Entries Tagged "privacy"

Page 84 of 145

Three Emerging Cyber Threats

On Monday, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal:

  1. The Rise of Big Data. By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They’re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.
  2. Ill-Conceived Regulations from Law Enforcement. We’re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I’m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they’ll all make us less safe.
  3. The Cyberwar Arms Race. I’m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

That’s my list, and they all have the potential to be more dangerous than cybercriminals.

Posted on September 23, 2011 at 6:53 AMView Comments

More 9/11 Retrospectives

Joseph Stiglitz on the price of 9/11.

How 9/11 changed surveillance.

New scientific research as a result of 9/11.

A good controversial piece.

The day we lost our privacy and power.

The probability of another 9/11-magnitude terrorist attack.

To justify the current U.S. spending on homeland security—not including our various official and unofficial wars—we’d have to foil 1,667 Times Square-style plots per year.

Let’s Cancel 9/11.”

I didn’t write anything to commemorate the 9/11 anniversary. I couldn’t think of anything to say that I haven’t said a gazillion times already.

Anything else worth reading? Post links here.

EDITED TO ADD (9/14): “How to Beat Terrorism: Refuse to Be Terrorized” from Wired.

Ten Things I Want My Children To Learn from 9/11.”

The creator of the TSA says it should be dismantled and privatized:

Pat Buchanan on Bush after 9/11.

9/11: Was There an Alternative? by Noam Chomsky.

Comments from Al-Jazeera.

The Onion’s comment.

Posted on September 12, 2011 at 1:27 PMView Comments

The Efficacy of Post-9/11 Counterterrorism

This is an interesting article. The authors argue that the whole war-on-terror nonsense is useless—that’s not new—but that the security establishment knows it doesn’t work and abandoned many of the draconian security measures years ago, long before Obama became president. All that’s left of the war on terror is political, as lawmakers fund unwanted projects in an effort to be tough on crime.

I wish it were true, but I don’t buy it. The war on terror is an enormous cash cow, and law enforcement is spending the money as fast as it can get it. It’s also a great stalking horse for increases in police powers, and I see no signs of agencies like the FBI or the TSA not grabbing all the power they can.

The second half of the article is better. The authors argue that openness, not secrecy, improves security:

The worst mistakes and abuses of the War on Terror were possible, in no small part, because national security is still practiced more as a craft than a science. Lacking rigorous evaluations of its practices, the national security establishment was particularly vulnerable to the panic, grandiosity, and overreach that colored policymaking in the wake of 9/11.

To avoid making those sorts of mistakes again, it is essential that we reimagine national security as an object of scientific inquiry. Over the last four centuries, virtually every other aspect of statecraft—from the economy to social policy to even domestic law enforcement—has been opened up to engagement with and evaluation by civil society. The practice of national security is long overdue for a similar transformation.

Maintaining the nation’s security of course will continue to require some degree of secrecy. But there is little reason to think that appropriate secrecy is inconsistent with a fact-based culture of robust and multiplicative inquiry. Indeed, to whatever partial extent that culture already exists within the national security establishment, it has led the move away from many of the counterproductive security measures established after 9/11.

Yet, in the ten years that Congress has been debating issues like coercive interrogation, ethnic profiling, and military tribunals, the House and Senate Intelligence committees, which have all the proper security clearances to evaluate such questions, have never established any formal process to consistently evaluate and improve the effectiveness of U.S. counterterrorism measures.

Establishing proper oversight and evaluation of the efficacy of our security practices will not come easily, for the security craft guards its claims to privileged knowledge jealously. But as long as the practice of security remains hidden behind a veil of classified documents and accepted wisdoms handed down from generation to generation of security agents, our national security apparatus will never become fully modern.

Here’s the report the article was based on.

Posted on September 2, 2011 at 1:34 PMView Comments

Pseudonymity

Long essay on the value of pseudonymity. From the conclusions:

Here lies the huge irony in this discussion. Persistent pseudonyms aren’t ways to hide who you are. They provide a way to be who you are. You can finally talk about what you really believe; your real politics, your real problems, your real sexuality, your real family, your real self. Much of the support for “real names” comes from people who don’t want to hear about controversy, but controversy is only a small part of the need for pseudonyms. For most of us, it’s simply the desire to be able to talk openly about the things that matter to every one of us who uses the Internet. The desire to be judged—not by our birth, not by our sex, and not by who we work for—but by what we say.

[…]

I leave you with this question. What if I had posted this under my pseudonym? Why should that have made a difference? I would have written the same words, but ironically, I could have added some more personal and perhaps persuasive arguments which I dare not make under this account. Because I was forced to post this under my real name, I had to weaken my arguments; I had to share less of myself. Have you ever met “Kee Hinckley”? Have you met me under my other name? Does it matter? There is nothing real on the Internet; all you know about me is my words. You can look me up on Google, and still all you will know is my words. One real person wrote this post. It could have been submitted under either name. But one of them is not allowed to. Does that really make sense?

Behind every pseudonym is a real person. Deny the pseudonym and you deny the person.

This is, of a course, a response to the Google+ names policy.

Posted on August 22, 2011 at 6:01 AMView Comments

New, Undeletable, Web Cookie

A couple of weeks ago Wired reported the discovery of a new, undeletable, web cookie:

Researchers at U.C. Berkeley have discovered that some of the net’s most popular sites are using a tracking service that can’t be evaded—even when users block cookies, turn off storage in Flash, or use browsers’ “incognito” functions.

The Wired article was very short on specifics, so I waited until one of the researchers—Ashkan Soltani—wrote up more details. He finally did, in a quite technical essay:

What differentiates KISSmetrics apart from Hulu with regards to respawning is, in addition to Flash and HTML5 LocalStorage, KISSmetrics was exploiting the browser cache to store persistent identifiers via stored Javascript and ETags. ETags are tokens presented by a user’s browser to a remote webserver in order to determine whether a given resource (such as an image) has changed since the last time it was fetched. Rather than simply using it for version control, we found KISSmetrics returning ETag values that reliably matched the unique values in their ‘km_ai’ user cookies.

Posted on August 15, 2011 at 4:48 AMView Comments

GPRS Hacked

Just announced:

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

More articles.

Posted on August 10, 2011 at 4:11 PMView Comments

1 82 83 84 85 86 145

Sidebar photo of Bruce Schneier by Joe MacInnis.