Bruce Schneier - Click here to kill everybody

Hi all,

@mk has a really good reading recommendation on security: Bruce Schneier’s Click here to kill everybody.

Matze: do you mind if I share your notes here?

Best,
Hugo

As already said to Hugo, I currently do not have the time to write a real summary, but yes, I can share those rough notes here as well:

Bruce Schneier: Click here to kill everybody

  • Everything is becoming a computer, around 20-75 billion computers.
  • Internet + Things (Devices) + us is what he calls the Internet+

Part I: The trends

  • Computers are still hard to secure
    • Most software is poorly written and insecure
    • The internet was never designed with security in mind
    • The extensibility of computers means everything can be used against
      us
    • The complexity of computerized systems means attack is easier than
      defense
    • There are new vulnerabilities in the interconnections
    • Computers fail differently (than normal things)
    • Attacks always get better, easier, and faster
  • Patching is failing as a security paradigm
    • Example: 465,000 pacemakers by Abbott Labs in 2017 needing a security
      update (p38)
    • No one knows what responsible disclosure looks like in the IoT area
      (cars, medical devices, airplanes, …)
    • Because of inherent complexity of Internet+, we need both the
      long-term stability of the waterfall paradigm and the reaction
      capability of the agile paradigm.
  • Knowing who’s who on the internet is getting harder
    • Authentication is getting harder, and credential stealing is getting
      easier
    • Attribution is getting both harder and easier, depending
  • Everyone favors insecurity
    • Surveillance capitalism continues to drive the internet
    • Corporate control of customers and users is next
      • Hack own devices, example defibrillator (p63), none of the
        companies that make implantable devices – Medtronic, Boston
        Scientific, Abbott Labs, and Biotronik – will allow patients to
        access their own data.
    • Companies build systems that assume the customer is the attacker and
      needs to be contained (see our Secure Boot article
      https://fsfe.org/campaigns/generalpurposecomputing/secure-boot-analysis.en.html).
      This is a design requirement that runs counter to good security,
      because it gives outside attackers an avenue to gain access.
    • Governments also use the internet for surveillance and control
      • Some buy the tools from cyberweapons manufacturers: Gamma Group
        (Germany and the UK), HackingTeam (Italy), VASTech (South Africa),
        Cyberbit (Israel), and NSO Group (also Israel).
      • Cyberwar is the new normal (example Stuxnet)
      • Criminals benefit from insecurity
  • Risks are becoming catastrophic
    • Integrity and availability attacks are increasing
      • For analysis: the security triad of confidentiality, integrity, and
        availability. One way of thinking about this is that confidentiality
        threats are about privacy, but integrity and availability threats
        are really about safety (p79). Dams, power plants, oil refineries,
        chemical plants, and everything else are on the internet – and
        vulnerable. (Question: should we rather focus on a safety group
        than security?)
      • Software is becoming autonomous and more powerful
        • Inserting a human into the loop doesn’t count unless that human
          actually makes the call (p83).
      • Our supply chains are increasingly vulnerable
        • one way governments react is by demanding to see the source code
          (p88)
      • It’s only getting worse

Part II Solutions

  • Security is a tax on the honest.

  • “cyber crime has a direct gross domestic product (GDP) cost of $275
    billion to $6.6 trillion globally and total GDP costs (direct plus
    systematic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of
    GDP)” (p 103)

  • Technology and law have to work together

  • What a Secure Internet+ Looks like

    • Secure your devices!! (p 108+109)
      • Be transparent
      • Make the software patchable
      • test pre-production
      • Enable secure default options
      • Fail predictably and safely
      • Use standard protocols and implementations
      • Avoid known vulnerabilities
      • Preserve offline functionality
      • encrypt and authenticate data
      • support responsible security research
    • Secure your data
    • Secure your algorithms
      • We expect accuracy, fairness, reproducibility, respectfulness
      • transparency not always achievable (as it can be used for
        cheating)
      • transparency not always sufficient
      • requirement to provide reasons for its decisions “Because of the
        way machine learning works, explanations might not be possible or
        understandable by humans, and requiring them often reduces the
        accuracy of the underlying algorithms because it forces them to be
        simpler than they would otherwise be” (p112)
      • Maybe what we really want is accountability or contestability.
      • Right now our goals should be as much transparency,
        explainability, and auditability as possible
    • Secure our network connections (p 113) relevant for Router Freedom
      • Provide a secure connection to consumers
      • Help configure users’ Internet devices
      • educate consumers about threats
      • Inform consumers of infections in their infrastructure
      • Publicly report security incident statistics
      • Work with other ISPs to share information about imminent threats
        and during emergencies.
    • Secure the Internet
    • Secure our critical infrastructure
      • mainly energy, finance, and telecommunications as a start
    • Disconnect systems
      • “Collect it all”, not a good approach
      • less centralised and more distributed systems
  • How we can Secure the Internet+

    • four places for policy: ex ante, ex post, mandating disclosure, and
      measures that affect the environment (more broad product
      improvements)
    • create incentives for safe behaviour
    • Criticises “best efforts” as justification to sell insecure products
    • We should have “outcomes-based regulation”, so require a specific
      result – e.g. that IoT products should have a secure way of being
      patched and let industries figure out how to do that. (p123) (Might
      be interesting to think more about that for RED.)
    • Correct misaligned incentives (fines for cheating companies and
      CEOs)
    • Clarify liabilities (terms of service force you to take all the risk
      yourself and protect the companies from lawsuits)
    • “Software manages to evade all of this, both because it’s often
      licensed rather than purchased, and because code is legally
      categorized as a service rather than a product. And even when it is
      a product, the manufacturer can disclaim liability in the end-user
      license agreement – something the courts have upheld.” (p 130)
    • Correct information asymmetries
      • e.g. Product labels
      • Disclosure laws
    • Increase public education
    • raise professional standards
    • close the skill gap
    • increase research
    • fund maintenance and upkeep
      • “After we’re done upgrading our critical Internet infrastructure,
        we’ll need to keep upgrading it. The era where you can build
        systems and have it work for decades is over (if it ever existed);
        computer systems need to be upgraded continuously. We need to
        accept this new, minimalist life span; we need to figure out how
        to keep our systems current; and we need to get ready to pay for
        it. This will be expensive.” (p 143)
  • Government is who enables security

    • example of airplane security improvements through regulation
    • Create a government agency for government regulations
    • Challenges of regulation (p 152): speed, scope, efficacy, and the
      potential of stifling the industries being regulated.
    • Have to start writing laws that are technology neutral (p 153), e.g.
      “communication” instead of voice, video, e-mail, text, private
      message, etc.
    • tech companies spend record amounts for lobbying in Washington. Now
      twice what the banking industry does. (p 154)
    • Norms, treaties and international regulatory bodies
      • Norms: Brad Smith (Microsoft) “Geneva convention” for cyberspace.
  • How Governments can prioritize defense over offense

    • Disclose and fix vulnerabilities
      • Tor Project offers $4,000 for vulnerability issues, while
        cyberweapons manufacturer Zerodium will pay up to $250,000 for
        vulnerabilities in Tor.
      • Recommendation of Zero day blocking by the national security
        council (p 163)
      • Guess that governments keep very small numbers of zero days,
        probably only single digits (p 165)
      • “fixing vulnerabilities isn’t disarmament; it’s making our own
        countries much safer.” (p 166)
    • Design for security and not for surveillance
    • encrypt as much as possible. Makes government surveillance of the
      population more difficult and hurts repressive governments much more
      than democracies
    • separate security from spying
    • make law enforcement smarter
    • rethink the relationship between government and industry
      • Hackbacks: in the end militaries will always have better skill and more funds
        than civil defenders. Governments should be the one to respond.
  • Plan B: what’s likely to happen

    • The US will do nothing soon
      • never underestimate the lobby groups, even at the expense of
        everyone else
      • "Just as we don’t think about road rage and car bombs in the same
        way, even though they both involve cars, we can’t treat all cyber
        threats the same way."
    • Others will regulate
      • Guess that EU will do more in security (p 185) (see RED)
    • What we can do
  • Where policy can go wrong

    • demanding backdoors
      • happening again and again since 1990
      • FBI needs technical experts not backdoors (p 194)
      • 2016 congressional working group concluded: “Any measure that
        weakens encryption works against the national interest.” (p 196)
    • limiting encryption
    • banning anonymity
      • difficulty: example buying alcohol face-to-face already subverted
        (p 200)
    • Mass surveillance
      • ineffective mostly failure of follow-up by investigative leads
    • Hacking back
      • difficulties of attribution
      • hackback penetrates other country’s military
      • ripe for abuse
      • easy for hostilities to escalate
      • unclear if it is even an effective tactic
      • “treat hacking back like bribery” (p 204), declare it illegal
    • restricting the availability of software
      • example radio spectrum (p 204)
      • For RED: “Laws restricting access to software that allows people
        to modify their IoT computers might work against most people for a
        while, but in the end, they would be ineffective because the
        Internet allows the free flow of software and information
        worldwide, and because a domestic-only law would never keep
        computers out of a country.” […] With respect to radios, one
        solution would be to enable all the radios to police themselves.
        Radios could be transformed into a detection grid that located
        malicious or improperly configured transmitters, and then
        forwarded that information to the police, who could then
        investigate alleged violations. Radio systems would be designed to
        withstand attempts at eavesdropping and jamming so that rogue
        transmitters couldn’t interfere with their operation. […]
        DMCA-like restrictions will buy us some time, but they won’t
        solve our security problems.
        (p 206)
  • Towards a trusted, resilient, and peaceful Internet+

    • “Data manipulation is more dangerous than data theft” (p 208)
    • A resilient internet
      • “Resilience is the capacity to cope with unanticipated dangers
        after they have become manifest, learning to bounce back”
    • A demilitarized internet
      • “move beyond military metaphors for internet security. For example,
        conceptualising it as a public hygiene or pollution problem will
        lead us towards different sorts of solutions.” (p 213)

Conclusion

  • Bring technology and policy together
    • Dan Geer “A technology that can give you everything you want is a
      technology that can take away everything that you have.” (p 217)
    • We tend to overestimate the short-term effects of technological
      change while underestimating the long-term effects. (p 218)
    • “Otto von Bismarck observed: “Politics is the art of the possible.”
      To which I reply: Technology is the science of the possible. But
      politics and technology offer different possibilities, and to
      understand this is to realise that politicians and technologists
      define “possible” very differently. As a technologist, I want to
      arrive at the correct answer or the best solution to a problem. A
      politician, on the other hand, is pragmatic, looking not for what’s
      right or what’s best, but for what he or she can actually
      accomplish.” (p 220)
    • Nick Bohm: “the lawyers and engineers whose arguments pass through
      one another like angry ghosts”
    • Two cultures that not only do not talk to each other, they simply
      act as if the other doesn’t exist.
    • “Policy makers and technologists need to work together. They need to
      learn each other’s languages and educate each other.” (p 221)
    • “In my fantasy world, policy decisions look like they do in Star
      Trek: The Next Generation. There, everyone sits around a conference
      table, and the technologists explain the meaning of data and
      scientific realities to Captain Picard. Picard listens, considers
      the facts and his options, then makes a policy decision informed by
      science and technology”. (p 221)
    • People whom we might want to get in contact: Latanya Sweeney, Susan
      Landau, Ed Felten (p 223)
    • Create viable career paths for public-interest technologists (p 224)
    • “nearly all major policy debates in the 21st century will involve
      technology. Whether the subject is weapons of mass destruction,
      robots, climate change, food safety, or drones, understanding policy
      demands understanding the relevant science and technology. If we
      don’t get more technologists working on policy, we’ll wind up with
      bad policy.” (p 225)
    • “Our only hope of getting there is to bring together technologists
      and policy makers in that mythical Star Trek briefing room to work
      this out. Now.” (p225)

After Click here to kill everybody I’m now busy with Data and Goliath.


Thank you very much for the notes. I’m not sure now whether I should still read the book :).

I can recommend it.

As a follow-up: There is an interesting article on LWN “The properties of secure IoT devices” which I recommend if you are interested in IoT security. There are a few properties mentioned in the talk to follow if you want to build a secure device. Make sure to read the intro that puts the talk in context.

In general I agree with the author’s comments in the last paragraphs that balancing between security and ownership needs is a difficult, largely unsolved problem.

Connected with that, please see "“Secure Boot”: Who will control your next computer?"

About the patching part there is another interesting read:

In “What to do about CVE numbers” Greg argues that devices using Linux should make sure to use updates from long-term stable kernels. It is mentioned that Sony and Essential are already quite good with that but that Pixel devices are lagging behind (it is also mentioned that Sony, in particular, has been insisting that its vendors have their code in the mainline kernel). Greg’s point is that “where security matters the most; if these devices keep up with the stable-kernel releases, they will be secure, he said.”