intro’d to him via Mikko‘s ted playlist..
The security mirage
The feeling of security and the reality of security don’t always match, says computer-security expert Bruce Schneier. In his talk, he explains why we spend billions addressing news story risks, like the “security theater” now playing at your local airport, while neglecting more probable risks — and how we can break this pattern.(Filmed at TEDxPSU.)
Bruce Schneier thinks hard about security — as a computer security guru, and as a philosopher of the larger notion of making a safer world.
economically – security is always a trade-off
differing opinions on security.. trade-offs mean different things to different people
it seems that we'd be good at these trade-offs.. but we're not.. mostly because we feed off feeling.. rather than reality
if it's in the news – don't worry about it – by definition – news is something that is rare
if the market drives security and people make trade offs based on their sense of security
so you can make people secure and hope they notice, or not make them secure and hope they don’t notice
feeling (intuition), model (reason), reality
if feeling is close to reality – you don’t need a model, but in a complex world you need a model..
you can work on people’s feelings.. which is manipulation .. better to fix things
if our feelings match reality, we make better security tradeoffs
If data is a toxic asset, why are we so desperate to collect more of it? Wisdom from Bruce Schneier: cnn.com/2016/03/01/opi…
We can be smarter than this. We need to regulate what corporations can do with our data at every stage: collection, storage, use, resale and disposal. We can make corporate executives personally liable so they know there’s a downside to taking chances. We can make the business models that involve massively surveilling people the less compelling ones, simply by making certain business practices illegal.
Data is a toxic asset. We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.
the data we are obsessed with.. the data we’ve been manufactured to consent to.. is toxic.. perhaps we just start thinking about.. being about.. a different sort of data.. toward ps in the open.. et al..
The more we remove humans from the loop, faster attacks can do their damage and the more we lose our ability to rely on actual smarts to notice something is wrong before it’s too late.
internet era of fun/games is over
Internet pioneer Bruce Schneier issued a dire proclamation in front of the House of Representatives’ Energy & Commerce Committee Wednesday: “It might be that the internet era of fun and games is over, because the internet is now dangerous.
As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It’s a computer that makes phone calls.
He then outlined four truths he’s learned from the world of computer security, which he said is “now everything security.”
1) ‘Attack is easier than defense’
Complexity is the worst enemy of security. …
2) ‘There are new vulnerabilities in the interconnections’
The more we connect things to each other, the more vulnerabilities in one thing affect other things. ….
3) ‘The internet empowers attackers’
Attacks scale. The internet is a massive tool for making things more efficient. That’s also true for attacking…..
4) ‘The economics don’t trickle down’
Our computers are secure for a bunch of reasons. The engineers at Google, Apple, Microsoft spent a lot of time on this. But that doesn’t happen for these cheaper devices. … These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched.
Schneier then laid out his argument for why the government should be a part of the solution, and the danger of prioritizing surveillance over security.
I think government involvement is coming, and I’d like to get ahead of it. I’d like to start thinking about what this would look like
We’re now at the point where we need to start making more ethical and political decisions about how these things work. When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things—and it’s cars and planes and medical devices and everything else—maybe we can’t do that anymore.
That’s not necessarily what Schneier wants, but he recognizes its necessity.
data bite #91
next 4 yrs going to be reactive..
1\ i think we're going to lose a lot and our goal is to lose as little as possible..
2\ if we get out of this.. need for other answers.. how to put things in place so that when time is right answers are out there..
3\ how to solve existing problems..
2111 – software eating world.. Andreessen
2116 – everything becoming hardware.. software eating but on lots of little computers
not the internet .. the iot: 1\ data that collects 2\ what to do w data 3\ actuators that affect us in our environment.. ie: point of smart thermostat is not to record temp but to change it
a distributive robot: no singular goal/focus/design.. emergent.. conflux of a lot of diff techs.. mobile/cloud/data/et al…
internet that senses.. thinks.. and acts..
not very smart.. but will get smarter as we attach to it..
so.. internet security.. becomes everything security..
c (confidentiality) i (integrity) a (availability) – i and a more important because the effects are now real-world.. changes everything..
traditionally computers/phones secure.. because 1\ big teams designing security.. 2\ able to be patched quickly when problems are found – that system starts failing when get to cheaper devices..so market failure..
security is in an arms race..
1\ on internet.. attack is easier than defense.. ie: so much complexity..
2\ most software is kind of lousy.. we want fast/cheap..ok when just crashing spreadsheet.. crap was good enough.. but now stops being good enough
3\ vulnerabilities show up in intersections.. ie: getting into people's multiple accounts; being able to guess credit card numbers..
? these are/could-be irrelevants .. no?
4\ on internet everybody has to stop best attackers.. because internet scales..
computers better at counting votes.. at driving.. but failure is then systemic.. not just random
2 basic paradigms of security a/secure well first time b/agile security..able to fix quickly… these two worlds are coming together.. and not very well
for past year.. i’ve been talking about this as a policy problem..
he sounds like mark pesce.. all knowing ish.. what if he’s wrong.. what if we’re all focusing on wrong (irrelevant to humanity/earth ness) stuff..
this is most important lesson of ed snowden: law can subvert tech.. so i actually look a lot toward reg..
i was testifying before congress.. i told them.. they’re going to need to regulate this space…
need govt structure that treats these devices as computers and not things w computers in them..
i think in next decade we’re going to see new govt agency… has to be a place to embody the expertise.. needing a govt solution..
what sorts of reg’s would be needed..? testing.. patching.. support for research.. liability regime.. et al… lack of expertise.. lack of willingness to do hard work..
i think govt will get involved regardless.. disaster will spur them into action.. our choice isn’t govt involvement vs no govt involvement.. it’s smart vs stupid govt involvement..
no matter who’s in charge.. not going away.. risks are real… if we can’t control complex systems.. we shouldn’t build them..
govt/corps are punch drunk on data.. but we have an opp here.. that all of this data is a liability..
turns out saving (all) data has costs.. and toxic.. could be changes in law and you could be compelled to turn it over..
we’re not telling people to encrypt/delete data.. data deleted can’t be turned over.. just doesn’t exist..
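Two engineering habits follow from the "data is a toxic asset" point above and from the CNN quote earlier on this page: keep only the fields an analysis actually needs, and delete on a schedule so that nothing older than the retention window exists to be breached or compelled. The block below is an added example written for this page, not Schneier's code or anything from the talk; the event layout, the field names, the 30-day window and the pepper value are all assumptions for illustration, and the events are constructed sample data.

```python
"""Added example: handling stored data as a liability (minimise, then expire).

Assumptions (not from the original page): the event layout below, the
30-day retention window, and a secret "pepper" kept outside the log store.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample input: raw events as a backend might ingest them.
RAW_EVENTS = [
    {"ts": "2016-11-01T09:00:00+00:00", "user_email": "alice@example.com",
     "ip": "203.0.113.7", "event": "login"},
    {"ts": "2016-12-10T12:30:00+00:00", "user_email": "bob@example.com",
     "ip": "198.51.100.23", "event": "password_reset"},
    {"ts": "2016-12-14T08:15:00+00:00", "user_email": "Alice@Example.com",
     "ip": "203.0.113.7", "event": "login"},
]

RETENTION = timedelta(days=30)
# Assumed to live in a secrets store, never next to the events it protects.
PEPPER = b"rotate-me-and-old-pseudonyms-become-unlinkable"


def pseudonym(identifier: str, pepper: bytes = PEPPER) -> str:
    """Keyed hash of an identifier.

    Events stay linkable to each other, but the log store alone cannot
    recover the e-mail. Destroying the pepper breaks linkability as well,
    which is the closest thing to "cannot be turned over" short of
    deleting the records themselves.
    """
    digest = hmac.new(pepper, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimize(event: dict) -> dict:
    """Keep only the fields the analysis needs.

    The raw IP and e-mail never reach storage; the user survives only as a
    pseudonym, so a later breach or subpoena yields no directly identifying data.
    """
    return {
        "ts": event["ts"],
        "event": event["event"],
        "user": pseudonym(event["user_email"]),
    }


def purge_expired(events: list, now: datetime, retention: timedelta = RETENTION) -> list:
    """Retention enforcement: drop everything older than the window.

    Deleted data cannot be compelled; this is the mechanical form of that idea.
    """
    cutoff = now - retention
    return [e for e in events if datetime.fromisoformat(e["ts"]) >= cutoff]


def ingest(raw_events: list, now: datetime) -> list:
    """Minimise on the way in, then apply retention on the way out."""
    return purge_expired([minimize(e) for e in raw_events], now)


# Fixed "current time" so the example is reproducible.
NOW = datetime(2016, 12, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for kept in ingest(RAW_EVENTS, NOW):
        print(kept)
```

With the constructed events and the fixed clock, the November login is expired and the two December events are stored with a pseudonym rather than an e-mail address. The caveat a practitioner should keep in mind: pseudonymisation with a keyed hash only protects the store, not the organisation that still holds the key; only deletion, or destruction of the key, makes the data genuinely unrecoverable.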
we need to keep laying groundwork for other ways to interact.. toward liberty and freedom..
we have big opp here..
yeah.. we can’t not miss it.. for (blank)’s sake…
Schneier Blog (@schneierblog) tweeted at 3:22 AM – 15 Dec 2016 :
My Priorities for the Next Four Years https://t.co/4TrPYaG8jQ (http://twitter.com/schneierblog/status/809342891894001664?s=17)
1\ fight the fights
2\ prep for the fights
3\ lay groundwork for better future
4\ continue to solve actual problems
that’s what 7 bn free people/art ists could/would do.. ongoingly.. energy\ness
Let’s use Trump’s victory as the wake-up call and opportunity that it is.
Trust is a norm, because most of us are trustworthy. That is a rational way to approach the world —Bruce Schneier #COALANairobi #blockchain
Original Tweet: https://twitter.com/yaoeo/status/809653478910005248
#Blockchain is a distributed time-stamping service, and should probably only be used as such—Bruce Schneier #COALANairobi @schneierblog
Original Tweet: https://twitter.com/yaoeo/status/809649214909280256
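The tweet above reduces a blockchain to a distributed time-stamping service. As an added illustration of that narrow reading, written for this page and not taken from the tweet or from any real chain, the block below shows the minimum that makes time-stamping work: each block commits to a batch of document hashes and to the hash of the previous block, so a document's hash in block N proves it existed no later than block N was appended, and rewriting an earlier block breaks every later one. The batch contents, block layout and genesis value are assumptions for illustration.

```python
"""Added example: a hash chain as a bare time-stamping service.

Assumptions (not from the original page): the block layout, a 64-zero
genesis hash, and the constructed documents below. Distribution (many
parties holding copies) is what makes the ordering hard to rewrite in
practice; this example only shows the commitment structure.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    doc_hashes: tuple  # the chain stores hashes, never the documents


def block_hash(block: Block) -> str:
    """Canonical hash over index, previous hash and the committed document hashes."""
    payload = json.dumps(
        [block.index, block.prev_hash, list(block.doc_hashes)],
        separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(batches: list) -> list:
    """Append one block per batch; each block links to the hash of the previous."""
    chain, prev = [], GENESIS
    for i, batch in enumerate(batches):
        block = Block(i, prev, tuple(hashlib.sha256(d).hexdigest() for d in batch))
        chain.append(block)
        prev = block_hash(block)
    return chain


def verify_chain(chain: list) -> bool:
    """Every block must carry the correct index and the hash of its predecessor."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block.index != i or block.prev_hash != prev:
            return False
        prev = block_hash(block)
    return True


def prove_existence(chain: list, document: bytes):
    """Index of the first block committing to this document, or None.

    The proof is ordering, not wall-clock time: the document existed before
    every block after that index was appended.
    """
    h = hashlib.sha256(document).hexdigest()
    for block in chain:
        if h in block.doc_hashes:
            return block.index
    return None


# Constructed sample input: three batches of "documents" submitted over time.
BATCHES = [
    [b"contract v1", b"design note"],
    [b"contract v2"],
    [b"audit report", b"meeting minutes"],
]


def tampered(chain: list) -> list:
    """Rewrite block 0 to commit to a different document; later blocks still
    carry the old hash, so verification fails."""
    forged = Block(0, GENESIS, (hashlib.sha256(b"contract v1 (backdated)").hexdigest(),))
    return [forged] + chain[1:]


if __name__ == "__main__":
    chain = build_chain(BATCHES)
    print("valid:", verify_chain(chain))
    print("contract v2 committed in block:", prove_existence(chain, b"contract v2"))
    print("after rewriting block 0, valid:", verify_chain(tampered(chain)))
```

The check that matters is the last one: a forged earlier block is caught only because later blocks exist and are held by someone else. That is the whole of the "time-stamping" claim, and it is also why the tweet's "probably only" is the practitioner's caveat: the structure gives ordering and tamper-evidence, nothing more.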