
26 February 2010

Schneier Nails it on CCTV Folly

Another brilliant essay on security from Bruce Schneier. It's all well-worth reading, but here's the nub:


If universal surveillance were the answer, lots of us would have moved to the former East Germany. If surveillance cameras were the answer, camera-happy London, with something like 500,000 of them at a cost of $700 million, would be the safest city on the planet.

We didn't, and it isn't, because surveillance and surveillance cameras don't make us safer. The money spent on cameras in London, and in cities across America, could be much better spent on actual policing.

When will the politicians face up to the facts on CCTV? (Via Boing Boing.)

Follow me @glynmoody on Twitter or identi.ca.

09 May 2009

Should Software Developers Be Liable for their Code?

Should Microsoft pay for the billions of dollars of damage that flaws in its software have caused around the world? It might have to, if a new European Commission consumer protection proposal becomes law. Although that sounds an appealing prospect, one knock-on consequence could be that open source coders would also be liable for any damage that errors in their software caused....

On Linux Journal.

13 April 2009

Of Bruce's Law and Derek's Corollary

Much will be written about the events of the last few days concerning the leaked Labour emails, and the plans to create a scurrilous blog. The focus will rightly be on the rise of blogs as a powerful force within the world of journalism, fully capable of bringing down politicians. But here I'd like to examine an aspect that I suspect will receive far less attention.

At the centre of the storm are the emails: what they say, who sent them and who received them. One suggestion was that they were stolen from a cracked account, but that version seems increasingly discounted in favour of the idea that someone who disapproved of the emails' contents simply leaked them. What's interesting for me is how easy this has become.

Once upon a time – say, ten years ago – you would have needed to break into an office somewhere to steal a document in order to leak it. Now, though, the almost universal use of computers means that all this stuff is handily stored in digital form. As a result, sending it to other people is as simple as writing their name (or just the first few letters of their name, given the intelligence built into email clients these days.) This means that multiple copies probably exist in different physical locations.

Moreover, making a further copy leaves *no* trace whatsoever; indeed, the whole of the Internet is based on copies, so creating them is nothing special. Trying to stop copies being made of a digital document, once sent out, is an exercise in futility, because that implies being in control of multiple pre-existing copies at multiple locations – possibly widely separated.

Bruce Schneier has memorably written "trying to make digital files uncopyable is like trying to make water not wet." I'd like to call this Bruce's Law. What has happened recently to the Labour emails is an inevitable consequence of Bruce's Law – the fact that digital documents, once circulated, can and will be copied. Tender and thoughtful alike, perhaps we should dub this fact as Derek's Corollary, in honour of one of the people who has done so much to bring its effects to our attention.

Follow me on Twitter @glynmoody

13 February 2009

Firefox (In)Security Update Dynamics Exposed

One of the great things about Firefox is its automatic update scheme. Here's some interesting research on the subject:

Although there is an increasing trend for attacks against popular Web browsers, little is known about the actual patch level of daily used Web browsers on a global scale. We conjecture that users in large part do not actually patch their Web browsers based on recommendations, perceived threats, or any security warnings. Based on HTTP user-agent header information stored in anonymized logs from Google's web servers, we measured the patch dynamics of about 75% of the world's Internet users for over a year. Our focus was on the Web browsers Firefox and Opera. We found that the patch level achieved is mainly determined by the ergonomics and default settings of built-in auto-update mechanisms. Firefox's auto-update is very effective: most users installed a new version within three days. However, the maximum share of the latest, most secure version never exceeded 80% for Firefox users and 46% for Opera users at any day in 2007. This makes about 50 million Firefox users with outdated browsers an easy target for attacks. Our study is the result of the first global scale measurement of the patch dynamics of a popular browser.

What's interesting, too, is that this was research done using data drawn from Google: there must be a lot of really useful info there to be mined - suitably anonymised, of course. (Via Bruce Schneier.)
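As an added illustration (not code from the paper or from this post), here is the kind of measurement the abstract describes, run over a handful of constructed, anonymised log lines: each line carries a day and a user-agent string, and the script reports the share of Firefox and Opera hits that are on the version treated as "latest". The log lines and the LATEST table are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: "<day> <user-agent>", anonymised (no IPs, no paths).
# Browser versions are illustrative, not the paper's data.
SAMPLE_LOG = """\
2007-06-01 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
2007-06-01 Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
2007-06-01 Opera/9.21 (Windows NT 5.1; U; en)
2007-06-01 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
2007-06-01 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
2007-06-02 Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
2007-06-02 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
2007-06-02 Opera/9.20 (Windows NT 5.1; U; en)
2007-06-02 Opera/9.21 (Windows NT 5.1; U; en)
"""

# Assumed "latest, most secure" versions on the sampled days.
LATEST = {"Firefox": (2, 0, 0, 4), "Opera": (9, 21)}

# Matches the product token and dotted version of the two browsers studied.
UA_PATTERN = re.compile(r"\b(Firefox|Opera)/(\d+(?:\.\d+)*)")


def parse_line(line):
    """Return (day, browser, version_tuple), or None for other browsers."""
    day, _, ua = line.partition(" ")
    m = UA_PATTERN.search(ua)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(2).split("."))
    return day, m.group(1), version


def daily_latest_share(log_text, latest=LATEST):
    """Map (day, browser) -> fraction of that browser's hits on `latest`."""
    hits = defaultdict(Counter)  # (day, browser) -> Counter of versions
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            day, browser, version = parsed
            hits[(day, browser)][version] += 1
    return {key: c[latest[key[1]]] / sum(c.values()) for key, c in hits.items()}


def peak_share(shares, browser):
    """Highest daily share of the latest version seen for one browser."""
    return max(v for (day, b), v in shares.items() if b == browser)


if __name__ == "__main__":
    shares = daily_latest_share(SAMPLE_LOG)
    for (day, browser), share in sorted(shares.items()):
        print(f"{day} {browser:8s} on latest: {share:.0%}")
```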

30 January 2009

Why Adware Authors Love IE and Windows

An adware author explains:


Most adware targets Internet Explorer (IE) users because obviously they’re the biggest share of the market. In addition, they tend to be the less-savvy chunk of the market. If you’re using IE, then either you don’t care or you don’t know about all the vulnerabilities that IE has.

IE has a mechanism called a Browser Helper Object (BHO) which is basically a gob of executable code that gets informed of web requests as they’re going. It runs in the actual browser process, which means it can do anything the browser can do – which means basically anything. We would have a Browser Helper Object that actually served the ads, and then we made it so that you had to kill all the instances of the browser to be able to delete the thing. That’s a little bit of persistence right there.

If you also have an installer, a little executable, you can make a Registry entry and every time this thing reboots, the installer will check to make sure the BHO is there. If it is, great. If it isn’t, then it will install it.

(Via Bruce Schneier.)

29 October 2008

Uncle Brucie Frightens Me

Eek:

Measures such as ID cards are a temporary measure before biometric technology becomes ubiquitous. That was the warning from security guru Bruce Schneier this week, who claims that surveillance technology will get more sophisticated and, more importantly, smaller and harder to detect. "We live in a very unique time in our society. The cameras are everywhere and you can still see them," said Schneier, BT's chief security technology officer. "Five years ago they weren't everywhere, five years from now you are not going to see them."

...

Biometric technologies such as face recognition, or systems based on a particular type of mobile phone owned or even clothes, may also be used for identity checks. The increase in background ID checks means that the current debate around national ID cards in the UK is only a short-term issue, according to Schneier. "I know there are debates on ID cards everywhere but in a lot of ways, they are only very temporary. They are only a temporary solution till biometrics takes over," he said.

Eventually, even airports won't actually require people to show ID, as the checks will just happen in the background while you queue for check-in or move through the terminal. "When you walk into the airport they will know who you are. You won't have to show an ID – why bother? They can process you quicker," he said.

18 September 2008

St. Bruce Nails it Again

airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.

Read the whole thing - it says it all.

08 July 2008

How to Get Rid of the "War on Terror"

Bruce Schneier has his usual wise words on the subject of "terror":

Terrorism is a heinous crime, and a serious international problem. It's not a catchall word to describe anything you don't like or don't agree with, or even anything that adversely affects a large number of people. By using the word more broadly than its actual meaning, we muddy the already complicated popular conceptions of the issue. The word "terrorism" has a specific meaning, and we shouldn't debase it.

But, sorry Brucie, it's too late: they've already debased it.

But debasement is a two-edged sword. What we should do now is to use "terrorism" for even the most trivial infraction: "parking terrorism", "litter terrorism", "noise terrorism" - you get the idea. In no time at all, even the politicians will recognise that the whole concept of "terror" has become eviscerated, and risible. The "War on Terror" will sound - rightly - about as sensible as a "War on Flatulence".

29 January 2008

Schneier on the False Dichotomy

Once more, Brucie tells it as it is:


Security and privacy are not opposite ends of a seesaw; you don't have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it's based on identity, and there are limitations to that sort of approach.

When are they going to make this man President of the USA?

05 December 2007

What's the Opposite of Openness?

Not simply being closed, but something like this:


If I make a computer security mistake — in a book, for a consulting client, at BT — it’s a mistake. It might be expensive, but I learn from it and move on. As a criminal, a mistake likely means jail time — time I can’t spend earning my criminal living. For this reason, it’s hard to improve as a criminal. And this is why there are more criminal masterminds in the movies than in real life.

BTW, this interview with security god Bruce Schneier is just amazing - not least because it goes on for ever. Luckily, you just can't have too much of Brucie.

10 August 2007

The Liability of Closed Source Software

It's a pity that reports from the House of Lords' Science and Technology Committee are so long, because they contain buckets of good stuff - not least because they draw on top experts. A case in point is the most recent, looking at personal Internet security, which includes luminaries such as Bruce Schneier and Alan Cox.

The recommendations are a bit of a mixed bag, but one thing that caught my eye was in the context of making suppliers liable for their software. As Bruce puts it:

“We are paying, as individuals, as corporations, for bad security of products”—by which payment he meant not only the cost of losing data, but the costs of additional security products such as firewalls, anti-virus software and so on, which have to be purchased because of the likely insecurity of the original product. For the vendors, he said, software insecurity was an “externality … the cost is borne by us users.” Only if liability were to be placed upon vendors would they have “a bigger impetus to fix their products”

Of course, product liability might be a bit problematic for free software, but again Schneier has a solution:

Any imposition of liability upon vendors would also have to take account of the diversity of the market for software, in particular of the importance of the open source community. As open source software is both supplied free to customers, and can be analysed and tested for flaws by the entire IT community, it is both difficult and, arguably, inappropriate, to establish contractual obligations or to identify a single “vendor”. Bruce Schneier drew an analogy with “Good Samaritan” laws, which, in the United States and Canada, protect those attempting to help people who are sick or injured from possible litigation. On the other hand, he saw no reason why companies which took open source software, aggregated it and sold it along with support packages—he gave the example of Red Hat, which markets a version of the open source Linux operating system—should not be liable like other vendors.

12 February 2007

The Deeper View on Vista

Once more, Brucie tells it like it is:

Microsoft is reaching for a much bigger prize than Apple: not just Hollywood, but also peripheral hardware vendors. Vista's DRM will require driver developers to comply with all kinds of rules and be certified; otherwise, they won't work. And Microsoft talks about expanding this to independent software vendors as well. It's another war for control of the computer market.

A must-read.

14 December 2006

MyPassword

In case you hadn't noticed, we live in a digital world cordoned off by passwords. Nearly everything online requires them, so you are faced with the classic dilemma: use one hard-to-guess, hard-to-remember password for everything, or use lots of easy-to-remember, easy-to-guess ones - or maybe just one easy-to-guess one.

This fascinating analysis by Bruce Schneier of a clutch of compromised passwords from MySpace is slightly better news than you might have expected:

We used to quip that "password" is the most common password. Now it's "password1." Who said users haven't learned anything about security?

But seriously, passwords are getting better. I'm impressed that less than 4 percent were dictionary words and that the great majority were at least alphanumeric.

The story has some good links to historical studies of passwords, as well as the usual sharp Brucie thoughts. Alas, these include the following:

None of this changes the reality that passwords have outlived their usefulness as a serious security device. Over the years, password crackers have been getting faster and faster. Current commercial products can test tens -- even hundreds -- of millions of passwords per second. At the same time, there's a maximum complexity to the passwords average people are willing to memorize (.pdf). Those lines crossed years ago, and typical real-world passwords are now software-guessable.

"Hundreds of millions of passwords per second"??? Gulp.
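To put numbers on "those lines crossed", here is an added example (not from Schneier's column or this post) that sorts a constructed handful of passwords into categories like those in the MySpace analysis, then works out how long an exhaustive search over each password's character classes would take at the guess rates the column quotes. The tiny word list and the sample passwords are assumptions made for the example.

```python
import string

# Guess rates quoted in the column: "tens -- even hundreds -- of millions" per second.
RATES = {"tens of millions/s": 1e7, "hundreds of millions/s": 1e8}

# Constructed stand-in for a real cracking word list.
DICTIONARY = {"password", "letmein", "monkey", "dragon", "football"}


def classify(pw):
    """Category in the spirit of the MySpace analysis. A dictionary word with
    trailing digits (e.g. "password1") still counts as a dictionary word."""
    core = pw.rstrip(string.digits).lower()
    if core in DICTIONARY:
        return "dictionary"
    if pw.isdigit():
        return "digits"
    if pw.isalpha():
        return "letters"
    if pw.isalnum():
        return "alphanumeric"  # letters and digits, no symbols
    return "symbols"


def charset_size(pw):
    """Size of the alphabet a brute-force search would have to cover."""
    size = 0
    size += 26 if any(c.islower() for c in pw) else 0
    size += 26 if any(c.isupper() for c in pw) else 0
    size += 10 if any(c.isdigit() for c in pw) else 0
    size += len(string.punctuation) if any(c in string.punctuation for c in pw) else 0
    return size


def seconds_to_exhaust(pw, rate):
    """Worst case: try every string from pw's alphabet, lengths 1..len(pw)."""
    n = charset_size(pw)
    keyspace = sum(n ** k for k in range(1, len(pw) + 1))
    return keyspace / rate


def summarise(passwords):
    """Fraction of the sample falling into each category."""
    counts = {}
    for pw in passwords:
        counts[classify(pw)] = counts.get(classify(pw), 0) + 1
    return {cat: n / len(passwords) for cat, n in counts.items()}


if __name__ == "__main__":
    sample = ["password1", "12345678", "abcdefg", "Tr0ub4dor", "p@ssw0rd!"]
    print(summarise(sample))
    for pw in sample:
        for label, rate in RATES.items():
            print(f"{pw:10s} {classify(pw):12s} {label}: {seconds_to_exhaust(pw, rate):.3g} s")
```

Brute-force time is an upper bound: a dictionary entry such as "password1" falls in a handful of guesses regardless of its nominal keyspace.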

25 October 2006

Bruce Schneier, the Man from BT???

Say it ain't true, Bruce:

Britain's BT Group has snapped up United States-based Counterpane Internet Security for a sum of more than $20 million as part of a continuing commitment to the security offering and overall growth of its Global Services business.

Counterpane provides managed network security services.

As part of the deal, Counterpane's founder, CTO and highly regarded security guru, Bruce Schneier, will join the BT payroll. Schneier will maintain his position as CTO within Counterpane, based in Mountain View, Calif.

Bruce Schneier, security god, meets BT, ex-monopolistic monster.

Ah, well, I suppose you deserve the dosh, if nothing else.

31 August 2006

Security Engineering - the Book

I've mentioned Ross Anderson before in this blog, and my own failed attempt to interact with him. But I won't let a little thing like that get in the way of plugging his book Security Engineering - especially now that it can be freely downloaded. If you want to know why that's good news, try reading the intro to said tome, written by the other Mr Security, Bruce Schneier. (Via LWN.net.)

02 July 2006

The Economics of Security

In his latest Wired column, Bruce S. is writing about a subject particularly dear to my heart: the economics of security. He was lucky enough to go up to the fifth Workshop on the Economics of Information Security at Cambridge: I had hoped to go, but a sudden influx of work prevented me.

My own interest in this area was sparked by a talk that Ross Anderson, now a professor at Cambridge, gave down in London. I vaguely knew Ross at university, when both of us had rather more hair than we do now. Since this was 30 years ago, it's not surprising that he didn't remember me when I introduced myself at the London talk, pointing out that the last time I had seen him was in Whewell's Court: he stared at me as if I was completely bonkers. Ah well.

Schneier gives a good summary of what this whole area is about, and why it is so important:

We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer security. Hospitals' medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients' privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse.

Read the whole column, and then, if you are feeling strong, try Ross's seminal essay on the subject: "Why Information Security Is Hard -- An Economic Perspective".

18 May 2006

What Do You Have to Hide?

Trust one of my digital heroes - Bruce Schneier - to provide a definitive rebuttal to the tired cliché trotted out by all those who would put us under surveillance: "If you aren't doing anything wrong, what do you have to hide?" Basically, it comes down to the fact that

Privacy is ... a requirement for maintaining the human condition with dignity and respect.

Read the piece for Schneier's paean to the "eternal value of privacy", as he puts it.