Data and Goliath

Page 42

by Bruce Schneier


  It secretly inserts weaknesses: Bruce Schneier (4 Oct 2013), “Attacking Tor: How the NSA targets users’ online anonymity,” Guardian, http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.

  “endpoint security is so terrifically weak”: Glenn Greenwald and Edward Snowden (17 Jun 2013), “Edward Snowden: NSA whistleblower answers reader questions,” Guardian, http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower.

  Discoverers can sell vulnerabilities: The ethics of this is discussed here. Serge Egelman, Cormac Herley, and Paul C. van Oorschot (9–12 Sep 2013), “Markets for zero-day exploits: Ethics and implications,” New Security Paradigms Workshop, Banff, Alberta, Canada, http://www.nspw.org/papers/2013/nspw2013-egelman.pdf.

  a robust market in zero-days: Stefan Frei (5 Dec 2013), “The known unknowns: Empirical analysis of publicly-unknown security vulnerabilities,” NSS Labs, https://www.nsslabs.com/system/files/public-report/files/The%20Known%20Unknowns_1.pdf.

  both governments and: Andy Greenberg (21 Mar 2012), “Meet the hackers who sell spies the tools to crack your PC (and get paid six-figure fees),” Forbes, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees. Both Russia and North Korea are big spenders when it comes to zero-days. Nicole Perlroth and David E. Sanger (13 Jul 2013), “Nations buying as hackers sell flaws in computer code,” New York Times, http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html. Office of the Secretary of Defense (4 Feb 2014), “Military and security developments involving the Democratic People’s Republic of North Korea 2013,” http://www.defense.gov/pubs/North_Korea_Military_Power_Report_2013-2014.pdf.

  discoverers can sell to criminals: Dancho Danchev (2 Nov 2008), “Black market for zero day vulnerabilities still thriving,” ZDNet, http://www.zdnet.com/blog/security/black-market-for-zero-day-vulnerabilities-still-thriving/2108.

  Undiscovered zero-day vulnerabilities: Here is the most important research into that question. Eric Rescorla (7 Feb 2005), “Is finding security holes a good idea?” RTFM, Inc., http://www.rtfm.com/bugrate.pdf. Sandy Clark et al. (6–10 Dec 2010), “Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities,” 26th Annual Computer Security Applications Conference, Austin, Texas, http://dl.acm.org/citation.cfm?id=1920299. Andy Ozment and Stuart E. Schechter (11 May 2006), “Milk or wine: Does software security improve with age?” MIT Lincoln Laboratory, https://research.microsoft.com/pubs/79177/milkorwine.pdf.

  economics of software development: This is even worse with embedded devices and the Internet of Things. Bruce Schneier (6 Jan 2014), “The Internet of Things is wildly insecure—and often unpatchable,” Wired, http://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-a-huge-problem.

  how the NSA and GCHQ think: James Ball, Julian Borger, and Glenn Greenwald (5 Sep 2013), “Revealed: How US and UK spy agencies defeat internet privacy and security,” Guardian, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security.

  We know the NSA: These four points were made in this document. Danielle Kehl et al. (29 Jul 2014), “Surveillance costs: The NSA’s impact on the economy, Internet freedom and cyberspace,” Open Technology Institute, New America Foundation, http://www.newamerica.net/publications/policy/surveillance_costs_the_nsas_impact_on_the_economy_internet_freedom_cybersecurity.

  the White House tried to clarify: Michael Daniel (28 Apr 2014), “Heartbleed: Understanding when we disclose cyber vulnerabilities,” White House Blog, http://www.whitehouse.gov/blog/2014/04/28/heartbleed-understanding-when-we-disclose-cyber-vulnerabilities.

  Stuxnet, used four zero-days: Ryan Naraine (14 Sep 2010), “Stuxnet attackers used 4 Windows zero-day exploits,” ZDNet, http://www.zdnet.com/blog/security/stuxnet-attackers-used-4-windows-zero-day-exploits/7347.

  agency jargon NOBUS: Andrea Peterson (4 Oct 2013), “Why everyone is left less secure when the NSA doesn’t help fix security flaws,” Washington Post, http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws.

  it discloses and closes: David E. Sanger (12 Apr 2014), “Obama lets N.S.A. exploit some Internet flaws, officials say,” New York Times, http://www.nytimes.com/2014/04/13/us/politics/obama-lets-nsa-exploit-some-internet-flaws-officials-say.html. Kim Zetter (15 Apr 2014), “Obama: NSA must reveal bugs like Heartbleed, unless they help the NSA,” Wired, http://www.wired.com/2014/04/obama-zero-day.

  how to make NOBUS decisions: There have been some attempts. Andy Ozment (2–3 Jun 2005), “The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting,” Workshop on Economics and Information Security, Cambridge, Massachusetts, http://infosecon.net/workshop/pdf/10.pdf.

  They’re inherently destabilizing: Robert Axelrod and Rumen Iliev (28 Jan 2014), “Timing of cyber conflict,” Proceedings of the National Academy of Sciences of the United States of America 111, http://www.pnas.org/content/early/2014/01/08/1322638111.full.pdf.

  Backdoors aren’t new: This is a nice nontechnical description of backdoors. Serdar Yegulalp (13 Jun 2014), “Biggest, baddest, boldest software backdoors of all time,” Tech World, http://www.techworld.com.au/slideshow/547475/pictures_biggest_baddest_boldest_software_backdoors_all_time.

  the US government is deliberately: James Ball, Julian Borger, and Glenn Greenwald (5 Sep 2013), “Revealed: How US and UK spy agencies defeat Internet privacy and security,” Guardian, http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security. Guardian (5 Sep 2013), “Project Bullrun—classification guide to the NSA’s decryption program,” Guardian, http://www.theguardian.com/world/interactive/2013/sep/05/nsa-project-bullrun-classification-guide, http://cryptome.org/2013/09/nsa-bullrun-2-16-guardian-13-0905.pdf.

  One of the NSA documents: US National Security Agency (2012), “SIGINT Enabling Project,” http://www.propublica.org/documents/item/784285-sigint-enabling-project.html.

  The NSA also pressured Microsoft: Lorenzo Franceschi-Bicchierai (11 Sep 2013), “Did the FBI lean on Microsoft for access to its encryption software?” Mashable, http://mashable.com/2013/09/11/fbi-microsoft-bitlocker-backdoor.

  Deliberately created vulnerabilities: Jesse Emspak (16 Aug 2012), “FBI surveillance backdoor might open door to hackers,” NBC News, http://www.nbcnews.com/id/48695618/ns/technology_and_science-security/t/fbi-surveillance-backdoor-might-open-door-hackers. Ben Adida et al. (17 May 2013), “CALEA II: Risks of wiretap modifications to endpoints,” Center for Democracy and Technology, https://www.cdt.org/files/pdfs/CALEAII-techreport.pdf. Bruce Schneier (29 May 2013), “The FBI’s new wiretap plan is great news for criminals,” Foreign Policy, http://www.foreignpolicy.com/articles/2013/05/29/the_fbi_s_new_wiretapping_plan_is_great_news_for_criminals.

  Government-mandated access: Susan Landau (2011), Surveillance or Security? The Risks Posed by New Wiretapping Technologies, MIT Press, http://mitpress.mit.edu/books/surveillance-or-security. New York Times (21 Sep 2013), “Close the NSA’s backdoors,” New York Times, http://www.nytimes.com/2013/09/22/opinion/sunday/close-the-nsas-back-doors.html.

  Ericsson built this: Vassilis Prevelakis and Diomidis Spinellis (29 Jun 2007), “The Athens affair,” IEEE Spectrum, http://spectrum.ieee.org/telecom/security/the-athens-affair.

  Something similar occurred in Italy: Alexander Smoltczyk (5 Oct 2006), “Eavesdropping on La Bella Vita: Listening quietly in Italy,” Der Spiegel, http://www.spiegel.de/international/spiegel/eavesdropping-on-la-bella-vita-listening-quietly-in-italy-a-440880.html. John Leyden (14 Apr 2008), “Preatoni breaks silence over Telecom Italia spying probe,” Register, http://www.theregister.co.uk/2008/04/14/telecom_italia_spying_probe_update.

  Chinese hackers exploited: Bruce Schneier (23 Jan 2010), “U.S. enables Chinese hacking of Google,” CNN, http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html.

  every phone switch sold: Susan Landau (23 Mar 2012), “The large immortal machine and the ticking time bomb,” Social Science Research Network (republished Nov 2013 in Journal of Telecommunications and High Tech Law 11), http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2028152.

  NSA regularly exploits: Lawrence Lessig (20 Oct 2014), “Institutional corruption and the NSA: Lawrence Lessig interviews Edward Snowden at Harvard Law,” LeakSourceInfo/YouTube, http://www.youtube.com/watch?v=DksIFG3Skb4.

  Bermuda phone system: Ryan Devereaux, Glenn Greenwald, and Laura Poitras (19 May 2014), “Data pirates of the Caribbean: The NSA is recording every cell phone call in the Bahamas,” Intercept, https://firstlook.org/theintercept/article/2014/05/19/data-pirates-caribbean-nsa-recording-every-cell-phone-call-bahamas.

  Another objective of the SIGINT: US National Security Agency (2012), “SIGINT Enabling Project,” http://www.propublica.org/documents/item/784285-sigint-enabling-project.html.

  NSA influenced the adoption: Craig Timberg and Ashkan Soltani (14 Dec 2013), “NSA cracked popular cellphone encryption,” Washington Post, http://www.washingtonpost.com/business/technology/by-cracking-cellphone-code-nsa-has-capacity-for-decoding-private-conversations/2013/12/13/e119b598-612f-11e3-bf45-61f69f54fc5f_story.html.

  a backdoored random number generator: Dan Shumow and Niels Ferguson (21 Aug 2007), “On the possibility of a backdoor in the NIST SP800-90 Dual_EC_PRNG,” Microsoft Corporation, http://rump2007.cr.yp.to/15-shumow.pdf. Matthew Green (18 Sep 2013), “The many flaws of Dual_EC_DRBG,” Cryptography Engineering, http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html. D.W. (18 Sep 2013), “Explaining weakness of Dual_EC_PRNG to wider audience?” Cryptography Stack Exchange, https://crypto.stackexchange.com/questions/10417/explaining-weakness-of-dual-ec-drbg-to-wider-audience.

  the NSA masquerades: Ryan Gallagher and Glenn Greenwald (12 Mar 2014), “How the NSA plans to infect ‘millions’ of computers with malware,” Intercept, https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware.

  The UK’s GCHQ can find: Glenn Greenwald (14 Jul 2014), “Hacking online polls and other ways British spies seek to control the Internet,” Intercept, https://firstlook.org/theintercept/2014/07/14/manipulating-online-polls-ways-british-spies-seek-control-internet.

  just better-funded hacker tools: Bruce Schneier (21 May 2014), “The NSA is not made of magic,” Schneier on Security, https://www.schneier.com/blog/archives/2014/05/the_nsa_is_not_.html.

  Academics have discussed ways: Nicholas Weaver (13 Mar 2014), “A close look at the NSA’s most powerful Internet attack tool,” Wired, http://www.wired.com/2014/03/quantum. Matt Brian (20 Jun 2014), “Hackers use Snowden leaks to reverse-engineer NSA surveillance devices,” Engadget, http://www.engadget.com/2014/06/20/nsa-bugs-reverse-engineered.

  one top-secret program: Bruce Schneier (4 Oct 2013), “Attacking Tor: How the NSA targets users’ online anonymity,” Guardian, http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity.

  technology that allows: We have learned a lot about QUANTUM since my initial story. Nicholas Weaver (13 Mar 2014), “A close look at the NSA’s most powerful attack tool,” Wired, http://www.wired.com/2014/03/quantum. Claudio Guarnieri (24 Jan 2014), “The Internet is compromised,” Medium, https://medium.com/@botherder/the-internet-is-compromised-4c66984abd7d. Der Spiegel (30 Dec 2013), “NSA-Dokumente: So übernimmt der Geheimdienst fremde Rechner,” Der Spiegel, http://www.spiegel.de/fotostrecke/nsa-dokumente-so-uebernimmt-der-geheimdienst-fremde-rechner-fotostrecke-105329.html. Der Spiegel (30 Dec 2013), “NSA-Dokumente: So knackt der Geheimdienst Internetkonten,” Der Spiegel, http://www.spiegel.de/fotostrecke/nsa-dokumente-so-knackt-der-geheimdienst-internetkonten-fotostrecke-105326.html.

  Chinese government uses: Nicholas Weaver, Robin Sommer, and Vern Paxson (8–11 Feb 2009), “Detecting forged TCP reset packets,” Network and Distributed System Security Symposium (NDSS 2009), San Diego, California, http://www.icir.org/vern/papers/reset-injection.ndss09.pdf.

  Hacking Team sells: Morgan Marquis-Boire (15 Aug 2014), “Schrodinger’s cat video and the death of clear-text,” Citizen Lab, Munk School of Global Affairs, University of Toronto, https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text. Morgan Marquis-Boire (15 Aug 2014), “You can get hacked just by watching this cat video on YouTube,” Intercept, https://firstlook.org/theintercept/2014/08/15/cat-video-hack. Cora Currier and Morgan Marquis-Boire (30 Oct 2014), “Secret manuals show the spyware sold to despots and cops worldwide,” Intercept, https://firstlook.org/theintercept/2014/10/30/hacking-team.

  there are hacker tools: Airpwn (27 May 2009), “Airpwn 1.4,” Sourceforge, http://airpwn.sourceforge.net/Airpwn.html.

  Techniques first developed: Tom Simonite (19 Sep 2012), “Stuxnet tricks copied by computer criminals,” MIT Technology Review, http://www.technologyreview.com/news/429173/stuxnet-tricks-copied-by-computer-criminals.

  software that Elcomsoft sells: Andy Greenberg (2 Sep 2014), “The police tool that pervs use to steal nude pics from Apple’s iCloud,” Wired, http://www.wired.com/2014/09/eppb-icloud.

  once-secret techniques: Mobistealth (2014), “Ultimate cell phone monitoring software,” http://www.mobistealth.com.

  Stuxnet’s target was Iran: Jarrad Shearer (26 Feb 2013), “W32.Stuxnet,” Symantec Corporation, http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99.

  computers owned by Chevron: Matthew J. Schwartz (12 Nov 2012), “Cyber weapon friendly fire: Chevron Stuxnet fallout,” Information Week, http://www.darkreading.com/attacks-and-breaches/cyber-weapon-friendly-fire-chevron-stuxnet-fallout/d/d-id/1107339.

  industrial plants in Germany: Robert McMillan (14 Sep 2010), “Siemens: Stuxnet worm hit industrial systems,” Computer World, http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems.

  failure of an Indian satellite: Jeffrey Carr (29 Sep 2010), “Did the Stuxnet worm kill India’s Insat-4B satellite?” Forbes, http://www.forbes.com/sites/firewall/2010/09/29/did-the-stuxnet-worm-kill-indias-insat-4b-satellite.

  Internet blackout in Syria: James Bamford (13 Aug 2014), “Edward Snowden: The untold story,” Wired, http://www.wired.com/2014/08/edward-snowden.

  a technique called DNS injection: Anonymous (Jul 2012), “The collateral damage of internet censorship by DNS injection,” ACM SIGCOMM Computer Communication Review 42, http://www.sigcomm.org/sites/default/files/ccr/papers/2012/July/2317307-2317311.pdf.

  public revelations of the NSA’s activities: Ian Bremmer (18 Nov 2013), “Lost legitimacy: Why governing is harder than ever,” Foreign Affairs, http://www.foreignaffairs.com/articles/140274/ian-bremmer/lost-legitimacy.

  US interests have been significantly harmed: Vivienne Walt (30 Jun 2013), “European officials infuriated by alleged NSA spying on friendly diplomats,” Time, http://world.time.com/2013/06/30/european-officials-infuriated-by-alleged-nsa-spying-on-friendly-diplomats. Anne Gearan (21 Oct 2013), “Report that NSA collected French phone records causing diplomatic headache for U.S.,” Washington Post, http://www.washingtonpost.com/world/national-security/report-that-nsa-collected-french-phone-records-causing-diplomatic-headache-for-us/2013/10/21/bfa74f22-3a76-11e3-a94f-b58017bfee6c_story.html. Zachary Keck (31 Oct 2013), “Outrage over NSA spying spreads to Asia,” Diplomat, http://thediplomat.com/2013/10/outrage-over-nsa-spying-spreads-to-asia. Matthew Karnitschnig (9 Feb 2014), “NSA flap strains ties with Europe,” Wall Street Journal, http://online.wsj.com/news/articles/SB10001424052702303874504579372832399168684.

  Relations between the US: David E. Sanger (1 May 2014), “U.S. and Germany fail to reach a deal on spying,” New York Times, http://www.nytimes.com/2014/05/02/world/europe/us-and-germany-fail-to-reach-a-deal-on-spying.html. Mark Landler (2 May 2014), “Merkel signals that tension persists over U.S. spying,” New York Times, http://www.nytimes.com/2014/05/03/world/europe/merkel-says-gaps-with-us-over-surveillance-remain.html.

  Brazil’s president: Juan Forero (17 Sep 2013), “NSA spying scandal spoils dinner at the White House for Brazil’s president,” Washington Post, http://www.washingtonpost.com/world/nsa-spying-scandal-spoils-dinner-at-the-white-house-for-brazils-president/2013/09/17/24f5acf6-1fc5-11e3-9ad0-96244100e647_story.html.

  12: Principles

  if our personal spaces and records: These issues are explored in these books. Daniel Solove (2011), Nothing to Hide: The False Tradeoff between Privacy and Security, Yale University Press, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1827982. Susan Landau (2011), Surveillance or Security? The Risks Posed by New Wiretapping Technologies, MIT Press, http://mitpress.mit.edu/books/surveillance-or-security.

  When the security versus privacy: The psychology of security explains a lot of our behavior. Bruce Schneier (11–14 Jun 2008), “The psychology of security,” in Serge Vaudenay, ed., Progress in Cryptology: AFRICACRYPT 2008: First International Conference on Cryptology in Africa, Casablanca, Morocco, Proceedings, Springer, https://www.schneier.com/paper-psychology-of-security.pdf. Daniel Gardner (2008), The Science of Fear: Why We Fear Things We Shouldn’t—And Put Ourselves in Greater Danger, Penguin, http://books.google.com/books?id=bmyboRubog4C.

  The government basically said: Of course, costs can affect different people in different ways. Politicians fear that they’ll get blamed for future attacks, so they have an incentive to push for lots of visible security measures. Citizens, especially members of unpopular political and religious groups, become the obvious targets for surveillance, but lack a strong, coherent voice to fight back. And large security programs are expensive, benefiting government contractors and the politicians they support.

  find an acceptable trade-off: This paper tries to model that with game theory. Tiberiu Dragu (Feb 2011), “Is there a trade-off between security and liberty? Executive bias, privacy protections, and terrorism prevention,” American Political Science Review 105, http://journals.cambridge.org/download.php?file=%2FPSR%2FS0003055410000614a.pdf&code=193cd836312527364579326df0a7aa58.