Essays: 2017 Archives

Don't Waste Your Breath Complaining to Equifax about Data Breach

  • Bruce Schneier
  • CNN
  • September 11, 2017

Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud.

Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

Read More →

IoT Security: What’s Plan B?

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2017

In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn’t regulate the IoT market. It doesn’t single out any industries for particular attention, or force any companies to do anything.

Read More →

‘Twitter and Tear Gas’ Looks at How Protest Is Fueled and Crushed by the Internet

The new book from Zeynep Tufekci looks at how the web has helped demonstrations take off around the globe, but also made them harder to sustain.

  • Bruce Schneier
  • Motherboard
  • July 11, 2017

There are two opposing models of how the internet has changed protest movements. The first is that the internet has made protesters mightier than ever. This comes from the successful revolutions in Tunisia (2010-11), Egypt (2011), and Ukraine (2013). The second is that it has made them more ineffectual.

Read More →

Why the NSA Makes Us More Vulnerable to Cyberattacks

The Lessons of WannaCry

  • Bruce Schneier
  • Foreign Affairs
  • May 30, 2017

There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims' access to their computers until they pay a fee. Then there are the users who didn't install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place.

Read More →

Who Are the Shadow Brokers?

What is—and isn’t—known about the mysterious hackers leaking National Security Agency secrets

  • Bruce Schneier
  • The Atlantic
  • May 23, 2017

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they've been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble.

Read More →

What Happens When Your Car Gets Hacked?

  • Bruce Schneier
  • The New York Times
  • May 19, 2017

As devastating as the latest widespread ransomware attacks have been, it's a problem with a solution. If your copy of Windows is relatively current and you've kept it updated, your laptop is immune. It's only older unpatched systems on your computer that are vulnerable.

Patching is how the computer industry maintains security in the face of rampant internet insecurity.

Read More →

Why Extending Laptop Ban Makes No Sense

  • Bruce Schneier
  • CNN
  • May 16, 2017

The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots—all without making us any safer.

In March, both the United States and the United Kingdom required that passengers from 10 Muslim countries give up their laptop computers and larger tablets, and put them in checked baggage.

Read More →

The Next Ransomware Attack Will Be Worse than WannaCry

We'll need new security standards when hackers go after the Internet of Things.

  • Bruce Schneier
  • The Washington Post
  • May 16, 2017

Ransomware isn't new, but it's increasingly popular and profitable.

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It's extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin.

Read More →

Three Lines of Defense against Ransomware Attacks

  • Bruce Schneier
  • New York Daily News
  • May 15, 2017

Criminals go where the money is, and cybercriminals are no exception.

And right now, the money is in ransomware.

It's a simple scam. Encrypt the victim's hard drive, then extract a fee to decrypt it.

Read More →

Online Voting Won’t Save Democracy

But letting people use the internet to register to vote is a start.

  • Bruce Schneier
  • The Atlantic
  • May 10, 2017

Technology can do a lot more to make our elections more secure and reliable, and to ensure that participation in the democratic process is available to all. There are three parts to this process.

First, the voter registration process can be improved. The whole process can be streamlined.

Read More →

Who Is Publishing NSA and CIA Secrets, and Why?

  • Bruce Schneier
  • Lawfare
  • April 27, 2017

There's something going on inside the intelligence communities in at least two countries, and we have no idea what it is.

Consider these three data points. One: someone, probably a country's intelligence organization, is dumping massive amounts of cyberattack tools belonging to the NSA onto the Internet. Two: someone else, or maybe the same someone, is doing the same thing to the CIA.

Read More →

The Quick vs the Strong: Commentary on Cory Doctorow’s Walkaway

  • Bruce Schneier
  • Crooked Timber
  • April 26, 2017

Technological advances change the world. That's partly because of what they are, but even more because of the social changes they enable. New technologies upend power balances. They give groups new capabilities, increased effectiveness, and new defenses.

Read More →

Infrastructure Vulnerabilities Make Surveillance Easy

Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on.

  • Bruce Schneier
  • Al Jazeera
  • April 11, 2017

Governments want to spy on their citizens for all sorts of reasons. Some countries do it to help solve crimes or to try to find "terrorists" before they act.

Others do it to find and arrest reporters or dissidents. Some only target individuals, others attempt to spy on everyone all the time.

Read More →

Snoops May Soon Be Able to Buy Your Browsing History. Thank the US Congress

  • Bruce Schneier
  • The Guardian
  • March 30, 2017

Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T and Verizon collected all of your browsing history and sold it on to the highest bidder. That's what will probably happen if Congress has its way.

This week, lawmakers voted to allow internet service providers to violate your privacy for their own profit.

Read More →

Puzzling out TSA's Laptop Travel Ban

  • Bruce Schneier
  • CNN
  • March 22, 2017

On Monday, the TSA announced a peculiar new security measure to take effect within 96 hours. Passengers flying into the US on foreign airlines from eight Muslim countries would be prohibited from carrying aboard any electronics larger than a smartphone. They would have to be checked and put into the cargo hold. And now the UK is following suit.

Read More →

Security Orchestration for an Uncertain World

  • Bruce Schneier
  • SecurityIntelligence
  • March 21, 2017

Last month at the RSA Conference, I saw a lot of companies selling security incident response automation. Their promise was to replace people with computers—sometimes with the addition of machine learning or other artificial intelligence (AI) techniques—and to respond to attacks at computer speeds.

While this is a laudable goal, there's a fundamental problem with doing this in the short term. You can only automate what you're certain about, and there is still an enormous amount of uncertainty in cybersecurity.

Read More →

How to Keep Your Private Conversations Private for Real

Don't get doxed.

  • Bruce Schneier
  • The Washington Post
  • March 8, 2017

This essay also appeared in The Age.

A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too: Before computers, what we said disappeared once we'd said it. Neither face-to-face conversations nor telephone conversations were routinely recorded.

Read More →

Botnets of Things

The relentless push to add connectivity to home gadgets is creating dangerous side effects that figure to get even worse.

  • Bruce Schneier
  • MIT Technology Review
  • March/April 2017

Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.

But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort.

Read More →

Click Here to Kill Everyone

With the Internet of Things, we’re building a world-size robot. How are we going to control it?

  • Bruce Schneier
  • New York Magazine
  • January 27, 2017

Last year, on October 21, your digital video recorder — or at least a DVR like yours — knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet. You probably didn't realize that your DVR had that kind of power. But it does.

Read More →

Why Proving the Source of a Cyberattack is So Damn Difficult

  • Bruce Schneier
  • CNN
  • January 5, 2017

President Barack Obama's public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive emails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations.

The administration is balancing political considerations and the inherent secrecy of electronic espionage with the need to justify its actions to the public. These issues will continue to plague us as more international conflict plays out in cyberspace.

Read More →

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.