Schneier: Everyone Wants You To Have Security, But Not From Them 114
An anonymous reader writes: Bruce Schneier has written another insightful piece about the how modern tech companies treat security. He points out that most organizations will tell you to secure your data while at the same time asking to be exempt from that security. Google and Facebook want your data to be safe — on their servers so they can analyze it. The government wants you to encrypt your communications — as long as they have the keys. Schneier says, "... we give lots of companies access to our data because it makes our lives easier. ... The reason the Internet is a worldwide mass-market phenomenon is that all the technological details are hidden from view. Someone else is taking care of it. We want strong security, but we also want companies to have access to our computers, smart devices, and data. We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices. ... We want our data to be secure, but we want someone to be able to recover it all when we forget our password. We'll never solve these security problems as long as we're our own worst enemy.
He's being polite. (Score:5, Insightful)
What he means to say is what most of have known in our darkest heart of hearts since the first help ticket: The vast majority of users are technically illiterate idiots, and you can't fix stupid.
Re: (Score:1)
...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise. Superstitions about the way things work are absolutely rampant.
Re:He's being polite. (Score:4, Insightful)
No they are not Techies they are "Power Users"
They think they are technical because the can navigate a gui, click on a button, and fill in a field. However they have no clue where the data is stored or what is going on under the GUI.
Hmm, that describes most windows admins. Wonder what they will do when windows goes command line and the GUI is no longer installed by default?
Re: (Score:1)
In 2012 and 2012 R2, the default is a Server Core install. Yes, you can get the UI back as this is part of the SConfig utility, but if you are using SCCM for managing machines and one isn't on the console (for example, it is a server that doesn't need any UI access like AD), then might as well just leave it in Server Core mode, just because less stuff will be running.
The Windows admin role has changed... in a medium to large IT shop, you are generally using PowerShell and other management tools, as opposed
Re:He's being polite. (Score:4, Funny)
I originally posted that tongue in cheek. The company I'm at, as well as many I know of, is running some 2003 and most are 2008. They are starting to move to 2012 and the windows admins are having a fit because there is no GUI and they can't just RDP into the system.
This has lead to "Your the Unix guy, you know command line stuff. Why don't you take over running these windows servers? They're just like Linux."
lol
Re: (Score:2)
Re: (Score:2)
I got a call from a new admin today having trouble with some large files after he transfered them over a network and so I asked him how he verified the files weren't corrupted like fciv... Is that in the command line??? yes.
Re: (Score:2)
And the industry wants it that way.
More and more products have a "user" mode, and (maybe) a "developer" mode.
the user mode will be locked down to tight that moving files around is virtually impossible without bouncing them off some cloud service.
the developer mode is wide open, but they will refuse you access to any kind of for pay service because you may be a pirate...
Re: (Score:2)
...and the number of people who identify as techies and still have no clue whatsoever about technical things is on the rise.
Worse is some of them are selling their services as a "techie" to normal people.
I talked to an auto parts store a couple weeks back replacing a POS PC and it couldn't get online, but the other machine in the store could, and they were calling us (the ISP) about the issue. They were both hardwired to a router (that was not supplied by us) and the store's third-party tech who installed the computer was there. He didn't know how to check an IP address and hadn't even looked at the router itself. He'd just conn
Re: (Score:2)
Yeah, I was a field tech for a number of years and would often have to clean up the mess left by other "techs".
It would always make me wonder how these people got employed in the first place....
...Until I learned about technical recruiters... then it all made sense.
Re: (Score:2)
For the most part this is an article written to people who don't read these articles and being read by people who don't need to read it.
The average knuckle dragging simian could not care less about any of this. They are just cattle chewing their consumer cud and waiting to be milked as per usual.
For the rest I bet that while most are on the "privacy bandwagon" very few of them take all the steps required to ensure their privacy.To me this does not mean that the system is wrong, just that people don'
Did you read it? (Score:5, Insightful)
That's not what he said at all. I mean, I'm not disagreeing with you substantially, but that's completely separate from the actual point of the piece.
It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.
More importantly, that's even true of those who actually want to help keep our data secure from others—even our governments.
The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone—and that there are so many, even those that theoretically should be trying to do so, working directly against that end—is definitely something we need to be concerned about, far beyond simply bemoaning the stupidity of all the "lusers" who will happily give away their data for free because they just don't know any better.
Dan Aris
There is one major entity - Apple (Score:5, Insightful)
The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone
Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.
It's not exactly true of all data, but Apple tries to give you specific control of data where it can.
The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from you data, so they have totally different motivations.
Re:There is one major entity - Apple (Score:4, Insightful)
The fact that there is really no major entity working to keep our data safe for ourselves and ourselves alone
Apple does this. Look at HealthKit for example, all data is stored locally, Apple doesn't mine it. They allow you to control who has what access to specific parts of the data.
It's not exactly true of all data, but Apple tries to give you specific control of data where it can.
The reason why Apple does this and other companies do not is simple - Apple actually makes money selling hardware. Google and Facebook have no revenue except what they can extract from you data, so they have totally different motivations.
This is true—I tend not to think of Apple as "an entity working to keep our data safe," since I primarily think of them as a hardware/OS vendor. But yes, any data Apple does happen to hold of yours is as safe as they can make it from those who want to monetize it—and they don't care to do so themselves.
Dan Aris
Re: (Score:1)
Do we really know that for sure?
Re: (Score:1)
"Apple doesn't mine it"
Yeah, ok. Show me where/how you can guarantee that any more than anyone else who already has your data? Apple in this case *already has your data* without HealthKit. Apple is identical to google and facebook and every tech company that collects user data in this regards.
Re:There is one major entity - Apple. Not. (Score:2)
Re: (Score:2)
And Siri only does offline voice recognition and never send sound clips to the Apple for data mining?
"It's not exactly true of all data"
I said that explicitly thinking of Siri. They absolutely send that raw voice data to Siri but in theory the server could only be doing processing, to convert the speech to text and then return you a result.
The question is what is remember from that transaction. Do they use that data to improve further conversions? I would image so. But what I DON'T think Apple does is
Re: (Score:3)
Devil's advocate here:
What about DISA/NIST and their publications/guidelines? This is paid for by the taxpayers, and can be very useful, even though the info might be obvious in some places [1]. They have decent checklist guides on recent operating systems under their national vulnerability database.
It is nice to be able to fetch info, even if one doesn't have to worry about stuff like FISMA and SCAP, just to have a decent baseline of security.
[1]: Things like using group policies, not allowing multiple
Re: (Score:2)
The same NIST that pushed the adoption of Dual_EC_DRBG [nist.gov] even when it was evident that it was flawed? I mean, even the organizations that nobody trusts, like the NSA, publish helpful guides and information [nsa.gov].
Re: (Score:2)
It's all about the fact that, in order to do many or most of the things we want to do today, we have no choice but to give someone access to our data—but that almost everyone we could give that access to wants to (ab)use it to make money.
The need to outsource (transfer responsibility) is fast becoming the "techno Nuremburg defence". tl:dr is just a symptom of the blame disease.
If you can't take responsibility for the risks of your actions, or fail to understand and measure them - then you have no right to demand it of others. Especially if you're unable to see the irony of calling for a "major entity" to "keep our data safe" (sigh).
Summary (for the Too Lazy:Dumb and Recalcitrant): if you won't do it (security) yourself for any reason, you
Re: Did you read it? (Score:2)
Summary (for the TDumb and Recalcitrant): if you won't do
Post too long;didnt read
Re: (Score:2)
Summary (for the Too Dumb and Recalcitrant): if you won't do
Post too long;didnt read
(APK is that you? Damn, I must update muh hosts file) Sore lips or sore head? Try lube for the former, a grease gun for the later
Satire, sarcasm, and irony. The Holy Trinity
My personal mission is make everyone equal - I've got the chainsaw and the club of knowledge, it's finding the time that's proving difficult.
I figured the first place to start was with myself - so I cut off half a leg and the top part of my head (equalised my height and IQ). The bad news is it hurt, I lost a lot of blood, and wind far
Re: (Score:2)
Re: (Score:3)
Note that there is a difference between "stupid" and "ignorant".
Note that being "technically illiterate" puts you into the "ignorant" category, but that claiming that "technically illiterate" is the same as "idiot" puts you well into the "stupid" category.
Now, arguably you can claim that the vast majority of users
Re: (Score:2)
Note that there is a difference between "stupid" and "ignorant".
One has it's charms.
Re: (Score:2)
Well it hasn't helped that we have had a generation or two of marketing saying that you don't need to know anything to operate a computer.
Computers may well be the most complex things humanity has constructed, yet the claim is that the interfaces can be refined so much that a infant can operate them unassisted.
Sorry, but we can't have it both ways...
Good Points. (Score:2)
The idea of 100% security just doesn't happen... However they are things that everyone can do that will reduce their risk.
Biometrics is one method, it isn't 100% but it is better than password use on the average. We have Encryption Standards, we just need to find a way to get the Official Certificate issue, so it can be free, and really prove who you are.
There seem from some reason to not push SSH on windows platform, so we are having the many unsecure port issues still...
Sure it isn't 100% but I think w
Re: (Score:1)
But be aware, your Mac logs virtually everything, and what the OS isn't logging, the Spotlight search feature is. Spotlight already sends a lot back up to the mothership. And if you call Apple for assistance and they ask you to use their system information and troubleshooting tool, it scoops up ALL the logs and ALL Spotlight metadata and sends them home. So they have information on what's in you machine's latest memory dump, every application that's installed, and quite possibly a lot of what applications m
Re: (Score:2)
This IS really annoying by Apple, even if you believe nobody (or nothing) actually looks at the data. Spotlight is always wanting to send this or that out and I've spent a lot of time moderating it's bad behavior using Little Snitch.
Apple *really* should mellow out and at least shut down the conduit. Even if you opt out of web searching with Spotlight, it STILL sends stuff back to Apple.
Re: (Score:2)
Re: (Score:2)
> We have Encryption Standards, we just need to find a way to get the Official Certificate issue, so it can be free, and really prove who you are.
There's a way to do that. I think. See my other post in this thread.
http://it.slashdot.org/comment... [slashdot.org]
Re: (Score:2)
Biometrics have problems. The "password" is based on something I can lose (yeah, it's attached to me, but accidents happen, and I don't know how a fingerprint reader's going to react to a bad cut). (Without loss of generality, I'm going to assume fingerprints.) If used remotely, it's data going over a connection and can't be tested to see if it's a live finger. That makes it copyable, and I've only got ten fingerprints. If all of those are compromised, I can't grow another finger to get fresh fingerpr
Do they (Score:3)
Re: (Score:2)
Yeah but they have enough manpower to try to figure out every possible type of encryption scheme.
Huh? Everyone has access to open source encryption algorithms. That is a strength, not a weakness. Strong encryption algorithms rely on the fact that everyone has equal knowledge of the algorithm employed. It is the encryption key that is secret, not the algorithm.
That's the beauty of it. Evey mathemetician the world over can know what the problem is, but they cannot solve it in any reasonable time frame without the key. That's the whole point.
Time to sing along! (Score:1)
This tech is your tech
This tech is my tech
From the lowly Bitcoin
To SSL/TLS
From the AES cipher
To S/MIME and GPG
This tech was made by you and me.
Re: (Score:2)
To SSL/TLS
That line is tough to sing.
Welcome to reality (Score:2)
We'll never solve these security problems as long as we're our own worst enemy.
We'll never solve these security problems.
FTFY
Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.
Re: (Score:2)
We'll never solve these security problems as long as we're our own worst enemy.
We'll never solve these security problems. FTFY
Welcome to the real world, where the only way for three people to keep a secret is if two of them are dead. And even that's not a 100% guarantee. Not much has changed over the centuries.
Sorry, Barbara, but that's a useless oversimplification of the issues here. There are things that a person or an organization can do the make things more secure and/or more private (the two are not really the same thing). Technical ignorance is certainly a reason that many take your view and just throw up their hands, but the fact is that there are solutions for those willing to expend the effort to understand what's going on.
Re: (Score:2)
No solution yet has withstood the test of time. Enigma fell. DVD encryption was broken. Various pay tv's "unbreakable" nagra encryption was broken. Various password hashing techniques have been broken. Various implementations of RSA have been broken, and RSA-1024 is probably breakable now by the NSA. What the NSA can do today, you'll be doing on your home computer in 20 years.
And then there are the leaks, the bad choices of implementations, random number generators that are not so random after all, social
Re: (Score:2)
No one of any credibility has ever claimed that anything can be made 100% secure. However, the bar for cracking today's state-of-the-art encryption schemes is significantly higher than older standards. Not just a little higher, but exponentially higher. At the moment, it would take a modern PC until far past the heat death of the universe to crack a modern 4096-bit encoded certificate. That means that unless a fundamental weakness is found or we invent quantum computers, no one will brute force that key
Like People and Rules (Score:2)
Re: (Score:2)
I beg to differ. I moved from sysadmin to security because this is where the growth is, and doubled my salary. I get headhunters and poachers several times a week trying to lure me away with wheelbarrows full of money. Companies are finally starting to realize they need to take security seriously.
Re: (Score:2)
I beg to differ. I moved from sysadmin to security because this is where the growth is, and doubled my salary. I get headhunters and poachers several times a week trying to lure me away with wheelbarrows full of money. Companies are finally starting to realize they need to take security seriously.
Out of curiosity, what kind of money are you seeing people make for what you do?
Re: (Score:2)
Re: (Score:3)
This is a good thing. In the past, a company would get breached, and it would have a minimal impact after paying for a PR campaign, definitely forgotten after six months.
However, the Sony hack with E-mails leaked which got celebs mad and data destroyed is different. Before that, a company got hacked... but their data was still there, so a lot of managers just brushed it off. However, if an intrusion means that the entire company is unable to do business and likely will fail in days to weeks [1], security
Re: (Score:3, Interesting)
A great thought, that--especially when set to some fine blues:
Everybody wants to hear the truth
But yet, everybody wants to tell a lie
I say everybody wants to hear the truth
But still they all want to tell a lie
Oh everybody wants to go to heaven
But nobody wants to die
But-but-but (Score:2)
I think there are more shades of grey than 50, here.
The phrase "I want my data to be secure" makes no sense. There's no such thing as "secure data". One can't even define "secure data". Data can only be considered secure within context, e.g. my pictures stored on SpiderOak are secure... as long as someone doesn't beat the username and password out of me with a $5 wrench. My Facebook data isn't secure by definition, anyone could save those pictures or that text. And yes, each company wants their piece of the
What? (Score:3)
I don't agree with this. it *IS* possible to change. The internet userbase ha
Re: (Score:2)
Nope. "We" didn't use it. A few select people used it.
That's a big difference.
Yes, a company can keep the servers to themselves, and thus give up other advantages. Again, balancin one with the other is held true.
Schneier's opinion isn't what it once was (Score:2, Interesting)
We want strong security, but we also want companies to have access to our computers, smart devices, and data
No, we don't actually want them to have that access, they don't give us a choice if we want their services. We can solve these by teaching people that you don't need to put your data online and then voting with our wallets by buying software that doesn't force us to do so.
We want someone else to manage our computers and smart phones, organize our e-mail and photos, and help us move data between our various devices
No, we don't. We want it to not be so ridiculously difficult to do so, but companies have determined that they can use this to their advantage and get us to give them our data to make it easier. Android's SD card behavior is so absolute
Re: (Score:2, Insightful)
The professional paranoia peddlers don't like reality very much. It cuts into their schtick.
A generation ago, there was this thing called a phone book - it had everyone's name, address, and phone number - and nobody went nuts about "OMG they have my address!" You could go to the public library and use the Lovell's "upside-down phone book" to look up any address and get the names and phone numbers of the people living there. And it would also tell what economic quintile that area fell into. the Again, no bi
Re: (Score:3)
A generation ago,
There was a high barrier to this sort of public information being used. If you wanted to use the libraries' reverse directory, you had to actually go there. Now, with this sort of data on-line, marketers can slice and dice it any way they want for little more than the cost of processing power. But so can the 'bad guys'.
Re: (Score:2)
Re: (Score:3)
That's true, but there was no book at the library that listed which articles in the newspaper we decided to read and which ones we decided to skip. The post office didn't make copies of all our letters and the phone company didn't record all our calls. When we used a map to find directions, none of this information used to be recorded. When we had our photographs developed, we could be quite sure the photo lab wasn't making copies of all of them.
Records of our financial transactions were much more limited
Re: (Score:2)
I'm going to make a guess that you really don't mean it about everything being public. I could be wrong, but I'd bet you have some sort of bank account or bitcoin wallet or something, and, while you might be perfectly comfortable with us knowing everything about how you use it, you really don't want to share the access codes so we can drain your accounts and wallet and whatever.
Not everybody is in a position where they can afford full disclosure. I'm pretty open about things, but there are a few things
Re: (Score:2)
This isn't like a door lock where its possible to overcome them and we can't stop them from being overcome, so we take advantage of locksmiths when we screw up. Locks can not be 100% secure, encrypted data can be effectively 100% secure and thats a different environment.
While I agree with most of your points there is no such things as 100% secure data; some is only harder to get than others. It only take step right approach to get it.
Re: (Score:2)
When Schneider says "we", I understood that to mean he's talking about the vast majority of the public, not security or privacy-conscious people - who, let's face it, are almost certainly a minority. It feels like you're reading those statements as *advocating* those positions, when instead I think he's just describing the reality of the current situation.
Re: (Score:2)
If Google were to have the idea that I have depression issues, I don't think they'd share it with others, but would use it as part of my profile to target ads to me. On the other hand, they probably would be able to make money selling that information to insurance companies and the credit rating companies, so I wouldn't count on it.
Even targeted ads can have consequences. There was a case here a while back when Target sent coupons for baby-related items to a teenaged girl who had done some searches on
the solution (Score:3)
Re: (Score:2)
Same. Mr Homer J. Simpson of 742 Evergreen Terrace has a lot of internet accounts. That Ned Flanders that lives next door has a lot of porn accounts.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The added bonus is that you can very easily add the relevant information to your spam filter. Provided, of course, that you use a different pseudonym for different occasions.
Re: (Score:2)
And the online companies in question probably have deanonymized all those accounts and know exactly who is really behind them
Example: How hard is it to 'de-anonymize' cellphone data? [mit.edu]
I hate everything he said (Score:2)
Open Source FTW (Score:3)
Re: (Score:1)
You mean like the OpenSSL heartblead bug? Or the bash ShellShock bug?
Re: (Score:2)
How many people actually look for bugs? ShellShock has been around since September 1989. Or Heartbleed, since the end of 2011? Or the multipe security holes in pgp and gpg?
A programmer who isn't familiar with the codebase and tries to do a quick fix will probably introduce as many bugs as they fix.
For the vast majority of users, it doesn't matter if it's open or closed - they can't fix it.
Breaking News! (Score:3)
Security is inversely proportional to convenience.
Confused terminology (Score:1)
Maybe it's time to start over (Score:1)
Re: (Score:2)
Ok, how do we keep governments and industry out of it AND still provide funding for it?
Nice play on words (Score:1)
Google and Facebook want *your* data to be safe — on their servers so they can analyze it.
No
They want their data to be safe on their servers so they can analyze their data as they see fit. Private property: essential to liberty and freedom.
What Schneier is saying, as interpreted by Homer.. (Score:2)
Can't someone else do it?
https://www.pinterest.com/pin/... [pinterest.com]
Security's hurdle - being useful for something (Score:2)
Why haven't we fully embraced security, as consumers? Even as business, we do a lousy job of it. It's because we don't get anything out of it. Immediately. It isn't immediately useful. Yes, it's great if someone hacks your servers, or if you know someone is trying to steal your identity, then you think about it. But other than that, security just makes you WORK rather than give you something. That's why it hasn't been embraced.
Here's how I think that can change. We need to build a service that anyone, and e
Erh... Bruce, I usually like your insightful posts (Score:2)
But this one is one of the "gee, really, you don't say?" kind.
OF COURSE everyone wants to be the only one who has access to something. Monopolies are something really awesome, and only cool if they are, well, monopolies.
Data is worthless if everyone has it, only if you have the exclusive ability to use it it becomes valuable. In our world, the value of something is determined by its scarcity. Data is now something that can, by its very nature, be reproduced with near zero cost in infinite amounts. It only b
Re: (Score:2)
Hm, I think data doesn't have to be worthless if everyone has it, it has worth to those who take the time to do something with that data. For everyone else, it's worthless. EG if the inner details of a business's day to days was public and accessible to all - you might not care, particularly if the business isn't near by, but a competitor would definitely be interested, or regulators looking for fraud, etc. I get what you're saying, and I'm not trying to be pedantic, but the value doesn't automatically decr
Encoding vs Encrypting. (Score:2)
"Mother" is the Chief of Staff
"Uncle James" is the head of state,
"Maisie's house" is the UN building
"Fishing" is 'discussing nuclear limitations'>br> "Peeling Plums" is 'advising of invasion plans for country xxx
Message starts: "Mother and Uncle James are on their way to Maisie's house to peel some plums. After that they hope to go fishing, then see a movie. Have a lovely weekend. Cousin Sam"
Message is indecipherable without a code book.
I don't agree (Score:2)
The sad fact is that most companies aren't even implementing basic controls that everyone knew were important 10 years ago. If you look at a lot of the high profile breaches, they're due to fundamental stuff, not a lack of super high end ultra-expensive security appliances. Its something consumers reasonably expect companies to be doing, but they aren't doing.
I believe it is possible to have companies manage things and have good security. You could accomplish this by having individual consumers take more
Consumers fault, but not the way most think (Score:2)
We are all elitist pigs. (Score:1)