bruce schneier


Who and why.

When you’re being physically attacked, you can call on a variety of organizations to defend you — the police, the military, whoever does antiterrorism security in your country, your lawyers. The legal structure justifying that defense depends on knowing two things: who’s attacking you, and why. Unfortunately, when you’re being attacked in cyberspace, the two things you often don’t know are who’s attacking you, and why.

Whose job was it to defend Sony? Was it the US military’s, because it believed the attack to have come from North Korea? Was it the FBI, because this wasn’t an act of war? Was it Sony’s own problem, because it’s a private company? What about during those first weeks, when no one knew who the attacker was? These are just a few of the policy questions that we don’t have good answers for.

–Bruce Schneier on attack attribution.

Schneier is talking geopolitics here, but this could just as easily be applied to online harassment. Laws and institutions just aren’t keeping up with the technology.

26th April, 2015 | Tags: bruce schneier, infosec

Computers work in binary.

[T]echnological capabilities cannot distinguish based on morality, nationality, or legality; if the US government is able to use a backdoor in a communications system to spy on its enemies, the Chinese government can use the same backdoor to spy on its dissidents.

Even worse, modern computer technology is inherently democratizing. Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.

We can’t choose a world where the US gets to spy but China doesn’t, or even a world where governments get to spy and criminals don’t. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It’s security or surveillance.

–Bruce Schneier reminds us it’s either secure or it isn’t.

1st April, 2015 | Tags: bruce schneier, infosec

Everyone wants you to have security (but not from them).

You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.

–Bruce Schneier on the “everyone else” problem.

25th March, 2015 | Tags: bruce schneier, infosec, privacy

The Return of the Crypto Wars.

A little while back now, Apple announced it was beefing up the encryption in its iPhone devices. In the US, the Feds promptly flipped their shit, dragging out all the old “drug dealers, kidnappers, and terrorists (oh my)” talking points as to why full-device encryption (that they couldn’t get into) was Letting The Bad Guys Win. Meanwhile, INFOSEC guru Bruce Schneier explains what’s really at stake.

30th November, 2014 | Tags: apple, bruce schneier, infosec, ios

Speaking of…

By treating the Internet as a giant surveillance platform, the NSA has betrayed the Internet and the world. It has subverted the products, protocols, and standards that we use to protect ourselves. It has left us all vulnerable—to foreign governments, to cybercriminals, to hackers. And it has transformed the Internet into a medium that no one can trust.

–Bruce Schneier wants to break the NSA to save the ‘net.

This article is part of a series published in WIRED titled “How to Save the Net”. For those of you out there who, yanno, use the internet, the whole thing is definitely worth a read.

7th October, 2014 | Tags: bruce schneier, infosec

Internet colonialism.

This is kind of technical but, in a nutshell, it’s describing the way Five Eyes countries are infecting/colonising innocent computers en masse in order to create their own massive botnet. Bruce Schneier has an accessible rundown of what’s going on and why.

Bonus points: of course the name for this program (HACIENDA) would be racist on at least two levels. Because of course it would be.

6th October, 2014 | Tags: bruce schneier, infosec

The NSA is not magic.

I am regularly asked what is the most surprising thing about the Snowden NSA documents. It’s this: the NSA is not made of magic. Its tools are no different from what we have in our world, it’s just better-funded. X-KEYSCORE is Bro plus memory. FOXACID is Metasploit with a budget. QUANTUM is AirPwn with a seriously privileged position on the backbone. The NSA breaks crypto not with super-secret cryptanalysis, but by using standard hacking tricks such as exploiting weak implementations and default keys. Its TAO implants are straightforward enhancements of attack tools developed by researchers, academics, and hackers; here’s a computer the size of a grain of rice, if you want to make your own such tools. The NSA’s collection and analysis tools are basically what you’d expect if you thought about it for a while.

–Bruce Schneier on the surprising mundanity of the NSA.

Honestly, this isn’t all that surprising. I mean, it’s boring, but it’s not that surprising; most (all?) network security architecture is built around the assumption that attackers can’t get access to something, from your password right up to TAT-14. That this can be circumvented by anyone able to think, ironically, not like a security researcher is not a new concept.

And this isn’t even going into the fact that, a hell of a lot of the time, all the NSA does to get data is just walk up to companies and ask for it.

It’s sort of sad. Because the INFOSEC community really is hanging out for The Magic. The Magic has been whispered about for years. The Magic was what we were promised when we started out. It’s the idea that there must–there just must–be some kind of James Bond-ish bank of supercomputers decrypting everything on the fly with the might of their 1337 Hax0r Skillz. Somewhere. There must be. If not in our organisation then surely someone else’s. Because the truth of this industry? The truth is it’s actually kinda boring. It isn’t rappelling down the roof and haxxing the HTTPs in the firewall. This isn’t Hollywood. A good 90-99% of all INFOSEC is dealing with one group of people fucking up and another group of people exploiting that fuckup.

No magic, in other words. Only people.

19th July, 2014 | Tags: bruce schneier, infosec, nsa, tech