Vulnerabilities / Threats

11/6/2013
09:35 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

Schneier: Make Wide-Scale Surveillance Too Expensive

Lessons from NSA revelations hit at heart of the 'fundamental issue of the information age,' says Bruce Schneier

As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet's infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.

"There are a lot of technical things we can do. The goal is to make eavesdropping expensive," Schneier said. "That's the way to think about this, is to force the NSA to abandon wholesale collection in favor of targeted collection of information." As things stand now, the NSA's surveillance efforts are aided and abetted by the information economy as it stands today, he explained. With data being collected about consumers at every step of their movement online and very little of it being purged from corporate systems, it is only a matter of time that someone puts that data to use.

"This is not a question of malice in anybody's heart, this is the way computers work. So what you're ending up with is basically a public-private surveillance partnership," he says. "NSA surveillance largely piggybacks on corporate capabilities—through cooperation, through bribery, through threats and through compulsion. Fundamentally, surveillance is the business model of the Internet. The NSA didn't wake up and say let's just spy on everybody. They looked up and said, 'Wow, corporations are spying on everybody. Let's get ourselves a cut.'"

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

According to Schneier, groups like IETF need to find a way to get everyone to understand that a secure Internet is in everybody's best interest. And beyond the political and legal solutions to the problems, technologists must find ways to make it more onerous for wide-scale surveillance to be carried out.

This starts first with ubiquitous encryption on the Internet backbone, Schneier said, along with useable application layer encryption. Additionally, thought needs to put into target dispersal.

"We were safer when our email was at 10,000 ISPs than it was at 10," he said. "It makes it easier for the NSA and others to collect. So anything to disperse targets makes sense."

Additionally, increasing use of endpoint security products and better integrated anonymity tools can help thwart widespread spying. Finally, security and technology assurance needs to be fixed, so that back doors aren't left behind for any one person or group to take advantage.

"This is a hard one, but it's an important one," he said. "We need some way to guarantee, to determine, and to have some confidence that the software we have does what it's supposed to do and nothing else."

Additionally, people need to understand that while the NSA is in the limelight at the moment, it is a symptom of a much bigger disease. Not only is the NSA not the only government agency across the world to engage in these behaviors, but so too are private organizations to some extent.

"This is a fundamental problem of data-sharing and of surveillance as a business model. This is about the benefits of big data versus the individual risks of big data," he said. "When you look at behavioral data of advertising, of health data of education data, of movement data, the question becomes how do we design systems that benefit society as a whole while protecting people individual. I believe this is the fundamental issue of the information age."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
11/7/2013 | 11:57:41 AM
re: Schneier: Make Wide-Scale Surveillance Too Expensive
security and surveillance are originated at your desk. all those programs you use. what do they really do ? open source puts the source on the table, face up. you might not inspect it yourself but there are those who do and they love to blog about what they find.

and that is a good thing. It's time to think about Linux.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.