Essays: 2016 Archives

Class Breaks

  • Bruce Schneier
  • Edge
  • December 30, 2016

This essay appeared as a response to Edge's annual question, "what scientific term or concept ought to be more widely known?"

There's a concept from computer security known as a class break. It's a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system's software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allows an attacker to recruit those devices into a massive botnet.


U.S. Elections Are a Mess, Even Though There’s No Evidence This One Was Hacked

Unproven reports of possible discrepancies in the Rust Belt just show how untrustworthy the system is.

  • Bruce Schneier
  • The Washington Post
  • November 23, 2016

Was the 2016 presidential election hacked? It's hard to tell. There were no obvious hacks on Election Day, but new reports have raised the question of whether voting machines were tampered with in three states that Donald Trump won this month: Wisconsin, Michigan and Pennsylvania.

The researchers behind these reports include voting rights lawyer John Bonifaz and J. Alex Halderman, the director of the University of Michigan Center for Computer Security and Society, both respected in the community.


Testimony at the U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks”

  • Bruce Schneier
  • November 16, 2016

Testimony of Bruce Schneier
Fellow, Berkman-Klein Center at Harvard University
Lecturer and Fellow, Harvard Kennedy School of Government
Special Advisor to IBM Security and CTO of Resilient: An IBM Company

Before the

U.S. House of Representatives
Committee on Energy and Commerce
Subcommittee on Communications and Technology, and the
Subcommittee on Commerce, Manufacturing, and Trade

Joint Hearing Entitled
“Understanding the Role of Connected Devices in Recent Cyber Attacks”

November 16, 2016
10:00 AM


Good morning. Chairmen Walden and Burgess, Ranking Members Eshoo and Schakowsky, members of the committee: thank you for the opportunity to testify on this matter. Although I have an affiliation with both Harvard University and IBM, I am testifying in my personal capacity as a cybersecurity expert and nothing I say should be construed as the official position of either of those organizations.


American Elections Will Be Hacked

  • Bruce Schneier
  • The New York Times
  • November 9, 2016

It's over. The voting went smoothly. As of the time of writing, there are no serious fraud allegations, nor credible evidence that anyone tampered with voting rolls or voting machines. And most important, the results are not in doubt.


Your WiFi-Connected Thermostat Can Take Down the Whole Internet. We Need New Regulations.

  • Bruce Schneier
  • The Washington Post
  • November 3, 2016

Late last month, popular websites like Twitter, Pinterest, Reddit and PayPal went down for most of a day. The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, were as much a failure of market and policy as they were of technology. If we want to secure our increasingly computerized and connected world, we need more government involvement in the security of the "Internet of Things" and increased regulation of what are now critical and life-threatening technologies. It's no longer a question of if, it's a question of when.


Lessons From the Dyn DDoS Attack

  • Bruce Schneier
  • SecurityIntelligence
  • November 1, 2016

A week ago Friday, someone took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. The attacker sends a massive amount of traffic, causing the victim's system to slow to a crawl and eventually crash. There are more or less clever variants, but basically, it's a datapipe-size battle between attacker and victim.


Cybersecurity Issues for the Next Administration

Solutions require both corporate regulation and international cooperation

  • Bruce Schneier
  • Time
  • October 13, 2016

This essay appeared on Time.com as part of a special section called Let's Talk About the Issues.

On today's Internet, too much power is concentrated in too few hands. In the early days of the Internet, individuals were empowered. Now governments and corporations hold the balance of power. If we are to leave a better Internet for the next generations, governments need to rebalance Internet power more towards the individual.


We Need to Save the Internet from the Internet of Things

  • Bruce Schneier
  • Motherboard
  • October 6, 2016

Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.


How Long Until Hackers Start Faking Leaked Documents?

There’s nothing stopping attackers from manipulating the data they make public.

  • Bruce Schneier
  • The Atlantic
  • September 13, 2016

In the past few years, the devastating effects of hackers breaking into an organization's network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca.

This style of attack is known as organizational doxing. The hackers, in some cases individuals and in others nation-states, are out to make political points by revealing proprietary, secret, and sometimes incriminating information.


Someone Is Learning How to Take Down the Internet

  • Bruce Schneier
  • Lawfare
  • September 13, 2016

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China and Russia would be my first guesses.


Stop Trying to Fix the User

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2016

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that.


New Leaks Prove It: The NSA Is Putting Us All at Risk to Be Hacked

  • Bruce Schneier
  • Vox
  • August 24, 2016

The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe.


Hackers Are Putting U.S. Election at Risk

  • Bruce Schneier
  • CNN
  • July 28, 2016

Russia has attacked the U.S. in cyberspace in an attempt to influence our national election, many experts have concluded. We need to take this national security threat seriously and both respond and defend, despite the partisan nature of this particular attack.

There is virtually no debate about that, either from the technical experts who analyzed the attack last month or the FBI which is analyzing it now.


By November, Russian Hackers Could Target Voting Machines

If Russia really is responsible, there's no reason political interference would end with the DNC emails.

  • Bruce Schneier
  • The Washington Post
  • July 27, 2016

Russia was behind the hacks into the Democratic National Committee's computer network that led to the release of thousands of internal emails just before the party's convention began, U.S. intelligence agencies have reportedly concluded.

The FBI is investigating. WikiLeaks promises there is more data to come.


The Internet of Things Will Turn Large-Scale Hacks into Real World Disasters

  • Bruce Schneier
  • Motherboard
  • July 25, 2016

Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die.


Credential Stealing as Attack Vector

  • Bruce Schneier
  • Xconomy
  • April 20, 2016

Portuguese translation

Traditional computer security concerns itself with vulnerabilities. We employ antivirus software to detect malware that exploits vulnerabilities. We have automatic patching systems to fix vulnerabilities. We debate whether the FBI should be permitted to introduce vulnerabilities in our software so it can get access to systems with a warrant.


The Value of Encryption

  • Bruce Schneier
  • The Ripon Forum
  • April 2016

In today's world of ubiquitous computers and networks, it's hard to overstate the value of encryption. Quite simply, encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers.


Can You Trust IRS to Keep Your Tax Data Secure?

  • Bruce Schneier
  • CNN
  • April 13, 2016

Monday is Tax Day. Many of us are thinking about our taxes. Are they too high or too low? What's our money being spent on? Do we have a government worth paying for?


Your iPhone Just Got Less Secure. Blame the FBI.

When Johns Hopkins discovered a different security flaw, it notified Apple so the problem could be fixed. The FBI is keeping its newly found breach a secret from everyone.

  • Bruce Schneier
  • The Washington Post
  • March 29, 2016

The FBI's legal battle with Apple is over, but the way it ended may not be good news for anyone.

Federal agents had been seeking to compel Apple to break the security of an iPhone 5c that had been used by one of the San Bernardino, Calif., terrorists. Apple had been fighting a court order to cooperate with the FBI, arguing that the authorities' request was illegal and that creating a tool to break into the phone was itself harmful to the security of every iPhone user worldwide.

Last week, the FBI told the court it had learned of a possible way to break into the phone using a third party's solution, without Apple's help.


Cryptography Is Harder Than It Looks

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2016

Writing a magazine column is always an exercise in time travel. I'm writing these words in early December. You're reading them in February. This means anything that's news as I write this will be old hat in two months, and anything that's news to you hasn't happened yet as I'm writing.


Data Is a Toxic Asset, So Why Not Throw It Out?

  • Bruce Schneier
  • CNN
  • March 1, 2016

Thefts of personal information aren't unusual. Every week, thieves break into networks and steal data about people, often tens of millions at a time. Most of the time it's information that's needed to commit fraud, as happened in 2015 to Experian and the IRS.

Sometimes it's stolen for purposes of embarrassment or coercion, as in the 2015 cases of Ashley Madison and the U.S.


A ‘Key’ for Encryption, Even for Good Reasons, Weakens Security

  • Bruce Schneier
  • The New York Times Room for Debate
  • February 23, 2016

This essay is part of a debate with Denise Zheng of the Center for Strategic and International Studies.

Encryption keeps you safe. Encryption protects your financial details and passwords when you bank online. It protects your cell phone conversations from eavesdroppers. If you encrypt your laptop—and I hope you do—it protects your data if your computer is stolen.


Why You Should Side With Apple, Not the FBI, in the San Bernardino iPhone Case

Either everyone gets security, or no one does.

  • Bruce Schneier
  • The Washington Post
  • February 18, 2016

Earlier this week, a federal magistrate ordered Apple to assist the FBI in hacking into the iPhone used by one of the San Bernardino shooters. Apple will fight this order in court.

The policy implications are complicated. The FBI wants to set a precedent that tech companies will assist law enforcement in breaking their users' security, and the technology community is afraid that the precedent will limit what sorts of security features it can offer customers.


Candidates Won't Hesitate to Use Manipulative Advertising to Score Votes

Advertising in the 2016 election is going to be highly personalized, targeting voters’ personal information to sway their decisions

  • Bruce Schneier
  • The Guardian
  • February 4, 2016

This presidential election, prepare to be manipulated.

In politics, as in the marketplace, you are the consumer. But you only have one vote to "spend" per election, and in November you'll almost always only have two possible candidates on which to spend it.

In every election, both of those candidates are going to pull every trick in the surveillance-driven, highly personalized internet advertising world to get you to vote for them.


The Internet of Things Will Be the World's Biggest Robot

  • Bruce Schneier
  • Forbes
  • February 2, 2016

Hebrew translation

The Internet of Things is the name given to the computerization of everything in our lives. Already you can buy Internet-enabled thermostats, light bulbs, refrigerators, and cars. Soon everything will be on the Internet: the things we own, the things we interact with in public, autonomous things that interact with each other.

These "things" will have two separate parts.


Security vs. Surveillance

  • Bruce Schneier
  • Don't Panic: Making Progress on the 'Going Dark' Debate
  • February 1, 2016

Both the "going dark" metaphor of FBI Director James Comey and the contrasting "golden age of surveillance" metaphor of privacy law professor Peter Swire focus on the value of data to law enforcement. As framed in the media, encryption debates are about whether law enforcement should have surreptitious access to data, or whether companies should be allowed to provide strong encryption to their customers.

It's a myopic framing that focuses only on one threat—criminals, including domestic terrorists—and the demands of law enforcement and national intelligence. This obscures the most important aspects of the encryption issue: the security it provides against a much wider variety of threats.


When Hacking Could Enable Murder

  • Bruce Schneier
  • CNN
  • January 26, 2016

Cyberthreats are changing. We're worried about hackers crashing airplanes by hacking into computer networks. We're worried about hackers remotely disabling cars. We're worried about manipulated counts from electronic voting booths, remote murder through hacked medical devices and someone hacking an Internet thermostat to turn off the heat and freeze the pipes.


How an Overreaction to Terrorism Can Hurt Cybersecurity

  • Bruce Schneier
  • MIT Technology Review
  • January 25, 2016

Many technological security failures of today can be traced to failures of encryption. In 2014 and 2015, unnamed hackers—probably the Chinese government—stole 21.5 million personal files of U.S. government employees and others. They wouldn't have obtained this data if it had been encrypted.


The Internet of Things That Talk About You Behind Your Back

  • Bruce Schneier
  • Motherboard
  • January 8, 2016

French translation

SilverPush is an Indian startup that's trying to figure out all the different computing devices you own. It embeds inaudible sounds into the webpages you read and the television commercials you watch. Software secretly embedded in your computers, tablets, and smartphones picks up the signals, and then uses cookies to transmit that information back to SilverPush. The result is that the company can track you across your different devices. It can correlate the television commercials you watch with the web searches you make.


The Risks—and Benefits—of Letting Algorithms Judge Us

  • Bruce Schneier
  • CNN
  • January 6, 2016

China is considering a new "social credit" system, designed to rate everyone's trustworthiness. Many fear that it will become a tool of social control—but in reality it has a lot in common with the algorithms and systems that score and classify us all every day.

Human judgment is being replaced by automatic algorithms, and that brings with it both enormous benefits and risks. The technology is enabling a new form of social control, sometimes deliberately and sometimes as a side effect.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.