Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security China The Internet United States Technology

Schneier: Either Everyone Is Cyber-secure Or No One Is 130

Presto Vivace sends a new essay from Bruce Schneier called "The Democratization of Cyberattack." Quoting: When I was working with the Guardian on the Snowden documents, the one top-secret program the NSA desperately did not want us to expose was QUANTUM. This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers. The cyberweapons manufacturer Hacking Team sells packet injection technology to any government willing to pay for it. Criminals use it. And there are hacker tools that give the capability to individuals as well. ... We can't choose a world where the U.S. gets to spy but China doesn't, or even a world where governments get to spy and criminals don't. We need to choose, as a matter of policy, communications systems that are secure for all users, or ones that are vulnerable to all attackers. It's security or surveillance.
This discussion has been archived. No new comments can be posted.

Schneier: Either Everyone Is Cyber-secure Or No One Is

Comments Filter:
  • not sure how packet injection breaks into my computer.

    • by Anonymous Coward on Wednesday March 04, 2015 @02:35AM (#49178741)

      Zero day vulnerability even if you don't visit an infected website.

    • Re: (Score:2, Informative)

      by kesuki ( 321456 )

      packet injection for dummies.
      1. user initiates comms
      2. MITM detects comms
      3. MITM rewrited packet headers and sends falsified packets AS user
      4. Computer reads funny joke
      5. computer spits coffee into keyboard
      6. device is fried, user is blamed.
      7. government sells broken device to user
      8. user can't push device sold to them
      9. user wishes it never happened
      10. quantum paradox occurs
      11. server reboots
      12. ???
      13. nuked from orbit
      14. goto step 1.
      15. bitch complains about tight loop.

    • Re: (Score:3, Insightful)

      not sure how packet injection breaks into my computer.

      It's not about hacking into your computer. It's about the fact that the govt spy agencies had quite sophisticated spying infrastructure installed into key parts of the internet. Why this is a surprise to anybody is beyond me. Other than the negative PR value (which I'm sure some 'we're protecting you from pedophiles rhetoric' would fix I don't even know why the govt particularly cared if people found out.

  • Stating the obvious (Score:5, Informative)

    by Anonymous Coward on Wednesday March 04, 2015 @02:19AM (#49178701)

    Its always seemed obvious to me that the system that you *know* grants unauthorised access cannot be considered to be secure. I never thought I was saying anything profound or even worthwhile, but apparently this fact is lost on a good number of people.

    • by AHuxley ( 892839 )
      Each generation has its own ability to set aside the way a telco network can be used domestically.
      The use was only for ww1, ww2, the Soviet Union, Russia, China, distant wars and long occupations.
      Tame brands, academics, political leaders all thought their generation of secure hardware and software was been looked after by different brands, legal teams, oversight or respected international standards.
      With the news of weak standards, academics been unaware or unsure where to look, brands letting other outs
    • by gweihir ( 88907 )

      Most people are both stupid and incompetent, and in addition do not realize either. Once you have accepted that, basically all problems the human race has have a conclusive and accurate explanation.

  • Insecure (Score:4, Insightful)

    by phantomfive ( 622387 ) on Wednesday March 04, 2015 @02:20AM (#49178703) Journal
    Right now there's not really an option, we're all insecure. And we will continue to be insecure as long as we favor features over security (which probably won't change).
    • And we will continue to be insecure...

      Full stop. That's it. Nothing else. The best option is to make sure nobody has the advantage.

      • What? No thankyou, I'd prefer to have my system secure.
        • by Pieroxy ( 222434 )

          What? No thankyou, I'd prefer to have my system secure.

          It's all well and good, but how do you propose to do that ?

          • Unplug the network.

            Seriously though, Daniel Bernstein has put a lot of thought into that question. You can start here [cr.yp.to].
            • by Pieroxy ( 222434 )

              Well, you're right on one thing: unplugging is probably the only option. Given the gazillion lines of code running on any net-connected machine, there is just no way in hell all this code will ever be 100% secure. Given that anyone in the world can find a flaw and then market it for the others, I'd say the future looks pretty dark on that front.

              The paper is interesting but quite idealist. No OS, driver, app is going to be rewritten with this in mind. And we need ALL of them to be rewritten. There is, for al

              • by rot26 ( 240034 )
                Penetrating air-gapped machines is old hat now. The next step will be discovering that the hardware we buy has been pre-compromised before purchase. Oh, that's right, that's already happening.

                Hurray for megabyte sized firmware... lots of room to hide anything.
                • Penetrating air-gapped machines is old hat now.

                  Some vaguely plausible demos at a few conventions is not 'old hat'.

              • *all intensive purposes

            • by Pieroxy ( 222434 )

              Also, don't forget they overfucked Iran's nuclear facilities infecting PCs that were on no network at all. It worked for more than 5 years. So all in all, network is just an accelerator, but they can get into anything with plugs. Fill the network plug, USB slots, CD-Rom drives and every other mean of communication from the computer and then it's become worthless.

            • Unplug the network

              Not enough. Quoting Spaf:

              The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts.

              http://spaf.cerias.purdue.edu/... [purdue.edu]

        • That's an illusion, unless you design your own hardware and the system that runs on it.
        • Everyone preffers. Then, the relativity kicks in...
        • Well then, the best of luck to you. You will need that, and a miracle or two...

    • False statement. Security and features are not mutually exclusive. Even though in the head of many security guys they are just looking forward to block features they haven't yet found how to make secure.
    • We are all insecure and this is not that bad. These vulnerabilities make people and corporations equal the way Colt made them in his time. We just have to maintain acceptable level of risk.
      • That's a false equality. A revolver is nice and all, but it's of almost no use against an army. Even less against a battalion of tanks. You might get lucky and take out a few soldiers, but that won't even slow them down.

      • No it doesn't. If a corporation loses your personal information, you're going to suffer more than them.
        • It is already pretty clear that we have to (and will, some way or another) build a society where the personal information is not THAT sensitive.
          • That sounds harder than building a secure system.
          • It's not that hard to build that society.

            We could start by eliminating the notion of the Social Security ID being a 'secret number.'

            There's no reason it needs to be a secret number for the Social Security system to operate. SS was set up as a pension savings plan and the SSN was never intended as an identification number.

            The government could simply publish everyone's SSN in a publicly available digest, either online or in big phone-book like volumes.

            That would fuck over the 'cheap' way that the Credit and

            • I live in Europe and I simply do not understand the crazy SSN thing you have. Our "government IDs" are not secret. We still have a lot of room for improvement, sure, but you can use a lot of hints from us.
              • The issue with the SSN is that with the number, a name, and a birth date you can get a credit card mailed to you. This happens because the credit card issuers make the mistake that if you know those 3 things then you must be that person (and, they have successfully pushed the pain onto the real person by coining the phrase identity theft, instead of what it really is, fraud).

                In your country in Europe, what do you need to do to get a credit card?
                --
                JimFive
                • At least in Bulgaria where I live, CC is never mailed. You have to go in person to a bank office and show a state-issued ID card (or passport, if you are not local), to get one. IDs are generally hard to forge (crypto-enabled coming soon here and already usual in other EU states), have your photo printed on them, last usually 10 years and are mandatory.

                  CCs became themselves crypto devices some 15 years ago and a lot of them do not have a magnetic strip now - good luck cloning them.

                  It is not that we do
    • This doesn't really need to be the case. We're used to carrying keys to access our cars and homes -- we could carry digital encryption keys to access our emails and data. The bug/feature is that losing the keys necessarily means permanently losing access to the data, from the past anyway. But that's not actually very different from today -- much of our data rots for other reasons anyway. Photos and documents disappear when we buy a new phone, or when our hard drives bite the dust. Endpoint encryption w

  • other governments are not.

    Just develop everything in house. And I do mean everything.

    • That won't make you secure. Given how government programmers operate, it will probably be less secure.
    • This way, you can only get security by obscurity. Not much. You also get all the expenses of in-house development. A LOT.
  • Hey Bruce (Score:4, Interesting)

    by 93 Escort Wagon ( 326346 ) on Wednesday March 04, 2015 @02:59AM (#49178807)

    You're preaching to the choir here... but it'd sure be great if you got a chance to explain this to the President and to Congress, though.

    • Bruce is just a blogger and a journalist. He wrote the Cryptology book that nobody else dared publish and got it into print. He's not a credentialed cytologist, and his 'security expertise' comes from him having been a blogging journalist on the topic for over a decade.

      He probably would be good at explaining the issue to the President and Congress, but that would be because he's a good communicator, not an expert or scientist.

  • This summary ends in a conclusion which seems appropriate for slashdot. But it grew from a questionable source.

    We are expected to believe that Mr. Schneier at the Guardian, one of the anointed who had access to Snowden documents ... the NSA contacted him with concerns about exposing QUANTUM? Was this done by telephone, via intermediaries or a personal visit? How did the NSA know the Guardian/Schneier knew about QUANTUM? The logistics, the timeline, the specifics of this meeting have escaped me in this short

    • Re:facts please ! (Score:5, Informative)

      by Programming Ace ( 623151 ) on Wednesday March 04, 2015 @04:04AM (#49178947)
      The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure.
      • by swell ( 195815 )

        "The guardian team has spoken before, they raise all of their publications to the Department of Defense and NSA for comment before releasing to the public. This is why some of the information coming from the Guardian is still redacted. They're trying to make sure they're not putting anyone's lives at risk in the process of disclosure."

        Thanks. The Guardian and other publishers are still slowly releasing documents after careful scrutiny. Partly, as you say, to avoid putting lives at risk. I had not been aware

    • I imagine, using standard journalists' practice, the Guardian phoned up the NSA and said 'we've found this in your documents. Would you like to comment?' That's what professional journalists do.

    • It could've come from GCHQ - y'know, the guys who turned up to the Guardian's offices & forced them to "symbolically" destroy a couple of their hard drives. And also the guys who harassed journalists & their partners whilst they were in the "international" zones of our airports.

  • Haven't people testing wireless security with aircrack been using packet injection for like... years??

    • Re:Top Secret? (Score:5, Insightful)

      by PhilHibbs ( 4537 ) <snarks@gmail.com> on Wednesday March 04, 2015 @04:28AM (#49178993) Journal

      It's not the idea that was top secret. It's the specific implementation and the fact that they were using it and what for that was secret.

      • There's some merit to that, in that some criminals and terrorists mistakenly believe that the infrastructure is secure, that they are not worthwhile targets, or that they are somehow anonymous. Alerting them to their mistaken beliefs doesn't make things easier for those tasked with limiting their damage.

        On the other hand, as this article points out, not disclosing, or drawing attention to, the catastrophic vulnerabilities that are used in offensive operations simultaneously makes us all vulnerable to those

  • by Tom ( 822 ) on Wednesday March 04, 2015 @04:28AM (#49178995) Homepage Journal

    What's with the clickbait headlines? By itself, the headline is total BS. The actual statement made, however, is spot on. The hole in your security doesn't care who exploits it. There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).

    What worries me most is that we could win this fight, if it weren't for our own governments deciding to betray us. There are vastly more people interested in secure communication and other people not being able to spy on or subvert our computers and mobile devices than there are people interested in compromised communications and systems (basically only criminals and some deluded, criminal-if-the-laws-were-right elements of governments).

    There is just one problem to Bruce's argument: The largest and most powerful spy agency in the world disagrees with his fundamental assumption. We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.
    The NSA believes, and/or is tasked with exactly these two things that Bruce says (and I agree) are mutually exclusive. No surprise they've gone rogue, their very mission statement is a recipe for a mental breakdown through cognitive dissonance.

    • by Anonymous Coward

      There's no "good guy" flag in IP headers (though I'm sure some April 1st RFC will soon introduce it).

      Young rascals. Get off my lawn.
      http://tools.ietf.org/html/rfc3514

      • by Tom ( 822 )

        Everyone knows about the evil bit. That's what prompted me to write the bracket remark. But it's not quite the same as a "we're from the NSA, nothing to see here" flag.

    • by swb ( 14022 )

      The NSA used to get by with being clever because it used to be that mathematically secure communications didn't exist, or if they did, they were extremely difficult to implement without a mathematician and only useful for small messages.

      Now we have trivial access to computing power and well-understood encryption technologies that turns this on its head and communications can be trivially secured in ways that can only be broken by compromising them so they are internally flawed or by statutory means of denyi

    • Cognitive dissonance? Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad. It's a classic mission time-tested by history, and it has plenty of counterparts in sports metaphors. Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.
      • by Zalbik ( 308903 )

        Bruce's thesis is that if spy agencies deliberately allow for weakened security infrastructure so they can monitor communications, then the enemy can make use of those weak points. That there is no way to just let the "good guys hack".

        "the NSA has two missions...To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication."
        If they allow hacks to propagate so they can spy, then communication is not secure. (i.e. they fail the first part of t

      • by Tom ( 822 )

        Those two missions aren't mutually exclusive. Defend yourself at home and go on offense abroad.

        It works for bombs and tanks, but not for computer networks and communications. It might have even worked in the time of telegraphs and snail mail letters. But for encryption, it doesn't work. A cipher is either weak, or strong. You can compromise a foreign postal system without affecting the security of your own, but you can't secretly build a backdoor into an encryption algorithm that works only for you.

        Simply asserting that something is mutually contradictory because it sounds good to use words like 'cognitive dissonance' isn't any kind of argument.

        Now you're trying to reverse the chain of causality just to make a cute finishing sentence. :-)

    • Commenter claims: . We often forget that the NSA has two missions, and they are exactly the two things that Bruce argues cannot co-exist: To secure the computing infrastructure of the US against foreign espionage, and to provide espionage on foreign communication.

      Had you ever worked at the NSA, or served in military intelligence, you would know better, as their two missions are financial intelligence acquisition for the money masters, and command-and-control of the populace. Sometime you might study th
  • by Anonymous Coward

    "... This is the NSA's program for what is called packet injection--basically, a technology that allows the agency to hack into computers.Turns out, though, that the NSA was not alone in its use of this technology. The Chinese government uses packet injection to attack computers." ,,,that ALL the spies have much more in common with each other than they do with civilians.

    Towards the end of the Cold War the UK and Russian intelligence services were routinely exchanging data on their activities - the idea bein

  • by GauteL ( 29207 ) on Wednesday March 04, 2015 @06:53AM (#49179337)

    For those that don't know or have forgotten. The British PM made a statement [theguardian.com] that he wants to ban communication which cannot be intercepted and deciphered by the government. We may as well just send all our communication in plain text ascii.

  • Either we're all safe, or we all get destroyed.
  • by Anonymous Coward

    We choose security for our homes but why don't we all live in bank vaults? cost? aesthetics?

    There are some types of security that the average person simply can't have. Most of us have no choice but to use a commercial provider for our internet access and as long as we can't own and control every point between us and our target node and the development and manufacturer of every critical component in our devices - our governments will always be able to subvert our trust and spy on us anyway.

    You're expecting

  • Another huge problem with all this data gathering is that the amount of data is impossible to process by humans, so the agencies will have to rely on algorithms to find the "bad guys". Who can defend themself against accusations or persecution that falls out of such algorithms? It quickly becomes a case of everybody have to prove their own innocense (which of course is impossible). Add injection of false data and corruption of databases, and we are all doomed.
  • is the enemy of good.
  • ... everyone has access to the same tools.

    By way of example, it's damn near impossible for me to buy a grenade, but the military has lots.

    The way cyber warfare is developing, it's more of a level playing field.

    The major difference between capabilities of governments and civilians, on the cyber warfare stage, is money.

  • also uses DPI (packet injection) and is supposed to be the state-of-the-art full-spectrum intelligence platform: it will allow one to intercept an email, alter and forward it unknown to either the addressor or addressee, with a new meeting time and place, and then dispatch either an extreme rendition, or kill team, to the rendezvous point. Ain't life grand?

    https://www.wikileaks.org/spyf... [wikileaks.org]
    http://www.spiegel.de/internat... [spiegel.de]
    http://www.allgov.com/news/us-... [allgov.com]
    http://securityaffairs.co/word... [securityaffairs.co]

Don't get suckered in by the comments -- they can be terribly misleading. Debug only code. -- Dave Storer

Working...