Entries Tagged "Schneier news"

Page 16 of 46

Organizational Doxing

Recently, WikiLeaks began publishing over half a million previously secret cables and other documents from the Foreign Ministry of Saudi Arabia. It’s a huge trove, and already reporters are writing stories about the highly secretive government.

What Saudi Arabia is experiencing isn’t common but part of a growing trend.

Just last week, unknown hackers broke into the network of the cyber-weapons arms manufacturer Hacking Team and published 400 gigabytes of internal data, describing, among other things, its sale of Internet surveillance software to totalitarian regimes around the world.

Last year, hundreds of gigabytes of Sony’s sensitive data was published on the Internet, including executive salaries, corporate emails and contract negotiations. The attacker in this case was the government of North Korea, which was punishing Sony for producing a movie that made fun of its leader. In 2010, the U.S. cyberweapons arms manufacturer HBGary Federal was a victim, and its attackers were members of a loose hacker collective called LulzSec.

Edward Snowden stole a still-unknown number of documents from the National Security Agency in 2013 and gave them to reporters to publish. Chelsea Manning stole three-quarters of a million documents from the U.S. State Department and gave them to WikiLeaks to publish. The person who stole the Saudi Arabian documents might also be a whistleblower and insider but is more likely a hacker who wanted to punish the kingdom.

Organizations are increasingly getting hacked, and not by criminals wanting to steal credit card numbers or account information in order to commit fraud, but by people intent on stealing as much data as they can and publishing it. Law professor and privacy expert Peter Swire refers to “the declining half-life of secrets.” Secrets are simply harder to keep in the information age. This is bad news for all of us who value our privacy, but there’s a hidden benefit when it comes to organizations.

The decline of secrecy means the rise of transparency. Organizational transparency is vital to any open and free society.

Open government laws and freedom of information laws let citizens know what the government is doing, and enable them to carry out their democratic duty to oversee its activities. Corporate disclosure laws perform similar functions in the private sphere. Of course, both corporations and governments have some need for secrecy, but the more they can be open, the more we can knowledgeably decide whether to trust them.

This makes the debate more complicated than simple personal privacy. Publishing someone’s private writings and communications is bad, because in a free and diverse society people should have private space to think and act in ways that would embarrass them if public.

But organizations are not people and, while there are legitimate trade secrets, their information should otherwise be transparent. Holding government and corporate private behavior to public scrutiny is good.

Most organizational secrets are only valuable for a short term: negotiations, new product designs, earnings numbers before they’re released, patents before filing, and so on.

Forever secrets, like the formula for Coca-Cola, are few and far between. The one exception is embarrassments. If an organization had to assume that anything it did would become public in a few years, people within that organization would behave differently.

The NSA would have had to weigh its collection programs against the possibility of public scrutiny. Sony would have had to think about how it would look to the world if it paid its female executives significantly less than its male executives. HBGary would have thought twice before launching an intimidation campaign against a journalist it didn’t like, and Hacking Team wouldn’t have lied to the UN about selling surveillance software to Sudan. Even the government of Saudi Arabia would have behaved differently. Such embarrassment might be the first significant downside of hiring a psychopath as CEO.

I don’t want to imply that this forced transparency is a good thing, though. The threat of disclosure chills all speech, not just illegal, embarrassing, or objectionable speech. There will be less honest and candid discourse. People in organizations need the freedom to write and say things that they wouldn’t want to be made public.

State Department officials need to be able to describe foreign leaders, even if their descriptions are unflattering. Movie executives need to be able to say unkind things about their movie stars. If they can’t, their organizations will suffer.

With few exceptions, our secrets are stored on computers and networks vulnerable to hacking. It’s much easier to break into networks than it is to secure them, and large organizational networks are very complicated and full of security holes. Bottom line: If someone sufficiently skilled, funded and motivated wants to steal an organization’s secrets, they will succeed. This includes hacktivists (HBGary Federal, Hacking Team), foreign governments (Sony), and trusted insiders (State Department and NSA).

It’s not likely that your organization’s secrets will be posted on the Internet for everyone to see, but it’s always a possibility.

Dumping an organization’s secret information is going to become increasingly common as individuals realize its effectiveness for whistleblowing and revenge. While some hackers will use journalists to separate the news stories from mere personal information, not all will.

Both governments and corporations need to assume that their secrets are more likely to be exposed, and exposed sooner, than ever. They should do all they can to protect their data and networks, but have to realize that their best defense might be to refrain from doing things that don’t look good on the front pages of the world’s newspapers.

This essay previously appeared on CNN.com. I didn’t use the term “organizational doxing,” though, because it would be too unfamiliar to that audience.

EDITED TO ADD: This essay has been translated into German.

Posted on July 10, 2015 at 4:32 AMView Comments

The Risks of Mandating Backdoors in Encryption Products

Tuesday, a group of cryptographers and security experts released a major paper outlining the risks of government-mandated back-doors in encryption products: Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications, by Hal Abelson, Ross Anderson, Steve Bellovin, Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Matthew Green, Susan Landau, Peter Neumann, Ron Rivest, Jeff Schiller, Bruce Schneier, Michael Specter, and Danny Weitzner.

Abstract: Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates. We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

It’s already had a big impact on the debate. It was mentioned several times during yesterday’s Senate hearing on the issue (see here).

Three blog posts by authors. Four different news articles, and this analysis of how the New York Times article changed. Also, a New York Times editorial.

EDITED TO ADD (7/9): Peter Swire’s Senate testimony is worth reading.

EDITED TO ADD (7/10): Good article on these new crypto wars.

EDITED TO ADF (7/14): Two rebuttals, neither very convincing.

Posted on July 9, 2015 at 6:31 AMView Comments

Twitter Followers: Please Use the Correct Feed

The official Twitter feed for my blog is @schneierblog. The account @Bruce_Schneier also mirrors my blog, but it is not mine. I have nothing to do with it, and I don’t know who owns it.

Normally I wouldn’t mind, but the unofficial blog fails intermittently. Also, @Bruce_Schneier follows people who then think I’m following them. I’m not; I never log in to Twitter and I don’t follow anyone there.

So if you want to read my blog on Twitter, please make sure you’re following @schneierblog. If you are the person who runs the @Bruce_Schneier account—if anyone is even running it anymore—please e-mail me at the address on my Contact page.

And if anyone from the Twitter fraud department is reading this, please contact me. I know I can get the @Bruce_Schneier account deleted, but I don’t want to lose the 27,300 followers on it. What I want is to consolidate them with the 67,700 followers on my real account. There’s no way to explain this on the form to report Twitter impersonation. (Although maybe I should just delete the account. I didn’t do it 18 months ago when there were only 16,000 followers on that account, and look what happened. It’ll only be worse next year.)

EDITED TO ADD (7/2): It’s done. @Bruce_Schneier is gone.

Posted on June 30, 2015 at 1:16 PMView Comments

Security and Human Behavior (SHB 2015)

Earlier this week, I was at the eighth Workshop on Security and Human Behavior.

This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, biologists, anthropologists, business school professors, neuroscientists, and a smattering of others. It’s not just an interdisciplinary event; most of the people here are individually interdisciplinary.

I call this the most intellectually stimulating two days of my year. The goal is discussion amongst the group. We do that by putting everyone on panels, but only letting each person talk for 10 minutes. The rest of the 90-minute panel is left for discussion.

Ross Anderson liveblogged the talks. Bob Sullivan wrote a piece on some of the presentations on family surveillance.

Here are my posts on the first, second, third, fourth, fifth, sixth, and seventh SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 11, 2015 at 1:24 PMView Comments

More Data and Goliath News

Right now, the book is #6 on the New York Times best-seller list in hardcover nonfiction, and #13 in combined print and e-book nonfiction. This is the March 22 list, and covers sales from the first week of March. The March 29 list—covering sales from the second week of March—is not yet on the Internet. On that list, I’m #11 on the hardcover nonfiction list, and not at all on the combined print and e-book nonfiction list.

Marc Rotenberg of EPIC tells me that Vance Packard’s The Naked Society made it to #7 on the list during the week of July 12, 1964, and—by that measure—Data and Goliath is the most popular privacy book of all time. I’m not sure I can claim that honor yet, but it’s a nice thought. And two weeks on the New York Times best-seller list is super fantastic.

For those curious to know what sorts of raw numbers translate into those rankings, this is what I know. Nielsen Bookscan tracks retail sales across the US, and captures about 80% of the book market. It reports that my book sold 4,706 copies during the first week of March, and 2,339 copies in the second week. Taking that 80% figure, that means I sold 6,000 copies the first week and 3,000 the second.

My publisher tells me that Amazon sold 650 hardcovers and 600 e-books during the first week, and 400 hardcovers and 500 e-books during the second week. The hardcover sales ranking was 865, 949, 611, 686, 657, 602, 595 during the first week, and 398, 511, 693, 867, 341, 357, 343 during the second. The book’s rankings during those first few days don’t match sales, because Amazon records a sale for the rankings when a person orders a book, but only counts the sale when it actually ships it. So all of my preorders sold on that first day, even though they were calculated in the rankings during the days and weeks before publication date.

There are few new book reviews. There’s one from the Dealbook blog at the New York Times that treats the book very seriously, but doesn’t agree with my conclusions. (A rebuttal to that review is here.) A review from the Wall Street Journal was even less kind. This review from InfoWorld is much more positive.

All of this, and more, is on the book’s website.

There are several book-related videos online. The first is the talk I gave at the Harvard Bookstore on March 4th. The second and third are interviews of me on Democracy Now. I also did a more general Q&A with Gizmodo.

Note to readers. The book is 80,000 words long, which is a normal length for a book like this. But the book’s size is much larger, because it contains a lot of references. They’re not numbered, but if they were, there would be over 1,000 numbers. I counted all the links, and there are 1,622 individual citations. That’s a lot of text. This means that if you’re reading the book on paper, the narrative ends on page 238, even though the book continues to page 364. If you’re reading it on the Kindle, you’ll finish the book when the Kindle says you’re only 44% of the way through. The difference between pages and percentages is because the references are set in smaller type than the body. I warn you of this now, so you know what to expect. It always annoys me that the Kindle calculates percent done from the end of the file, not the end of the book.

And if you’ve read the book, please post a review on the book’s Amazon page or on Goodreads. Reviews are important on those sites, and I need more of them.

Posted on March 19, 2015 at 2:35 PMView Comments

Fall Seminar on Catastrophic Risk

I am planning a study group at Harvard University (in Boston) for the Fall semester, on catastrophic risk.

Berkman Study Group—Catastrophic Risk: Technologies and Policy

Technology empowers, for both good and bad. A broad history of “attack” technologies shows trends of empowerment, as individuals wield ever more destructive power. The natural endgame is a nuclear bomb in everybody’s back pocket, or a bio-printer that can drop a species. And then what? Is society even possible when the most extreme individual can kill everyone else? Is totalitarian control the only way to prevent human devastation, or are there other possibilities? And how realistic are these scenarios, anyway? In this class, we’ll discuss technologies like cyber, bio, nanotech, artificial intelligence, and autonomous drones; security technologies and policies for catastrophic risk; and more. Is the reason we’ve never met any extraterrestrials that natural selection dictates that any species achieving a sufficiently advanced technology level inevitably exterminates itself?

The study group may serve as a springboard for an independent paper and credit, in conjunction with faculty supervision from your program.

All disciplines and backgrounds welcome, students and non-students alike. This discussion needs diverse perspectives. We also ask that you commit to preparing for and participating in all sessions.

Six sessions, Mondays, 5:00­-7:00 PM, Location TBD
9/14, 9/28, 10/5, 10/19, 11/2, 11/16

Please respond to Bruce Schneier with a resume and statement of interest. Applications due August 14. Bruce will review applications and aim for a seminar size of roughly 16­20 people with a diversity of backgrounds and expertise.

Please help me spread the word far and wide. The description is only on a Berkman page, so students won’t see it in their normal perusal of fall classes.

Posted on March 13, 2015 at 2:36 PMView Comments

1 14 15 16 17 18 46

Sidebar photo of Bruce Schneier by Joe MacInnis.