fourth post
Why the Government Should Help Leakers
In the Information Age, it's easier than ever to steal and publish data.
Corporations and governments have to adjust to their secrets being
exposed, regularly.
When massive amounts of government documents are leaked, journalists
sift through them to determine which pieces of information are
newsworthy, and confer with government agencies over what needs to be
redacted.
Managing this reality is going to require that governments actively
engage with members of the press who receive leaked secrets, helping
them secure those secrets -- even while being unable to prevent them
from publishing. It might seem abhorrent to help those who are seeking
to bring your secrets to light, but it's the best way to ensure that the
things that truly need to be secret remain secret, even as everything
else becomes public.
The WikiLeaks cables serve as an excellent example of how a government
should not deal with massive leaks of classified information.
WikiLeaks has said it asked US authorities for help in determining what
should be redacted before publication of documents, although some
government officials have challenged that statement. WikiLeaks' media
partners did redact many documents, but eventually all 250,000
unredacted cables were released to the world as a result of a mistake.
The damage was nowhere near as serious as government officials initially
claimed, but it had been avoidable.
Fast-forward to today, and we have an even bigger trove of classified
documents. What Edward Snowden took -- "exfiltrated" is the National
Security Agency term -- dwarfs the State Department cables, and contains
considerably more important secrets. But again, the US government is
doing nothing to prevent a massive data dump.
The government engages with the press on individual stories. The
"Guardian," the "Washington Post," and the "New York Times" are all
redacting the original Snowden documents based on discussions with the
government. This isn't new. The US press regularly consults with the
government before publishing something that might be damaging. In 2006,
the "New York Times" consulted with both the NSA and the Bush
administration before publishing Mark Klein's whistleblowing about the
NSA's eavesdropping on AT&T trunk circuits. In all these cases, the goal
is to minimize actual harm to US security while ensuring the press can
still report stories in the public interest, even if the government
doesn't want it to.
In today's world of reduced secrecy, whistleblowing as civil
disobedience, and massive document exfiltrations, negotiations over
individual stories aren't enough. The government needs to develop a
protocol to actively help news organizations expose their secrets safely
and responsibly.
Here's what should have happened as soon as Snowden's whistleblowing
became public. The government should have told the reporters and
publications with the classified documents something like this: "OK, you
have them. We know that we can't undo the leak. But please let us help.
Let us help you secure the documents as you write your stories, and
securely dispose of the documents when you're done."
The people who have access to the Snowden documents say they don't want
them to be made public in their raw form or to get in the hands of rival
governments. But accidents happen, and reporters are not trained in
military secrecy practices.
Copies of some of the Snowden documents are being circulated to
journalists and others. With each copy, each person, each day, there's a
greater chance that, once again, someone will make a mistake and some --
or all -- of the raw documents will appear on the Internet. A formal
system of working with whistleblowers could prevent that.
I'm sure the suggestion sounds odious to a government that is actively
engaging in a war on whistleblowers, and that views Snowden as a
criminal and the reporters writing these stories as "helping the
terrorists." But it makes sense. Harvard law professor Jonathan Zittrain
compares this to plea bargaining.
The police regularly negotiate lenient sentences or probation for
confessed criminals in order to convict more important criminals. They
make deals with all sorts of unsavory people, giving them benefits they
don't deserve, because the result is a greater good.
In the Snowden case, an agreement would safeguard the most important of
NSA's secrets from other nations' intelligence agencies. It would help
ensure that the truly secret information not be exposed. It would
protect US interests.
Why would reporters agree to this? Two reasons. One, they actually do
want these documents secured while they look for stories to publish. And
two, it would be a public demonstration of that desire.
Why wouldn't the government just collect all the documents under the
pretense of securing them and then delete them? For the same reason they
don't renege on plea bargains: No one would trust them next time. And,
of course, because smart reporters will probably keep encrypted backups
under their own control.
We're nowhere near the point where this system could be put into
practice, but it's worth thinking about how it could work. The
government would need to establish a semi-independent group, called,
say, a Leak Management unit, which could act as an intermediary. Since
it would be isolated from the agencies that were the source of the leak,
its officials would be less vested and -- this is important -- less
angry over the leak. Over time, it would build a reputation, develop
protocols that reporters could rely on. Leaks will be more common in the
future, but they'll still be rare. Expecting each agency to develop
expertise in this process is unrealistic.
If there were sufficient trust between the press and the government,
this could work. And everyone would benefit.
This essay previously appeared on CNN.com.
http://edition.cnn.com/2013/11/04/opinion/schneier-leakers-government/index.html or
http://tinyurl.com/jwb6lbwWikiLeaks story:
http://thelede.blogs.nytimes.com/2011/09/01/all-leaked-u-s-cables-were-made-available-online-as-wikileaks-splintered/ or
http://tinyurl.com/3mugz7jhttp://www.salon.com/2011/09/02/wikileaks_28/http://www.reuters.com/article/2013/07/31/us-usa-wikileaks-manning-damage-analysis-idUSBRE96U00420130731 or
http://tinyurl.com/o79sfslhttp://www.cbsnews.com/2100-201_162-6962209.htmlhttp://www.nytimes.com/2011/01/30/magazine/30WikiLeaks-t.htmlMark Klein story:
http://www.nytimes.com/2006/04/13/us/nationalspecial3/13nsa.htmlThe world of reduced secrecy:
https://www.schneier.com/essay-449.htmlWhistleblowing as civil disobedience:
http://www.zephoria.org/thoughts/archives/2013/07/19/edward-snowden-whistleblower.html or
http://tinyurl.com/jwbcgomSoftware to facilitate massive document exfiltrations:
https://www.schneier.com/blog/archives/2013/10/securedrop.html** *** ***** ******* *********** *************
NSA/Snowden News
Jack Goldsmith argues that we need the NSA to surveil the Internet not
for terrorism reasons, but for cyberespionage and cybercrime reasons.
http://www.newrepublic.com/node/115002/Daniel Gallington argues -- the headline has nothing to do with the
content -- that the balance between surveillance and privacy is about
right.
http://mobile.usnews.com/opinion/blogs/world-report/2013/10/23/edward-snowden-could-have-raised-nsa-spying-concerns-without-going-to-media or
http://tinyurl.com/lksejkaGood summary from the "London Review of Books" on what the NSA can and
cannot do.
http://www.lrb.co.uk/v35/n20/daniel-soar/how-to-get-ahead-at-the-nsa"A Template for Reporting Government Surveillance News Stories." This
is from 2006, but it's even more true today.
http://www.concurringopinions.com/archives/2006/06/template_for_ne.html or
http://tinyurl.com/gpsybWe've changed administrations -- we've changed political parties -- but
nothing has changed.
There's a story that Edward Snowden successfully socially engineered
other NSA employees into giving him their passwords.
http://mobile.reuters.com/article/idUSBRE9A703020131108?irpc=932This talk by Dan Geer explains the NSA mindset of "collect everything":
https://www.schneier.com/blog/archives/2013/11/dan_geer_explai.htmlThe whole essay is well worth reading.
http://geer.tinho.net/geer.uncc.9x13.txtThis "New York Times" story on the NSA is very good, and contains lots
of little tidbits of new information gleaned from the Snowden documents.
"The agency's Dishfire database -- nothing happens without a code word
at the N.S.A. -- stores years of text messages from around the world,
just in case. Its Tracfin collection accumulates gigabytes of credit
card purchases. The fellow pretending to send a text message at an
Internet cafe in Jordan may be using an N.S.A. technique code-named
Polarbreeze to tap into nearby computers. The Russian businessman who is
socially active on the web might just become food for Snacks, the
acronym-mad agency's Social Network Analysis Collaboration Knowledge
Services, which figures out the personnel hierarchies of organizations
from texts.
http://www.nytimes.com/2013/11/03/world/no-morsel-too-minuscule-for-all-consuming-nsa.html or
http://tinyurl.com/qdz55dkThis "Guardian" story is related. It looks like both the "New York
Times" and the "Guardian" wrote separate stories about the same source
material.
http://www.theguardian.com/world/2013/nov/02/nsa-portrait-total-surveillance or
http://tinyurl.com/q4pa5ff"New York Times" reporter Scott Shane gave a 20-minute interview on
"Democracy Now" on the NSA and his reporting.
http://www.democracynow.org/2013/11/4/inside_the_electronic_omnivore_new_leaks or
http://tinyurl.com/mt9c6z4"Der Spiegel" is reporting that the GCHQ used QUANTUMINSERT to direct
users to fake LinkedIn and Slashdot pages run by -- this code name is
not in the article -- FOXACID servers. There's not a lot technically
new in the article, but we do get some information about popularity and
jargon.
http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html or
http://tinyurl.com/k3lb6qdSlashdot has reacted to the story.
https://slashdot.org/topic/bi/gchq-responds-to-slashdot-linkedin-hack/ or
http://tinyurl.com/mct8hrhI wrote about QUANTUMINSERT, and the whole infection process, here.
https://www.schneier.com/essay-455.html** *** ***** ******* *********** *************
The Trajectories of Government and Corporate Surveillance
Historically, surveillance was difficult and expensive.
Over the decades, as technology advanced, surveillance became easier and
easier. Today, we find ourselves in a world of ubiquitous surveillance,
where everything is collected, saved, searched, correlated and analyzed.
But while technology allowed for an increase in both corporate and
government surveillance, the private and public sectors took very
different paths to get there. The former always collected information
about everyone, but over time, collected more and more of it, while the
latter always collected maximal information, but over time, collected it
on more and more people.
Corporate surveillance has been on a path from minimal to maximal
information. Corporations always collected information on everyone they
could, but in the past they didn't collect very much of it and only held
it as long as necessary. When surveillance information was expensive to
collect and store, companies made do with as little as possible.
Telephone companies collected long-distance calling information because
they needed it for billing purposes. Credit cards collected only the
information about their customers' transactions that they needed for
billing. Stores hardly ever collected information about their customers,
maybe some personal preferences, or name-and-address for advertising
purposes. Even Google, back in the beginning, collected far less
information about its users than it does today.
As technology improved, corporations were able to collect more. As the
cost of data storage became cheaper, they were able to save more data
and for a longer time. And as big data analysis tools became more
powerful, it became profitable to save more. Today, almost everything is
being saved by someone -- probably forever.
Examples are everywhere. Internet companies like Google, Facebook,
Amazon and Apple collect everything we do online at their sites.
Third-party cookies allow those companies, and others, to collect data
on us wherever we are on the Internet. Store affinity cards allow
merchants to track our purchases. CCTV and aerial surveillance combined
with automatic face recognition allow companies to track our movements;
so does your cell phone. The Internet will facilitate even more
surveillance, by more corporations for more purposes.
On the government side, surveillance has been on a path from
individually targeted to broadly collected. When surveillance was manual
and expensive, it could only be justified in extreme cases. The warrant
process limited police surveillance, and resource restraints and the
risk of discovery limited national intelligence surveillance. Specific
individuals were targeted for surveillance, and maximal information was
collected on them alone.
As technology improved, the government was able to implement
ever-broadening surveillance. The National Security Agency could surveil
groups -- the Soviet government, the Chinese diplomatic corps, etc. --
not just individuals. Eventually, they could spy on entire
communications trunks.
Now, instead of watching one person, the NSA can monitor "three hops"
away from that person -- an ever widening network of people not directly
connected to the person under surveillance. Using sophisticated tools,
the NSA can surveil broad swaths of the Internet and phone network.
Governments have always used their authority to piggyback on corporate
surveillance. Why should they go through the trouble of developing their
own surveillance programs when they could just ask corporations for the
data? For example we just learned that the NSA collects e-mail, IM and
social networking contact lists for millions of Internet users worldwide.
But as corporations started collecting more information on populations,
governments started demanding that data. Through National Security
Letters, the FBI can surveil huge groups of people without obtaining a
warrant. Through secret agreements, the NSA can monitor the entire
Internet and telephone networks.
This is a huge part of the public-private surveillance partnership.
The result of all this is we're now living in a world where both
corporations and governments have us all under pretty much constant
surveillance.
Data is a byproduct of the information society. Every interaction we
have with a computer creates a transaction record, and we interact with
computers hundreds of times a day. Even if we don't use a computer --
buying something in person with cash, say -- the merchant uses a
computer, and the data flows into the same system. Everything we do
leaves a data shadow, and that shadow is constantly under surveillance.
Data is also a byproduct of information society socialization, whether
it be e-mail, instant messages or conversations on Facebook.
Conversations that used to be ephemeral are now recorded, and we are all
leaving digital footprints wherever we go.
Moore's law has made computing cheaper. All of us have made computing
ubiquitous. And because computing produces data, and that data equals
surveillance, we have created a world of ubiquitous surveillance.
Now we need to figure out what to do about it. This is more than reining
in the NSA or fining a corporation for the occasional data abuse. We
need to decide whether our data is a shared societal resource, a part of
us that is inherently ours by right, or a private good to be bought and
sold.
Writing in the "Guardian," Chris Huhn said that "information is power,
and the necessary corollary is that privacy is freedom." How this
interplay between power and freedom play out in the information age is
still to be determined.
This essay previously appeared on CNN.com.
http://www.cnn.com/2013/10/16/opinion/schneier-surveillance-trajectories/index.html or
http://tinyurl.com/mdwfo6khttps://www.schneier.com/blog/archives/2013/10/the_trajectorie.htmlUbiquitous surveillance:
http://www.cnn.com/2013/03/16/opinion/schneier-internet-surveillanceThree hop analysis:
http://www.theatlanticwire.com/politics/2013/07/nsa-admits-it-analyzes-more-peoples-data-previously-revealed/67287 or
http://tinyurl.com/nseaodwhttp://arstechnica.com/information-technology/2013/07/you-may-already-be-a-winner-in-nsas-three-degrees-surveillance-sweepstakes or
http://tinyurl.com/lvz63g5The public-private surveillance partnership:
https://www.schneier.com/essay-436.htmlChris Huhn's comment:
http://www.theguardian.com/commentisfree/2013/oct/06/prism-tempora-cabinet-surveillance-state or
http://tinyurl.com/numre3yRichard Stallman's comments on the subject:
http://ieet.org/index.php/IEET/more/stallman20131020** *** ***** ******* *********** *************
A Fraying of the Public/Private Surveillance Partnership
The public/private surveillance partnership between the NSA and
corporate data collectors is starting to fray. The reason is sunlight.
The publicity resulting from the Snowden documents has made companies
think twice before allowing the NSA access to their users' and
customers' data.
Pre-Snowden, there was no downside to cooperating with the NSA. If the
NSA asked you for copies of all your Internet traffic, or to put
backdoors into your security software, you could assume that your
cooperation would forever remain secret. To be fair, not every
corporation cooperated willingly. Some fought in court. But it seems
that a lot of them, telcos and backbone providers especially, were happy
to give the NSA unfettered access to everything. Post-Snowden, this is
changing. Now that many companies' cooperation has become public,
they're facing a PR backlash from customers and users who are upset that
their data is flowing to the NSA. And this is costing those companies
business.
How much is unclear. In July, right after the PRISM revelations, the
Cloud Security Alliance reported that US cloud companies could lose $35
billion over the next three years, mostly due to losses of foreign
sales. Surely that number has increased as outrage over NSA spying
continues to build in Europe and elsewhere. There is no similar report
for software sales, although I have attended private meetings where
several large US software companies complained about the loss of foreign
sales. On the hardware side, IBM is losing business in China. The US
telecom companies are also suffering: AT&T is losing business worldwide.
This is the new reality. The rules of secrecy are different, and
companies have to assume that their responses to NSA data demands will
become public. This means there is now a significant cost to
cooperating, and a corresponding benefit to fighting.
Over the past few months, more companies have woken up to the fact that
the NSA is basically treating them as adversaries, and are responding as
such. In mid-October, it became public that the NSA was collecting
e-mail address books and buddy lists from Internet users logging into
different service providers. Yahoo, which didn't encrypt those user
connections by default, allowed the NSA to collect much more of its data
than Google, which did. That same day, Yahoo announced that it would
implement SSL encryption by default for all of its users. Two weeks
later, when it became public that the NSA was collecting data on Google
users by eavesdropping on the company's trunk connections between its
data centers, Google announced that it would encrypt those connections.
We recently learned that Yahoo fought a government order to turn over
data. Lavabit fought its order as well. Apple is now tweaking the
government. And we think better of those companies because of it.
Now Lavabit, which closed down its e-mail service rather than comply
with the NSA's request for the master keys that would compromise all of
its customers, has teamed with Silent Circle to develop a secure e-mail
standard that is resistant to these kinds of tactics.
The Snowden documents made it clear how much the NSA relies on
corporations to eavesdrop on the Internet. The NSA didn't build a
massive Internet eavesdropping system from scratch. It noticed that the
corporate world was already eavesdropping on every Internet user --
surveillance is the business model of the Internet, after all -- and
simply got copies for itself.
Now, that secret ecosystem is breaking down. Supreme Court Justice
Louis Brandeis wrote about transparency, saying "Sunlight is said to be
the best of disinfectants." In this case, it seems to be working.
These developments will only help security. Remember that while Edward
Snowden has given us a window into the NSA's activities, these sorts of
tactics are probably also used by other intelligence services around the
world. And today's secret NSA programs become tomorrow's PhD theses, and
the next day's criminal hacker tools. It's impossible to build an
Internet where the good guys can eavesdrop, and the bad guys cannot. We
have a choice between an Internet that is vulnerable to all attackers,
or an Internet that is safe from all attackers. And a safe and secure
Internet is in everyone's best interests, including the US's.
This essay previously appeared on TheAtlantic.com.
http://www.theatlantic.com/technology/archive/2013/11/a-fraying-of-the-public-private-surveillance-partnership/281289/ or
http://tinyurl.com/lpgv6lcThe public/private surveillance partnership:
https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html or
http://tinyurl.com/lr66rkpPRISM:
http://www.washingtonpost.com/investigations/us-intelligence-mining-data-from-nine-us-internet-companies-in-broad-secret-program/2013/06/06/3a0c0da8-cebf-11e2-8845-d970ccb04497_story.html or
http://tinyurl.com/mm3ttqtIncreased outrage outside the US:
http://www.usatoday.com/story/news/world/2013/10/28/report-nsa-spain/3284609/ or
http://tinyurl.com/mep8m8yLosses due to NSA spying:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/07/nsa-snooping-could-cost-u-s-tech-companies-35-billion-over-three-years/ or
http://tinyurl.com/laba7fuhttp://www.nakedcapitalism.com/2013/10/wolf-richter-nsa-revelations-kill-ibm-hardware-sales-in-china.html or
http://tinyurl.com/meqjezjhttp://online.wsj.com/news/articles/SB10001424052702304073204579167873091999730 or
http://tinyurl.com/lrkup9xNew rules of secrecy:
https://www.schneier.com/essay-449.htmlThe NSA and tech companies as adversaries:
http://www.theguardian.com/commentisfree/2013/nov/01/google-yahoo-nsa-surveillance-reform or
http://tinyurl.com/leagmzvhttp://www.nytimes.com/2013/11/01/technology/angry-over-us-surveillance-tech-giants-bolster-defenses.html or
http://tinyurl.com/pb7v45hhttp://www.wired.com/opinion/2013/08/stop-clumping-tech-companies-in-with-government-in-the-surveillance-scandals-they-may-be-at-war/ or
http://tinyurl.com/os3pv2nhttp://www.theguardian.com/world/2013/sep/09/yahoo-lawsuit-nsa-surveillance-requests or
http://tinyurl.com/nky7qudhttp://news.cnet.com/8301-1009_3-57610342-83/apple-google-microsoft-unite-against-nsa-spying-program/ or
http://tinyurl.com/mv7bkerhttp://news.yahoo.com/microsoft-google-team-sue-federal-government-over-nsa-180635058.html or
http://tinyurl.com/oevlmeahttp://rt.com/news/yahoo-data-collection-court-case-165/https://www.techdirt.com/articles/20130924/18051224648/lavabit-asks-court-to-unseal-least-some-its-case-so-others-can-submit-amici-briefs.shtml or
http://tinyurl.com/k72a3k6http://boingboing.net/2013/11/05/apple-hides-a-patriot-act-bust.htmlYahoo announce3s SSL by default:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/14/yahoo-to-make-ssl-encryption-the-default-for-webmail-users-finally/ or
http://tinyurl.com/kdthaojLavabit:
https://www.schneier.com/blog/archives/2013/08/lavabit_e-mail.htmlSilent Circle's new e-mail system:
http://www.computerworld.com.au/article/530582/silent_circle_lavabit_unite_dark_mail_encrypted_email_project/ or
http://tinyurl.com/letnnmwBrandeis quote:
http://www.law.louisville.edu/library/collections/brandeis/node/196** *** ***** ******* *********** *************
Book Review: "Cyber War Will Not Take Place"
Cyber war is possibly the most dangerous buzzword of the Internet era.
The fear-inducing rhetoric surrounding it is being used to justify major
changes in the way the Internet is organized, governed, and constructed.
And in "Cyber War Will Not Take Place," Thomas Rid convincingly argues
that cyber war is not a compelling threat. Rid is one of the leading
cyber war skeptics in Europe, and although he doesn't argue that war
won't extend into cyberspace, he says that cyberspace's role in war is
more limited than doomsayers want us to believe. His argument against
cyber war is lucid and methodical. He divides "offensive and violent
political acts" in cyberspace into: sabotage, espionage, and subversion.
These categories are larger than cyberspace, of course, but Rid spends
considerable time analyzing their strengths and limitations within
cyberspace. The details are complicated, but his end conclusion is that
many of these types of attacks cannot be defined as acts of war, and any
future war won't involve many of these types of attacks.
None of this is meant to imply that cyberspace is safe. Threats of all
sorts fill cyberspace, but not threats of war. As such, the policies to
defend against them are different. While hackers and criminal threats
get all the headlines, more worrisome are the threats from governments
seeking to consolidate their power. I have long argued that controlling
the Internet has become critical for totalitarian states, and their four
broad tools of surveillance, censorship, propaganda and use control have
legitimate commercial applications, and are also employed by democracies.
A lot of the problem here is of definition. There isn't broad agreement
as to what constitutes cyber war, and this confusion plays into the
hands of those hyping its threat. If everything from Chinese espionage
to Russian criminal extortion to activist disruption falls under the
cyber war umbrella, then it only makes sense to put more of the Internet
under government -- and thus military -- control. Rid's book is a
compelling counter-argument to this approach.
Rid's final chapter is an essay unto itself, and lays out his vision as
to how we should deal with threats in cyberspace. For policymakers who
won't sit through an entire book, this is the chapter I would urge them
to read. Arms races are dangerous and destabilizing, and we're in the
early years of a cyberwar arms race that's being fueled by fear and
ignorance. This book is a cogent counterpoint to the doomsayers and the
profiteers, and should be required reading for anyone concerned about
security in cyberspace.
This book review previously appeared in Europe's World.
http://europesworld.org/2013/10/01/cyber-war-will-not-take-place/Thomas Rid, "Cyber War Will Not Take Place," Oxford University Press, 2013.
** *** ***** ******* *********** *************
Understanding the Threats in Cyberspace
The primary difficulty of cyber security isn't technology -- it's
policy. The Internet mirrors real-world society, which makes security
policy online as complicated as it is in the real world. Protecting
critical infrastructure against cyber-attack is just one of cyberspace's
many security challenges, so it's important to understand them all
before any one of them can be solved.
The list of bad actors in cyberspace is long, and spans a wide range of
motives and capabilities. At the extreme end there's cyberwar:
destructive actions by governments during a war. When government
policymakers like David Omand think of cyber-attacks, that's what comes
to mind. Cyberwar is conducted by capable and well-funded groups and
involves military operations against both military and civilian targets.
Along much the same lines are non-nation state actors who conduct
terrorist operations. Although less capable and well-funded, they are
often talked about in the same breath as true cyberwar.
Much more common are the domestic and international criminals who run
the gamut from lone individuals to organized crime. They can be very
capable and well-funded and will continue to inflict significant
economic damage.
Threats from peacetime governments have been seen increasingly in the
news. The US worries about Chinese espionage against Western targets,
and we're also seeing US surveillance of pretty much everyone in the
world, including Americans inside the US. The National Security Agency
(NSA) is probably the most capable and well-funded espionage
organization in the world, and we're still learning about the full
extent of its sometimes illegal operations.
Hacktivists are a different threat. Their actions range from
Internet-age acts of civil disobedience to the inflicting of actual
damage. This is hard to generalize about because the individuals and
groups in this category vary so much in skill, funding and motivation.
Hackers falling under the "anonymous" aegis -- it really isn't correct
to call them a group -- come under this category, as does WikiLeaks.
Most of these attackers are outside the organization, although
whistleblowing -- the civil disobedience of the information age --
generally involves insiders like Edward Snowden.
This list of potential network attackers isn't exhaustive. Depending on
who you are and what your organization does, you might be also concerned
with espionage cyber-attacks by the media, rival corporations or even
the corporations we entrust with our data.
The issue here, and why it affects policy, is that protecting against
these various threats can lead to contradictory requirements. In the US,
the NSA's post-9/11 mission to protect the country from terrorists has
transformed it into a domestic surveillance organization. The NSA's need
to protect its own information systems from outside attack opened it up
to attacks from within. Do the corporate security products we buy to
protect ourselves against cybercrime contain backdoors that allow for
government spying? European countries may condemn the US for spying on
its own citizens, but do they do the same thing?
All these questions are especially difficult because military and
security organizations along with corporations tend to hype particular
threats. For example, cyberwar and cyberterrorism are greatly overblown
as threats -- because they result in massive government programs with
huge budgets and power -- while cybercrime is largely downplayed.
We need greater transparency, oversight and accountability on both the
government and corporate sides before we can move forward. With the
secrecy that surrounds cyber-attack and cyberdefense it's hard to be
optimistic.
This essay previously appeared in "Europe's World."
http://europesworld.org/commentaries/understanding-the-threats-in-cyberspace/ or
http://tinyurl.com/msedsut** *** ***** ******* *********** *************
News
Ed Felten makes a strong argument that a court order is exactly the
same thing as an insider attack:
https://freedom-to-tinker.com/blog/felten/a-court-order-is-an-insider-attack/ or
http://tinyurl.com/lyah32eThis is why designing Lavabit to be resistant to court order would have
been the right thing to do, and why we should all demand systems that
are designed in this way.
http://boingboing.net/2013/10/15/why-email-services-should-be-c.htmlThere seems to be a bunch of research into uniquely identifying cell
phones through unique analog characteristics of the various embedded
sensors. These sorts of things could replace cookies as surveillance tools.
http://www.hotmobile.org/2014/papers/posters/Hotmobile_poster_Dey.pdf or
http://tinyurl.com/movpmgohttp://blog.sfgate.com/techchron/2013/10/10/stanford-researchers-discover-alarming-method-for-phone-tracking-fingerprinting-through-sensor-flaws/ or
http://tinyurl.com/kgru3xohttp://yro.slashdot.org/story/13/10/11/1231240/sensor-characteristics-uniquely-identify-individual-phones or
http://tinyurl.com/ls9bj7phttp://www.metafilter.com/132752/Leveraging-Imperfections-of-Sensors-for-Fingerprinting-Smartphones or
http://tinyurl.com/khz3g3nSeveral versions of D-Link router firmware contain a backdoor. Just set
the browser's user agent string to "xmlset_roodkcableoj28840ybtide," and
you're in. (Hint, remove the number and read it backwards.) It was
probably put there for debugging purposes, but has all sorts of
applications for surveillance.
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ or
http://tinyurl.com/kulv2oohttp://www.infoworld.com/d/security/backdoor-found-in-d-link-router-firmware-code-228725 or
http://tinyurl.com/o4oarknThere are open-source programs available to replace the firmware:
http://www.infoworld.com/d/networking/review-6-slick-open-source-routers-206810 or
http://tinyurl.com/czjcnpwThe new iPhone has a motion sensor chip, and that opens up new
opportunities for surveillance.
http://www.wired.com/opinion/2013/10/the-trojan-horse-of-the-latest-iphone-with-the-m7-coprocessor-we-all-become-qs-activity-trackers/ or
http://tinyurl.com/lgszxodSlashdot asks whether I can be trusted:
http://ask.slashdot.org/story/13/10/22/1416201/ask-slashdot-can-bruce-schneier-be-trusted or
http://tinyurl.com/ltl6x4jDARPA is looking for a fully automated network defense system, and has a
contest:
http://www.darpa.mil/NewsEvents/Releases/2013/10/22.aspxhttp://www.forbes.com/sites/andygreenberg/2013/10/23/darpa-announces-2-million-prize-in-self-patching-software-competition/ or
http://tinyurl.com/kbyy2wyhttp://gizmodo.com/darpa-will-give-you-2-million-to-build-hacker-proof-de-1451009416 or
http://tinyurl.com/ou2d9nvhttp://www.infosecurity-magazine.com/view/35211/darpas-new-cyber-grand-challenge-the-development-of-selfhealing-software/ or
http://tinyurl.com/ls6uuvzhttp://news.slashdot.org/story/13/10/24/0242252/darpa-issues-2mil-cyber-grand-challenge or
http://tinyurl.com/njkjxd6http://www.reddit.com/r/netsec/comments/1ozoiy/darpas_cyber_grand_challenge_cyber_defense/ or
http://tinyurl.com/q4eyuz7Cognitive biases about violence as a negotiating tactic: interesting paper.
http://www.academia.edu/4770419/The_Credibility_Paradox_Violence_as_a_Double-Edged_Sword_in_International_Politics_International_Studies_Quarterly_December_2013_ or
http://tinyurl.com/nymrbuzThis article talks about applications of close-in surveillance using
your phone's Wi-Fi in retail, but the possibilities are endless.
http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/19/how-stores-use-your-phones-wifi-to-track-your-shopping-habits/ or
http://tinyurl.com/p6rz7d4Basically, the system is using the MAC address to identify individual
devices. Another article on the system is here.
http://www.nytimes.com/2013/07/15/business/attention-shopper-stores-are-tracking-your-cell.html?pagewanted=all&_r=1& or
http://tinyurl.com/nh968hwGood story of badBIOS, a really nasty piece of malware. The weirdest
part is how it uses ultrasonic sound to jump air gaps.
http://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/ or
http://tinyurl.com/q3e4zgjI'm not sure what to make of this. When I first read it, I thought it
was a hoax. But enough others are taking it seriously that I think it's
a real story. I don't know whether the facts are real, and I haven't
seen anything about what this malware actually does.
http://boingboing.net/2013/10/31/badbios-airgap-jumping-malwar.htmlhttp://www.reddit.com/r/netsec/comments/1pm66y/meet_badbios_the_mysterious_mac_and_pc_malware/ or
http://tinyurl.com/oyqa9m8https://news.ycombinator.com/item?id=6654663http://blog.erratasec.com/2013/10/badbios-features-explained.htmlA debunking:
http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/This story of the bomb squad at the Boston marathon interesting reading,
but I'm left wanting more. What are the lessons here? How can we do
this better next time? Clearly we won't be able to anticipate bombings;
even Israel can't do that. We have to get better at responding.
http://www.wired.com/threatlevel/2013/10/boston-police-bomb-squad/all/ or
http://tinyurl.com/m6hxcyaHere's a demonstration of the US government's capabilities to monitor
the public Internet. Former CIA and NSA Director Michael Hayden was on
the Acela train between New York and Washington DC, taking press
interviews on the phone. Someone nearby overheard the conversation, and
started tweeting about it. Within 15 or so minutes, someone somewhere
noticed the tweets, and informed someone who knew Hayden. That person
called Hayden on his cell phone and, presumably, told him to shut up.
Nothing covert here; the tweets were public.
http://www.theguardian.com/world/2013/oct/24/former-spy-chief-overheard-acela-twitter or
http://tinyurl.com/mgjg2beI don't think this was a result of the NSA monitoring the Internet. I
think this was some public relations office -- probably the one that is
helping General Alexander respond to all the Snowden stories -- who is
searching the public Twitter feed for, among other things, Hayden's
name. Even so: wow.
This elliptic-curve crypto primer is well-written and very good.
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ or
http://tinyurl.com/qznvhd4The wings of the *Goniurellia tridens* fruit fly have images of an ant
on them, to deceive predators: "When threatened, the fly flashes its
wings to give the appearance of ants walking back and forth. The
predator gets confused and the fly zips off."
http://www.thenational.ae/news/uae-news/science/fruit-fly-with-the-wings-of-beauty or
http://tinyurl.com/cnccw2kInteresting article on risk-based authentication. I like the idea of
giving each individual login attempt a risk score, based on the
characteristics of the attempt.
http://deloitte.wsj.com/cio/2013/10/30/risk-based-authentication-a-primer/ or
http://tinyurl.com/l5t2mh4This bizarre essay argues that online gambling is a strategic national
threat because terrorists could use it to launder money.
http://www.tampabay.com/opinion/columns/column-online-gambling-is-a-strategic-national-threat/2151317 or
http://tinyurl.com/mw3x3scI'm impressed with the massive fear resonating.
Adobe lost 150 million customer passwords. Even worse, it had a pretty
dumb cryptographic hash system protecting those passwords.
http://www.theguardian.com/technology/2013/nov/07/adobe-password-leak-can-check or
http://tinyurl.com/odowevqhttp://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/ or
http://tinyurl.com/n2fpgxjhttp://xkcd.com/1286/Microsoft has announced plans to retire SHA-1 by 2016. I think this is a
good move.
https://www.schneier.com/blog/archives/2013/11/microsoft_retir.html** *** ***** ******* *********** *************
SecureDrop
SecureDrop is an open-source whistleblower support system, originally
written by Aaron Swartz and now run by the Freedom of the Press
Foundation. The first instance of this system was named StrongBox and
is being run by "The New Yorker." To further add to the naming
confusion, Aaron Swartz called the system DeadDrop when he wrote the code.
I participated in a detailed security audit of the StrongBox
implementation, along with some great researchers from the University of
Washington and Jake Applebaum. The problems we found were largely
procedural, and things that the Freedom of the Press Foundation are
working to fix.
Freedom of the Press Foundation is not running any instances of
SecureDrop. It has about a half dozen major news organization lined up,
and will be helping them install their own starting the first week of
November. So hopefully any would-be whistleblowers will soon have their
choice of news organizations to securely communicate with.
Strong technical whistleblower protection is essential, especially given
President Obama's war on whistleblowers. I hope this system is broadly
implemented and extensively used.
SecureDrop:
https://pressfreedomfoundation.org/securedrophttps://pressfreedomfoundation.org/blog/2013/10/freedom-press-foundation-launches-securedrop or
http://tinyurl.com/mujzg8jStrongBox:
http://www.newyorker.com/strongbox/DeadDrop:
http://deaddrop.github.io/Our security audit:
http://homes.cs.washington.edu/~aczeskis/research/pubs/UW-CSE-13-08-02.PDF or
http://tinyurl.com/prf7rxvObama's war on whistleblowers:
http://www.motherjones.com/politics/2012/06/obamas-whistleblowers-stuxnet-leaks-drones or
http://tinyurl.com/buqm984http://www.techdirt.com/articles/20130722/01430523882/architect-obamas-war-whistleblowers-its-good-to-hang-admiral-once-while-as-example.shtml or
http://tinyurl.com/lz28uwlhttps://www.cpj.org/reports/2013/10/obama-and-the-press-us-leaks-surveillance-post-911.php or
http://tinyurl.com/l3vx8k5The US government sets up secure indoor tents for the president and
other officials to deal with classified material while traveling abroad.
http://www.theage.com.au/world/barack-obamas-portable-secrecy-tent-some-assembly-required-20131111-2xb0l.html** *** ***** ******* *********** *************
Dry Ice Bombs at LAX
The news story about the guy who left dry ice bombs in restricted areas
of LAX is really weird.
I can't get worked up over it, though. Dry ice bombs are a harmless
prank. I set off a bunch of them when I was in college, although I used
liquid nitrogen, because I was impatient -- and they're harmless. I
know of someone who set a few off over the summer, just for fun. They
do make a very satisfying boom.
Having them set off in a secure airport area doesn't illustrate any new
vulnerabilities. We already know that trusted people can subvert
security systems. So what?
I've done a bunch of press interviews on this. One radio announcer
really didn't like my nonchalance. He really wanted me to complain
about the lack of cameras at LAX, and was unhappy when I pointed out
that we didn't need cameras to catch this guy.
I like my kicker quote in this article:
Various people, including former Los Angeles Police Chief
William Bratton, have called LAX the No. 1 terrorist target on
the West Coast. But while an Algerian man discovered with a
bomb at the Canadian border in 1999 was sentenced to 37 years
in prison in connection with a plot to cause damage at LAX,
Schneier said that assessment by Bratton is probably not true.
"Where can you possibly get that data?" he said. "I don't think
terrorists respond to opinion polls about how juicy targets
are."
http://www.latimes.com/local/lanow/la-me-ln-lax-dry-ice-bombs-20131014,0,1147428.story or
http://tinyurl.com/lbjxre8http://www.latimes.com/local/lanow/la-me-ln-dry-ice-bomb-suspect-protect-dog-20131018,0,3318134.story or
http://tinyurl.com/lqchfnzhttp://www.latimes.com/local/la-me-1019-dryice-bombs-20131019,0,264254.story or
http://tinyurl.com/jvuqh36http://www.dailynews.com/general-news/20131019/for-employees-lax-airport-security-is-built-on-trust or
http://tinyurl.com/k3duee6** *** ***** ******* *********** *************
Schneier News
In Spring semester, I'm running a reading group -- which seems to be a
formal variant of a study group -- at Harvard Law School on "Security,
Power, and the Internet. I would like a good mix of people, so non law
students and non Harvard students are both welcome to sign up.
http://www.law.harvard.edu/academics/curriculum/catalog/index.html?o=66620 or
http://tinyurl.com/mplc9vcVarious security articles about me (or with good quotes by me):
http://fedscoop.com/nsa-murky-relationship-contractors-government-secrets-journalism/ or
http://tinyurl.com/ohj85xrhttp://www.techdirt.com/articles/20131105/11325125139/http://www.computerworld.com/s/article/9243865/Security_expert_seeks_to_make_surveillance_costly_again or
http://tinyurl.com/jwdtc4nhttp://www.economist.com/blogs/babbage/2013/11/internet-after-snowden or
http://tinyurl.com/l4utwnpMy talk at the IETF Vancouver meeting on NSA and surveillance:
http://www.youtube.com/watch?v=oV71hhEpQ20Press articles about me and the IEFT meeting:
http://www.darkreading.com/vulnerability/schneier-make-wide-scale-surveillance-to/240163668 or
http://tinyurl.com/ppuek4ehttp://www.technologyreview.com/view/521306/time-for-internet-engineers-to-fight-back-against-the-surveillance-internet/ or
http://tinyurl.com/pouxmr4http://www.ip-watch.org/2013/11/07/expert-us-benign-dictatorship-of-the-net-is-over-age-of-encryption-begins/ or
http://tinyurl.com/kaq7gj2http://www.economist.com/news/science-and-technology/21589383-stung-revelations-ubiquitous-surveillance-and-compromised-software or
http://tinyurl.com/krs7n7khttp://www.net-security.org/secworld.php?id=15916Other video interviews:
http://cis-india.org/internet-governance/blog/interview-with-bruce-schneier or
http://tinyurl.com/n4mfuqchttp://connecttheworld.blogs.cnn.com/tag/bruce-schneier/http://www.youtube.com/watch?v=Ar67N94NYr0http://www.youtube.com/watch?v=Az-jXeCswCg&feature=youtu.be&ahttp://www.channel4.com/news/nsa-security-row-the-key-questions** *** ***** ******* *********** *************
The Battle for Power on the Internet
We're in the middle of an epic battle for power in cyberspace. On one
side are the traditional, organized, institutional powers such as
governments and large multinational corporations. On the other are the
distributed and nimble: grassroots movements, dissident groups, hackers,
and criminals. Initially, the Internet empowered the second side. It
gave them a place to coordinate and communicate efficiently, and made
them seem unbeatable. But now, the more traditional institutional powers
are winning, and winning big. How these two sides fare in the long term,
and the fate of the rest of us who don't fall into either group, is an
open question -- and one vitally important to the future of the Internet.
In the Internet's early days, there was a lot of talk about its "natural
laws" -- how it would upend traditional power blocks, empower the
masses, and spread freedom throughout the world. The international
nature of the Internet circumvented national laws. Anonymity was easy.
Censorship was impossible. Police were clueless about cybercrime. And
bigger changes seemed inevitable. Digital cash would undermine national
sovereignty. Citizen journalism would topple traditional media,
corporate PR, and political parties. Easy digital copying would destroy
the traditional movie and music industries. Web marketing would allow
even the smallest companies to compete against corporate giants. It
really would be a new world order.
This was a utopian vision, but some of it did come to pass. Internet
marketing has transformed commerce. The entertainment industries have
been transformed by things like MySpace and YouTube, and are now more
open to outsiders. Mass media has changed dramatically, and some of the
most influential people in the media have come from the blogging world.
There are new ways to organize politically and run elections.
Crowdfunding has made tens of thousands of projects possible to finance,
and crowdsourcing made more types of projects possible. Facebook and
Twitter really did help topple governments.
But that is just one side of the Internet's disruptive character. The
Internet has emboldened traditional power as well.
On the corporate side, power is consolidating, a result of two current
trends in computing. First, the rise of cloud computing means that we no
longer have control of our data. Our e-mail, photos, calendars, address
books, messages, and documents are on servers belonging to Google,
Apple, Microsoft, Facebook, and so on. And second, we are increasingly
accessing our data using devices that we have much less control over:
iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Unlike
traditional operating systems, those devices are controlled much more
tightly by the vendors, who limit what software can run, what they can
do, how they're updated, and so on. Even Windows 8 and Apple's Mountain
Lion operating system are heading in the direction of more vendor control.
I have previously characterized this model of computing as "feudal."
Users pledge their allegiance to more powerful companies who, in turn,
promise to protect them from both sysadmin duties and security threats.
It's a metaphor that's rich in history and in fiction, and a model
that's increasingly permeating computing today.
Medieval feudalism was a hierarchical political system, with obligations
in both directions. Lords offered protection, and vassals offered
service. The lord-peasant relationship was similar, with a much greater
power differential. It was a response to a dangerous world.
Feudal security consolidates power in the hands of the few. Internet
companies, like lords before them, act in their own self-interest. They
use their relationship with us to increase their profits, sometimes at
our expense. They act arbitrarily. They make mistakes. They're
deliberately -- and incidentally -- changing social norms. Medieval
feudalism gave the lords vast powers over the landless peasants; we're
seeing the same thing on the Internet.
It's not all bad, of course. We, especially those of us who are not
technical, like the convenience, redundancy, portability, automation,
and shareability of vendor-managed devices. We like cloud backup. We
like automatic updates. We like not having to deal with security
ourselves. We like that Facebook just works -- from any device, anywhere.
Government power is also increasing on the Internet. There is more
government surveillance than ever before. There is more government
censorship than ever before. There is more government propaganda, and an
increasing number of governments are controlling what their users can
and cannot do on the Internet. Totalitarian governments are embracing a
growing "cyber sovereignty" movement to further consolidate their power.
And the cyberwar arms race is on, pumping an enormous amount of money
into cyber-weapons and consolidated cyber-defenses, further increasing
government power.
In many cases, the interests of corporate and government powers are
aligning. Both corporations and governments benefit from ubiquitous
surveillance, and the NSA is using Google, Facebook, Verizon, and others
to get access to data it couldn't otherwise. The entertainment industry
is looking to governments to enforce its antiquated business models.
Commercial security equipment from companies like BlueCoat and Sophos is
being used by oppressive governments to surveil and censor their
citizens. The same facial recognition technology that Disney uses in its
theme parks can also identify protesters in China and Occupy Wall Street
activists in New York. Think of it as a public/private surveillance
partnership.
What happened? How, in those early Internet years, did we get the future
so wrong?
The truth is that technology magnifies power in general, but rates of
adoption are different. The unorganized, the distributed, the marginal,
the dissidents, the powerless, the criminal: they can make use of new
technologies very quickly. And when those groups discovered the
Internet, suddenly they had power. But later, when the already-powerful
big institutions finally figured out how to harness the Internet, they
had more power to magnify. That's the difference: the distributed were
more nimble and were faster to make use of their new power, while the
institutional were slower but were able to use their power more effectively.
So while the Syrian dissidents used Facebook to organize, the Syrian
government used Facebook to identify dissidents to arrest.
All isn't lost for distributed power, though. For institutional power,
the Internet is a change in degree, but for distributed power, it's a
qualitative one. The Internet gives decentralized groups -- for the
first time -- the ability to coordinate. This can have incredible
ramifications, as we saw in the SOPA/PIPA debate, Gezi, Brazil, and the
rising use of crowdfunding. It can invert power dynamics, even in the
presence of surveillance, censorship, and use control. But aside from
political coordination, the Internet allows for social coordination as
well -- to unite, for example, ethnic diasporas, gender minorities,
sufferers of rare diseases, and people with obscure interests.
This isn't static: Technological advances continue to provide advantage
to the nimble. I discussed this trend in my book "Liars and Outliers."
If you think of security as an arms race between attackers and
defenders, any technological advance gives one side or the other a
temporary advantage. But most of the time, a new technology benefits the
nimble first. They are not hindered by bureaucracy -- and sometimes not
by laws or ethics, either. They can evolve faster.
We saw it with the Internet. As soon as the Internet started being used
for commerce, a new breed of cybercriminal emerged, immediately able to
take advantage of the new technology. It took police a decade to catch
up. And we saw it on social media, as political dissidents made use of
its organizational powers before totalitarian regimes did.
This delay is what I call a "security gap." It's greater when there's
more technology, and in times of rapid technological change. Basically,
if there are more innovations to exploit, there will be more damage
resulting from society's inability to keep up with exploiters of all of
them. And since our world is one in which there's more technology than
ever before, and a faster rate of technological change than ever before,
we should expect to see a greater security gap than ever before. In
other words, there will be an increasing time period during which nimble
distributed powers can make use of new technologies before slow
institutional powers can make better use of those technologies.
This is the battle: quick vs. strong. To return to medieval metaphors,
you can think of a nimble distributed power -- whether marginal,
dissident, or criminal -- as Robin Hood; and ponderous institutional
powers -- both government and corporate -- as the feudal lords.
So who wins? Which type of power dominates in the coming decades?
Right now, it looks like traditional power. Ubiquitous surveillance
means that it's easier for the government to identify dissidents than it
is for the dissidents to remain anonymous. Data monitoring means easier
for the Great Firewall of China to block data than it is for people to
circumvent it. The way we all use the Internet makes it much easier for
the NSA to spy on everyone than it is for anyone to maintain privacy.
And even though it is easy to circumvent digital copy protection, most
users still can't do it.
The problem is that leveraging Internet power requires technical
expertise. Those with sufficient ability will be able to stay ahead of
institutional powers. Whether it's setting up your own e-mail server,
effectively using encryption and anonymity tools, or breaking copy
protection, there will always be technologies that can evade
institutional powers. This is why cybercrime is still pervasive, even as
police savvy increases; why technically capable whistleblowers can do so
much damage; and why organizations like Anonymous are still a viable
social and political force. Assuming technology continues to advance --
and there's no reason to believe it won't -- there will always be a
security gap in which technically advanced Robin Hoods can operate.
Most people, though, are stuck in the middle. These are people who don't
have the technical ability to evade large governments and corporations,
avoid the criminal and hacker groups who prey on us, or join any
resistance or dissident movements. These are the people who accept
default configuration options, arbitrary terms of service, NSA-installed
backdoors, and the occasional complete loss of their data. These are the
people who get increasingly isolated as government and corporate power
align. In the feudal world, these are the hapless peasants. And it's
even worse when the feudal lords -- or any powers -- fight each other.
As anyone watching "Game of Thrones" knows, peasants get trampled when
powers fight: when Facebook, Google, Apple, and Amazon fight it out in
the market; when the US, EU, China, and Russia fight it out in
geopolitics; or when it's the US vs. "the terrorists" or China vs. its
dissidents.
The abuse will only get worse as technology continues to advance. In the
battle between institutional power and distributed power, more
technology means more damage. We've already seen this: Cybercriminals
can rob more people more quickly than criminals who have to physically
visit everyone they rob. Digital pirates can make more copies of more
things much more quickly than their analog forebears. And we'll see it
in the future: 3D printers mean that the computer restriction debate
will soon involves guns, not movies. Big data will mean that more
companies will be able to identify and track you more easily. It's the
same problem as the "weapons of mass destruction" fear: terroris
