Korea attacked Sony. I and others have serious doubts. There's countervailing evidence to suggest that the culprit may have been a Sony insider or perhaps Russian nationals.
No one has admitted taking down North Korea's Internet.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.