WW: Bruce Schneier on why security can't work
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Three words: "desktop gene sequencing", "ebola", "script kiddies".
I dunno how to fix it either.
Cheers,
-- jra
--
Jay R. Ashworth    Baylink    jra@baylink.com
Designer    The Things I Think    RFC 2100
Ashworth & Associates    http://baylink.pitas.com    2000 Land Rover DII
St Petersburg FL USA    #natog    +1 727 647 1274
Jay Ashworth wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Three words: "desktop gene sequencing", "ebola", "script kiddies".
I dunno how to fix it either.
I think that's six words - twice as scary. I dunno how to fix it either ("when in trouble, when in doubt, run in circles, scream and shout?")
--
In theory, there is no difference between theory and practice. In practice, there is. .... Yogi Berra
On Thu, 14 Mar 2013 19:56:51 -0400, Miles Fidelman said:
I think that's six words - twice as scary. I dunno how to fix it either ("when in trouble, when in doubt, run in circles, scream and shout?")
I don't think script kiddies with gene sequencers will manage to kill us with Ebola, for the same reason that script kiddies haven't managed to kill the Internet - by the time they figure out how to not kill themselves with the Ebola, they usually figure out that it's a losing proposition (consider the number of nation states that *could* deploy biological weapons compared to the number that actually have).
Anybody seriously think the RBN couldn't kill the Internet if they really wanted to? Why don't they? Because they can't monetize a dead Internet.
Having said that, we probably *will* see a number of incidents where the biohazard cleanup crews have to clean up a local mess...
Not really anything all that new from a conceptual perspective: http://www.youtube.com/watch?v=3hZo5k0V9M0
Owen
On Mar 14, 2013, at 5:39 PM, Valdis.Kletnieks@vt.edu wrote:
On Thu, 14 Mar 2013 19:56:51 -0400, Miles Fidelman said:
I think that's six words - twice as scary. I dunno how to fix it either ("when in trouble, when in doubt, run in circles, scream and shout?")
I don't think script kiddies with gene sequencers will manage to kill us with Ebola, for the same reason that script kiddies haven't managed to kill the Internet - by the time they figure out how to not kill themselves with the Ebola, they usually figure out that it's a losing proposition (consider the number of nation states that *could* deploy biological weapons compared to the number that actually have).
Anybody seriously think the RBN couldn't kill the Internet if they really wanted to? Why don't they? Because they can't monetize a dead Internet.
Having said that, we probably *will* see a number of incidents where the biohazard cleanup crews have to clean up a local mess...
---- Original Message -----
From: "Owen DeLong" <owen@delong.com>
Not really anything all that new from a conceptual perspective:
Maybe, but bio is a bigger spread hazard than nuke, and harder to test for -- which is probably why, by policy, DOD/NCA treats it as a WMD.
Cheers,
-- jra
On Thu, Mar 14, 2013 at 08:39:20PM -0400, Valdis.Kletnieks@vt.edu wrote:
Having said that, we probably *will* see a number of incidents where the biohazard cleanup crews have to clean up a local mess...
The DIYbio community is perfectly harmless so far. The feds are already breathing down their necks, so there's really no point in adding gratuitous gasoline to the fire.
On Fri, 15 Mar 2013 11:02:29 +0100, you said:
The DIYbio community is perfectly harmless so far. The feds are already breathing down their necks, so there's really no point in adding gratuitous gasoline to the fire.
"The Feds" have jurisdiction in Yemen, North Korea, Iran, and other places like that? That's a relief, I'm glad to see we've actually got a way to stop those places that engage in constant sabre-rattling....
On 2013-03-14 13:56, Jay Ashworth wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Three words: "desktop gene sequencing", "ebola", "script kiddies".
When the costs of offense fall, a pretty good response is to drive the costs of defense through the floor. E.g. how do we drive the costs of mitigating DDoSs down further? A second best response would be ubiquitous surveillance....
On Thu, Mar 14, 2013 at 1:56 PM, Jay Ashworth <jra@baylink.com> wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Although I don't disagree with Bruce, this sort of "scare article" doesn't seem to be very in character for him.
-- Darius Jahandarie
There's nothing much new in the article other than the usual headline grabbing soundbite and tortured big bang analogy
--srs (htc one x)
On 15-Mar-2013 6:04 AM, "Darius Jahandarie" <djahandarie@gmail.com> wrote:
On Thu, Mar 14, 2013 at 1:56 PM, Jay Ashworth <jra@baylink.com> wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Although I don't disagree with Bruce, this sort of "scare article" doesn't seem to be very in character for him.
-- Darius Jahandarie
On 14 March 2013 18:56, Jay Ashworth <jra@baylink.com> wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
Three words: "desktop gene sequencing", "ebola", "script kiddies".
I dunno how to fix it either.
Cheers, -- jra
This is a problem for the future to solve. Not us.
In bioweapons, I think we are still on the "happy hackers era", where people in a biochemical laboratory in Liverpool have access to some fungus that can wipe half the city, but don't, because they have a lot of fun studying the fungus to learn new antibiotics, or maybe to cure baldness. Scientists are, of course, hackers. Fun people that ask this question: Exploitability. Can this fungus be used to cure baldness? Can this fungus be exploited to remove plastic from our oceans?
Exploitability is a fun good word, and I never see a person like Bruce Schneier talk about it (how fucking awesome is exploitability). So reading people like Bruce Schneier you only get half the picture. We exist only because the carbon based chemistry is exploitable to the x900000. If carbon were less exploitable, like silice, maybe life would not exist. Similarly, maybe you need exploitability to have an internet.
--
End of message.
On 2013-03-15 12:33, . wrote:
Similarly, maybe you need exploitability to have an internet.
Exploitability = usability from a different perspective. Postel said "be conservative in what you do, be liberal in what you accept", which seems like usability restated, and would QED this. Granted, we think we've made something fairly usable: it's always someone else's filter fail or multi-hour/day DDoS that ends up in the news... until we get unlucky. ;)
On Mar 15, 2013, at 5:16 AM, Patrick <nanog@haller.ws> wrote:
On 2013-03-15 12:33, . wrote:
Similarly, maybe you need exploitability to have an internet.
Exploitability = usability from a different perspective.
Postel said "be conservative in what you do, be liberal in what you accept", which seems like usability restated, and would QED this.
Actually, it was "be conservative in what you send, liberal in what you accept." Small nit, but does change the meaning a bit in this context.
Owen
On 2013-03-15 06:44, Owen DeLong wrote:
Actually, it was "be conservative in what you send, liberal in what you accept."
Maybe you're thinking of another time/place, I was referring to: http://tools.ietf.org/html/rfc761
----- Original Message -----
From: "." <oscar.vives@gmail.com>
This is a problem for the future to solve. Not us.
Seriously?
In bioweapons, I think we are still on the "happy hackers era", where people in a biochemical laboratory in Liverpool have access to some fungus that can wipe half the city, but don't, because they have a lot of fun studying the fungus to learn new antibiotics, or maybe to cure baldness. Scientists are, of course, hackers. Fun people that ask this question: Exploitability. Can this fungus be used to cure baldness? Can this fungus be exploited to remove plastic from our oceans?
Exploitability is a fun good word, and I never see a person like Bruce Schneier talk about it (how fucking awesome is exploitability). So reading people like Bruce Schneier you only get half the picture. We exist only because the carbon based chemistry is exploitable to the x900000. If carbon were less exploitable, like silice, maybe life would not exist. Similarly, maybe you need exploitability to have an internet.
You very well might. But never before have the stakes been this high. As Spenser is so fond of quoting Clausewitz: you plan not for your enemy's intentions, but for his capabilities. In the next 3 years, it will become possible to build an autonomously navigating aircraft that can a) cross the Atlantic and b) carry a nuclear weapon. The surveillance someone advocates in another posting won't help you there; your first warning will be "Manhattan goes boom".
Cheers,
-- jra
On 3/18/13, Jay Ashworth <jra@baylink.com> wrote: [snip]
In the next 3 years, it will become possible to build an autonomously navigating aircraft that can a) cross the Atlantic and b) carry a nuclear weapon.
Not only is it already possible to build a human manually navigated aircraft that can do both (a), and (b), they already exist, and computer autonomy isn't necessary or useful, to hit a single big target; now computer autonomous aircraft that can do only (a) could be just as useful as decoys. Nuclear weapons are rare, expensive, and the existing ones are (hopefully) well-secured, due to their extremely high value. I would be more concerned about the possibility of a large swarm -- of half a million solar powered drones of the approximate size of a large eagle capable of crossing the oceans and releasing a spray of bio agents over very large distances.
-- jra -- -JH
----- Original Message -----
From: "Jimmy Hess" <mysidia@gmail.com>
On 3/18/13, Jay Ashworth <jra@baylink.com> wrote: [snip]
In the next 3 years, it will become possible to build an autonomously navigating aircraft that can a) cross the Atlantic and b) carry a nuclear weapon.
Not only is it already possible to build a human manually navigated aircraft that can do both (a), and (b), they already exist, and computer autonomy isn't necessary or useful, to hit a single big target; now computer autonomous aircraft that can do only (a) could be just as useful as decoys.
Sure it is. An autonomous UPV *is small enough to bust the ADIZ without returning a skin paint*.
Nuclear weapons are rare, expensive, and the existing ones are (hopefully) well-secured, due to their extremely high value. I would be more concerned about the possibility of a large swarm -- of half a million solar powered drones of the approximate size of a large eagle capable of crossing the oceans and releasing a spray of bio agents over very large distances.
Whichever weapon is chosen, the point remains that the battlefield is asymmetric, and it's asymmetric *against us*.
Cheers,
-- jra
In history, people get taken unawares, by their neighbours. We don't implement systems to protect against that - no matter how much betrayal stares us in the face. The price of peace is eternal diligence and no-one writes that cheque.
From Troy to Chamberlain - it's not an issue of finding new regimes of trust. We look to trust whether or not it's warranted. That's a failure point.
Therefore somebody's going to get screwed at some point. Anything less and we're already dead - only the dead have seen the end of war ... The difference here is the battleground and maybe the scale. Otherwise there's nothing special about information systems. Some time later the black plague/spanish flu comes along and teaches us about fragility and brittleness. I'm a fan of Bruce but looking to trust is not a prophylactic. Yes we trust ... and scheme about destroying our neighbours or defending ourselves or whatever. Engineering against nature/mathematics is a much loftier pursuit. Turn off the internet tomorrow for a day ... or a week or a year and carry on. That's the only kind of resilience worth worrying about. Everything else is a side show. Crazy talk sure, the internet's JAM - Just Another Machine - but worrying about bad people as the only stressor is setting the bar pretty low. We're much better off asking our hospitals "what will you do when the network is broken for a year" than asking our network people how they'll cope with bad guys and bad packets. That's the difference between a real scenario and a faux pas and there's a big mix of the two in the linked article ...
On Mon, Mar 18, 2013 at 06:31:03PM -0500, Jimmy Hess wrote:
On 3/18/13, Jay Ashworth <jra@baylink.com> wrote: [snip]
In the next 3 years, it will become possible to build an autonomously navigating aircraft that can a) cross the Atlantic and b) carry a nuclear weapon.
Not only is it already possible to build a human manually navigated aircraft that can do both (a), and (b), they already exist, and computer
Or you could use a shipping container, or just bring in the parts in hand luggage, and assemble on site.
autonomy isn't necessary or useful, to hit a single big target; now computer autonomous aircraft that can do only (a) could be just as useful as decoys.
Nuclear weapons are rare, expensive, and the existing ones are
Far from expensive, a bargain-basement version would only cost you 100 kUSD in materials. Even at MUSD level, the kill costs at about 1 USD/kill is extremely cost-effective.
(hopefully) well-secured, due to their extremely high value. I would be more concerned about the possibility of a large swarm -- of half a million solar powered drones of the approximate size of a large eagle capable of crossing the oceans and releasing a spray of bio agents over very large distances.
On Mar 19, 2013, at 3:07 PM, Eugen Leitl wrote:
Or you could use a shipping container, or just bring in the parts in hand luggage, and assemble on site.
Folks, this topic is far, far off-topic for this list.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Luck is the residue of opportunity and design. -- John Milton
On 3/14/13, Jay Ashworth <jra@baylink.com> wrote:
http://www.wired.com/opinion/2013/03/security-when-the-bad-guys-have-technol...
So what I gather from that: "Calling terrorism an existential threat is ridiculous in a country where more people die each month in car crashes than died in the 9/11 terrorist attacks."
And there you have it :)
Security obviously works thus far, in the sense, that so far, government has been preserved -- there is not total chaos, in at least most of the world, and people do not doubt if their life or property will still exist the next day.
There have been incidents, even serious ones, and times when security failed -- it just means that security is not perfect, but hardly anything humans do is perfect; devices we make fail, accidents happen. I never saw an article yet about why engineering can't work, or why driver safety can't work (driver licensure/speed limits/seatbelts/traffic signs). Accidents are inevitable, and maybe the miscreants are able to take advantage of new faster engine technology before the police can, but it's not the point :)
Abusing new technology faster doesn't trump the extreme smallness of the numbers of truly bad actors, who have irrational thinking, would like to end civilization, and the intersection between those and those who have a viable method that would work + the right resources/skill available, and a reasonable chance of success.... astronomically small
If in a few decades, there is a 0.1% chance per decade of a script kiddie ending civilization, I think we've got few reasonable alternatives but to accept that risk and hope for the best :)
Three words: "desktop gene sequencing", "ebola", "script kiddies".
Good thing genetic manipulation is highly non-trivial, and obtaining ebola samples would require significant legwork while script kiddies lack motivation, and there are much lazier, less risky/dangerous, more profitable ways for them to steal. At least for the foreseeable future until financial account theft becomes a solved problem. Then they might move to ransomware that threatens to shut down power grids, if they don't get paid, I suppose... but for the foreseeable future; there's no mechanism for using a computer to modify a virus to insert spam or email-cc-details commands directly into people's brains, or to infect people's brains with malware to create a human botnet. At that point, perhaps in a couple hundred years, one begins to become concerned that one of the human botnet operators, could end civilization by accident.
-- jra -- -JH
And there you have it :)
Security obviously works thus far, in the sense, that so far, government has been preserved -- there is not total chaos, in at least most of the world, and people do not doubt if their life or property will still exist the next day.
I'm not sure I would even put "government has been preserved" on the list of considerations for the success or failure of security.
I would put "law and order", "governance and/or the process of governance" on the list, but especially in a post-911 world, the US Government has departed from those ideals to varying degrees.
Do not get me wrong, I am not advocating radical revolution or saying that we should tear down the existing institutions. Merely that we should be careful in our default use of terminology and focus on what we really want to preserve. Ideally, we can restore the US government to its proper (and limited) function. (That does not mean eliminating government services and making it small enough to fit in our bedrooms, either.)
I'm not supporting any of the current Washington agendas and parties. I'm fed up with all of them at this point and unless they start working on solving problems instead of posturing all the time, I won't be supporting ANY incumbents.
Abusing new technology faster doesn't trump the extreme smallness of the numbers of truly bad actors, who have irrational thinking, would like to end civilization, and the intersection between those and those who have a viable method that would work + the right resources/skill available, and a reasonable chance of success.... astronomically small
The bottom line is that any system of laws and/or governance depends entirely on voluntary compliance by the majority of the actors.
If in a few decades, there is a 0.1% chance per decade of a script kiddie ending civilization, I think we've got few reasonable alternatives but to accept that risk and hope for the best :)
On the other hand, I will hold up the U.S.A.P.A.T.R.I.O.T. act and the T.S.A. as proof that we are rather adept at exploring and sometimes acting on the unreasonable alternatives.
Owen
The US law enforcement is getting closer and closer at being able to be DDoS-ed very effectively because of all of their advisories about "see something, say something" and all other scare tactics crap they come up with. I mean it's bad some guy shot up a lot of people in a theater or in a school, but now it's sufficient to call 911 and say you saw a guy with what looks like an assault rifle in a theater or school campus and then just grab a bucket of popcorn and see everyone panic and SWAT teams with guns blazing canvassing the objective. Do it in a coordinated fashion on a daily basis and bam: DDoS at its finest. No one would take a chance to treat the calls as pranks because if they get it wrong only once, they will be in a very big s***storm. Not to talk about economic losses because once a day a mall gets evacuated for a few hours. The cost of pulling it off: none. 911 calls are free :))
Today, tomorrow, someone else will shoot up a mall. What are you going to do? Install TSA scanners at mall entrances? No problem, you can shoot people in a subway station? What, TSA at every subway station entrance in the country? At every bus station? Blackwater security with metal detectors every conference held in a hotel? Or just play it cool and live normally with the chance that the next disgruntled person with a gun will not choose the same place you happen to be at at any particular time. The "disgruntled person with a gun" can be replaced with your favorite type of bad guy (bio-terrorist, suicide bomber etc).
It's not a secret that people do stupid things when they're scared and all of the world's governments know this and never lose the chance to pass more restrictive laws whenever a tragedy happens and people would support anything that they believe would stop another incident. What people need is more common sense and not to get scared and panicked by whatever scare the media throws at them. They would twist stories to get ratings in unimaginable ways.
Statistically speaking, every one of us has a chance everyday to die in an accident (get hit by a car, bus, metro, train whatever). This does not mean that everyone should stay home and do nothing. Even at home you can cut yourself very badly with a knife making dinner :)) Minimize the big threats using intelligence services effectively, and smaller ones if you can in a non-intrusive way. Perfect security will never be something that can be attained. Even from North Korea people escape from time to time, and they are surveilled like crazy.
On Fri, Mar 15, 2013 at 3:53 PM, Owen DeLong <owen@delong.com> wrote:
And there you have it :)
Security obviously works thus far, in the sense, that so far, government has been preserved -- there is not total chaos, in at least most of the world, and people do not doubt if their life or property will still exist the next day.
I'm not sure I would even put "government has been preserved" on the list of considerations for the success or failure of security.
I would put "law and order", "governance and/or the process of governance" on the list, but especially in a post-911 world, the US Government has departed from those ideals to varying degrees.
Do not get me wrong, I am not advocating radical revolution or saying that we should tear down the existing institutions. Merely that we should be careful in our default use of terminology and focus on what we really want to preserve. Ideally, we can restore the US government to its proper (and limited) function. (That does not mean eliminating government services and making it small enough to fit in our bedrooms, either.)
I'm not supporting any of the current Washington agendas and parties. I'm fed up with all of them at this point and unless they start working on solving problems instead of posturing all the time, I won't be supporting ANY incumbents.
Abusing new technology faster doesn't trump the extreme smallness of the numbers of truly bad actors, who have irrational thinking, would like to end civilization, and the intersection between those and those who have a viable method that would work + the right resources/skill available, and a reasonable chance of success.... astronomically small
The bottom line is that any system of laws and/or governance depends entirely on voluntary compliance by the majority of the actors.
If in a few decades, there is a 0.1% chance per decade of a script kiddie ending civilization, I think we've got few reasonable alternatives but to accept that risk and hope for the best :)
On the other hand, I will hold up the U.S.A.P.A.T.R.I.O.T. act and the T.S.A. as proof that we are rather adept at exploring and sometimes acting on the unreasonable alternatives.
Owen
participants (13)
- .
- Darius Jahandarie
- David Walker
- Dobbins, Roland
- Eugen Leitl
- Eugeniu Patrascu
- Jay Ashworth
- Jimmy Hess
- Miles Fidelman
- Owen DeLong
- Patrick
- Suresh Ramasubramanian
- Valdis.Kletnieks@vt.edu