Saturday, November 10, 2018

Our data are doomed

kw: book reviews, nonfiction, internet, internet security

I have read the Schneier on Security blog on and off almost since I began this blog. As far as gurus of internet security go, he is IT. So when I ran across Schneier's latest book, I nabbed it, in part to see whether it would be a collection of blog posts (it isn't). His writing is great, his ideas are spot-on, and the subject is rather depressing.

Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, by Bruce Schneier, is scary as hell, and the author isn't selling anything…not to us at least. He is indeed trying to "sell" policy ideas to the U.S. government, and in part this book is aimed at getting us to put pressure on our representatives to pay more attention to this issue.

The Internet is rapidly becoming the Internet of Things (IoT), in which to say, everything in the home that would have been bought after a certain date is not just a toaster, light bulb, or easy chair, but a computer that cooks toast and Pop-Tarts (and remembers), a computer that talks to the light switch and learns your schedule and can set mood lighting at your request, or a computer that offers you a comfy seat and records your weight and heartbeat and maybe massages you (it may also inform your doctor of your day-to-day state of health). Almost any new car is not just a computer, but a collection of computers that control a transportation machine, more or less at your demand, keep track of its own maintenance schedule, record where you go and your driving habits; in the future it will know your mood, not only from your driving habits but from your temperature, smell, and perhaps level of noise you make (do you yell at other drivers when they annoy you...or at the radio?).

What the car, light bulb, and chair may know about us is one thing. Because they all connect via the Internet, or the coming, enhanced Internet that he calls Internet+, anybody with a modicum of hacking skills can know what they know. Your phone already knows your buying habits and perhaps banking habits. Who else would you be just tickled about if they knew also? Nobody? I thought so. Well, what will you do about it? What CAN you do about it?

If you believe the book's current explanation of the state of Internet security, the answer is, "Nearly nothing." Firstly, most people will be unwilling to go to the least trouble to "do something about it." Secondly, for those few who would be willing, there is precious little they can do. And that, my friends, is the message of Click Here.

The title is intended as click bait, but its message is not entirely hype. The book begins with three scenarios, and returns to them from time to time.

  1. Control of an auto from ten miles away, via an Internet-connected laptop. This was first done in 2015.
  2. Shutdown of a power plant in  Kiev, presumably by Russian hackers, in 2016.
  3. A hacker took control of 150,000 printers on insecure networks in 2017, and had them print taunting messages. This is a 'near-white-hat' attack. I wonder how many of the printers' owners took steps to secure their equipment?

Now consider item #3. Suppose someone hacks into a 3D printer, and has it print a booby trap to injure or kill the owner, when next he/she turns on the light in the room where it is kept? Suppose a 3D bio-printer is hacked to produce a super-flu like the 1918 bug that killed about 4% of the human population that year? How about every insecure 3D bio-printer? This extended scenario is behind the title of the book.

The author thinks only government can deal with this effectively. No other entity has the scope to do so. But at the moment, every powerful player in the Cyber arena has a vested interest in an Internet that is not too secure:

  • The NSA and other agencies want access to anything, anywhere, with little fuss.
  • Businesses would rather spend to make new products than to add security to existing ones. Neither do they have incentive to design security into their new products.
  • To the biggest presences on the Internet, from Google, Yahoo, Facebook, Instagram, Alibaba, Dianping..., all have as their primary product YOU, the user, and the information you post or reveal by your posting habits. They want to sell this stuff, not secure it.

Not only that, the Internet is the most prolific espionage tool to be developed since the microdot camera. When new vulnerabilities in common software are discovered, say by someone at NSA, they don't inform the software company. No, they add the knowledge to their "virtual arms locker", as a took to be used offensively, until someone more civic-minded or someone at the company stumbles across it and it gets fixed.

So, nobody with any power has much interest in better security. Tools to help make security better have languished on the shelf for decades, unused. Schneier explains why.

If you want your own end-to-end encryption, perhaps you can get Tor, but be aware that all the world's governments keep tabs on Tor users because so many of them are criminals. That in itself argues that we all ought to have such tools available by default. In the U.S., the Second Amendment assures that, if we want to own a gun for our protection, we can do so. That way, it is not presently so that "only criminals and cops have guns." But on the Internet, and even more, the nascent Internet+, you can't find a gun anyway, so only the criminals have guns, and most of the cops have at best rather inferior ones.

Will this get better? The author thinks so. He is optimistic enough to think it can get better in just a decade or two. Maybe. It probably won't get better, at least from a governmental intervention standpoint, until a Scenario #3 leads to a few dozen, or thousand, or even million, deaths. That's what it takes to get major policies created or changed. Good luck, y'all…keep your head low.

No comments:

Post a Comment