Latest Essays

Page 28

The Importance of Deleting Old Stuff—Another Lesson From the Sony Attack

  • Bruce Schneier
  • Ars Technica
  • January 12, 2015

Thousands of articles have called the December attack against Sony Pictures a wake-up call to industry. Regardless of whether the attacker was the North Korean government, a disgruntled former employee, or a group of random hackers, the attack showed how vulnerable a large organization can be and how devastating the publication of its private correspondence, proprietary data, and intellectual property can be.

But while companies are supposed to learn that they need to improve their security against attack, there’s another equally important but much less discussed lesson here: companies should have an aggressive deletion policy…

Read More →

The Government Must Show Us the Evidence That North Korea Attacked Sony

American history is littered with examples of classified information pointing us towards aggression against other countries—think WMDs—only to later learn that the evidence was wrong

  • Bruce Schneier
  • Time
  • January 5, 2015

When you’re attacked by a missile, you can follow its trajectory back to where it was launched from. When you’re attacked in cyberspace, figuring out who did it is much harder. The reality of international aggression in cyberspace will change how we approach defense.

Many of us in the computer-security field are skeptical of the U.S. government’s claim that it has positively identified North Korea as the perpetrator of the massive Sony hack in November 2014. The FBI’s evidence is circumstantial and not very convincing. The attackers never mentioned the movie that became the centerpiece of the hack until the press did. More likely, the culprits are random hackers who have …

Read More →

We Still Don't Know Who Hacked Sony

Welcome to a world where it's impossible to tell the difference between random hackers and governments.

  • Bruce Schneier
  • The Atlantic
  • January 5, 2015

If anything should disturb you about the Sony hacking incidents and subsequent denial-of-service attack against North Korea, it’s that we still don’t know who’s behind any of it. The FBI said in December that North Korea attacked Sony. I and others have serious doubts. There’s countervailing evidence to suggest that the culprit may have been a Sony insider or perhaps Russian nationals.

No one has admitted taking down North Korea’s Internet. It could have been an act of retaliation by the U.S. government, but it could just as well have been an …

Read More →

2015: The Year "Doxing" Will Hit Home

  • Bruce Schneier
  • BetaBoston
  • December 31, 2014

Those of you unfamiliar with hacker culture might need an explanation of “doxing.”

The word refers to the practice of publishing personal information about people without their consent. Usually it’s things like an address and phone number, but it can also be credit card details, medical information, private e-mails—pretty much anything an assailant can get his hands on.

Doxing is not new; the term dates back to 2001 and the hacker group Anonymous. But it can be incredibly offensive. In 2014, several women were doxed by male gamers trying to intimidate them into keeping silent about sexism in computer games…

Read More →

Did North Korea Really Attack Sony?

It's too early to take the U.S. government at its word.

  • Bruce Schneier
  • The Atlantic
  • December 22, 2014

I am deeply skeptical of the FBI’s announcement on Friday that North Korea was behind last month’s Sony hack. The agency’s evidence is tenuous, and I have a hard time believing it. But I also have trouble believing that the U.S. government would make the accusation this formally if officials didn’t believe it.

Clues in the hackers’ attack code seem to point in all directions at once. The FBI points to reused code from previous attacks associated with North Korea, as well as similarities in the networks used to launch the attacks. Korean language in the code also suggests a Korean origin, though not necessarily a North Korean one since North Koreans use a …

Read More →

Sony Made It Easy, but Any of Us Could Get Hacked

A focused, skillful cyber attacker will always get in, warns a security expert.

  • Bruce Schneier
  • The Wall Street Journal
  • December 19, 2014

Earlier this month, a mysterious group that calls itself Guardians of Peace hacked into Sony Pictures Entertainment’s computer systems and began revealing many of the Hollywood studio’s best-kept secrets, from details about unreleased movies to embarrassing emails (notably some racist notes from Sony bigwigs about President Barack Obama’s presumed movie-watching preferences) to the personnel data of employees, including salaries and performance reviews. The Federal Bureau of Investigation now says it has evidence that North Korea was behind the attack, and Sony Pictures pulled its planned release of …

Read More →

The Best Thing We Can Do About the Sony Hack Is Calm Down

  • Bruce Schneier
  • Motherboard
  • December 19, 2014

First we thought North Korea was behind the Sony cyberattacks. Then we thought it was a couple of hacker guys with an axe to grind. Now we think North Korea is behind it again, but the connection is still tenuous. There have been accusations of cyberterrorism, and even cyberwar. I’ve heard calls for us to strike back, with actual missiles and bombs. We’re collectively pegging the hype meter, and the best thing we can do is calm down and take a deep breath.

First, this is not an act of terrorism. There has been no senseless violence. No innocents are coming home in body bags. Yes, a company is seriously embarrassed—and financially hurt—by all of its information leaking to the public. But posting unreleased movies online is not terrorism. It’s not even close…

Read More →

What Are the Limits of Police Subterfuge?

A warrantless FBI search in Las Vegas sets a troubling precedent.

  • Bruce Schneier
  • The Atlantic
  • December 17, 2014

The next time you call for assistance because the Internet service in your home is not working, the ‘technician’ who comes to your door may actually be an undercover government agent. He will have secretly disconnected the service, knowing that you will naturally call for help and—when he shows up at your door, impersonating a technician—let him in. He will walk through each room of your house, claiming to diagnose the problem. Actually, he will be videotaping everything (and everyone) inside. He will have no reason to suspect you have broken the law, much less probable cause to obtain a search warrant. But that makes no difference, because by letting him in, you will have ‘consented’ to an intrusive search of your home…

Read More →

Over 700 Million People Taking Steps to Avoid NSA Surveillance

  • Bruce Schneier
  • Lawfare
  • December 15, 2014

German translation by Yuri Samoilov

There’s a new international survey on Internet security and trust, of ‘23,376 Internet users in 24 countries,’ including ‘Australia, Brazil, Canada, China, Egypt, France, Germany, Great Britain, Hong Kong, India, Indonesia, Italy, Japan, Kenya, Mexico, Nigeria, Pakistan, Poland, South Africa, South Korea, Sweden, Tunisia, Turkey and the United States.’ Amongst the findings, 60% of Internet users have heard of Edward Snowden, and 39% of those ‘have taken steps to protect their online privacy and security as a result of his revelations.’…

Read More →

NSA Hacking of Cell Phone Networks

  • Bruce Schneier
  • Lawfare
  • December 8, 2014

The Intercept has published an article—based on the Snowden documents—about AURORAGOLD, an NSA surveillance operation against cell phone network operators and standards bodies worldwide. This is not a typical NSA surveillance operation where agents identify the bad guys and spy on them. This is an operation where the NSA spies on people designing and building a general communications infrastructure, looking for weaknesses and vulnerabilities that will allow it to spy on the bad guys at some later date.

In that way, AURORAGOLD is similar to the NSA’s …

Read More →
← Earlier EssaysLater Essays →

Sidebar photo of Bruce Schneier by Joe MacInnis.