Thursday, December 16, 2010

Security in 2020

Bruce Schneier sees the future, and sounds a warning. After reading the whole article, I say be afraid, be very afraid.

Amplify’d from www.schneier.com

The “Internet of things” won't need you to communicate. The smart appliances in your smart home will talk directly to the power company. Your smart car will talk to road sensors and, eventually, other cars. Your clothes will talk to your dry cleaner. Your phone will talk to vending machines; they already do in some countries. The ramifications of this are hard to imagine; it’s likely to be weirder and less orderly than the contemporary press describes it. But certainly smart objects will be talking about you, and you probably won't have much control over what they’re saying.

One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization. That’s IT in 2020—it’s not under your control, it’s doing things without your knowledge and consent, and it’s not necessarily acting in your best interests. And this is how things will be when they’re working as they’re intended to work; I haven't even started talking about the bad guys yet.

That’s because IT security in 2020 will be less about protecting you from traditional bad guys, and more about protecting corporate business models from you. Deperimeterization assumes everyone is untrusted until proven otherwise. Consumerization requires networks to assume all user devices are untrustworthy until proven otherwise. Decentralization and deconcentration won’t work if you’re able to hack the devices to run unauthorized software or access unauthorized data. Decustomerization won’t be viable unless you’re unable to bypass the ads, or whatever the vendor uses to monetize you. And depersonization requires the autonomous devices to be, well, autonomous.

In 2020—10 years from now—Moore’s Law predicts that computers will be 100 times more powerful. That'll change things in ways we can't know, but we do know that human nature never changes. Cory Doctorow rightly pointed out that all complex ecosystems have parasites. Society’s traditional parasites are criminals, but a broader definition makes more sense here. As we users lose control of those systems and IT providers gain control for their own purposes, the definition of “parasite” will shift. Whether they’re criminals trying to drain your bank account, movie watchers trying to bypass whatever copy protection studios are using to protect their profits, or Facebook users trying to use the service without giving up their privacy or being forced to watch ads, parasites will continue to try to take advantage of IT systems. They'll exist, just as they always have existed, and, like today, security is going to have a hard time keeping up with them.

Welcome to the future. Companies will use technical security measures, backed up by legal security measures, to protect their business models. And unless you’re a model user, the parasite will be you.

Read more at www.schneier.com
 

Friday, December 10, 2010

Wikileaks Clones

I definitely think there is a place for something like Wikileaks, although I might have more use for something that provides some context and interpretation to the documents, as opposed to just dumping hundreds of thousands of them on the public. I also honestly believe that there is more to Assange than he allows us to see; at any rate, an effective leaks forum independent of Assange can only be beneficial in the long term.

Amplify’d from thenextweb.com

Even if Wikileaks does end up getting closed down for good it has a legacy. We could be about to see the dawning of a new age of Wikileaks-inspired sites, each with their own take on the idea.

As we’ve already reported, OpenLeaks is a site hoping to open as soon as Monday; now it looks like European politics could be getting its own specific whistleblowing destination.

BrusselsLeaks says it aims to expose “Dodgy dealings behind closed doors” at the heart of Europe. Seemingly created by people who work within the European Union’s political machine, the site’s WordPress-hosted front page states: “There are plenty of good people in powerful positions who too often see shocking information pass them by. How do we know this? We’ve been there.”

UPDATE: Just after we published this post, the founders replied saying that they’re not really courting media attention, “But it helps”. “We want to support a transparent and fair EU system which could benefit many millions”, they say.

Read more at thenextweb.com
 

Sunday, December 5, 2010

A tale of evolution. How Facebook and I grew apart.

An interesting story of someone's disenchantment with Facebook. His story certainly speaks to me, even if his ultimate solution is not Amplify (though perhaps it could be!).

Amplify’d from gilest.ro

I am leaving facebook, or at least I am going to concentrate my social activity somewhere else. Most people leave because they are worried about privacy violations and the like, but I don’t really care about that. I am well aware that my credit card companies, my banks, my favorite grocery stores¹ and my postman know more about me than facebook does – and, more importantly, they know things I never actually told them directly. So facebook's privacy invasion is the least of my worries.

I am leaving simply because I realized facebook didn’t evolve at all during the five years I have been using it, but my social needs did.

I joined facebook to keep in touch with old friends (the second most common reason after getting laid, I suppose) but eventually found myself trapped in a network of people that I barely knew or didn’t know at all, sharing mostly content I really don’t care about or that was trivial to find. I interact regularly with probably less than 10% of my facebook friends, and it turns out it’s not because they posted a new picture of a cat doing funny things but because they shared interesting reading, worth following or commenting on. I figured that if this has become my main use of facebook, then the platform is badly flawed for that use. As people say when they split: it’s not you, it’s me.

Seeing how things are going, it doesn’t look like facebook is interested in targeting my needs. None of the points above has been even remotely addressed since I joined (2005). There have been half a dozen UI changes, a little more power in grouping people and a myriad of flash games. No effort towards organizing content the way I need, really. So Long, Facebook (and thanks for all the phishing.)

Why don’t you just reorganize your friends, you silly!

Yes, I could do that. I could just get rid of that 90% of people I care little about and my signal-to-noise ratio would get better. But I doubt it would fully work, because I've noticed that even the 10% of people I follow are posting less and less, or have even disappeared in the past months. I presume it’s because they are experiencing the same frustration, so there is no good in having only interesting friends who are hardly active anymore. I feel the same way, so it’s better to leave the sinking ship.

Hello Google!

So, where to concentrate my networking now? Looking at the four points above, it seems that what I miss the most is the possibility of organizing and searching for content rather than for people: “search” and “content” being the keywords here. What is a good internet company specialized in searching content?

Here we go, Google. To be honest, I tried a couple of alternatives before. Never been a fan of twitter, but I figured I should give it a try. I also gave a chance to friendfeed and delicious. None of them did it for me: again, way too much noise. Then I took my virtual ladder and climbed up to my virtual dusty loft, where I restored a completely unused Google Buzz account and a Google Reader account filled with bold numbers.

Buzz gives me the chance to share status updates and pics if I want; Google Reader the opportunity to organize my readings and the tools to discover new content and people, based on my interests and likes. Also, the environment seems unfriendly enough to attract the people I care to meet. The only problem so far is that very few friends of mine use either of the two. In fact, if you are reading this post it is most likely because you have been shortlisted to be one of those I want to bring with me (congratulations) and I am trying to get you to use your Buzz and/or Reader account.

The good thing about the new combination is that they are in fact split tools with different purposes that cover different needs. The former is a bit more facebook-like and is about sharing your status, pictures and such; the latter is mainly a way to organize your readings on the web that also happens to be socially integrated, so that you can actually share and discuss with other people what you find. So, it’s completely possible to just use the Reader without joining yet-another-social-yadayada. That’s how you do it:

Will it last? A couple of nerdy observations.

I think so. It seems Google and I share the same outlook on what I need and how it has to evolve. There are only a couple of things that worry me: first, the Android app for Google Buzz sucks big time, and this may be a sign that they are not investing as much in this direction as I wish they were. But that may not necessarily be true: at the end of the day, most of the Google-developed Android apps still suck², yet there is no doubt Google has no plan of dropping Gmail or the Android Market. The second thing that worries me is how Google Wave was handled and failed. Buzz didn’t have the publicity it deserved and Google profiles never really took off. Yet, the tool is really nice and worthy, and that’s why I am writing this, to make my friends aware.

Read more at gilest.ro
 

Friday, December 3, 2010

Full Body Scanners: What's Next?

It appears that Bruce is starting to lose patience over the airport security situation, along with the rest of us. Money quotes:

"Airport security is the last line of defense, and it's not a very good one."

"We have a job here, too, and it's to be indomitable in the face of terrorism."

Congress critters need to read this one, too.

Amplify’d from www.schneier.com

Organizers of National Opt Out Day, the Wednesday before Thanksgiving when air travelers were urged to opt out of the full-body scanners at security checkpoints and instead submit to full-body patdowns, were outfoxed by the TSA. The government pre-empted the protest by turning off the machines in most airports during the Thanksgiving weekend. Everyone went through the metal detectors, just as before.

Now that Thanksgiving is over, the machines are back on and the "enhanced" pat-downs have resumed. I suspect that more people would prefer to have naked images of themselves seen by TSA agents in another room, than have themselves intimately touched by a TSA agent right in front of them.

But now, the TSA is in a bind. Regardless of whatever lobbying came before, or whatever former DHS officials had a financial interest in these scanners, the TSA has spent billions on those scanners, claiming they're essential. But because people can opt out, the alternate manual method must be equally effective; otherwise, the terrorists could just opt out. If they make the pat-downs less invasive, it would be the same as admitting the scanners aren't essential. Senior officials would get fired over that.

So not counting inconsequential modifications to demonstrate they're "listening," the pat-downs will continue. And they'll continue for everyone: children, abuse survivors, rape survivors, urostomy bag wearers, people in wheelchairs. It has to be that way; otherwise, the terrorists could simply adapt. They'd hide their explosives on their children or in their urostomy bags. They'd recruit rape survivors, abuse survivors, or seniors. They'd dress as pilots. They'd sneak their PETN through airport security using the very type of person who isn't being screened.

And PETN is what the TSA is looking for these days. That's pentaerythritol tetranitrate, the plastic explosive that both the Shoe Bomber and the Underwear Bomber attempted but failed to detonate. It's what was mailed from Yemen. It's in Iraq and Afghanistan. Guns and traditional bombs are passé; PETN is the terrorist tool of the future.

The problem is that no scanners or puffers can detect PETN; only swabs and dogs work. What the TSA hopes is that they will detect the bulge if someone is hiding a wad of it on their person. But they won't catch PETN hidden in a body cavity. That doesn't have to be as gross as you're imagining; you can hide PETN in your mouth. A terrorist can go through the scanners a dozen times with bits in his mouth each time, and assemble a bigger bomb on the other side. Or he can roll it thin enough to be part of a garment, and sneak it through that way. These tricks aren't new. In the days after the Underwear Bomber was stopped, a scanner manufacturer admitted that the machines might not have caught him.

Once again, the TSA is covering their own asses by implementing security-theater measures to prevent the previous attack while ignoring any threats of future attacks. It's the same thinking that caused them to ban box cutters after 9/11, screen shoes after Richard Reid, limit liquids after that London gang, and -- I kid you not -- ban printer cartridges over 16 ounces after they were used to house package bombs from Yemen. They act like the terrorists are incapable of thinking creatively, while the terrorists repeatedly demonstrate that they can always come up with a new approach that circumvents the old measures.

The truth is that exactly two things have made air travel safer since 9/11: reinforcing cockpit doors and convincing passengers they need to fight back. The TSA should continue to screen checked luggage. They should start screening airport workers. And then they should return airport security to pre-9/11 levels and let the rest of their budget be used for better purposes. Investigation and intelligence is how we're going to prevent terrorism, on airplanes and elsewhere. It's how we caught the liquid bombers. It's how we found the Yemeni printer-cartridge bombs. And it's our best chance at stopping the next serious plot.

Because if a group of well-planned and well-funded terrorist plotters makes it to the airport, the chance is pretty low that those blue-shirted crotch-groping water-bottle-confiscating TSA agents are going to catch them. The agents are trying to do a good job, but the deck is so stacked against them that their job is impossible. Airport security is the last line of defense, and it's not a very good one.

We have a job here, too, and it's to be indomitable in the face of terrorism. The goal of terrorism is to terrorize us: to make us afraid, and make our government do exactly what the TSA is doing. When we react out of fear, the terrorists succeed even when their plots fail. But if we carry on as before, the terrorists fail -- even when their plots succeed.

Read more at www.schneier.com
 

Thursday, December 2, 2010

Close the Washington Monument

Amen. Perhaps it is the only way. I wish our congress critters would read this in its entirety, and be ashamed.

Amplify’d from www.schneier.com

Securing the Washington Monument from terrorism has turned out to be a surprisingly difficult job. The concrete fence around the building protects it from attacking vehicles, but there's no visually appealing way to house the airport-level security mechanisms the National Park Service has decided are a must for visitors. It is considering several options, but I think we should close the monument entirely. Let it stand, empty and inaccessible, as a monument to our fears.

An empty Washington Monument would serve as a constant reminder to those on Capitol Hill that they are afraid of the terrorists and what they could do. They're afraid that by speaking honestly about the impossibility of attaining absolute security or the inevitability of terrorism -- or that some American ideals are worth maintaining even in the face of adversity -- they will be branded as "soft on terror." And they're afraid that Americans would vote them out of office if another attack occurred. Perhaps they're right, but what has happened to leaders who aren't afraid? What has happened to "the only thing we have to fear is fear itself"?

An empty Washington Monument would symbolize our lawmakers' inability to take that kind of stand -- and their inability to truly lead.

Terrorism isn't a crime against people or property. It's a crime against our minds, using the death of innocents and destruction of property to make us fearful. Terrorists use the media to magnify their actions and further spread fear. And when we react out of fear, when we change our policy to make our country less open, the terrorists succeed -- even if their attacks fail. But when we refuse to be terrorized, when we're indomitable in the face of terror, the terrorists fail -- even if their attacks succeed.

The grand reopening of the Washington Monument will not occur when we've won the war on terror, because that will never happen. It won't even occur when we've defeated al Qaeda. Militant Islamic terrorism has fractured into small, elusive groups. We can reopen the Washington Monument when we've defeated our fears, when we've come to accept that placing safety above all other virtues cedes too much power to government and that liberty is worth the risks, and that the price of freedom is accepting the possibility of crime.

I would proudly climb to the top of a monument to those ideals.

Read more at www.schneier.com
 

Risk Reduction Strategies on Social Networking Sites

I don't currently use Facebook. If I did, I might consider practices like these.

Amplify’d from www.schneier.com
Mikalah uses Facebook but when she goes to log out, she deactivates her Facebook account. She knows that this doesn’t delete the account; that’s the point. She knows that when she logs back in, she’ll be able to reactivate the account and have all of her friend connections back. But when she’s not logged in, no one can post messages on her wall or send her messages privately or browse her content. But when she’s logged in, they can do all of that. And she can delete anything that she doesn’t like. Michael Ducker calls this practice “super-logoff”; he noticed a group of gay male adults doing the exact same thing.

Shamika doesn’t deactivate her Facebook profile but she does delete every wall message, status update, and Like shortly after it’s posted. She’ll post a status update and leave it there until she’s ready to post the next one or until she’s done with it. Then she’ll delete it from her profile. When she’s done reading a friend’s comment on her page, she’ll delete it. She’ll leave a Like up for a few days for her friends to see and then delete it.

I've heard this practice called wall scrubbing.

In any reasonably competitive market economy, sites would offer these as options to better serve their customers. But in the give-it-away user-as-product economy we so often have on the Internet, the social networking sites have a different agenda.

Read more at www.schneier.com
 

"Multiliteracy"

This is a picture of my daughter's award from the Delaware DOE for "Multiliteracy". (Is "Multiliteracy" a word?)  ...