Latest Essays
Page 22
Infrastructure Vulnerabilities Make Surveillance Easy
Weakness in digital communications systems allows security to be bypassed, leaving users at risk of being spied on.
Governments want to spy on their citizens for all sorts of reasons. Some countries do it to help solve crimes or to try to find “terrorists” before they act.
Others do it to find and arrest reporters or dissidents. Some only target individuals, others attempt to spy on everyone all the time.
Many countries spy on the citizens of other countries: for reasons of national security, for advantages in trade negotiations, or to steal intellectual property.
None of this is new. What is new, however, is how easy it has all become. Computers naturally produce data about their activities, which means they’re constantly producing surveillance data about us as we interact with them…
Snoops May Soon Be Able to Buy Your Browsing History. Thank the US Congress
Think about all of the websites you visit every day. Now imagine if the likes of Time Warner, AT&T and Verizon collected all of your browsing history and sold it on to the highest bidder. That’s what will probably happen if Congress has its way.
This week, lawmakers voted to allow internet service providers to violate your privacy for their own profit. Not only have they voted to repeal a rule that protects your privacy, they are also trying to make it illegal for the Federal Communications Commission to enact other rules to protect your privacy online…
Puzzling out TSA's Laptop Travel Ban
On Monday, the TSA announced a peculiar new security measure to take effect within 96 hours. Passengers flying into the US on foreign airlines from eight Muslim countries would be prohibited from carrying aboard any electronics larger than a smartphone. They would have to be checked and put into the cargo hold. And now the UK is following suit.
It’s difficult to make sense of this as a security measure, particularly at a time when many people question the veracity of government orders, but other explanations are either unsatisfying or damning…
How to Keep Your Private Conversations Private for Real
Don't get doxed.
This essay also appeared in The Age.
A decade ago, I wrote about the death of ephemeral conversation. As computers were becoming ubiquitous, some unintended changes happened, too: Before computers, what we said disappeared once we’d said it. Neither face-to-face conversations nor telephone conversations were routinely recorded. A permanent communication was something different and special; we called it correspondence.
The Internet changed this. We now chat by text message and email, on Facebook and on Instagram. These conversations—with friends, lovers, colleagues, fellow employees—all leave electronic trails. And while we know this intellectually, we haven’t truly internalized it. We still think of conversation as ephemeral, forgetting that we’re being recorded and what we say has the permanence of correspondence…
The Internet of Things Will Upend Our Industry
View or Download in PDF Format
Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your smartphone is a portable computer that makes phone calls. Your car is a distributed system with more than 100 computers plus four wheels and an engine. More alarmingly, a nuclear power plant is a computer that produces energy. This is happening at all levels of our lives and all over the world.
As everything turns into a computer, computer security becomes everything security. This will upend the IT security industry, because our knowledge and experience with computer security will be much more broadly applicable, and the restrictions and regulations from the physical world will be applied to the computer world. The beachhead for all of this is the Internet of Things (IoT), which I liken to a world-sized robot—one that can kill people and destroy property…
Botnets of Things
The relentless push to add connectivity to home gadgets is creating dangerous side effects that figure to get even worse.
Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.
But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the “Internet of things.” Because these devices typically have little or no security, hackers can take them over with little effort. And that makes it easier than ever to build huge botnets that take down much more than one site at a time…
Click Here to Kill Everyone
With the Internet of Things, we’re building a world-size robot. How are we going to control it?
Last year, on October 21, your digital video recorder—or at least a DVR like yours—knocked Twitter off the internet. Someone used your DVR, along with millions of insecure webcams, routers, and other connected devices, to launch an attack that started a chain reaction, resulting in Twitter, Reddit, Netflix, and many sites going off the internet. You probably didn’t realize that your DVR had that kind of power. But it does.
All computers are hackable. This has as much to do with the computer market as it does with the technologies. We prefer our software full of features and inexpensive, at the expense of security and reliability. That your computer can affect the security of Twitter is a market failure. The industry is filled with market failures that, until now, have been largely ignorable. As computers continue to permeate our homes, cars, businesses, these market failures will no longer be tolerable. Our only solution will be regulation, and that regulation will be foisted on us by a government desperate to “do something” in the face of disaster…
Why Proving the Source of a Cyberattack is So Damn Difficult
President Barack Obama’s public accusation of Russia as the source of the hacks in the US presidential election and the leaking of sensitive emails through WikiLeaks and other sources has opened up a debate on what constitutes sufficient evidence to attribute an attack in cyberspace. The answer is both complicated and inherently tied up in political considerations.
The administration is balancing political considerations and the inherent secrecy of electronic espionage with the need to justify its actions to the public. These issues will continue to plague us as more international conflict plays out in cyberspace…
Class Breaks
This essay appeared as a response to Edge’s annual question, “what scientific term or concept ought to be more widely known?”
There’s a concept from computer security known as a class break. It’s a particular security vulnerability that breaks not just one system, but an entire class of systems. Examples might be a vulnerability in a particular operating system that allows an attacker to take remote control of every computer that runs on that system’s software. Or a vulnerability in Internet-enabled digital video recorders and webcams that allow an attacker to recruit those devices into a massive botnet…
Sidebar photo of Bruce Schneier by Joe MacInnis.