News: 2014 Archives
Schneier on Security by Bruce Schneier
One of those security blogs you cannot afford to avoid, it focuses on a wide range of subjects, and one of the most common topics in 2014 was the NSA and Edward Snowden affair. I like this blog because Bruce doesn't publish only his articles: he also comments on various other security news and publications, so you can use it as a kind of a portal to a wider picture of the security world.
One of his most popular posts was on the Heartbleed bug—almost 300 comments there.
The Sony hack is "every CEO's worst nightmare" and the leaked data is probably going to send someone to jail, security expert Bruce Schneier says. That, not any threat of violence, is the real power of this hack.
The "Guardians of Peace," as the group behind the attack has called itself, posted a new dump of emails today, this time from CEO Michael Lynton. The hackers also issued a warning implying that any theater screening the political comedy The Interview, which is about the assassination of North Korean leader Kim Jong-un, could be the target of a physical attack as well.
Sony Hackers: It's Not the North Korean Government, nor an Insider, Suggests Security Expert Bruce Schneier
Cryptographer and security expert Bruce Schneier has suggested that the devastating hack and leak of internal data from Sony Pictures is neither the work of the North Korean government, nor of insiders.
"At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either). That we live in the world where we aren't sure if any given cyber attack is the work of a foreign government or a couple of guys should be scary to us all," he wrote in a blog post.
According to Bruce Schneier, his career in IT security has been an endeavor he naturally "flowed into." Schneier, a prominent cryptologist who developed numerous encryption algorithms, including Blowfish and Twofish, has continued to contribute to the industry through his musings and insight on his esteemed blog "Schneier on Security," and newsletter "Crypto-Gram," which have garnered a major following in the community. Having gotten his start in cryptography, Schneier says he eventually moved into computer security, network security and security technology as a focus. In his attempt to "understand context" as it pertains to the threat landscape, Schneier also turned to examining the economics, psychology and sociology of security and now he primarily studies and shares his views on the political science of security, he tells SC Magazine. Schneier is currently working on a book called Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (due late February), and at Co3 Systems, he focuses on building coordination software for incident response, "a long-neglected aspect of IT security," as he puts it.
Bruce Schneier, noted cryptologist and fellow at the Berkman Center for Internet & Society at Harvard Law School, tells us how to protect our Wi-Fi connection in public and prevent ISPs from tracking our mobile internet use.
BetaBoston partnered with Silicon Valley Bank, Hack/Reduce, and Terrible Labs on Thursday to host the Cyber Security Symposium. Security experts from Credit Suisse, Threat Stack, Bit9 and others convened for a day-long event, the second niche-focused conference put together by SVB, Atlas Venture's Cort Johnson and Terrible Labs' Smith Anderson after the Quantified Self Conference in March.
The event was capped off with a talk by security expert Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard, and the chief technology officer at Co3 Systems.
Schneier noted three trends he's currently tracking.
Erin Ade sits down with Bruce Schneier – noted author, cryptologist, and fellow at the Berkman Center for Internet and Security and Harvard Law School. Bruce gives us his take on President Obama’s recent statement on net neutrality and explains why encryption is vital to personal security and privacy.
Democrats didn't need this: Another cyberattack on an unclassified White House computer network (and unconfirmed reports of Russian involvement) in the closing days of a midterm election in which voter frustration toward President Barack Obama, government dysfunction and national security fears already are hurting their chances of hanging onto control of the Senate.
Chinese hackers reportedly targeted White House staffers' Gmail accounts in 2011. The next year, Chinese hackers reportedly used spear phishing to break into an unclassified network of the White House Military Office. But the problem didn't start with Obama—attempted cyberattacks on the White House date at least to 2008, during George W. Bush's administration.
Just how much of your life is watched? Security expert Bruce Schneier points out that it is more than most people think, says Chris Baraniuk.
Do you have secrets? Security expert Bruce Schneier has little patience for those who say they don't.
When asked about government and corporate surveillance, there are some who shrug their shoulders and say they have nothing to fear because they have nothing to hide. Schneier's response?
It's how you respond that's key, says securo guru
Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.
Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.
"A sufficiently motivated, funded and skilled hacker will always get in," Schneier told delegates during a keynote at the IP Expo conference in London.
The US National Security Agency (NSA) has turned the internet into a "giant surveillance platform," a leading security specialist has said.
Bruce Schneier, who has written extensively on digital security and privacy, told an audience in Dublin tonight that the revelations by whistleblower Edward Snowden of large-scale surveillance by the NSA showed that we were living in a "golden age of surveillance."
In a lecture for the human rights group Front Line Defenders, Mr. Schneier said the NSA's role changed completely after the 9/11 attacks, when US intelligence agencies were given "an impossible mission: never again." "The only way to ensure something doesn't happen is to know everything that is happening," he said.
This desire to "collect everything" coincided with changes in technology, notably the spread of smartphones, the rise of cloud storage and the fact that it became cheaper for individuals to store data and thereby leave deeper digital footprints for the state to pursue. "The NSA has turned the internet into a giant surveillance platform," he said.
In my continuing series of keynote recaps, I will be covering Bruce Schneier’s keynote at Black Hat USA 2014—yes, it can be called a keynote even though it is more of a briefing. By the way, Black Hat: Next time, please give him appropriate space; people were lining up outside the room waiting to get in because of the lack of space.
I will be sharing what I learned from his speech in my own words with selected graphics. Schneier’s “The State of Incident Response” talk is available online, but if you don’t have an hour to watch that, read this as a recap.
Almost a year and a half after the Snowden revelations, it’s business as usual for America’s giant global eavesdropping and spying organisation: the NSA, the National Security Agency.
As revelations continue to unfold, legislative attempts to rein in the NSA's powers appear to be stalling. But, Harvard University security analyst Bruce Schneier says the situation is unacceptable.
In the future, argues Schneier, people will look back at the way we ignore privacy today and ask "how could we be that immoral?" He’s put forward his own plan for breaking up the NSA, and in so doing, bringing its activities under greater civilian control.
Network breaches are inevitable. It's what happens next that really matters, said renowned cryptographic expert Bruce Schneier during the Black Hat security conference.
If there is something the organization has the attacker wants, the attacker will figure out a way to get in. Regardless of how much the organization invests in its defenses, attackers need to find that one weak spot to succeed.
Bruce Schneier on Expanding the Use of Automated Tools
When the organizers of the just-concluded Black Hat USA conference wanted to explore incident response, they turned to Bruce Schneier, the cryptographer, author, blogger and cybersecurity expert, to make a presentation. Until recently, however, Schneier's name wouldn't be on most people's list of incident response experts.
Schneier's reputation, after all, was built on his keen observations of the influence of IT security on society and vice versa, as well as bringing to light the previously unknown, such as the National Security Agency's tampering with cryptography guidance from the National Institute of Standards and Technology (see NIST to Drop Crypto Algorithm from Guidance).
But since the beginning of the year, Schneier has been serving as chief technology officer of 4-year-old Co3 Systems, which provides automated incident response systems.
In his Black Hat 2014 session entitled "The State of Incident Response," security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters.
Placing a great deal of emphasis on automated systems and technology being used to support the people needed for incident response, Schneier proposed a four-step approach: observe, context, decide, and act.
Observe means knowing what is happening on networks in real-time, which can be done using log monitoring, log analysis tools, network management tools and the like, Schneier said.
Context is tantamount to gathering data and intelligence, as in knowing the latest malware and vulnerabilities.
Erin Ade talks to Bruce Schneier about the efforts of government and private companies to track us and our personal information. However, our outrage over this invasion of privacy is overshadowed by the convenience of using technology. This tension has led to our ongoing, intense debate over the tradeoffs between security and surveillance. To help sort out all of these issues Schneier weighs in.
Bruce Schneier is one of the best-known security professionals both within the field and in the larger world of technology policymaking. He's written 12 books, produces the influential "Schneier on Security" blog and is widely quoted in the press. After a multi-year stint at BT Managed Security Solutions, Schneier has moved to a startup: Co3 Systems. The new company, where he serves as Chief Technology Officer, makes a tool that focuses specifically on security incident response management.
Bruce Schneier, cyber-security expert and author of Liars and Outliers: Enabling the Trust Society Needs to Thrive, talks about corporate and governmental data collection and surveillance. Schneier gave a lecture, “Internet, Security, and Power” on May 28, 2014 at the UO in Eugene and at the UO in Portland on May 29, 2014.
Cyber defenders are currently fighting a losing battle against hackers and government agencies, according to security expert Bruce Schneier.
Speaking in London on Thursday, the security guru said that with cyber criminals' attacks increasing in sophistication all the time, incidents like the Target credit card theft will only become more common.
"Security is a battle of attack versus defence and right now on the internet attack is much easier than defence," he said at the Good Exchange event, attended by V3.
Schneier pointed to advanced persistent threats (APT) as an area where organisations are woefully ill-prepared to prevent attacks.
Security technologist Bruce Schneier tells DW why he finds it curious that the German BND is getting a free pass on surveillance and why Europe should take the lead on protecting privacy in the digital age.
DW: One year ago the Guardian published the first article on the NSA's surveillance activities based on the disclosures of Edward Snowden. Many other revelations have followed since and triggered a robust international debate about surveillance and privacy. Now one year later what is the most significant consequence of Snowden's disclosures?
Bruce Schneier: Right now the most significant consequence has been the knowledge that has fueled the debate. A lot of what we have read from these NSA documents isn't surprising, but the details make them real in a way that speculation doesn't.
Bruce Schneier is the special guest on Episode 11 of the Security Advisor Alliance, on Incident Response.
A short password, or one using a name or a word in a dictionary, can be easily cracked by computers. And simply adding "@" for the letter "a" isn't going to fool the bad guys.
Here's cryptographer and computer security expert Bruce Schneier's advice on using and managing your passwords.
1. Use a "passphrase": a sentence you can remember. Then replace each word of the phrase with its initial, a similar digit or symbol, or, at random, use a whole word.
"Information is power," has been true for so long that it has become a cliché.
But the Internet has increased the power to collect, store and analyze information by such an order of magnitude that we are now in what Bruce Schneier called "the golden age of surveillance," in his keynote address Wednesday morning at SOURCE Boston.
That would be golden for those doing the surveillance, not the subjects of it.
Schneier, author, security guru, blogger and CTO of Co3 Systems, said the expectation that the Internet would mainly empower the powerless—grassroots groups, hackers, minorities and other relatively fringe groups—did come true for a number of years.
BOSTON—History is not entirely kind to those responsible for the Industrial Age in the 19th century. How, for example, were the consequences of industrial innovation such as pollution largely ignored?
Flash forward to today's digital age and ask the same question: How are those responsible for building our infrastructure callously disregarding privacy and security in favor of rapid online innovation?
"I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet," said Bruce Schneier today during his Source Boston keynote.
Data is a natural consequence of computing, and as search tools get better, it shifts the balance of power towards mass collection and surveillance, renowned security expert Bruce Schneier said at the SOURCE Boston conference on Wednesday.
"Surveillance is the business model of the Internet," Schneier told attendees. "We build systems that spy on people in exchange for services. Corporations call it marketing."
The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech.
In G-Force, the 2009 Disney movie, a group of secret agent rodents stops a kitchen gadget robot apocalypse. In the real world, we're in no danger from weaponized blenders, but our toasters just might be used in a denial of service attack.
Rivera Sun and Getch talk with computer security, and privacy specialist, Bruce Schneier. We get the scoop on the latest from the NSA, as well as the security vulnerabilities in the vast internet of things, this week on Occupy Radio.
"'It's only metadata' is a mischaracterization that plays into government hands."—Bruce Schneier
At the 2014 Source Conference in Boston, I was able to sit down with Bruce Schneier after his keynote to clarify his position on several topics he brought up. The Twitter stream was on fire during his presentation as he described how the power of government and large corporations affects the internet. Where are the boundaries between personal data and corporate/government usage of that data? What is our responsibility in the equation?
In today's interconnected world, all it takes is one security mistake to make your whole world come crashing down. Who better to turn to for advice than security expert Bruce Schneier?
If you have even a passing interest in security matters, then you've surely come across the writings of Bruce Schneier, a world-renowned security guru who has served on numerous government committees, testified before Congress, and is the author of 12 books on security issues so far, as well as countless essays and academic papers.
After hearing about Schneier's newest book, Carry On: Sound Advice from Schneier on Security, we decided that it was about time to reach out to Bruce to get some sound advice concerning some of our own pressing privacy and security concerns.
News emerged this week that web giant Google is routinely encrypting web searches conducted in China in a move designed to offset the national government's ability to censor the Internet and track what individuals are viewing. The Google move is part of a global expansion of privacy technology to counter surveillance by government intelligence agencies, police and hackers and is seen as a direct consequence of whistleblower, Edward Snowden's release last year of US National Security Agency (NSA) documents exposing the extent of government surveillance of the Internet.
Among the many fears Snowden's leaked revelations have raised is the claim that the NSA and other leading western intelligence agencies are involved in programs to deliberately weaken the Net's security standards to make it easier for them to break in.
Bruce Schneier is a leading US cryptology expert and Chief Technology Officer at CO3 Systems.
The Daily's Kim Williams spoke to him earlier about Google's latest moves to combat alleged privacy intrusions into the Net.
Bruce Schneier says the key to good security is accepting that perfect security doesn’t exist.
Last fall, not long after Bruce Schneier quietly revealed himself as the cryptographer who had helped journalist Glenn Greenwald review Edward Snowden's NSA documents, he found himself on CNN International, talking about allegations that the United States had spied on the chancellor of Germany.
An exasperated host beamed Schneier in from Minneapolis, where he lives, and asked him to "help us," as she put it, "decipher this enigma." Schneier is a legendary encryption specialist who has written or edited 13 books on the subject, and worked for the Department of Defense, telecommunications companies, banks and governments. Most recently, he's been a vocal advocate of the idea that the best security systems accept a reasonable amount of risk; a blind focus on protecting against every threat, he says, usually comes with unexpected costs.
Outside of the cryptography community, however, this view is not widely held, and the simplicity and directness with which Schneier expresses it tends to take people by surprise.
Few figures in the IT security landscape command the respect and admiration of so many people as does Bruce Schneier. The well-regarded expert recently changed jobs, moving from BT to become the CTO of Co3 Systems in January of this year.
In a video interview with eSecurity Planet, Schneier explains why the incident response technology that Co3 Systems builds is an important part of the modern IT security lifecycle. A key part of what Co3 does is to automate the details of incident response, he said.
Josh Corman talks to Bruce about his keynote at the 2014 SOURCE Security Conference.
We are entering a new era of Internet connectivity — the Internet of Things. Suddenly our devices are much more than just the computers we can hold in our laps.
These new devices collect information and make decisions on their own. What does this mean for us?
Bruce Schneier, an author and security technologist who has written several articles about the darker side of the Internet of Things, describes the new situation this way:
"The Internet of yesterday was the Internet of the things we typed into it. It was Facebook.
If your car, your thermostat, and your refrigerator are all online and communicating with the world, is enough attention being given to who might be listening—or talking—to your networked things? And what happens if there’s a security flaw in the networking component of, say, your toaster? Security expert Bruce Schneier says that the world is at a crisis point regarding embedded network security, and that an Internet of Things could mean ubiquitous surveillance.
Reuters Technology reporter Joseph Menn interviewed security expert Bruce Schneier in front of last week's TrustyCon audience in San Francisco, where the security expert provided his analysis of the government surveillance controversy.
Bruce Schneier has been a vocal critic of the mass surveillance being conducted by the NSA and GCHQ. The security expert recently left his post at BT and joined the board of digital rights firm Electronic Frontier Foundation (EFF), one of TrustyCon's organizers. Although several of TrustyCon's speakers were part of the group who withdrew from their speaking commitments at last week's RSA Conference, Schneier was featured on the agenda at both events.
Schneier said that the NSA's surveillance capabilities are far and away the most advanced in the world, but not necessarily the most skilled.
Think the Edward Snowden-NSA storyline is played out? Think again.
"I think this story is going to keep going for at least a year, probably longer," said Bruce Schneier, chief technology officer with Co3 Systems, who is working with The Intercept's Glenn Greenwald to analyze and report on the NSA documents allegedly stolen and leaked by former contractor Edward Snowden. "There's an enormous pile of documents; they're very technical [and] hard to understand, and as you go through them, you find stories."
In this interview recorded at the 2014 RSA Conference, SearchSecurity Editorial Director Robert Richardson sits down with Schneier to discuss his role in reviewing the Snowden documents.
Bruce Schneier appeared on an episode of Inventing the Future with Robert Tercek about the collision between open society and surveillance.
Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry.
He founded the firm Counterpane Internet Security (later sold to BT), and is also a board member of the Electronic Frontier Foundation and an Advisory Board Member of the Electronic Privacy Information Center.
More recently he's been working on documents released by Edward Snowden on NSA activities and presented his findings at this year's RSA conference in San Francisco. The Register took the opportunity of sitting down with Schneier at the event and chewing through the current state of security, privacy and government intrusion online.
When Bruce Schneier went on to a different stage at the RSA Conference, resplendent in a purple floral shirt, he gave a very different presentation than an earlier panel from Washington intelligence insiders. Schneier, the CTO of Co3 Systems and author, gave the security-geek view. He also gave his answer to the question everyone has been asking: how do we keep from being spied on?
Collect Everything
Schneier laid out the situation as he sees it today: that the NSA has turned the Internet into a giant surveillance platform that is both technically and legally robust.
Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and full of smart people but "they are not made of magic".
A cryptographer by training and a security thinker by trade, Schneier has spent many hours reading the Snowden documents and thinking about what they mean, both in terms of the NSA's actual capabilities and their effect on data security and privacy. Much of the news, clearly, is not good on that front.
The good news? Strong crypto still works
RSA 2014 If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier.
"The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an audience at the RSA 2014 conference in San Francisco.
"These techniques for exfiltrating data aren't magical, they are just expensive. Everything we know about technology is that it gets cheaper.
Two recently-discovered flaws in Apple iOS and Mac OS X have security experts openly asking whether the software vulnerabilities represent backdoors inserted for purposes of cyber-espionage. There's no clear answer so far, but it just shows that anxiety about state-sponsored surveillance is running high.
'One line of code—was it an accident or enemy action? I don't know, but it's the kind of bug I'd put in,' remarked Bruce Schneier, chief technology officer at Co3 Systems, about the flaw in Apple OS X SSL encryption that was revealed last week.
Bruce Schneier is a legendary figure in the security community, well-known for his expertise in cryptography and more recently for his insight into the surveillance activities of the National Security Agency (NSA). Schneier currently serves as the CTO of incident response management vendor Co3 Systems. In an interview with eWEEK at the RSA conference here, Schneier detailed his views on the NSA's surveillance activities. When it comes to domestic surveillance and metadata collection, Schneier firmly believes that the Federal Bureau of Investigation is the right agency to handle that data. He noted that the FBI already has domestic security capabilities and is responsible for the national fingerprint database.
Cryptography expert Bruce Schneier, now CTO of Co3 Systems, continued his criticism of the National Security Agency's surveillance during his well-attended talk at the RSA Conference in San Francisco today.
Schneier has been a fierce critic of the National Security Agency (NSA) ever since the details of this surveillance were first revealed by former CIA contractor Edward Snowden last summer. And following on from an interview with CNN this week where he argued for the NSA to be split up, he took the opportunity to champion for stronger encryption in front of a packed audience at the RSA Conference.
Schneier, who left BT—also reportedly offering back doors in products—to join Co3 Systems in December, mused from the beginning that the talk was going to be a prickly and hotly-contested subject. "This will be a fun topic."
His talk was entitled "NSA Surveillance: What we know and what to do about it" and he first ran into the attack techniques—sometimes obscured by odd code names—being used by the NSA and GCHQ to carry out mass surveillance.
Don't feel futile, the Internet can be saved, according to cryptography luminary
There are ways for people to win back their privacy from global intelligence agencies, largely by making bulk collection of data economically unviable, encryption luminary Bruce Schneier told delegates at the RSA 2014 conference today.
This would be doable by placing secure encryption in places where it currently does not reside, from vulnerable mobile applications to people's hard drives.
"Encryption frustrates the NSA at scale," he said. "Our goal should be to leverage economics, physics and maths to make the Internet secure, to make surveillance more expensive.
When incident response software maker Co3 announced earlier this month that Bruce Schneier was joining the company as its first CTO, some observers might have wondered: Huh?
Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom like BT to serve as CTO of a much smaller software company? Well, the answer is pretty basic. He sees the company offering a product the security and privacy communities desperately need.
Security expert and technologist Bruce Schneier has told the BBC that he believes the NSA and GCHQ have "betrayed the trust of the internet".
Mr Schneier said: "We have to trust the infrastructure [of the internet]... The fact that it has been subverted in ways we don't understand... we don't know what to trust.
A computer cryptography expert revealed that he met Thursday with members of Congress to explain Edward Snowden's revelations about the National Security Agency because "the NSA wasn't forthcoming."
In a brief post on his blog, Bruce Schneier said that he had held a roundtable discussion with six House members, organized by Rep. Zoe Lofgren (D-Calif.), to discuss the NSA's activities.
Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School, co-authored a Guardian article with reporter Glenn Greenwald on the NSA's attempts to hack an anonymizing web service and has taken a peek at many of the documents that Snowden leaked.
"Lofgren asked me to brief her and a few Representatives on the NSA," Schneier wrote. "She said that the NSA wasn't forthcoming about their activities, and they wanted me—as someone with access to the Snowden documents—to explain to them what the NSA was doing.
Cryptographer, essayist, book author, free thinker, privacy advocate and cybersecurity thought leader Bruce Schneier announced a few days ago that he's joining Co3 Systems as its new CTO. The Cambridge, Mass.-based startup helps companies comply with data privacy and data loss disclosure regulations. Schneier shared what's top of his mind with CyberTruth.
CT: You started in encryption, and had a great run as a globe-trotting cybersecurity guru.
Schneier says new gig at incident response management vendor a natural progression for him
Other articles about Bruce Schneier's new position with Co3 Systems appeared in InfoSecurity Magazine, SearchSecurity, TechWeekEurope, The Inquirer, ZDNet, Help Net Security, Security Week, The Register, SecurityCurrent, Boston Business Journal, Network World, and Threatpost.
Famed security expert Bruce Schneier has left BT and is now CTO of incident response (IR) management startup Co3 Systems.
Schneier, who previously had served on Co3 Systems' advisory board and has helped shape the look and feel of the software-as-a-service firm's architecture, says the time had come for him to make a change and leave BT. He had been the security futurologist for BT since it purchased his network monitoring services firm Counterpane Internet Security in October 2006.
Word that Schneier was leaving BT leaked publicly last month, and speculation arose that it had to do with his outspoken criticism of surveillance by the NSA and Britain's GCHQ.