Tag Archives: Bruce Schneier

Bruce Schneier Sees Three Emerging Cyber Threats – NOT Cybercrime Related

Paradoxically, a significant percentage of the very people (self-described security experts) who love to paint computer users as “sheeple” (people unable to think for themselves; followers, lemmings, and so on) adhere religiously to the party line when it comes to cyber threats – the party, in this case, being the security application industry and its unrelenting “scare them to death” marketing tactics. I can’t help but wonder who the real “sheeple” are.

It’s hardly surprising that this type of “harum-scarum” focus has the potential to camouflage other significant cyber threat issues (beyond the cyber criminal issue). These include Internet privacy (now there’s an oxymoron), censorship, and illegal law enforcement tracking – just to name a few – all of which should be a focus of examination and analytical conversation.

Bruce Schneier, the Chief Security Technology Officer of BT (British Telecom) and the author of the best sellers “Schneier on Security,” “Beyond Fear,” “Secrets and Lies,” and “Applied Cryptography,” as well as the inventor of the Blowfish, Twofish, Threefish, Helix, Phelix, and Skein algorithms, recently revealed his top three emerging cyberspace threats – none of which, you’ll notice, has anything to do with cyber crime security, per se.

Here’s Schneier’s take on these issues – issues which, in his view, have the potential to be more dangerous than cybercriminals.

Last month, I participated in a panel at the Information Systems Forum in Berlin. The moderator asked us what the top three emerging threats were in cyberspace. I went last, and decided to focus on the top three threats that are not criminal.

The Rise of Big Data – By this I mean industries that trade on our data. These include traditional credit bureaus and data brokers, but also data-collection companies like Facebook and Google. They’re collecting more and more data about everyone, often without their knowledge and explicit consent, and selling it far and wide: to both other corporate users and to government. Big data is becoming a powerful industry, resisting any calls to regulate its behavior.

Ill-Conceived Regulations from Law Enforcement – We’re seeing increasing calls to regulate cyberspace in the mistaken belief that this will fight crime. I’m thinking about data retention laws, Internet kill switches, and calls to eliminate anonymity. None of these will work, and they’ll all make us less safe.

The Cyberwar Arms Race – I’m not worried about cyberwar, but I am worried about the proliferation of cyber weapons. Arms races are fundamentally destabilizing, especially when their development can be so easily hidden. I worry about cyberweapons being triggered by accident, cyberweapons getting into the wrong hands and being triggered on purpose, and the inability to reliably trace a cyberweapon leading to increased distrust. Plus, arms races are expensive.

Obviously, it’s important to have a functional understanding of cybercrime and the steps one must take to lessen its impact at an individual level. But it’s equally important to be aware that, behind the scenes, major changes are occurring which will affect how you use the Internet and the risks and exposures, unrelated to cyber criminals, you may be required to accept.

Forewarned is forearmed, and all that.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Opinion, Point of View

Weak Password Control – A Self Inflicted Injury

Over the weekend, Gawker.com was attacked, leading to the compromise of some 1.5 million user login credentials on Gawker-owned sites, including Gizmodo and Lifehacker.

According to Gawker Media:

Our user databases appear to have been compromised. The passwords were encrypted. But simple ones may be vulnerable to a brute-force attack. You should change your Gawker password and on any other sites on which you’ve used the same passwords.

In an ironic twist to this tale of woe, it turns out that Nick Denton, the site’s founder, had not followed his own advice and in fact, used the same password for his Google Apps account, his Twitter account, and others.

So what gives? Why would someone with the supposed technical competence of Denton be so boneheaded? I suspect it’s because the reality is that he’s no different from any typical user when it comes to establishing and enforcing proper password control. A lackadaisical effort is the norm.

I understand the dilemma. Complicated – in other words, safe – passwords are hard to remember, whereas easy passwords – in other words, unsafe passwords – are easy to remember. And a single password is surely easier to remember than a series of passwords, simple or not. No surprise, then, that most computer users employ a single, easy to remember, and consequently unsafe, password.

So what’s a user to do to avoid this critical security lapse? Well, you could follow the most common advice you’re likely to find when it comes to password control, and install a “password safe” – an application designed to store and retrieve passwords.

The Internet is full of advice that on the face of it seems reasonable, responsible and accurate. You know how it is – if you hear it often enough then it must be true. In my view, the password safe advice falls into this category.

Let me pose this question – you wouldn’t hang your keys outside your front door, would you? Of course you wouldn’t. Then why would you save passwords on the Internet, or on your computer? If there is one computer truism that is beyond dispute, it’s this – any computer application can be hacked, including password safes.

I have never saved passwords online, or on a local machine. Instead, I write my passwords down, and record them in a special book; a book which I keep ultra secure. There are some who disagree, for many reasons, with this method of password control, but I’m not about to change my mind on this issue.

I know that on the face of it, writing down your password seems counter intuitive, and flies in the face of conventional wisdom, since the issue here is one of security and safety.

But, ask yourself this question – is your home, office, wallet etc., more secure than your computer? If the answer isn’t “yes”, then you have additional issues that need to be addressed.

While it may be true that you don’t want your wife, lover, roommate, or the guy in the next office to gain access to your written list of passwords – and writing down your passwords will always present this risk – the real risk lies with the cyber-criminal, who is perhaps thousands of miles away.

Computer security involves a series of trade-offs – that’s just the reality of today’s Internet. And that brings us to the inescapable conclusion that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember.

Here are some guidelines on choosing a strong password:

Make sure your password contains a minimum of 8 characters.

Use upper and lower case, punctuation marks and numbers.

Use a pass phrase (a sentence), if possible. However, not all sites allow pass phrases.

Since brute-force dictionary attacks are common, keep away from single-word passwords that appear in a dictionary.

Use a different password for each sign-in site. This should be easy since you are now going to write down your passwords. Right?
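To make the guidelines above concrete, here is an added Python checker (example code written for this post, not a tool the author recommends) that tests a password against each rule, estimates the brute-force search space the Gawker notice alludes to, and flags a password reused across sites. The word list and sample credentials are constructed, and “use upper and lower case, punctuation marks and numbers” is read here as “at least three of those four classes”.

```python
import math
import re
import string

# Constructed stand-in for a cracker's word list; a real one runs to millions of entries.
COMMON_WORDS = {"password", "monkey", "letmein", "qwerty", "football", "welcome"}
# Common "leetspeak" substitutions a dictionary attack undoes before lookup.
LEET = str.maketrans("013@$", "oieas")

def charset_size(pw):
    """Alphabet size a brute-force search must cover, inferred from the classes used."""
    size = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    size += 10 * any(c.isdigit() for c in pw)
    size += len(string.punctuation) * any(c in string.punctuation for c in pw)
    return size + (" " in pw)

def entropy_bits(pw):
    """Search space implied by length and character classes, in bits (an upper bound)."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0

def check_password(pw):
    """Return the post's guidelines that the password violates (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    # Strip decoration (leading/trailing digits and punctuation), undo leetspeak, keep letters only.
    core = pw.lower().strip(string.digits + string.punctuation).translate(LEET)
    core = re.sub(r"[^a-z]", "", core)
    if core in COMMON_WORDS:
        problems.append("dictionary word with trivial decoration")
    return problems

def reuse_report(credentials):
    """credentials: {site: password}. Return passwords shared by more than one site."""
    by_pw = {}
    for site, pw in credentials.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}

if __name__ == "__main__":
    # Constructed sample credentials, not real ones: two sites share one password.
    sample = {"news-site": "Monkey!!", "mail": "Monkey!!", "bank": "Correct horse, battery staple 42"}
    print({pw: (round(entropy_bits(pw)), check_password(pw)) for pw in sample.values()})
    print("reused on:", reuse_report(sample))
```

Note that “P@ssw0rd1” satisfies the length and character-class rules yet still fails, which is why the dictionary rule matters as much as the complexity rules.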

You are entitled, of course, to disregard the advice in this article and look at alternatives to writing down your passwords, including Password Safe, a popular free application. As well, a number of premium security applications include password managers.

Interestingly, Bruce Schneier, perhaps the best known security guru and a prime mover, some years back, behind the development of Password Safe, is now an advocate of – you guessed it – writing down your passwords.

If you have difficulty devising strong passwords, take a look at Random.org’s Random Password Generator – a very cool free password tool.



Filed under cybercrime, Don't Get Hacked, downloads, Freeware, Interconnectivity, Internet Safety, Online Safety, Password Control, Software, System Security, Windows Update

Tech Thoughts Nominated for Best Non-Technical Blog

Searching the Web can often yield some astonishing surprises, and here’s a perfect example.

While searching the Net recently, referencing the upcoming 2010 RSA Conference, which will be held, once more, in San Francisco, I found an item which surprised me. Pleasantly, I might add.

Unbeknownst to me, Tech Thoughts had been nominated at the 2009 RSA Conference in the category Best Non-Technical Blog.

Let me be clear – I didn’t win (not even close, I suspect). But when the nominees in this category included some of the most astute and well known technology writers in the world – Bruce Schneier, the Chief Security Technology Officer of British Telecom (Schneier on Security), and Graham Cluley, the Senior Technology Consultant at Sophos (Graham Cluley’s Blog) – well…


Other top technology sites nominated included McAfee Security Insights, Dark Reading, Infosecurity, F-SECURE, TechRepublic IT Security Blog, ThreatFire Research Blog, Trend Micro’s Malware Blog, Windows Secrets, and more.

Being considered worthy to be chosen as a nominee in such an impressive field of internationally known technology writers and popular web sites, I must confess, made my heart go “pitter-patter”.

All bloggers, and writers, have their reasons, and justifications, for what they do, and what they choose to write about. Personally, I write Tech Thoughts simply to take part in the battle against those who threaten the viability of the Internet, by continuously attacking users for criminal gain. And of course, to offer my opinion on issues that are often contentious. It’s very cool to be recognized for those efforts.



Filed under blogging, Interconnectivity, Personal Perspective, Writing

Google’s CEO’s Privacy Statement – A Freudian Slip?

In a recent interview with CNBC, Google’s CEO Eric Schmidt made the following assertion on Internet privacy: “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place…” A statement, in my view, that is essentially the equivalent of moralistic claptrap.

Moreover, it’s a statement which translates easily into that foolishly held belief, “If you’ve done nothing wrong – you have nothing to worry about.” The truth is, the realities of the world we now live in continue to emphasize that, despite having done nothing wrong, you have everything to worry about.

Consider this:

Disk wipe utilities, disk cleaning utilities, and file shredding utilities, are among the most popular free downloads on the Internet.

Most web browsers offer a private browsing mode.

Encryption software is often advertised as a way to protect private, personal, or sensitive files.

Anonymizer applications, such as Hotspot Shield, are advertised as a way to protect a user’s online identity.

While there are multiple uses for the software applications, or application options, described above, a primary use of such software is to ensure a certain level of privacy. Of course, if you’ve done nothing wrong you don’t need to use these applications, right?


You have your own reasons for seeking out privacy of course, in both your private and your online life, and I wouldn’t begin to presume to query, or to comment on those reasons. But, I seriously doubt it’s because you’ve done something “wrong”. Instead, it comes down to a fundamental human need – and the need for privacy is fundamental to who we are.

Noted security guru Bruce Schneier puts it in a relevant context when he says:

“Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance. If we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness.

We become children, fettered under watchful eyes, constantly fearful that — either now or in the uncertain future — patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.”

The Internet is a reasonably true international digital representation of our world. A world with conflicting views on what’s right and what’s wrong, what’s socially acceptable and what’s not, and with varying degrees of both the recognition of, and the need for personal privacy.

For Eric Schmidt to state that he has the answer to this privacy riddle, in a highly complex world, or to assert his moralistic view as to what we should or shouldn’t do, is hardly the perspective one would expect from someone in his position.

He may be a whiz bang when it comes to search engines, but I suggest that he’s a dud when it comes to the psychology of human beings.



Filed under Google, Interconnectivity, Living Life, Personal Perspective, Privacy, Surveillance