Schneier on Security: Tagged overreactions

Entries Tagged "overreactions"

Page 2 of 15

Matthew Green Speculates on How the NSA Defeats Encryption

This blog post is well worth reading, and not just because Johns Hopkins University asked him to remove it, and then backed down a few hours later.

Posted on September 11, 2013 at 11:53 AM • View Comments

Syrian Electronic Army Cyberattacks

The Syrian Electronic Army attacked again this week, compromising the websites of the New York Times, Twitter, the Huffington Post, and others.

Political hacking isn’t new. Hackers were breaking into systems for political reasons long before commerce and criminals discovered the Internet. Over the years, we’ve seen U.K. vs. Ireland, Israel vs. Arab states, Russia vs. its former Soviet republics, India vs. Pakistan, and US vs. China.

There was a big one in 2007, when the government of Estonia was attacked in cyberspace following a diplomatic incident with Russia. It was hyped as the first cyberwar, but the Kremlin denied any Russian government involvement. The only individuals positively identified were young ethnic Russians living in Estonia.

Poke at any of these international incidents, and what you find are kids playing politics. The Syrian Electronic Army doesn’t seem to be an actual army. We don’t even know if they’re Syrian. And—to be fair—I don’t know their ages. Looking at the details of their attacks, it’s pretty clear they didn’t target the New York Times and others directly. They reportedly hacked into an Australian domain name registrar called Melbourne IT, and used that access to disrupt service at a bunch of big-name sites.

We saw this same tactic last year from Anonymous: hack around at random, then retcon a political reason why the sites they successfully broke into deserved it. It makes them look a lot more skilled than they actually are.

This isn’t to say that cyberattacks by governments aren’t an issue, or that cyberwar is something to be ignored. Attacks from China reportedly are a mix of government-executed military attacks, government-sponsored independent attackers, and random hacking groups that work with tacit government approval. The US also engages in active cyberattacks around the world. Together with Israel, the US employed a sophisticated computer virus (Stuxnet) to attack Iran in 2010.

For the typical company, defending against these attacks doesn’t require anything different than what you’ve been traditionally been doing to secure yourself in cyberspace. If your network is secure, you’re secure against amateur geopoliticians who just want to help their side.

This essay originally appeared on the Wall Street Journal’s website.

Posted on September 3, 2013 at 1:45 PM • View Comments

False Positives and Ubiquitous Surveillance

Searching on Google for a pressure cooker and backpacks got one family investigated by the police. More stories and comments.

This seems not to be the NSA eavesdropping on everyone’s Internet traffic, as was first assumed. It was one of those “see something, say something” amateur tips:

Suffolk County Criminal Intelligence Detectives received a tip from a Bay Shore based computer company regarding suspicious computer searches conducted by a recently released employee. The former employee’s computer searches took place on this employee’s workplace computer. On that computer, the employee searched the terms “pressure cooker bombs” and “backpacks.”

Scary, nonetheless.

EDITED TO ADD (8/2): Another article.

EDITED TO ADD (8/3): As more of the facts come out, this seems like less of an overreaction than I first thought. The person was an ex-employee of the company—not an employee—and was searching “pressure cooker bomb.” It’s not unreasonable for the company to call the police in that case, and for the police to investigate the searcher. Whether or not the employer should be monitoring Internet use is another matter.

Posted on August 2, 2013 at 8:03 AM • View Comments

Counterterrorism Mission Creep

One of the assurances I keep hearing about the U.S. government’s spying on American citizens is that it’s only used in cases of terrorism. Terrorism is, of course, an extraordinary crime, and its horrific nature is supposed to justify permitting all sorts of excesses to prevent it. But there’s a problem with this line of reasoning: mission creep. The definitions of “terrorism” and “weapon of mass destruction” are broadening, and these extraordinary powers are being used, and will continue to be used, for crimes other than terrorism.

Back in 2002, the Patriot Act greatly broadened the definition of terrorism to include all sorts of “normal” violent acts as well as non-violent protests. The term “terrorist” is surprisingly broad; since the terrorist attacks of 9/11, it has been applied to people you wouldn’t normally consider terrorists.

The most egregious example of this are the three anti-nuclear pacifists, including an 82-year-old nun, who cut through a chain-link fence at the Oak Ridge nuclear-weapons-production facility in 2012. While they were originally arrested on a misdemeanor trespassing charge, the government kept increasing their charges as the facility’s security lapses became more embarrassing. Now the protestors have been convicted of violent crimes of terrorism—and remain in jail.

Meanwhile, a Tennessee government official claimed that complaining about water quality could be considered an act of terrorism. To the government’s credit, he was subsequently demoted for those remarks.

The notion of making a terrorist threat is older than the current spate of anti-terrorism craziness. It basically means threatening people in order to terrorize them, and can include things like pointing a fake gun at someone, threatening to set off a bomb, and so on. A Texas high-school student recently spent five months in jail for writing the following on Facebook: “I think I’ma shoot up a kindergarten. And watch the blood of the innocent rain down. And eat the beating heart of one of them.” Last year, two Irish tourists were denied entry at the Los Angeles Airport because of some misunderstood tweets.

Another term that’s expanded in meaning is “weapon of mass destruction.” The law is surprisingly broad, and includes anything that explodes, leading political scientist and terrorism-fear skeptic John Mueller to comment:

As I understand it, not only is a grenade a weapon of mass destruction, but so is a maliciously-designed child’s rocket even if it doesn’t have a warhead. On the other hand, although a missile-propelled firecracker would be considered a weapon of mass destruction if its designers had wanted to think of it as a weapon, it would not be so considered if it had previously been designed for use as a weapon and then redesigned for pyrotechnic use or if it was surplus and had been sold, loaned, or given to you (under certain circumstances) by the secretary of the army ….

All artillery, and virtually every muzzle-loading military long arm for that matter, legally qualifies as a WMD. It does make the bombardment of Ft. Sumter all the more sinister. To say nothing of the revelation that The Star Spangled Banner is in fact an account of a WMD attack on American shores.

After the Boston Marathon bombings, one commentator described our use of the term this way: “What the United States means by terrorist violence is, in large part, ‘public violence some weirdo had the gall to carry out using a weapon other than a gun.’ … Mass murderers who strike with guns (and who don’t happen to be Muslim) are typically read as psychopaths disconnected from the larger political sphere.” Sadly, there’s a lot of truth to that.

Even as the definition of terrorism broadens, we have to ask how far we will extend that arbitrary line. Already, we’re using these surveillance systems in other areas. A raft of secret court rulings has recently expanded the NSA’s eavesdropping powers to include “people possibly involved in nuclear proliferation, espionage and cyberattacks.” A “little-noticed provision” in a 2008 law expanded the definition of “foreign intelligence” to include “weapons of mass destruction,” which, as we’ve just seen, is surprisingly broad.

A recent Atlantic essay asks, somewhat facetiously, “If PRISM is so good, why stop with terrorism?” The author’s point was to discuss the value of the Fourth Amendment, even if it makes the police less efficient. But it’s actually a very good question. Once the NSA’s ubiquitous surveillance of all Americans is complete—once it has the ability to collect and process all of our emails, phone calls, text messages, Facebook posts, location data, physical mail, financial transactions, and who knows what else—why limit its use to cases of terrorism? I can easily imagine a public groundswell of support to use to help solve some other heinous crime, like a kidnapping. Or maybe a child-pornography case. From there, it’s an easy step to enlist NSA surveillance in the continuing war on drugs; that’s certainly important enough to warrant regular access to the NSA’s databases. Or maybe to identify illegal immigrants. After all, we’ve already invested in this system, we might as well get as much out of it as we possibly can. Then it’s a short jump to the trivial examples suggested in the Atlantic essay: speeding and illegal downloading. This “slippery slope” argument is largely speculative, but we’ve already started down that incline.

Criminal defendants are starting to demand access to the NSA data that they believe will exonerate themselves. How can a moral government refuse this request?

More humorously, the NSA might have created the best backup system ever.

Technology changes slowly, but political intentions can change very quickly. In 2000, I wrote in my book Secrets and Lies about police surveillance technologies: “Once the technology is in place, there will always be the temptation to use it. And it is poor civic hygiene to install technologies that could someday facilitate a police state.” Today we’re installing technologies of ubiquitous surveillance, and the temptation to use them will be overwhelming.

This essay originally appeared in TheAtlantic.com.

EDITED TO ADD (8/4): Other agencies are already asking to use the NSA data:

Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down because their own investigations are not considered a high enough priority, current and former government officials say.

Posted on July 19, 2013 at 9:40 AM • View Comments

DHS Puts its Head in the Sand

On the subject of the recent Washington Post Snowden document, the DHS sent this e-mail out to at least some of its employees:

From: xxxxx
Sent: Thursday, July 11, 2013 10:28 AM
To: xxxxx
Cc: xxx Security Reps; xxx SSO; xxxx;xxxx
Subject: //// SECURITY ADVISORY//// NEW WASHINGTON POST WEBPAGE ARTICLE—DO NOT CLICK ON THIS LINK

I have been advised that this article is on the Washington Post’s Website today and has a clickable link title “The NSA Slide you never seen” that must not be opened. This link opens up a classified document which will raise the classification level of your Unclassified workstation to the classification of the slide which is reported to be TS/NF. This has been verified by our Mission Partner and the reason for this email.

If opened on your home or work computer you are obligated to report this to the SSO as your computer could then be considered a classified workstation.

Again, please exercise good judgment when visiting these webpages and clicking on such links. You are violating your Non-Disclosure Agreement in which you promise by signing that you will protect Classified National Security Information. You may be subject to any administrative or legal action from the Government.

SSOs, please pass this on to your respective components as this may be a threat to the systems under your jurisdiction.

This is not just ridiculous, it’s idiotic. Why put DHS employees at a disadvantage by trying to prevent them from knowing what the rest of the world knows? The point of classification is to keep something out of the hands of the bad guys. Once a document is public, the bad guys have access to it. The harm is already done. Can someone think of a reason for this DHS policy other than spite?

Posted on July 17, 2013 at 2:45 PM • View Comments

The Japanese Response to Terrorism

Lessons from Japan’s response to Aum Shinrikyo:

Yet what’s as remarkable as Aum’s potential for mayhem is how little of it, on balance, they actually caused. Don’t misunderstand me: Aum’s crimes were horrific, not merely the terrible subway gassing but their long history of murder, intimidation, extortion, fraud, and exploitation. What they did was unforgivable, and the human cost, devastating. But at no point did Aum Shinrikyo represent an existential threat to Japan or its people. The death toll of Aum was several dozen; again, a terrible human cost, but not an existential threat. At no time was the territorial integrity of Japan threatened. At no time was the operational integrity of the Japanese government threatened. At no time was the day-to-day operation of the Japanese economy meaningfully threatened. The threat to the average Japanese citizen was effectively nil.

Just as important was what the Japanese government and people did not do. They didn’t panic. They didn’t make sweeping changes to their way of life. They didn’t implement a vast system of domestic surveillance. They didn’t suspend basic civil rights. They didn’t begin to capture, torture, and kill without due process. They didn’t, in other words, allow themselves to be terrorized. Instead, they addressed the threat. They investigated and arrested the cult’s leadership. They tried them in civilian courts and earned convictions through due process. They buried their dead. They mourned. And they moved on. In every sense, it was a rational, adult, mature response to a terrible terrorist act, one that remained largely in keeping with liberal democratic ideals.

Posted on June 21, 2013 at 6:25 AM • View Comments

Are We Finally Thinking Sensibly About Terrorism?

This article wonders if we are:

Yet for pretty much the first time there has been a considerable amount of media commentary seeking to put terrorism in context—commentary that concludes, as a Doyle McManus article in the Los Angeles Times put it a day after the attack, “We’re safer than we think.”

Similar tunes were sung by Tom Friedman of the New York Times, Jeff Jacoby of the Boston Globe, David Rothkopf writing for CNN.com, Josh Barro at Bloomberg, John Cassidy at the New Yorker, and Steve Chapman in the Chicago Tribune, even as the Washington Post told us “why terrorism is not scary” and published statistics on its rarity. Bruce Schneier, who has been making these arguments for over a decade, got 360,000 hits doing so for The Atlantic. Even neoconservative Max Boot, a strong advocate of the war in Iraq as a response to 9/11, argues in the Wall Street Journal, “we must do our best to make sure that the terrorists don’t achieve their objective—to terrorize us.”

James Carafano of the conservative Heritage Foundation noted in a radio interview that “the odds of you being killed by a terrorist are less than you being hit by a meteorite.” Carafano’s odds may be a bit off, but his basic point isn’t. At present rates, an American’s chance of being killed by a terrorist is about one in 3.5 million per year—compared, for example, to a yearly chance of dying in an automobile crash of one in 8,200. That could change, of course, if terrorists suddenly become vastly more capable of inflicting damage—as much commentary on terrorism has predicted over the past decade. But we’re not hearing much of that anymore.

In a 60 Minutes interview a decade ago filmmaker Michael Moore noted, “The chances of any of us dying in a terrorist incident is very, very, very small.” Bob Simon, his interlocutor, responded, “No one sees the world like that.”

Both statements were pretty much true then. However, the unprecedented set of articles projecting a more restrained, and broader, perspective suggests that Simon’s wisdom may need some updating, and that Moore is beginning to have some company.

There’s also this; and this, by Andrew Sullivan; and this, by John Cole. And these two polls.

And, of course, President Obama himself declared that “Americans refuse to be terrorized.”

Posted on May 29, 2013 at 11:22 AM • View Comments

The Boston Marathon Bomber Manhunt

I generally give the police a lot of tactical leeway in times like this. The very armed and very dangerous suspects warranted extraordinary treatment. They were perfectly capable of killing again, taking hostages, planting more bombs—and we didn’t know the extent of the plot or the group. That’s why I didn’t object to the massive police dragnet, the city-wide lock down, and so on.

Ross Anderson has a different take:

…a million people were under virtual house arrest; the 19-year-old fugitive from justice happened to be a Muslim. Whatever happened to the doctrine that infringements of one liberty to protect another should be necessary and proportionate?

In the London bombings, four idiots killed themselves in the first incident with a few dozen bystanders, but the second four failed and ran for it when their bombs didn’t go off. It didn’t occur to anyone to lock down London. They were eventually tracked down and arrested, together with their support team. Digital forensics played a big role; the last bomber to be caught left the country and changed his SIM, but not his IMEI. It’s next to impossible for anyone to escape nowadays if the authorities try hard.

He has a point, although I’m not sure I agree with it.

Opinions?

EDITED TO ADD (4/20): This makes the argument very well. On the other hand, readers are rightfully pointing out that the lock down was in response to the shooting of a campus police officer, a carjacking, a firefight, and a vehicle chase with thrown bombs: the sort of thing that pretty much only happens in the movies.

EDITED TO ADD (4/20): More commentary on this Slashdot thread.

Posted on April 20, 2013 at 8:19 AM • View Comments

Dangerous Security Theater: Scrambling Fighter Jets

This story exemplifies everything that’s wrong with our see-something-say-something war on terror: a perfectly innocent person on an airplane, a random person identifying him as a terrorist threat, and a complete overreaction on the part of the authorities.

Typical overreaction, but in this case—as in several others over the past decade—F-15 fighter jets were scrambled to escort the airplane to the ground. Very expensive, and potentially catastrophically fatal.

This blog post makes the point well:

What bothers me about this is not so much that they interrogated the wrong person—that happens all the time, not that it’s okay—but rather the fighter jets. I think most people probably understand this, but just to make it totally clear, if they send up fighters that is not because they are bringing the first-class passengers some more of those little hot towels. It is so they can be ready to SHOOT YOU DOWN if necessary. Now, I realize the odds that would ever happen, even accidentally, are very tiny. I still question whether it’s wise to put fighters next to a passenger plane at the drop of a hat, or in this case because of an anonymous tip about a sleeping passenger.

[…]

According to the Seattle Times report, though, interceptions like this are apparently much more common than I thought. Citing a NORAD spokesman, it says this has happened “thousands of times” since 9/11. In this press release NORAD says there have been “over fifteen hundred” since 9/11, most apparently involving planes that violated “temporary flight restriction” areas. Either way, while this is a small percentage of all flights, of course, it still seems like one hell of a lot of interceptions—especially since in every single case, it has been unnecessary, and is (as NORAD admits) “at great expense to the taxpayer.”

Posted on January 28, 2013 at 1:25 PM • View Comments

←Previous 1 2 3 4 … 15 Next→

Sidebar photo of Bruce Schneier by Joe MacInnis.