Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on.
Governments want to spy on their citizens for all sorts of reasons. Some countries do it to help solve crimes or to try to find "terrorists" before they act.
Others do it to find and arrest reporters or dissidents. Some only target individuals, others attempt to spy on everyone all the time.
Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T and Verizon collected all of your browsing history and sold it on to the highest bidder. That's what will probably happen if Congress has its way.
This week, lawmakers voted to allow internet service providers to violate your privacy for their own profit.
On Monday, the TSA announced a peculiar new security measure to take effect within 96 hours. Passengers flying into the US on foreign airlines from eight Muslim countries would be prohibited from carrying aboard any electronics larger than a smartphone. They would have to be checked and put into the cargo hold. And now the UK is following suit.
Last month at the RSA Conference, I saw a lot of companies selling security incident response automation. Their promise was to replace people with computers—sometimes with the addition of machine learning or other artificial intelligence (AI) techniques—and to respond to attacks at computer speeds.
While this is a laudable goal, there's a fundamental problem with doing this in the short term. You can only automate what you're certain about, and there is still an enormous amount of uncertainty in cybersecurity.
Don't get doxed.
This essay also appeared in The Age.
A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too: Before computers, what we said disappeared once we'd said it. Neither face-to-face conversations nor telephone conversations were routinely recorded.
The relentless push to add connectivity to home gadgets is creating dangerous side effects that figure to get even worse.
Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.
But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort.
With the Internet of Things, we’re building a world-size robot. How are we going to control it?
Last year, on October 21, your digital video recorder — or at least a DVR like yours — knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet. You probably didn't realize that your DVR had that kind of power. But it does.
President Barack Obama's public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive emails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations.
The administration is balancing political considerations and the inherent secrecy of electronic espionage with the need to justify its actions to the public. These issues will continue to plague us as more international conflict plays out in cyberspace.
This essay appeared as a response to Edge's annual question, "what scientific term or concept ought to be more widely known?"
There's a concept from computer security known as a class break. It's a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system's software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet.
Unproven reports of possible discrepancies in the Rust Belt just show how untrustworthy the system is.
Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania.
The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.