Entries Tagged "copyright"

Page 1 of 7

The Importance of Security Engineering

In May, neuroscientist and popular author Sam Harris and I debated the issue of profiling Muslims at airport security. We each wrote essays, then went back and forth on the issue. I don’t recommend reading the entire discussion; we spent 14,000 words talking past each other. But what’s interesting is how our debate illustrates the differences between a security engineer and an intelligent layman. Harris was uninterested in the detailed analysis required to understand a security system and unwilling to accept that security engineering is a specialized discipline with a body of knowledge and relevant expertise. He trusted his intuition.

Many people have researched how intuition fails us in security: Paul Slovic and Bill Burns on risk perception, Daniel Kahneman on cognitive biases in general, Rick Walsh on folk computer-security models. I’ve written about the psychology of security, and Daniel Gartner has written more. Basically, our intuitions are based on things like antiquated fight-or-flight models, and these increasingly fail in our technological world.

This problem isn’t unique to computer security, or even security in general. But this misperception about security matters now more than it ever has. We’re no longer asking people to make security choices only for themselves and their businesses; we need them to make security choices as a matter of public policy. And getting it wrong has increasingly bad consequences.

Computers and the Internet have collided with public policy. The entertainment industry wants to enforce copyright. Internet companies want to continue freely spying on users. Law-enforcement wants its own laws imposed on the Internet: laws that make surveillance easier, prohibit anonymity, mandate the removal of objectionable images and texts, and require ISPs to retain data about their customers’ Internet activities. Militaries want laws regarding cyber weapons, laws enabling wholesale surveillance, and laws mandating an Internet kill switch. “Security” is now a catch-all excuse for all sorts of authoritarianism, as well as for boondoggles and corporate profiteering.

Cory Doctorow recently spoke about the coming war on general-purpose computing. I talked about it in terms of the entertainment industry and Jonathan Zittrain discussed it more generally, but Doctorow sees it as a much broader issue. Preventing people from copying digital files is only the first skirmish; just wait until the DEA wants to prevent chemical printers from making certain drugs, or the FBI wants to prevent 3D printers from making guns.

I’m not here to debate the merits of any of these policies, but instead to point out that people will debate them. Elected officials will be expected to understand security implications, both good and bad, and will make laws based on that understanding. And if they aren’t able to understand security engineering, or even accept that there is such a thing, the result will be ineffective and harmful policies.

So what do we do? We need to establish security engineering as a valid profession in the minds of the public and policy makers. This is less about certifications and (heaven forbid) licensing, and more about perception — and cultivating a security mindset. Amateurs produce amateur security, which costs more in dollars, time, liberty, and dignity while giving us less — or even no — security. We need everyone to know that.

We also need to engage with real-world security problems, and apply our expertise to the variety of technical and socio-technical systems that affect broader society. Everything involves computers, and almost everything involves the Internet. More and more, computer security is security.

Finally, and perhaps most importantly, we need to learn how to talk about security engineering to a non-technical audience. We need to convince policy makers to follow a logical approach instead of an emotional one — an approach that includes threat modeling, failure analysis, searching for unintended consequences, and everything else in an engineer’s approach to design. Powerful lobbying forces are attempting to force security policies on society, largely for non-security reasons, and sometimes in secret. We need to stand up for security.

A shorter version of this essay appeared in the September/October 2012 issue of IEEE Security & Privacy.

Posted on August 28, 2012 at 10:38 AMView Comments

The Battle for Internet Governance

Good article on the current battle for Internet governance:

The War for the Internet was inevitable — a time bomb built into its creation. The war grows out of tensions that came to a head as the Internet grew to serve populations far beyond those for which it was designed. Originally built to supplement the analog interactions among American soldiers and scientists who knew one another off-line, the Internet was established on a bedrock of trust: trust that people were who they said they were, and trust that information would be handled according to existing social and legal norms. That foundation of trust crumbled as the Internet expanded. The system is now approaching a state of crisis on four main fronts.

The first is sovereignty: by definition, a boundary-less system flouts geography and challenges the power of nation-states. The second is piracy and intellectual property: information wants to be free, as the hoary saying goes, but rights-holders want to be paid and protected. The third is privacy: online anonymity allows for creativity and political dissent, but it also gives cover to disruptive and criminal behavior — and much of what Internet users believe they do anonymously online can be tracked and tied to people’s real-world identities. The fourth is security: free access to an open Internet makes users vulnerable to various kinds of hacking, including corporate and government espionage, personal surveillance, the hijacking of Web traffic, and remote manipulation of computer-controlled military and industrial processes.

Posted on April 4, 2012 at 12:34 PMView Comments

Ebook Fraud

Interesting post — and discussion — on Making Light about ebook fraud. Currently there are two types of fraud. The first is content farming, discussed in these two interesting blog posts. People are creating automatically generated content, web-collected content, or fake content, turning it into a book, and selling it on an ebook site like Amazon.com. Then they use multiple identities to give it good reviews. (If it gets a bad review, the scammer just relists the same content under a new name.) That second blog post contains a screen shot of something called “Autopilot Kindle Cash,” which promises to teach people how to post dozens of ebooks to Amazon.com per day.

The second type of fraud is stealing a book and selling it as an ebook. So someone could scan a real book and sell it on an ebook site, even though he doesn’t own the copyright. It could be a book that isn’t already available as an ebook, or it could be a “low cost” version of a book that is already available. Amazon doesn’t seem particularly motivated to deal with this sort of fraud. And it too is suitable for automation.

Broadly speaking, there’s nothing new here. All complex ecosystems have parasites, and every open communications system we’ve ever built gets overrun by scammers and spammers. Far from making editors superfluous, systems that democratize publishing have an even greater need for editors. The solutions are not new, either: reputation-based systems, trusted recommenders, white lists, takedown notices. Google has implemented a bunch of security countermeasures against content farming; ebook sellers should implement them as well. It’ll be interesting to see what particular sort of mix works in this case.

Posted on April 4, 2011 at 9:18 AMView Comments

U.S. Strategy to Prevent Leaks is Leaked

As the article says, it doesn’t get any more ironic than that.

More importantly, it demonstrates how hard it is to keep secrets in the age of the Internet.

Me:

I think the government is learning what the music and movie industries were forced to learn years ago: it’s easy to copy and distribute digital files. That’s what’s different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it’s trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don’t know what those new models will be, but they will be different.

The more I think about it, the more I see this as yet another example of the Internet making information available. It’s done that to the music and movie industry. It’s done that to corporations and other organizations. And it’s doing that to government as well. This is the world we live in; the sooner the U.S. government realizes its secrecy paradigm has irrevocably changed, the sooner it will figure out how to thrive in this new paradigm.

Shutting WikiLeaks down won’t stop government secrets from leaking any more than shutting Napster down stopped illegal filesharing.

EDITED TO ADD (1/27): The story turned out to be too good to be true; it’s been retracted.

Posted on January 27, 2011 at 6:22 AMView Comments

Predator Software Pirated?

This isn’t good:

Intelligent Integration Systems (IISi), a small Boston-based software development firm, alleges that their Geospatial Toolkit and Extended SQL Toolkit were pirated by Massachusetts-based Netezza for use by a government client. Subsequent evidence and court proceedings revealed that the “government client” seeking assistance with Predator drones was none other than the Central Intelligence Agency.

IISi is seeking an injunction that would halt the use of their two toolkits by Netezza for three years. Most importantly, IISi alleges in court papers that Netezza used a “hack” version of their software with incomplete targeting functionality in response to rushed CIA deadlines. As a result, Predator drones could be missing their targets by as much as 40 feet.

The obvious joke is that this is what you get when you go with the low bidder, but it doesn’t have to be that way. And there’s nothing special about this being a government procurement; any bespoke IT procurement needs good contractual oversight.

EDITED TO ADD (11/10): Another article.

Posted on October 20, 2010 at 7:21 AMView Comments

Master HDCP Key Cracked

The master key for the High-Bandwidth Digital Content Protection standard — that’s what encrypts digital television between set-top boxes and digital televisions — has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear:

But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did more than a decade ago. Unlike CSS, which could be implemented in software, HDCP requires custom hardware. The threat model for Hollywood, then, isn’t that a hacker could use the master key to generate a DeCSS-like program for HD, but that shady hardware makers, perhaps in China, might eventually create and sell black-market HDCP cards that would allow the free copying of protected high-def content.

Posted on September 17, 2010 at 1:57 PMView Comments

1 2 3 7

Sidebar photo of Bruce Schneier by Joe MacInnis.