Essays: 2015 Archives

How the Internet of Things Limits Consumer Choice

  • Bruce Schneier
  • The Atlantic
  • December 24, 2015

In theory, the Internet of Things—the connected network of tiny computers inside home appliances, household objects, even clothing—promises to make your life easier and your work more efficient. These computers will communicate with each other and the Internet in homes and public spaces, collecting data about their environment and making changes based on the information they receive. In theory, connected sensors will anticipate your needs, saving you time, money, and energy.

Except when the companies that make these connected objects act in a way that runs counter to the consumer’s best interests—as the technology company Philips did recently with its smart ambient-lighting system, Hue, which consists of a central controller that can remotely communicate with light bulbs. In mid-December, the company pushed out a …

Can Laws Keep Up with Tech World?

  • Bruce Schneier
  • CNN
  • December 21, 2015

On Thursday, a Brazilian judge ordered the text messaging service WhatsApp shut down for 48 hours. It was a monumental action.

WhatsApp is the most popular app in Brazil, used by about 100 million people. The Brazilian telecoms hate the service because it entices people away from more expensive text messaging services, and they have been lobbying for months to convince the government that it’s unregulated and illegal. A judge finally agreed.

In Brazil’s case, WhatsApp was blocked for allegedly failing to respond to a court order. Another judge …

The Automation of Reputation

  • Bruce Schneier
  • Edge
  • November 5, 2015

This essay is part of a conversation with Gloria Origgi entitled “What is Reputation?” Other participants were Abbas Raza, William Poundstone, Hugo Mercier, Quentin Hardy, Martin Nowak and Roger Highfield, Bruce Schneier, and Kai Krause.

Reputation is a social mechanism by which we come to trust one another, in all aspects of our society. I see it as a security mechanism. The promise and threat of a change in reputation entices us all to be trustworthy, which in turn enables others to trust us. In a very real sense, reputation enables friendships, commerce, and everything else we do in society. It’s old, older than our species, and we are finely tuned to both perceive and remember reputation information, and broadcast it to others…

The Rise of Political Doxing

  • Bruce Schneier
  • Motherboard
  • October 28, 2015

Last week, CIA director John O. Brennan became the latest victim of what’s become a popular way to embarrass and harass people on the internet. A hacker allegedly broke into his AOL account and published emails and documents found inside, many of them personal and sensitive.

It’s called doxing—sometimes doxxing—from the word “documents.” It emerged in the 1990s as a hacker revenge tactic, and has since been used as a tool to harass and intimidate people, primarily women, on the internet. Someone would threaten a woman with physical harm, or try to incite others to harm her, and publish her personal information as a way of saying “I know a lot about you—like where you live and work.” Victims of doxing …

Face Facts about Internet Security

  • Bruce Schneier
  • CNN
  • October 23, 2015

If the director of the CIA can’t keep his e-mail secure, what hope do the rest of us have—for our e-mail or any of our digital information?

None, and that’s why the companies that we entrust with our digital lives need to be required to secure it for us, and held accountable when they fail. It’s not just a personal or business issue; it’s a matter of public safety.

The details of the story are worth repeating. Someone, reportedly a teenager, hacked into CIA Director John O. Brennan’s AOL account. He says he did so by posing as a Verizon employee to Verizon to get personal information about Brennan’s account, as well as his bank card number and his AOL e-mail address. Then he called AOL and pretended to be Brennan. Armed with the information he got from Verizon, he convinced AOL customer service to reset his password…

The Era Of Automatic Facial Recognition And Surveillance Is Here

  • Bruce Schneier
  • Forbes
  • September 29, 2015

ID checks were a common response to the terrorist attacks of 9/11, but they’ll soon be obsolete. You won’t have to show your ID, because you’ll be identified automatically. A security camera will capture your face, and it’ll be matched with your name and a whole lot of other information besides. Welcome to the world of automatic facial recognition. Those who have access to databases of identified photos will have the power to identify us. Yes, it’ll enable some amazing personalized services; but it’ll also enable whole new levels of surveillance. The underlying technologies are being developed today, and there are currently no rules limiting their use…

Stealing Fingerprints

  • Bruce Schneier
  • Motherboard
  • September 29, 2015

The news from the Office of Personnel Management hack keeps getting worse. In addition to the personal records of over 20 million US government employees, we’ve now learned that the hackers stole fingerprint files for 5.6 million of them.

This is fundamentally different from the data thefts we regularly read about in the news, and should give us pause before we entrust our biometric data to large networked databases.

There are three basic kinds of data that can be stolen. The first, and most common, is authentication credentials. These are passwords and other information that allows someone else access into our accounts and—usually—our money. An example would be the 56 million credit card numbers hackers …

VW Scandal Could Just Be the Beginning

  • Bruce Schneier
  • CNN
  • September 28, 2015

Portuguese translation by Ricardo R Hashimoto

For the past six years, Volkswagen has been cheating on the emissions testing for its diesel cars. The cars’ computers were able to detect when they were being tested, and temporarily alter how their engines worked so they looked much cleaner than they actually were. When they weren’t being tested, they belched out 40 times the pollutants. Their CEO has resigned, and the company will face an expensive recall, enormous fines and worse.

Cheating on regulatory testing has a long history in corporate America. It …

Living in Code Yellow

  • Bruce Schneier
  • Fusion
  • September 22, 2015

In 1989, handgun expert Jeff Cooper invented something called the Color Code to describe what he called the ‘combat mind-set.’ Here is his summary:

In White you are unprepared and unready to take lethal action. If you are attacked in White you will probably die unless your adversary is totally inept.

In Yellow you bring yourself to the understanding that your life may be in danger and that you may have to do something about it.

In Orange you have determined upon a specific adversary and are prepared to take action which may result in his death, but you are not in a lethal mode…

Hacking Team, Computer Vulnerabilities, and the NSA

  • Bruce Schneier
  • Georgetown Journal of International Affairs
  • September 13, 2015

When the National Security Administration (NSA)—or any government agency—discovers a vulnerability in a popular computer system, should it disclose it or not? The debate exists because vulnerabilities have both offensive and defensive uses. Offensively, vulnerabilities can be exploited to penetrate others’ computers and networks, either for espionage or destructive purposes. Defensively, publicly revealing security flaws can be used to make our own systems less vulnerable to those same attacks. The two options are mutually exclusive: either we can help to secure both our own networks and the systems we might want to attack, or we can keep both networks vulnerable. Many, myself …

Is It OK to Shoot Down a Drone over Your Backyard?

  • Bruce Schneier
  • CNN
  • September 9, 2015

Last month, a Kentucky man shot down a drone that was hovering near his backyard.

WDRB News reported that the camera drone’s owners soon showed up at the home of the shooter, William H. Merideth: “Four guys came over to confront me about it, and I happened to be armed, so that changed their minds,” Merideth said. “They asked me, ‘Are you the S-O-B that shot my drone?’ and I said, ‘Yes I am,’” he said. “I had my 40 mm Glock on me and they started toward me and I told them, ‘If you cross my sidewalk, there’s gonna be another shooting.’” Police charged Merideth with criminal mischief and wanton endangerment…

The Meanest Email You Ever Wrote, Searchable on the Internet

The doxing of Ashley Madison reveals an uncomfortable truth: In the age of cloud computing, everyone is vulnerable.

  • Bruce Schneier
  • The Atlantic
  • September 8, 2015

Most of us get to be thoroughly relieved that our emails weren’t in the Ashley Madison database. But don’t get too comfortable. Whatever secrets you have, even the ones you don’t think of as secret, are more likely than you think to get dumped on the Internet. It’s not your fault, and there’s largely nothing you can do about it.

Welcome to the age of organizational doxing.

Organizational doxing—stealing data from an organization’s network and indiscriminately dumping it all on the Internet—is an increasingly popular attack against organizations. Because our data is connected to the Internet, and stored in corporate networks, we are all in the potential blast-radius of these attacks. While the risk that any particular bit of data gets published is low, we have to start thinking about what could happen if a larger-scale breach affects us or the people we care about. It’s going to get a lot uglier before security improves…

Should Some Secrets Be Exposed?

  • Bruce Schneier
  • CNN
  • July 7, 2015

German translation

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It’s a huge trove, and already reporters are writing stories about the highly secretive government.

What Saudi Arabia is experiencing isn’t common but part of a growing trend.

Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world…

Why We Encrypt

  • Bruce Schneier
  • Foreword to Privacy International's Securing Safe Spaces Online
  • June 2015

Bosnian translation
French translation
Hungarian translation
Persian translation
Russian translation
Spanish translation

Encryption protects our data. It protects our data when it’s sitting on our computers and in data centres, and it protects it when it’s being transmitted around the Internet. It protects our conversations, whether video, voice, or text. It protects our privacy. It protects our anonymity. And sometimes, it protects our lives.

This protection is important for everyone. It’s easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbours, and family members. It protects it from malicious attackers, and it protects it from accidents…

China and Russia Almost Definitely Have the Snowden Docs

  • Bruce Schneier
  • Wired
  • June 16, 2015

Last weekend, the Sunday Times published a front-page story (full text here), citing anonymous British sources claiming that both China and Russia have copies of the Snowden documents. It’s a terrible article, filled with factual inaccuracies and unsubstantiated claims about both Snowden’s actions and the damage caused by his disclosure, and others have thoroughly refuted the story. I want to focus on the actual question: Do countries like China and Russia have copies of the Snowden documents?

I believe the answer is certainly yes, but that it’s almost certainly not Snowden’s fault…

Why are We Spending $7 Billion on TSA?

  • Bruce Schneier
  • CNN
  • June 5, 2015

News that the Transportation Security Administration missed a whopping 95% of guns and bombs in recent airport security “red team” tests was justifiably shocking. It’s clear that we’re not getting value for the $7 billion we’re paying the TSA annually.

But there’s another conclusion, inescapable and disturbing to many, but good news all around: We don’t need $7 billion worth of airport security. These results demonstrate that there isn’t much risk of airplane terrorism, and we should ratchet security down to pre-9/11 levels.

We don’t need perfect airport security…

Debate: Should Companies Do Most of Their Computing in the Cloud?

  • Bruce Schneier
  • The Economist
  • June 5, 2015

From May 26th to June 5th, 2015, The Economist hosted a debate on cloud computing, with Ludwig Siegele as moderator, Simon Crosby taking the Yes position, and Bruce Schneier as No. For the full debate, see The Economist’s site. Bruce’s entries are reprinted below.

Opening Remarks

Yes. No. Yes. Maybe. Yes. Okay, it’s complicated.

The economics of cloud computing are compelling. For companies, the lower operating costs, the lack of capital expenditure, the ability to quickly scale and the ability to outsource maintenance are just some of the benefits. Computing is infrastructure, like cleaning, payroll, tax preparation and legal services. All of these are outsourced. And computing is becoming a utility, like power and water. Everyone does their power generation and water distribution “in the cloud”. Why should information technology (IT) be any different?…

How We Sold Our Souls—and More—to the Internet Giants

From TVs that listen in on us to a doll that records your child’s questions, data collection has become both dangerously intrusive and highly profitable. Is it time for governments to act to curb online surveillance?

  • Bruce Schneier
  • The Guardian
  • May 17, 2015

Persian translation
Portuguese translation

Last year, when my refrigerator broke, the repair man replaced the computer that controls it. I realised that I had been thinking about the refrigerator backwards: it’s not a refrigerator with a computer, it’s a computer that keeps food cold. Just like that, everything is turning into a computer. Your phone is a computer that makes calls. Your car is a computer with wheels and an engine. Your oven is a computer that cooks lasagne. Your camera is a computer that takes pictures. Even our pets and livestock are now regularly chipped; my cat could be considered a computer that sleeps in the sun all day…

Could Your Plane Be Hacked?

  • Bruce Schneier
  • CNN
  • April 16, 2015

Imagine this: A terrorist hacks into a commercial airplane from the ground, takes over the controls from the pilots and flies the plane into the ground. It sounds like the plot of some “Die Hard” reboot, but it’s actually one of the possible scenarios outlined in a new Government Accountability Office report on security vulnerabilities in modern airplanes.

It’s certainly possible, but in the scheme of Internet risks I worry about, it’s not very high. I’m more worried about the more pedestrian attacks against more common Internet-connected devices. I’m more worried, for example, about a multination cyber arms race that stockpiles capabilities such as this, and prioritizes attack over defense in an effort to gain relative advantage. I worry about the democratization of cyberattack techniques, and who might have the capabilities currently reserved for nation-states. And I worry about a future a decade from now if these problems aren’t addressed…

Baseball’s New Metal Detectors Won’t Keep You Safe. They’ll Just Make You Miss a Few Innings

Security theater meets America's pastime.

  • Bruce Schneier
  • The Washington Post
  • April 14, 2015

Fans attending Major League Baseball games are being greeted in a new way this year: with metal detectors at the ballparks. Touted as a counterterrorism measure, they’re nothing of the sort. They’re pure security theater: They look good without doing anything to make us safer. We’re stuck with them because of a combination of buck passing, CYA thinking and fear.

As a security measure, the new devices are laughable. The ballpark metal detectors are much more lax than the ones at an airport checkpoint. They aren’t very sensitive — people with phones and keys in their pockets are …

The Big Idea: Bruce Schneier

  • Bruce Schneier
  • Whatever
  • March 4, 2015

What’s your electronic data worth to you? What is it worth to others? And what’s the dividing line between your privacy and your convenience? These are questions Bruce Schneier thinks a lot about, and as he shows in Data and Goliath, they are questions which have an impact on where society and technology are going next.

BRUCE SCHNEIER:

Data and Goliath is a book about surveillance, both government and corporate. It’s an exploration in three parts: what’s happening, why it matters, and what to do about it. This is a big and important issue, and one that I’ve been working on for decades now. We’ve been on a headlong path of more and more surveillance, fueled by fear—of terrorism mostly—on the government side, and convenience on the corporate side. My goal was to step back and say “wait a minute; does any of this make sense?” I’m proud of the book, and hope it will contribute to the debate…

Hacker or Spy? In Today's Cyberattacks, Finding the Culprit Is a Troubling Puzzle

  • Bruce Schneier
  • March 4, 2015

The Sony hack revealed the challenges of identifying perpetrators of cyberattacks, especially as hackers can masquerade as government soldiers and spies, and vice versa. It’s a dangerous new dynamic for foreign relations, especially as what governments know about hackers – and how they know it – remains secret.

The vigorous debate after the Sony Pictures breach pitted the Obama administration against many of us in the cybersecurity community who didn’t buy Washington’s claim that North Korea was the culprit.

What’s both amazing—and perhaps a bit frightening—about that dispute over who hacked Sony is that it happened in the first place…

The World's Most Sophisticated Hacks: Governments?

  • Bruce Schneier
  • Fortune
  • March 3, 2015

Last month, Moscow-based security software maker Kaspersky Labs published detailed information on what it calls the Equation Group and how the U.S. National Security Agency and their U.K. counterpart, GCHQ, have figured out how to embed spyware deep inside computers, gaining almost total control of those computers to eavesdrop on most of the world’s computers, even in the face of reboots, operating system reinstalls, and commercial anti-virus products. The details are impressive, and I urge anyone interested in tech to read the Kaspersky documents, or these …

The Security Value of Muddling Through

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2015

Of all the stories to come out of last year’s massive Sony hack, the most interesting was the ineffectiveness of the company’s incident response. Its initial reactions were indicative of a company in panic, and Sony’s senior executives even talked about how long it took them to fully understand the attack’s magnitude.

Sadly, this is more the norm than the exception. It seems to be the way Target and Home Depot handled their large hacks in 2013 and 2014, respectively. The lack of immediate response made the incidents worse.

It doesn’t have to be this way. Crisis management was developed in the 1980s in response to large-scale industrial and environmental disasters. It includes procedures and best practices, professional organizations for industry, and a wide array of products and services. It’s something IT incident response teams need to learn from, understand, and integrate with, as an Internet attack can quickly become a broader organizational crisis…

Cyberweapons Have No Allegiance

  • Bruce Schneier
  • Motherboard
  • February 25, 2015

The thing about infrastructure is that everyone uses it. If it’s secure, it’s secure for everyone. And if it’s insecure, it’s insecure for everyone. This forces some hard policy choices.

When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA’s program for what is called packet injection—basically, a technology that allows the agency to hack into computers.

Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well…

Everyone Wants You To Have Security, But Not From Them

  • Bruce Schneier
  • Forbes
  • February 23, 2015

French translation

In December Google’s Executive Chairman Eric Schmidt was interviewed at the CATO Institute Surveillance Conference. One of the things he said, after talking about some of the security measures his company has put in place post-Snowden, was: “If you have important information, the safest place to keep it is in Google. And I can assure you that the safest place to not keep it is anywhere else.”

That surprised me, because Google collects all of your information to show you more targeted advertising. Surveillance is the business model of the Internet, and Google is one of the most successful companies at that. To claim that Google protects your privacy better than anyone else is to profoundly misunderstand why Google stores your data for free in the first place…

Your TV May Be Watching You

  • Bruce Schneier
  • CNN
  • February 11, 2015

German translation by Damian Weber

Earlier this week, we learned that Samsung televisions are eavesdropping on their owners. If you have one of their Internet-connected smart TVs, you can turn on a voice command feature that saves you the trouble of finding the remote, pushing buttons and scrolling through menus. But making that feature work requires the television to listen to everything you say. And what you say isn’t just processed by the television; it may be forwarded over the Internet for remote processing. It’s literally Orwellian.

This discovery surprised people, but it shouldn’t have. The things around us are increasingly computerized, and increasingly connected to the Internet. And most of them are listening…

When Thinking Machines Break The Law

  • Bruce Schneier
  • Edge
  • January 28, 2015

Last year, two Swiss artists programmed a Random Darknet Shopper, which every week would spend $100 in bitcoin to buy a random item from an anonymous Internet black market…all for an art project on display in Switzerland. It was a clever concept, except there was a problem. Most of the stuff the bot purchased was benign—fake Diesel jeans, a baseball cap with a hidden camera, a stash can, a pair of Nike trainers—but it also purchased ten ecstasy tablets and a fake Hungarian passport.

What do we do when a machine breaks the law? Traditionally, we hold the person controlling the machine responsible. People commit the crimes; the guns, lockpicks, or computer viruses are merely their tools. But as machines become more autonomous, the link between machine and controller becomes more tenuous…

The Importance of Deleting Old Stuff—Another Lesson From the Sony Attack

  • Bruce Schneier
  • Ars Technica
  • January 12, 2015

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there’s another equally important but much less discussed lesson here: companies should have an aggressive deletion policy…

The Government Must Show Us the Evidence That North Korea Attacked Sony

American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong.

  • Bruce Schneier
  • Time
  • January 5, 2015

When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the U.S. government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have …

We Still Don't Know Who Hacked Sony

Welcome to a world where it's impossible to tell the difference between random hackers and governments.

  • Bruce Schneier
  • The Atlantic
  • January 5, 2015

If anything should disturb you about the Sony hacking incidents and subsequent denial-of-service attack against North Korea, it’s that we still don’t know who’s behind any of it. The FBI said in December that North Korea attacked Sony. I and others have serious doubts. There’s countervailing evidence to suggest that the culprit may have been a Sony insider or perhaps Russian nationals.

No one has admitted taking down North Korea’s Internet. It could have been an act of retaliation by the U.S. government, but it could just as well have been an …
