Essays: 2014 Archives

2015: The Year "Doxing" Will Hit Home

  • Bruce Schneier
  • BetaBoston
  • December 31, 2014

Those of you unfamiliar with hacker culture might need an explanation of “doxing.”

The word refers to the practice of publishing personal information about people without their consent. Usually it’s things like an address and phone number, but it can also be credit card details, medical information, private e-mails—pretty much anything an assailant can get his hands on.

Doxing is not new; the term dates back to 2001 and the hacker group Anonymous. But it can be incredibly offensive. In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games…

Did North Korea Really Attack Sony?

It's too early to take the U.S. government at its word.

  • Bruce Schneier
  • The Atlantic
  • December 22, 2014

I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn’t believe it.

Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one since North Koreans use a …

Sony Made It Easy, but Any of Us Could Get Hacked

A focused, skillful cyber attacker will always get in, warns a security expert.

  • Bruce Schneier
  • The Wall Street Journal
  • December 19, 2014

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment’s computer systems and began revealing many of the Hollywood studio’s best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama’s presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of …

The Best Thing We Can Do About the Sony Hack Is Calm Down

  • Bruce Schneier
  • Motherboard
  • December 19, 2014

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I’ve heard calls for us to strike back, with actual missiles and bombs. We’re collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed—and financially hurt—by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It’s not even close…

What Are the Limits of Police Subterfuge?

A warrantless FBI search in Las Vegas sets a troubling precedent.

  • Bruce Schneier
  • The Atlantic
  • December 17, 2014

The next time you call for assistance because the Internet service in your home is not working, the ‘technician’ who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have ‘consented’ to an intrusive search of your home…

Over 700 Million People Taking Steps to Avoid NSA Surveillance

  • Bruce Schneier
  • Lawfare
  • December 15, 2014

German translation by Yuri Samoilov

There’s a new international survey on Internet security and trust, of ‘23,376 Internet users in 24 countries,’ including ‘Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.’ Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those ‘have taken steps to protect their online privacy and security as a result of his revelations.’…

NSA Hacking of Cell Phone Networks

  • Bruce Schneier
  • Lawfare
  • December 8, 2014

The Intercept has published an article—based on the Snowden documents—about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.

In that way, AURORAGOLD is similar to the NSA’s …

Antivirus Companies Should Be More Open About Their Government Malware Discoveries

Antivirus companies had tracked the sophisticated—and likely U.S.-backed—Regin malware for years. But they kept what they learned to themselves.

  • Bruce Schneier
  • MIT Technology Review
  • December 5, 2014

Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It’s more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there’s substantial evidence that it was built and operated by the United States.

This isn’t the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame…

Why Uber's "God View" Is Creepy

  • Bruce Schneier
  • CNN
  • December 4, 2014

In the Internet age, we have no choice but to entrust our data with private companies: e-mail providers, service providers, retailers, and so on.

We realize that this data is at risk from hackers. But there’s another risk as well: the employees of the companies who are holding our data for us.

In the early years of Facebook, employees had a master password that enabled them to view anything they wanted in any account. NSA employees occasionally snoop on their friends and partners. The agency even has a name for it: LOVEINT. And well before the Internet, people with access to police or medical records occasionally used that power to look up either famous people or people they knew. …

Stop the Hysteria over Apple Encryption

  • Bruce Schneier
  • CNN
  • October 3, 2014

Last week Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone’s encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it.

From now on, all the phone’s data is protected. It can no longer be accessed by criminals, governments, or rogue employees. Access to it can no longer be demanded by totalitarian governments. A user’s iPhone data is now more secure .

To hear U.S. law enforcement respond, you’d think Apple’s move heralded an unstoppable crime wave. See, the FBI had been using that vulnerability to get into peoples’ iPhones. In the …

The Future of Incident Response

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2014

View or Download in Acrobat Format

Security is a combination of protection, detection, and response. It’s taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network. By 2000, we realized that detection needed to be formalized as well, and the industry was full of detection products and services.

This decade is one of response. Over the past few years, we’ve started seeing incident response (IR) products and services. Security teams are incorporating them into their arsenal because of three trends in computing. One, we’ve lost control of our computing environment. More of our data is held in the cloud by other companies, and more of our actual networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures…

The U.S.'s Hypocritical Stance Against Chinese Hackers

  • Bruce Schneier
  • Time
  • May 20, 2014

Chinese hacking of American computer networks is old news. For years we’ve known about their attacks against U.S. government and corporate targets. We’ve seen detailed reports of how they hacked The New York Times. Google has detected them going after Gmail accounts of dissidents. They’ve built sophisticated worldwide eavesdropping networks. These hacks target both military secrets and corporate intellectual property. They’re perpetrated by a combination of state, state-sponsored and state-tolerated hackers. It’s been going on for years.

On Monday, the Justice Department …

A Human Problem

The Heartbleed bug that was reported in April allowed hackers to steal private online information. Cyber-security analyst Bruce Schneier argues that such technical vulnerabilities always arise from human errors.

  • Bruce Schneier
  • The Mark News
  • May 19, 2014

The announcement on April 7 was alarming. A new internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere.

It was a software insecurity, but the problem was entirely human.

Software has vulnerabilities because it’s written by people, and people make mistakes—thousands of mistakes. This particular mistake was made in 2011 by a German graduate student who was one of the unpaid volunteers working on a piece of software called OpenSSL. The update was approved by a British consultant…

Should U.S. Hackers Fix Cybersecurity Holes or Exploit Them?

  • Bruce Schneier
  • The Atlantic
  • May 19, 2014

There’s a debate going on about whether the U.S. government—specifically, the NSA and United States Cyber Command—should stockpile Internet vulnerabilities or disclose and fix them. It’s a complicated problem, and one that starkly illustrates the difficulty of separating attack and defense in cyberspace.

A software vulnerability is a programming mistake that allows an adversary access into that system. Heartbleed is a recent example, but hundreds are discovered every year.

Unpublished vulnerabilities are called “zero-day” vulnerabilities, and they’re very valuable because no one is protected. Someone with one of those can attack systems world-wide with impunity…

Let the Spies Spy, Let the Cops Chase Terrorists

  • Bruce Schneier
  • CNN
  • May 15, 2014

According to NSA documents published in Glenn Greenwald’s new book “No Place to Hide,” we now know that the NSA spies on embassies and missions all over the world, including those of Brazil, Bulgaria, Colombia, the European Union, France, Georgia, Greece, India, Italy, Japan, Mexico, Slovakia, South Africa, South Korea, Taiwan, Venezuela and Vietnam.

This will certainly strain international relations, as happened when it was revealed that the United States is eavesdropping on German Chancellor Angela Merkel’s cell phone—but is anyone really surprised? Spying on foreign governments is what the NSA is …

Internet Subversion

  • Bruce Schneier
  • Boston Review
  • May/June 2014

In addition to turning the Internet into a worldwide surveillance platform, the NSA has surreptitiously weakened the products, protocols, and standards we all use to protect ourselves. By doing so, it has destroyed the trust that underlies the Internet. We need that trust back.

Trust is inherently social. It is personal, relative, situational, and fluid. It is not uniquely human, but it is the underpinning of everything we have accomplished as a species. We trust other people, but we also trust organizations and processes. The psychology is complex, but when we trust a technology, we basically believe that it will work as intended…

How Secure are Snapchat-style Apps?

  • Bruce Schneier
  • CNN
  • March 26, 2014

Ephemeral messaging apps such as Snapchat, Wickr and Frankly, all of which advertise that your photo, message or update will only be accessible for a short period, are on the rise. Snapchat and Frankly, for example, claim they permanently delete messages, photos and videos after 10 seconds. After that, there’s no record.

This notion is especially popular with young people, and these apps are an antidote to sites such as Facebook where everything you post lasts forever unless you take it down—and taking it down is no guarantee that it isn’t still available…

Don’t Listen to Google and Facebook: The Public-Private Surveillance Partnership Is Still Going Strong

And real corporate security is still impossible.

  • Bruce Schneier
  • The Atlantic
  • March 25, 2014

If you’ve been reading the news recently, you might think that corporate America is doing its best to thwart NSA surveillance.

Google just announced that it is encrypting Gmail when you access it from your computer or phone, and between data centers. Last week, Mark Zuckerberg personally called President Obama to complain about the NSA using Facebook as a means to hack computers, and Facebook’s Chief Security Officer explained to reporters that the attack technique has not worked since last summer. Yahoo, Google, Microsoft, and others are now regularly publishing “…

There's No Real Difference Between Online Espionage and Online Attack

  • Bruce Schneier
  • The Atlantic
  • March 6, 2014

Back when we first started getting reports of the Chinese breaking into U.S. computer networks for espionage purposes, we described it in some very strong language. We called the Chinese actions cyberattacks. We sometimes even invoked the word cyberwar, and declared that a cyber-attack was an act of war.

When Edward Snowden revealed that the NSA has been doing exactly the same thing as the Chinese to computer networks around the world, we used much more moderate language to describe U.S. actions: words like espionage, or intelligence gathering, or spying. We stressed that it’s a peacetime activity, and that everyone does it…

Metadata = Surveillance

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2014

Ever since reporters began publishing stories about NSA activities, based on documents provided by Edward Snowden, we’ve been repeatedly assured by government officials that it’s “only metadata.” This might fool the average person, but it shouldn’t fool those of us in the security field. Metadata equals surveillance data, and collecting metadata on people means putting them under surveillance.

An easy thought experiment demonstrates this. Imagine that you hired a private detective to eavesdrop on a subject. That detective would plant a bug in that subject’s home, office, and car. He would eavesdrop on his computer. He would listen in on that subject’s conversations, both face to face and remotely, and you would get a report on what was said in those conversations. (This is what President Obama repeatedly reassures us isn’t happening with our phone calls. But am I the only one who finds it suspicious that he always uses very specific words? “The NSA is not listening in on your phone calls.” This leaves open the possibility that the NSA is recording, transcribing, and analyzing your phone calls—and very occasionally reading them. This is far more likely to be true, and something a pedantically minded president could claim he wasn’t lying about.)…

NSA Robots are "Collecting" Your Data, Too, and They're Getting Away With It

  • Bruce Schneier
  • The Guardian
  • February 27, 2014

Increasingly, we are watched not by people but by algorithms. Amazon and Netflix track the books we buy and the movies we stream, and suggest other books and movies based on our habits. Google and Facebook watch what we do and what we say, and show us advertisements based on our behavior. Google even modifies our web search results based on our previous behavior. Smartphone navigation apps watch us as we drive, and update suggested route information based on traffic congestion. And the National Security Agency, of course, monitors our phone calls, emails and locations, then uses that information to try to identify terrorists…

Choosing a Secure Password

  • Bruce Schneier
  • Boing Boing
  • February 25, 2014

As insecure as passwords generally are, they’re not going away anytime soon. Every year you have more and more passwords to deal with, and every year they get easier and easier to break. You need a strategy.

The best way to explain how to choose a good password is to explain how they’re broken. The general attack model is what’s known as an offline password-guessing attack. In this scenario, the attacker gets a file of encrypted passwords from somewhere people want to authenticate to. His goal is to turn that encrypted file into unencrypted passwords he can use to authenticate himself. He does this by guessing passwords, and then seeing if they’re correct. He can try guesses as fast as his computer will process them—and he can parallelize the attack—and gets immediate confirmation if he guesses correctly. Yes, there are ways to foil this attack, and that’s why we can still have four-digit PINs on ATM cards, but it’s the correct model for breaking passwords…

It's Time to Break Up the NSA

  • Bruce Schneier
  • CNN
  • February 20, 2014

The NSA has become too big and too powerful. What was supposed to be a single agency with a dual mission—protecting the security of U.S. communications and eavesdropping on the communications of our enemies—has become unbalanced in the post-Cold War, all-terrorism-all-the-time era.

Putting the U.S. Cyber Command, the military’s cyberwar wing, in the same location and under the same commander, expanded the NSA’s power. The result is an agency that prioritizes intelligence gathering over security, and that’s increasingly putting us all at risk…

Let the NSA Keep Hold of the Data

Giving it to private companies will only make privacy intrusion worse.

  • Bruce Schneier
  • Slate
  • February 14, 2014

One of the recommendations by the president’s Review Group on Intelligence and Communications Technologies on reforming the National Security Agency—No. 5, if you’re counting—is that the government should not collect and store telephone metadata. Instead, a private company—either the phone companies themselves or some other third party—should store the metadata and provide it to the government only upon a court order.

This isn’t a new idea. Over the past decade, several countries have enacted mandatory data retention laws, in which companies are required to save Internet or telephony data about customers for a specified period of time, in case the government needs it for an investigation. But does it make sense? In December, Harvard Law professor Jack Goldsmith …

Everything We Know About How the NSA Tracks People's Physical Location

  • Bruce Schneier
  • The Atlantic
  • February 11, 2014

French translation

Glenn Greenwald is back reporting about the NSA, now with Pierre Omidyar’s news organization FirstLook and its introductory publication, The Intercept. Writing with national security reporter Jeremy Scahill, his first article covers how the NSA helps target individuals for assassination by drone.

Leaving aside the extensive political implications of the story, the article and the NSA source documents reveal additional information about how the agency’s programs work. From this and other articles, we can now piece together how the NSA tracks individuals in the real world through their actions in cyberspace…

How the NSA Threatens National Security

  • Bruce Schneier
  • The Atlantic
  • January 6, 2014

Secret NSA eavesdropping is still in the news. Details about once secret programs continue to leak. The Director of National Intelligence has recently declassified additional information, and the President’s Review Group has just released its report and recommendations.

With all this going on, it’s easy to become inured to the breadth and depth of the NSA’s activities. But through the disclosures, we’ve learned an enormous amount about the agency’s capabilities, how it is failing to protect us, and what we need to do to regain security in the Information Age…

The Internet of Things Is Wildly Insecure—And Often Unpatchable

  • Bruce Schneier
  • Wired
  • January 6, 2014

Japanese translation

We’re at a crisis point now with regard to the security of embedded systems, where computing is embedded into the hardware itself—as with the Internet of Things. These embedded computers are riddled with vulnerabilities, and there’s no good way to patch them.

It’s not unlike what happened in the mid-1990s, when the insecurity of personal computers was reaching crisis levels. Software and operating systems were riddled with security vulnerabilities, and there was no good way to patch them. Companies were trying to keep vulnerabilities secret, and not releasing security updates quickly. And when updates were released, it was hard—if not impossible—to get users to install them. This has changed over the past twenty years, due to a combination of full disclosure—publishing vulnerabilities to force companies to issue patches quicker—and automatic updates: automating the process of installing updates on users’ computers. The results aren’t perfect, but they’re much better than ever before…

Sidebar photo of Bruce Schneier by Joe MacInnis.