Entries Tagged "Schneier news"


Help with Mailing List Hosting

I could use some help with finding a host for my monthly newsletter, Crypto-Gram. My old setup just wasn’t reliable enough. I had a move planned, but that fell through when the new host’s bounce processing system turned out to be buggy and they admitted the problem might never be fixed.

Clearly I need something a lot more serious. My criteria include subscriber privacy, reasonable cost, and a proven track record of reliability with large mailing lists. (I would use MailChimp, but it has mandatory click tracking for new accounts.)

One complication is that SpamCop, a popular anti-spam service, tells me I have at least one of their “spamtrap” addresses on the list. Spamtraps are addresses that—in theory—have never been used, so they shouldn’t be on any legitimate list. I don’t know how they got on my list, since I make people confirm their subscriptions by replying to an e-mail or clicking on an e-mailed link. But I used to make rare exceptions for people who just asked to join, so maybe a bad address or two got on that way. Spamtraps don’t work if you tell people what they are, so I can’t just find and remove them. And this has caused no end of problems for subscribers who use SpamCop’s blacklist.

At a minimum, I need to be sure that a new host won’t kick me out for a couple of spamtraps. And if the solution to this problem involves making all 100,000 people on the list reconfirm their subscriptions, then that has to be as simple and user-friendly a process as possible.

If you can recommend a host that would work, I’m interested. Even better would be talking to an expert with lots of experience running large mailing lists who can guide me. If you know a person like that, or if you are one, please leave a comment or e-mail me at the address on my Contact page.

Posted on August 3, 2015 at 5:58 AM

Schneier Speaking Schedule

I’m speaking at an Infoedge event at Bali Hai Golf Club in Las Vegas, at 5 pm on August 5, 2015.

I’m speaking at Def Con 23 on Friday, August 7, 2015.

I’m speaking—remotely via Skype—at LinuxCon in Seattle on August 18, 2015.

I’m speaking at CloudSec in Singapore on August 25, 2015.

I’m speaking at MindTheSec in São Paulo, Brazil, on August 27, 2015.

I’m speaking on the future of privacy at a public seminar sponsored by the Institute for Future Studies, in Stockholm, Sweden on September 21, 2015.

I’m speaking at Next Generation Threats 2015 in Stockholm, Sweden, on September 22, 2015.

I’m speaking at Next Generation Threats 2015 in Gothenburg, Sweden, on September 23, 2015.

I’m speaking at Free and Safe in Cyberspace in Brussels on September 24, 2015.

I’ll be on a panel at Privacy. Security. Risk. 2015 in Las Vegas on September 30, 2015.

I’m speaking at the Privacy + Security Forum, October 21-23, 2015, at The Marvin Center in Washington, DC.

I’m speaking at the Boston Book Festival on October 24, 2015.

I’m speaking at the 4th Annual Cloud Security Congress EMEA in Berlin on November 17, 2015.

Posted on July 31, 2015 at 2:21 PM

Crypto-Gram Is Moving

If you subscribe to my monthly e-mail newsletter, Crypto-Gram, you need to read this.

Sometime between now and the August issue, the Crypto-Gram mailing list will be moving to a new host. When the move happens, you’ll get an e-mail asking you to confirm your subscription. In the e-mail will be a link that you will have to click in order to join the new list. The link will go to dreamhost.com—that’s the new host—not to schneier.com. It’s just the one click, and you won’t be asked for any additional information.

(Yes, I am asking you all to click on a link you’ve received in e-mail. The fact that I’m writing about this in Crypto-Gram and posting about it on this blog is the best confirmation I can provide.)

If for any reason you don’t want to receive Crypto-Gram anymore, just don’t click the confirmation link, and you’ll automatically drop off the list.

I’ll post updates on the status of the move on the main list page.

Posted on July 15, 2015 at 2:15 AM

Organizational Doxing

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It’s a huge trove, and already reporters are writing stories about the highly secretive government.

What Saudi Arabia is experiencing isn’t common, but it is part of a growing trend.

Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world.

Last year, hundreds of gigabytes of Sony’s sensitive data was published on the Internet, including executive salaries, corporate emails and contract negotiations. The attacker in this case was the government of North Korea, which was punishing Sony for producing a movie that made fun of its leader. In 2010, the U.S. cyberweapons arms manufacturer HBGary Federal was a victim, and its attackers were members of a loose hacker collective called LulzSec.

Edward Snowden stole a still-unknown number of documents from the National Security Agency in 2013 and gave them to reporters to publish. Chelsea Manning stole three-quarters of a million documents from the U.S. State Department and gave them to WikiLeaks to publish. The person who stole the Saudi Arabian documents might also be a whistleblower and insider but is more likely a hacker who wanted to punish the kingdom.

Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it. Law professor and privacy expert Peter Swire refers to “the declining half-life of secrets.” Secrets are simply harder to keep in the information age. This is bad news for all of us who value our privacy, but there’s a hidden benefit when it comes to organizations.

The decline of secrecy means the rise of transparency. Organizational transparency is vital to any open and free society.

Open government laws and freedom of information laws let citizens know what the government is doing, and enable them to carry out their democratic duty to oversee its activities. Corporate disclosure laws perform similar functions in the private sphere. Of course, both corporations and governments have some need for secrecy, but the more they can be open, the more we can knowledgeably decide whether to trust them.

This makes the debate more complicated than simple personal privacy. Publishing someone’s private writings and communications is bad, because in a free and diverse society people should have private space to think and act in ways that would embarrass them if public.

But organizations are not people and, while there are legitimate trade secrets, their information should otherwise be transparent. Holding government and corporate private behavior to public scrutiny is good.

Most organizational secrets are only valuable for a short term: negotiations, new product designs, earnings numbers before they’re released, patents before filing, and so on.

Forever secrets, like the formula for Coca-Cola, are few and far between. The one exception is embarrassments. If an organization had to assume that anything it did would become public in a few years, people within that organization would behave differently.

The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn’t like, and Hacking Team wouldn’t have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently. Such embarrassment might be the first significant downside of hiring a psychopath as CEO.

I don’t want to imply that this forced transparency is a good thing, though. The threat of disclosure chills all speech, not just illegal, embarrassing, or objectionable speech. There will be less honest and candid discourse. People in organizations need the freedom to write and say things that they wouldn’t want to be made public.

State Department officials need to be able to describe foreign leaders, even if their descriptions are unflattering. Movie executives need to be able to say unkind things about their movie stars. If they can’t, their organizations will suffer.

With few exceptions, our secrets are stored on computers and networks vulnerable to hacking. It’s much easier to break into networks than it is to secure them, and large organizational networks are very complicated and full of security holes. Bottom line: If someone sufficiently skilled, funded and motivated wants to steal an organization’s secrets, they will succeed. This includes hacktivists (HBGary Federal, Hacking Team), foreign governments (Sony), and trusted insiders (State Department and NSA).

It’s not likely that your organization’s secrets will be posted on the Internet for everyone to see, but it’s always a possibility.

Dumping an organization’s secret information is going to become increasingly common as individuals realize its effectiveness for whistleblowing and revenge. While some hackers will use journalists to separate the news stories from mere personal information, not all will.

Both governments and corporations need to assume that their secrets are more likely to be exposed, and exposed sooner, than ever. They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don’t look good on the front pages of the world’s newspapers.

This essay previously appeared on CNN.com. I didn’t use the term “organizational doxing,” though, because it would be too unfamiliar to that audience.

EDITED TO ADD: This essay has been translated into German.

Posted on July 10, 2015 at 4:32 AM

The Risks of Mandating Backdoors in Encryption Products

Tuesday, a group of cryptographers and security experts released a major paper outlining the risks of government-mandated back-doors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller, Bruce Schneier, Michael Specter, and Danny Weitzner.

Abstract: Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

It’s already had a big impact on the debate. It was mentioned several times during yesterday’s Senate hearing on the issue (see here).

Three blog posts by authors. Four different news articles, and this analysis of how the New York Times article changed. Also, a New York Times editorial.

EDITED TO ADD (7/9): Peter Swire’s Senate testimony is worth reading.

EDITED TO ADD (7/10): Good article on these new crypto wars.

EDITED TO ADD (7/14): Two rebuttals, neither very convincing.

Posted on July 9, 2015 at 6:31 AM

Twitter Followers: Please Use the Correct Feed

The official Twitter feed for my blog is @schneierblog. The account @Bruce_Schneier also mirrors my blog, but it is not mine. I have nothing to do with it, and I don’t know who owns it.

Normally I wouldn’t mind, but the unofficial blog fails intermittently. Also, @Bruce_Schneier follows people who then think I’m following them. I’m not; I never log in to Twitter and I don’t follow anyone there.

So if you want to read my blog on Twitter, please make sure you’re following @schneierblog. If you are the person who runs the @Bruce_Schneier account—if anyone is even running it anymore—please e-mail me at the address on my Contact page.

And if anyone from the Twitter fraud department is reading this, please contact me. I know I can get the @Bruce_Schneier account deleted, but I don’t want to lose the 27,300 followers on it. What I want is to consolidate them with the 67,700 followers on my real account. There’s no way to explain this on the form to report Twitter impersonation. (Although maybe I should just delete the account. I didn’t do it 18 months ago when there were only 16,000 followers on that account, and look what happened. It’ll only be worse next year.)

EDITED TO ADD (7/2): It’s done. @Bruce_Schneier is gone.

Posted on June 30, 2015 at 1:16 PM

Security and Human Behavior (SHB 2015)

Earlier this week, I was at the eighth Workshop on Security and Human Behavior.

This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, biologists, anthropologists, business school professors, neuroscientists, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

I call this the most intellectually stimulating two days of my year. The goal is discussion amongst the group. We do that by putting everyone on panels, but only letting each person talk for 10 minutes. The rest of the 90-minute panel is left for discussion.

Ross Anderson liveblogged the talks. Bob Sullivan wrote a piece on some of the presentations on family surveillance.

Here are my posts on the first, second, third, fourth, fifth, sixth, and seventh SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 11, 2015 at 1:24 PM
