Latest Essays
Why FBI and CIA Didn't Connect the Dots
The FBI and the CIA are being criticized for not keeping better track of Tamerlan Tsarnaev in the months before the Boston Marathon bombings. How could they have ignored such a dangerous person? How do we reform the intelligence community to ensure this kind of failure doesn’t happen again?
It’s an old song by now, one we heard after the 9/11 attacks in 2001 and after the Underwear Bomber’s failed attack in 2009. The problem is that connecting the dots is a bad metaphor, and focusing on it makes us more likely to implement useless reforms.
Connecting the dots in a coloring book is easy and fun. They’re right there on the page, and they’re all numbered. All you have to do is move your pencil from one dot to the next, and when you’re done, you’ve drawn a sailboat. Or a tiger. It’s so simple that 5-year-olds can do it…
Do You Want the Government Buying Your Data From Corporations?
A new bill moving through Congress would give the authorities unprecedented access to citizens' information.
Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received—it’s all in databases that are increasingly linked and correlated. Still, there’s a lot of personal information the government can’t collect. Either they’re prohibited by law from asking without probable cause and a judicial order, or they simply have no cost-effective way to collect it. But the government has figured out how to get around the laws, and collect personal data that has been historically denied to them: ask corporate America for it…
The Boston Marathon Bombing: Keep Calm and Carry On
It is easy to feel scared and powerless in the wake of attacks like those at the Boston Marathon. But it also plays into the perpetrators' hands.
As the details about the bombings in Boston unfold, it’d be easy to be scared. It’d be easy to feel powerless and demand that our elected leaders do something—anything—to keep us safe.
It’d be easy, but it’d be wrong. We need to be angry and empathize with the victims without being scared. Our fears would play right into the perpetrators’ hands—and magnify the power of their victory for whichever goals whatever group behind this, still to be uncovered, has. We don’t have to be scared, and we’re not powerless. We actually have all the power here, and there’s one thing we can do to render terrorism ineffective: …
On Security Awareness Training
The focus on training obscures the failures of security design
Should companies spend money on security awareness training for their employees? It’s a contentious topic, with respected experts on both sides of the debate. I personally believe that training users in security is generally a waste of time, and that the money can be spent better elsewhere. Moreover, I believe that our industry’s focus on training serves to obscure greater failings in security design.
In order to understand my argument, it’s useful to look at training’s successes and failures. One area where it doesn’t work very well is health. We are forever trying to train people to have healthier lifestyles: eat better, exercise more, whatever. And people are forever ignoring the lessons. One basic reason is psychological: we just aren’t very good at trading off immediate gratification for long-term benefit. A healthier you is an abstract eventually; sitting in front of the television all afternoon with a McDonald’s Super Monster Meal sounds really good …
The Internet Is a Surveillance State
I’m going to start with three data points.
One: Some of the Chinese military hackers who were implicated in a broad set of attacks against the U.S. government and corporations were identified because they accessed Facebook from the same network infrastructure they used to carry out their attacks.
Two: Hector Monsegur, one of the leaders of the LulzSec hacker movement, was identified and arrested last year by the FBI. Although he practiced good computer security and used an anonymous relay service to protect his identity, he …
Rhetoric of Cyber War Breeds Fear—and More Cyber War
Americans have a weird relationship with the word “war”. We hate using it to describe actual wars but we love using it in a rhetorical context. We had the war on poverty, the war on crime, the war on drugs and the war on terror.
One of the big “wars” we’re talking about now is cyber war and, in this case, the word is dangerous. It is both a rhetorical war as well as something with elements of actual combat. The word also confuses the political debate about how to deal with cyber security.
The danger is that words frame the debate. If we use the rhetoric of war, we invoke feelings of fear and helplessness. We understand that this is something nations do to each other and that it’s not “normal” time when we’re at war…
Our Security Models Will Never Work—No Matter What We Do
A core, not side, effect of technology is its ability to magnify power and multiply force—for both attackers and defenders. One side creates ceramic handguns, laser-guided missiles, and new-identity theft techniques, while the other side creates anti-missile defense systems, fingerprint databases, and automatic facial recognition systems.
The problem is that it’s not balanced: Attackers generally benefit from new security technologies before defenders do. They have a first-mover advantage. They’re more nimble and adaptable than defensive institutions like police forces. They’re not limited by bureaucracy, laws, or ethics. They can evolve faster. And entropy is on their side—it’s easier to destroy something than it is to prevent, defend against, or recover from that destruction…
Danger Lurks in Growing New Internet Nationalism
Cyber-espionage is old news. What's new is the rhetoric, which is reaching a fever pitch right now.
For technology that was supposed to ignore borders, bring the world closer together, and sidestep the influence of national governments, the Internet is fostering an awful lot of nationalism right now. We’ve started to see increased concern about the country of origin of IT products and services; U.S. companies are worried about hardware from China; European companies are worried about cloud services in the U.S.; no one is sure whether to trust hardware and software from Israel; Russia and China might each be building their own operating systems out of concern about using foreign ones…
Take Stop-and-Scan with a Grain of Salt
Security Has Become a For-Profit Business
This is an edited version of a longer essay.
It’s a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation come new possibilities, but also new concerns.
For one, the NYPD is testing a security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained back in January, “If something is obstructing the flow of that radiation, for example a weapon, the device will highlight that object.”
Ignore, for a moment, the glaring constitutional concerns, which make the stop-and-frisk debate pale in comparison: virtual strip-searching, evasion of probable cause, potential profiling. Organizations like the American Civil Liberties Union are all over those, even though their opposition probably won’t make a difference. We’re scared of terrorism and crime (even as the risks decrease), and when we’re scared, we’re willing to give up all sorts of freedoms to assuage our fears. Often, the courts go along…
IT for Oppression
Whether it’s Syria using Facebook to help identify and arrest dissidents or China using its “Great Firewall” to limit access to international news throughout the country, repressive regimes all over the world are using the Internet to more efficiently implement surveillance, censorship, propaganda, and control. They’re getting really good at it, and the IT industry is helping. We’re helping by creating business applications—categories of applications, really—that are being repurposed by oppressive governments for their own use:…
Sidebar photo of Bruce Schneier by Joe MacInnis.