Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/6/2013
09:35 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Schneier: Make Wide-Scale Surveillance Too Expensive

Lessons from NSA revelations hit at heart of the 'fundamental issue of the information age,' says Bruce Schneier

As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet's infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.

"There are a lot of technical things we can do. The goal is to make eavesdropping expensive," Schneier said. "That's the way to think about this, is to force the NSA to abandon wholesale collection in favor of targeted collection of information." As things stand now, the NSA's surveillance efforts are aided and abetted by the information economy as it stands today, he explained. With data being collected about consumers at every step of their movement online and very little of it being purged from corporate systems, it is only a matter of time that someone puts that data to use.

"This is not a question of malice in anybody's heart, this is the way computers work. So what you're ending up with is basically a public-private surveillance partnership," he says. "NSA surveillance largely piggybacks on corporate capabilities—through cooperation, through bribery, through threats and through compulsion. Fundamentally, surveillance is the business model of the Internet. The NSA didn't wake up and say let's just spy on everybody. They looked up and said, 'Wow, corporations are spying on everybody. Let's get ourselves a cut.'"

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

According to Schneier, groups like IETF need to find a way to get everyone to understand that a secure Internet is in everybody's best interest. And beyond the political and legal solutions to the problems, technologists must find ways to make it more onerous for wide-scale surveillance to be carried out.

This starts first with ubiquitous encryption on the Internet backbone, Schneier said, along with useable application layer encryption. Additionally, thought needs to put into target dispersal.

"We were safer when our email was at 10,000 ISPs than it was at 10," he said. "It makes it easier for the NSA and others to collect. So anything to disperse targets makes sense."

Additionally, increasing use of endpoint security products and better integrated anonymity tools can help thwart widespread spying. Finally, security and technology assurance needs to be fixed, so that back doors aren't left behind for any one person or group to take advantage.

"This is a hard one, but it's an important one," he said. "We need some way to guarantee, to determine, and to have some confidence that the software we have does what it's supposed to do and nothing else."

Additionally, people need to understand that while the NSA is in the limelight at the moment, it is a symptom of a much bigger disease. Not only is the NSA not the only government agency across the world to engage in these behaviors, but so too are private organizations to some extent.

"This is a fundamental problem of data-sharing and of surveillance as a business model. This is about the benefits of big data versus the individual risks of big data," he said. "When you look at behavioral data of advertising, of health data of education data, of movement data, the question becomes how do we design systems that benefit society as a whole while protecting people individual. I believe this is the fundamental issue of the information age."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
11/7/2013 | 11:57:41 AM
re: Schneier: Make Wide-Scale Surveillance Too Expensive
security and surveillance are originated at your desk. all those programs you use. what do they really do ? open source puts the source on the table, face up. you might not inspect it yourself but there are those who do and they love to blog about what they find.

and that is a good thing. It's time to think about Linux.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0063
PUBLISHED: 2020-02-21
Insecure plugin update mechanism in tucan through 0.3.10 could allow remote attackers to perform man-in-the-middle attacks and execute arbitrary code ith the permissions of the user running tucan.
CVE-2013-3551
PUBLISHED: 2020-02-21
Kernel/Modules/AgentTicketPhone.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.20, 3.1.x before 3.1.16, and 3.2.x before 3.2.7, and OTRS ITSM 3.0.x before 3.0.8, 3.1.x before 3.1.9, and 3.2.x before 3.2.5 does not properly restrict tickets, which allows remote attackers with a valid agent ...
CVE-2013-4088
PUBLISHED: 2020-02-21
Kernel/Modules/AgentTicketWatcher.pm in Open Ticket Request System (OTRS) 3.0.x before 3.0.21, 3.1.x before 3.1.17, and 3.2.x before 3.2.8 does not properly restrict tickets, which allows remote attackers with a valid agent login to read restricted tickets via a crafted URL involving the ticket spli...
CVE-2019-19865
PUBLISHED: 2020-02-21
Atos Unify OpenScape UC Web Client 1.0 allows XSS. An attacker could exploit this by convincing an authenticated user to inject arbitrary JavaScript code in the Profile Name field. A browser would execute this stored XSS payload.
CVE-2019-19866
PUBLISHED: 2020-02-21
Atos Unify OpenScape UC Web Client 1.0 allows remote attackers to obtain sensitive information. By iterating the value of conferenceId to getMailFunction in the JSON API, one can enumerate all conferences scheduled on the platform, with their numbers and access PINs.