Let’s Be Careful Out There

I ended my blog post Secure? You better believe it, about the discovery of microprocessor security vulnerabilities, with this:

I wonder what Bruce Schneier will say?

The question has been answered. Here are some notable points:

“Throw it away and buy a new one” is ridiculous security advice, but it’s what US-CERT recommends. It is also unworkable. The problem is that there isn’t anything to buy that isn’t vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

In short, we are all stuck in a hole not of our making.

Later on, there is some practical advice about what you should do:

This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method amongst many. All the major vendors are working on patches and workarounds for the attacks they can mitigate. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites that might run malware on your browser, patch your systems regularly, and generally be careful on the Internet.

As they used to say on Hill Street Blues, let’s be careful out there.

The Paris attacks and the exploitation of fear

Bruce Schneier has an excellent blog piece entitled Policy Repercussions of the Paris Terrorist Attacks (which I have only just come across) that is the usual breath of fresh air about terrorism, security, and surveillance.

For example:

The politics of surveillance are the politics of fear. As long as the people are afraid of terrorism — regardless of how realistic their fears are — they will demand that the government keep them safe. And if the government can convince them that it needs this or that power in order to keep the people safe, the people will willingly grant them those powers.

In short, governments use fear as a justification to acquire more intrusive powers.

It doesn’t matter that mass surveillance isn’t an effective anti-terrorist tool: a scared populace wants to be reassured.

That point is worth emphasizing, too. For example, there already was surveillance operating before the Paris terror attacks. Increasing it wouldn’t have increased the chances of preventing the attacks. Mass surveillance does not work in this arena. It does work in terms of keeping tabs on your political opponents…

So far as the opportunities and politicians are concerned, Schneier writes:

And politicians want to reassure. It’s smart politics to exaggerate the threat. It’s smart politics to do something, even if that something isn’t effective at mitigating the threat. The surveillance apparatus has the ear of the politicians, and the primary tool in its box is more surveillance. There’s minimal political will to push back on those ideas, especially when people are scared…

…Terrorism is singularly designed to push our fear buttons in ways completely out of proportion to the actual threat. And as long as people are scared of terrorism, they’ll give their governments all sorts of new powers of surveillance, arrest, detention, and so on, regardless of whether those powers actually combat the threat. This means that those who want those powers need a steady stream of terrorist attacks to enact their agenda. It’s not that these people are actively rooting for the terrorists, but they know a good opportunity when they see it.

So, even though it does not work, the politicians are going to keep trying to secure more surveillance and other intrusive powers.

Do read the whole post (which includes some excellent links to other material on the same issues) here.

Watchmen

This is from the latest Crypto-Gram:

Last Month I Briefed Congress on the NSA

One morning in January, I spent an hour in a closed room with six members of Congress: Rep. Lofgren, Rep. Sensenbrenner, Rep. Bobby Scott, Rep. Goodlatte, Rep. Mike Thompson, and Rep. Amash. No staffers, no public: just them. Lofgren had asked me to brief her and a few Representatives on the NSA. She said that the NSA wasn’t forthcoming about their activities, and they wanted me — as someone with access to the Snowden documents — to explain to them what the NSA was doing. Of course, I’m not going to give details on the meeting, except to say that it was candid and interesting. And that it’s extremely freaky that Congress has such a difficult time getting information out of the NSA that they have to ask me. I really want oversight to work better in this country.

Surreal part of setting up this meeting: I suggested that we hold this meeting in a SCIF, because they wanted me to talk about top-secret documents that had not been made public. The problem is that I, as someone without a clearance, would not be allowed into the SCIF. So we had to have the meeting in a regular room.

This really was an extraordinary thing.

First, the Crypto-Gram comes from Bruce Schneier, an independent IT security consultant. Second, the SCIF referred to is, according to Wikipedia:

In United States security and intelligence parlance, a Sensitive Compartmented Information Facility (SCIF; pronounced “skiff”) is an enclosed area within a building that is used to process Sensitive Compartmented Information (SCI) types of classified information. SCI is classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems established by the Director of National Intelligence (DNI).

In other words, a SCIF is a secure room where you can have secrets available.

I get that Bruce finds it extraordinary that, due to his lack of clearance, they could not use a SCIF. I find it extraordinary that the members of the Senate do not know what the NSA is doing. And, it’s extraordinary that to solve that problem, they ask an independent security consultant? Something is very wrong there.

State of fear

The latest Crypto-Gram from Bruce Schneier has a piece about the massacre in Aurora which should be mandatory reading: young, old, employed, unemployed, lawyers, legislators, politicians, policemen, soldiers, sailors, teachers, technicians, programmers, plumbers, civil rights activists, sportsmen, butchers, bakers and candlestick makers, to name a few. Everyone should read it!

Is it safe?

Bruce Schneier, to quote from his website:

“…is an internationally renowned security technologist and author. Described by The Economist as a “security guru,” he is best known as a refreshingly candid and lucid security critic and commentator. When people want to know how security really works, they turn to Schneier.”

The quote saved me thinking and writing time, because it’s damn accurate. I’ve been a subscriber to Bruce’s Crypto-Gram Newsletter for some time, and it’s always lived up to the billing.
