Security Encryption Facebook Google Government Privacy

Schneier: Everyone Wants You To Have Security, But Not From Them 114

An anonymous reader writes: Bruce Schneier has written another insightful piece about how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys. Schneier says, "... we give lots of companies access to our data because it makes our lives easier. ... The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices. ... We want our data to be secure, but we want someone to be able to recover it all when we forget our password. We'll never solve these security problems as long as we're our own worst enemy."
This discussion has been archived. No new comments can be posted.

  • He's being polite. (Score:5, Insightful)

    by some old guy ( 674482 ) on Thursday February 26, 2015 @01:35PM (#49139247)

    What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

    • by Anonymous Coward

      ...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise. Superstitions about the way things work are absolutely rampant.

      • by Anon-Admin ( 443764 ) on Thursday February 26, 2015 @02:12PM (#49139663) Journal

        No they are not Techies they are "Power Users"

        They think they are technical because they can navigate a GUI, click on a button, and fill in a field. However they have no clue where the data is stored or what is going on under the GUI.

        Hmm, that describes most windows admins. Wonder what they will do when windows goes command line and the GUI is no longer installed by default?

        • I got a call from a new admin today having trouble with some large files after he transferred them over a network and so I asked him how he verified the files weren't corrupted like fciv... Is that in the command line??? yes.

        • by hitmark ( 640295 )

          And the industry wants it that way.

          More and more products have a "user" mode, and (maybe) a "developer" mode.

          the user mode will be locked down so tight that moving files around is virtually impossible without bouncing them off some cloud service.

          the developer mode is wide open, but they will refuse you access to any kind of for pay service because you may be a pirate...

      • by SeaFox ( 739806 )

        ...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise.

        Worse is some of them are selling their services as a "techie" to normal people.

        I talked to an auto parts store a couple weeks back replacing a POS PC and it couldn't get online, but the other machine in the store could, and they were calling us (the ISP) about the issue. They were both hardwired to a router (that was not supplied by us) and the store's third-party tech who installed the computer was there. He didn't know how to check an IP address and hadn't even looked at the router itself. He'd just conn

        • Yeah, I was a field tech for a number of years and would often have to clean up the mess left by other "techs".
           
          It would always make me wonder how these people got employed in the first place....
           
          ...Until I learned about technical recruiters... then it all made sense.

    • I agree.
      For the most part this is an article written to people who don't read these articles and being read by people who don't need to read it.

      The average knuckle dragging simian could not care less about any of this. They are just cattle chewing their consumer cud and waiting to be milked as per usual.

      For the rest I bet that while most are on the "privacy bandwagon" very few of them take all the steps required to ensure their privacy. To me this does not mean that the system is wrong, just that people don'
    • Did you read it? (Score:5, Insightful)

      by danaris ( 525051 ) <danaris@m a c .com> on Thursday February 26, 2015 @02:13PM (#49139675) Homepage

      That's not what he said at all. I mean, I'm not disagreeing with you substantially, but that's completely separate from the actual point of the piece.

      It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.

      More importantly, that's even true of those who actually want to help keep our data secure from others—even our governments.

      The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone—and that there are so many, even those that theoretically should be trying to do so, working directly against that end—is definitely something we need to be concerned about, far beyond simply bemoaning the stupidity of all the "lusers" who will happily give away their data for free because they just don't know any better.

      Dan Aris

      • by SuperKendall ( 25149 ) on Thursday February 26, 2015 @02:32PM (#49139983)

        The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

        Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

        It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

        The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

        • by danaris ( 525051 ) <danaris@m a c .com> on Thursday February 26, 2015 @03:10PM (#49140505) Homepage

          The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone

          Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

          It's not exactly true of all data, but Apple tries to give you specific control of data where it can.

          The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from your data, so they have totally different motivations.

          This is true—I tend not to think of Apple as "an entity working to keep our data safe," since I primarily think of them as a hardware/OS vendor. But yes, any data Apple does happen to hold of yours is as safe as they can make it from those who want to monetize it—and they don't care to do so themselves.

          Dan Aris

        • Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.

          Do we really know that for sure?

        • "Apple doesn't mine it"

          Yeah, ok. Show me where/how you can guarantee that any more than anyone else who already has your data? Apple in this case *already has your data* without HealthKit. Apple is identical to google and facebook and every tech company that collects user data in this regards.

      • by mlts ( 1038732 )

        Devil's advocate here:

        What about DISA/NIST and their publications/guidelines? This is paid for by the taxpayers, and can be very useful, even though the info might be obvious in some places [1]. They have decent checklist guides on recent operating systems under their national vulnerability database.

        It is nice to be able to fetch info, even if one doesn't have to worry about stuff like FISMA and SCAP, just to have a decent baseline of security.

        [1]: Things like using group policies, not allowing multiple

      • It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.

        The need to outsource (transfer responsibility) is fast becoming the "techno Nuremberg defence". tl:dr is just a symptom of the blame disease.

        If you can't take responsibility for the risks of your actions, or fail to understand and measure them - then you have no right to demand it of others. Especially if you're unable to see the irony of calling for a "major entity" to "keep our data safe" (sigh).

        Summary (for the Too Lazy:Dumb and Recalcitrant): if you won't do it (security) yourself for any reason, you

        • Summary (for the TDumb and Recalcitrant): if you won't do

          Post too long; didn't read

          • Summary (for the Too Dumb and Recalcitrant): if you won't do

            Post too long; didn't read

            (APK is that you? Damn, I must update muh hosts file) Sore lips or sore head? Try lube for the former, a grease gun for the latter

            Satire, sarcasm, and irony. The Holy Trinity

            My personal mission is make everyone equal - I've got the chainsaw and the club of knowledge, it's finding the time that's proving difficult.
            I figured the first place to start was with myself - so I cut off half a leg and the top part of my head (equalised my height and IQ). The bad news is it hurt, I lost a lot of blood, and wind far

    • Users aren't supposed to need to be technically literate, any more than automobile drivers should need to be mechanics or engineers or machinists or metallurgists. A lot of us get paid *specifically* to make this stuff simple enough for a child to use. The problem is that we've been so successful that the common user is not just passively clueless, but actively self-harming - just like the automobile industry making the *average* car equal to an old sports car without anyone suggesting that drivers should
    • What he means to say is what most of us have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.

      Note that there is a difference between "stupid" and "ignorant".

      Note that being "technically illiterate" puts you into the "ignorant" category, but that claiming that "technically illiterate" is the same as "idiot" puts you well into the "stupid" category.

      Now, arguably you can claim that the vast majority of users

    • by hitmark ( 640295 )

      Well it hasn't helped that we have had a generation or two of marketing saying that you don't need to know anything to operate a computer.

      Computers may well be the most complex things humanity has constructed, yet the claim is that the interfaces can be refined so much that an infant can operate them unassisted.

      Sorry, but we can't have it both ways...

  • The idea of 100% security just doesn't happen... However there are things that everyone can do that will reduce their risk.
    Biometrics is one method, it isn't 100% but it is better than password use on the average. We have Encryption Standards, we just need to find a way to get the Official Certificate issue, so it can be free, and really prove who you are.
    There seem from some reason to not push SSH on windows platform, so we are having the many unsecure port issues still...
    Sure it isn't 100% but I think w

    • by AK Marc ( 707885 )
      100% doesn't exist. Better security than a more attractive target is all you need. And sadly, that's a pretty low target.
    • by Coolfish ( 69926 )

      > We have Encryption Standards, we just need to find a way to get the Official Certificate issue, so it can be free, and really prove who you are.

      There's a way to do that. I think. See my other post in this thread.
      http://it.slashdot.org/comment... [slashdot.org]

    • Biometrics have problems. The "password" is based on something I can lose (yeah, it's attached to me, but accidents happen, and I don't know how a fingerprint reader's going to react to a bad cut). (Without loss of generality, I'm going to assume fingerprints.) If used remotely, it's data going over a connection and can't be tested to see if it's a live finger. That makes it copyable, and I've only got ten fingerprints. If all of those are compromised, I can't grow another finger to get fresh fingerpr

  • by invictusvoyd ( 3546069 ) on Thursday February 26, 2015 @01:42PM (#49139343)
    Have control over all the encryption algos of this world? It's hard to believe that all these smart people will let them get away with this .. having said all that .. The president, the director of the NSA and all the pezzenovantes don't make this stuff .. This stuff is made by you and me ..
    • This tech is your tech
      This tech is my tech
      From the lowly Bitcoin
      To SSL/TLS
      From the AES cipher
      To S/MIME and GPG
      This tech was made by you and me.

  • We'll never solve these security problems as long as we're our own worst enemy.

    We'll never solve these security problems.
    FTFY

    Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.

    • by Jawnn ( 445279 )

      We'll never solve these security problems as long as we're our own worst enemy.

      We'll never solve these security problems. FTFY

      Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.

      Sorry, Barbara, but that's a useless oversimplification of the issues here. There are things that a person or an organization can do to make things more secure and/or more private (the two are not really the same thing). Technical ignorance is certainly a reason that many take your view and just throw up their hands, but the fact is that there are solutions for those willing to expend the effort to understand what's going on.

      • No solution yet has withstood the test of time. Enigma fell. DVD encryption was broken. Various pay tv's "unbreakable" nagra encryption was broken. Various password hashing techniques have been broken. Various implementations of RSA have been broken, and RSA-1024 is probably breakable now by the NSA. What the NSA can do today, you'll be doing on your home computer in 20 years.

        And then there are the leaks, the bad choices of implementations, random number generators that are not so random after all, social

        • No one of any credibility has ever claimed that anything can be made 100% secure. However, the bar for cracking today's state-of-the-art encryption schemes is significantly higher than older standards. Not just a little higher, but exponentially higher. At the moment, it would take a modern PC until far past the heat death of the universe to crack a modern 4096-bit encoded certificate. That means that unless a fundamental weakness is found or we invent quantum computers, no one will brute force that key

  • Everyone wants everyone else to follow rules, but not themselves.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      A great thought, that--especially when set to some fine blues:
      Everybody wants to hear the truth
      But yet, everybody wants to tell a lie
      I say everybody wants to hear the truth
      But still they all want to tell a lie
      Oh everybody wants to go to heaven
      But nobody wants to die

  • I think there are more shades of grey than 50, here.
    The phrase "I want my data to be secure" makes no sense. There's no such thing as "secure data". One can't even define "secure data". Data can only be considered secure within context, e.g. my pictures stored on SpiderOak are secure... as long as someone doesn't beat the username and password out of me with a $5 wrench. My Facebook data isn't secure by definition, anyone could save those pictures or that text. And yes, each company wants their piece of the

    • We're not our worst enemy. We are how we are and it's impossible to change it. Try explaining to your mom that she needs to enter an overly complicated password and then receive a code through SMS and then type that code manually in a little text box every time she wants to look at each of her grandkid's pictures. Won't work. And it's not because your mom is lazy, but because the perceived need for security for such data is very low.

      I don't agree with this. it *IS* possible to change. The internet userbase ha

      • Nope. "We" didn't use it. A few select people used it.
        That's a big difference.

        Yes, a company can keep the servers to themselves, and thus give up other advantages. Again, balancing one with the other is held true.

  • We want strong security, but we also want companies to have access to our computers, smart devices, and data

    No, we don't actually want them to have that access, they don't give us a choice if we want their services. We can solve these by teaching people that you don't need to put your data online and then voting with our wallets by buying software that doesn't force us to do so.

    We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices

    No, we don't. We want it to not be so ridiculously difficult to do so, but companies have determined that they can use this to their advantage and get us to give them our data to make it easier. Android's SD card behavior is so absolute

    • Re: (Score:2, Insightful)

      The professional paranoia peddlers don't like reality very much. It cuts into their schtick.

      A generation ago, there was this thing called a phone book - it had everyone's name, address, and phone number - and nobody went nuts about "OMG they have my address!" You could go to the public library and use the Lovell's "upside-down phone book" to look up any address and get the names and phone numbers of the people living there. And it would also tell what economic quintile that area fell into. Again, no bi

      • by PPH ( 736903 )

        A generation ago,

        There was a high barrier to this sort of public information being used. If you wanted to use the libraries' reverse directory, you had to actually go there. Now, with this sort of data on-line, marketers can slice and dice it any way they want for little more than the cost of processing power. But so can the 'bad guys'.

        • Not really that much different. Many companies bought annual subscriptions to Lovell's upside down phone books. The poll lists were public - just go and pick them up at the central polling office. And normal phone books were dropped off at the door yearly. Ditto with yellow pages for lists of business.
          • by Sean ( 422 )

            That's true, but there was no book at the library that listed which articles in the newspaper we decided to read and which ones we decided to skip. The post office didn't make copies of all our letters and the phone company didn't record all our calls. When we used a map to find directions, none of this information used to be recorded. When we had our photographs developed, we could be quite sure the photo lab wasn't making copies of all of them.

            Records of our financial transactions were much more limited

      • I'm going to make a guess that you really don't mean it about everything being public. I could be wrong, but I'd bet you have some sort of bank account or bitcoin wallet or something, and, while you might be perfectly comfortable with us knowing everything about how you use it, you really don't want to share the access codes so we can drain your accounts and wallet and whatever.

        Not everybody is in a position where they can afford full disclosure. I'm pretty open about things, but there are a few things

    • This isn't like a door lock where its possible to overcome them and we can't stop them from being overcome, so we take advantage of locksmiths when we screw up. Locks can not be 100% secure, encrypted data can be effectively 100% secure and thats a different environment.

      While I agree with most of your points there is no such thing as 100% secure data; some is only harder to get than others. It only takes the right approach to get it.

    • When Schneier says "we", I understood that to mean he's talking about the vast majority of the public, not security or privacy-conscious people - who, let's face it, are almost certainly a minority. It feels like you're reading those statements as *advocating* those positions, when instead I think he's just describing the reality of the current situation.

  • by slashmydots ( 2189826 ) on Thursday February 26, 2015 @02:01PM (#49139543)
    My 14 year and still running policy of giving fake names, fake e-mails, fake phone numbers etc and no personally identifiable data other than my IP address to most online companies is working great. They ask me for data I don't want them to have and they get useless bullshit. Problem solved.
    • by nobuddy ( 952985 )

      Same. Mr Homer J. Simpson of 742 Evergreen Terrace has a lot of internet accounts. That Ned Flanders that lives next door has a lot of porn accounts.

      • You should look how many Rusty Shacklefords there are on Facebook. Get it? Dale from King of the Hill used it when he didn't want to give the government or a company his real name for privacy reasons?
    • Although when doing things like this you may end up with Facebook believing that you are a gay Jew looking for a Jamaican lover to join you in Yellowknife, Canada. So to that end I believe I have sufficiently poisoned that well.
    • I just had to update my information with my employer's insurance broker. Among the info they needed was name, address, SSN, and mother's maiden name. Assuming you have health insurance, your info is out there.
    • by AK Marc ( 707885 )
      And I've always used my real name and information and never had a problem.
    • The added bonus is that you can very easily add the relevant information to your spam filter. Provided, of course, that you use a different pseudonym for different occasions.

    • And the online companies in question probably have deanonymized all those accounts and know exactly who is really behind them

      Example: How hard is it to 'de-anonymize' cellphone data? [mit.edu]

      Researchers at MIT and the Université Catholique de Louvain, in Belgium, analyzed data on 1.5 million cellphone users in a small European country over a span of 15 months and found that just four points of reference, with fairly low spatial and temporal resolution, was enough to uniquely identify 95 percent of them.

  • I don't want companies and apps having any of my information. They want it, and in exchange for using their services I have to hand it over for them to lose. Yet somehow they aren't responsible for that loss. Then all the someone else stuff is really you want an ecosystem that works on your computer or phone, true I do want it to work together, but I don't want them knowing anything about my pics or texts or whatever. The last part is ridiculous. The only, only, only reason I need to be able to do a pass
  • by mrflash818 ( 226638 ) on Thursday February 26, 2015 @02:37PM (#49140073) Homepage Journal

    partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you

    ...Open Source software, FTW!

    • partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you

      ...Open Source software, FTW!

      You mean like the OpenSSL Heartbleed bug? Or the bash ShellShock bug?

  • by SeaFox ( 739806 ) on Thursday February 26, 2015 @02:47PM (#49140211)

    Security is inversely proportional to convenience.

  • This, like so many articles, and commenters, there is a lot of confusion about the terms security, privacy, and secrecy, equating them as being the same thing. One thing they have in common is that they're each inversely proportional to convenience and violating one compounds the breach of the others.
  • The Internet has turned out to be an ugly, hostile den-of-thieves. It isn't going to get better because the thieves own it. Maybe we should abandon http and the World Wide Web and build something with inherent security and anonymity.
  • by Anonymous Coward

    Google and Facebook want *your* data to be safe — on their servers so they can analyze it.

    No

    They want their data to be safe on their servers so they can analyze their data as they see fit. Private property: essential to liberty and freedom.

  • Why haven't we fully embraced security, as consumers? Even as business, we do a lousy job of it. It's because we don't get anything out of it. Immediately. It isn't immediately useful. Yes, it's great if someone hacks your servers, or if you know someone is trying to steal your identity, then you think about it. But other than that, security just makes you WORK rather than give you something. That's why it hasn't been embraced.

    Here's how I think that can change. We need to build a service that anyone, and e

  • But this one is one of the "gee, really, you don't say?" kind.

    OF COURSE everyone wants to be the only one who has access to something. Monopolies are something really awesome, and only cool if they are, well, monopolies.

    Data is worthless if everyone has it, only if you have the exclusive ability to use it it becomes valuable. In our world, the value of something is determined by its scarcity. Data is now something that can, by its very nature, be reproduced with near zero cost in infinite amounts. It only b

    • by Coolfish ( 69926 )

      Hm, I think data doesn't have to be worthless if everyone has it, it has worth to those who take the time to do something with that data. For everyone else, it's worthless. EG if the inner details of a business's day to days was public and accessible to all - you might not care, particularly if the business isn't near by, but a competitor would definitely be interested, or regulators looking for fraud, etc. I get what you're saying, and I'm not trying to be pedantic, but the value doesn't automatically decr

  • In the following example:
    "Mother" is the Chief of Staff
    "Uncle James" is the head of state,
    "Maisie's house" is the UN building
    "Fishing" is 'discussing nuclear limitations'
    "Peeling Plums" is 'advising of invasion plans for country xxx'

    Message starts: "Mother and Uncle James are on their way to Maisie's house to peel some plums. After that they hope to go fishing, then see a movie. Have a lovely weekend. Cousin Sam"

    Message is indecipherable without a code book.
  • The sad fact is that most companies aren't even implementing basic controls that everyone knew were important 10 years ago. If you look at a lot of the high profile breaches, they're due to fundamental stuff, not a lack of super high end ultra-expensive security appliances. It's something consumers reasonably expect companies to be doing, but they aren't doing.

    I believe it is possible to have companies manage things and have good security. You could accomplish this by having individual consumers take more

  • It's not that typical users don't understand how anything works and aren't willing to find out (though that annoys many of us). It's that they're busy salivating over the latest hyped product ("can't wait for 6!") instead of demanding decent security and demanding that things be done right. When did parents stop teaching their kids to not take candy from a stranger? Everyone's eating apples with razor blades and only complaining when they nearly bleed to death.
  • We need to remember that most of us would not know how to create a financial derivative wrapping up bad mortgages into a pretty package and then selling them to banks who then get the government to cover the losses at the high end leaving the luzr$ holding underwater assets that they have to just give up. $12T worth of equity vanishing in the process. Yet these are the guys who pay us the best. The "techs" who lurk at the fringe, and who do not really know a packet from a pickle should be treated like physi
