Bruce Schneier

An op-ed by Bruce Schneier. The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which,of course, is not a solution -- is to throw them all away and buy new ones that may be available in a few years. On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15 to 20 years. They've been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.

...The whole concept of "cyberspace" implies the occupancy by people, or entities that represent people, accessing resources, data files, and applications by moving from place to place like browsing a shopping mall..."There's going to be a lot more 'what's,'" described noted security expert and author Bruce Schneier, referring to a communications system whose ratio of entities to people will only grow. "What sent this? It's going to be a streetlight sensor that's telling me the traffic on this street is such that I'm going to try this other way. Or that I should brake now and not in fifteen milliseconds, because that'll save my life."

An op-ed by Bruce Schneier. The cellphones we carry with us constantly are the most perfect surveillance device ever invented, and our laws haven’t caught up to that reality. That might change soon. This week, the Supreme Court will hear a case with profound implications on your security and privacy in the coming years. The Fourth Amendment’s prohibition of unlawful search and seizure is a vital right that protects us all from police overreach, and the way the courts interpret it is increasingly nonsensical in our computerized and networked world. The Supreme Court can either update current law to reflect the world, or it can further solidify an unnecessary and dangerous police power.

In real life, in the natural course of conversation, it is not uncommon to talk about a person you may know. You meet someone and say, “I’m from Sarasota,” and they say, “Oh, I have a grandparent in Sarasota,” and they tell you where they live and their name, and you may or may not recognize them. You might assume Facebook’s friend recommendations would work the same way: You tell the social network who you are, and it tells you who you might know in the online world. But Facebook’s machinery operates on a scale far beyond normal human interactions. And the results of its People You May Know algorithm are anything but obvious...Facebook doesn’t keep profiles for non-users, but it does use their contact information to connect people. “Mobile phone numbers are even better than social security numbers for identifying people,” said security technologist Bruce Schneier by email. “People give them out all the time, and they’re strongly linked to identity.”

When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements...Still, most states lack the mechanisms to deal with large-scale changes to voter registration, said Bruce Schneier, a cybersecurity specialist at Harvard’s Berkman Center who has written frequently about the security vulnerabilities of U.S. election systems. “Imagine an election in a state office, where 20 percent of the people can’t vote, and everyone says the voting roll was hacked. There’s no system to deal with that — there’s no plan, no rules,” he said.

The Trump administration is exploring ways to replace the use of Social Security numbers as the main method of assuring people’s identities in the wake of consumer credit agency Equifax Inc.’s massive data breach...Over the decades, the Social Security number became valuable for what could be gained by stealing it, said Bruce Schneier, a fellow at Harvard’s Kennedy School of Government. It was the only number available to identify a person and became the standard used for everything from confirming someone at the doctor’s office to school. “They appeared at an age when we didn’t have other numbers,” Schneier said in an interview. “Think of this as part of our aging infrastructure” from roads and bridges to communications. “Sooner or later we as a society need to fix our aging infrastructure.”

Of the smorgasbord of features stuffed into Apple's new thousand-dollar iPhone X, one of the most intriguing is Face ID — a new feature that lets you unlock your iPhone with your gaze after the system has learned what you look like, using Apple’s first-ever neural engine. “In the iPhone X, your phone is locked — until you look at it, and it recognizes you," Phil Schiller, Apple’s senior vice president of worldwide marketing, said onstage at today’s iPhone event. “Nothing has ever been simpler, more natural, and effortless.”...Meanwhile, Bruce Schneier, an internet security expert and chief technology officer at Resillient Systems, a subsidiary of IBM, said Apple’s “one in a million” failure claim may well hold up — but that it doesn’t matter if even one person in a million is still able to break into your phone. “That’s why [security] professionals don’t unlock phones that way,” Schneier wrote to BuzzFeed News in an email.

An op-ed by Bruce Schneier. Last Thursday, Equifax reported a data breach that affects 143 million US customers, about 44% of the population. It's an extremely serious breach; hackers got access to full names, Social Security numbers, birth dates, addresses, driver's license numbers -- exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, and other businesses vulnerable to fraud. Many sites posted guides to protecting yourself now that it's happened. But if you want to prevent this kind of thing from happening again, your only solution is government regulation (as unlikely as that may be at the moment).

A few weeks ago, the Bridgehampton Chamber Music Festival held one of its occasional outdoor concerts at a nearby Long Island winery...Afterward, when someone inquired about the presence of these heavily armed police, he was told that the Southampton police department required the extra protection...The militarization of local police forces, of course, is a trend that began after the Sept. 11 attacks, when many departments added “fighting terror” to their mission statements, and when the federal government began to make money available to local police to buy military-style equipment, including automatic weapons, night vision goggles and other paraphernalia. As the security expert Bruce Schneier points out, “when they get this stuff, they want to trot it out. So now it is being used.”

An interview with Bruce Schneier. In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life. In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data.

John Essey and family live in a modest, two-story home on a tree-lined street in the suburbs north of Pittsburgh. From the outside, it looks like any other house in the neighborhood. But this house has a brain...While Essey's setup might sound a little like science fiction, it's a prototype of the future. Some critics are worried these devices won't be secure and that companies will use them to spy on us to make money..."Surveillance is now the business model of the Internet. Companies make money spying on you," says Bruce Schneier, an Internet security expert and the chief technology officer at IBM's cybersecurity arm.

An op-ed by Trey Herr and Bruce Schneier. Software and computer systems are a standard target of intelligence collection in an age where everything from your phone to your sneakers has been turned into a connected computing device. A modern government intelligence organization must maintain access to some software vulnerabilities into order to target these devices. However, the WannaCry ransomware and NotPetya attacks have called attention to the perennial flipside of this issue—the same vulnerabilities that the U.S. government uses to conduct this targeting can also be exploited by malicious actors if they go unpatched.

We’re all aware of the deal we make when we sign up with Facebook: we get somewhere to post vacation photos and stalk friends, and Mark Zuckerberg gets to sell your passion for fishing trips to fishing equipment retailers. What you might not realize is how deep or extensive the tracking goes—so let’s shed some light on it...“Even if people are aware of what data they’re telling Facebook about themselves, they’re unaware about the types of correlations that Facebook can make based on that data,” Bruce Schneier, a security expert and fellow at Harvard’s Berkman Center, told Gizmodo. “This is normal—we tend to focus on the data collection because that’s easier to see. I think the real problem are the correlations, which are much harder to see.”

An op-ed by Bruce Schneier. There is plenty of blame to go around for the WannaCry ransomware that spread throughout the Internet earlier this month, disrupting work at hospitals, factories, businesses, and universities. First, there are the writers of the malicious software, which blocks victims’ access to their computers until they pay a fee. Then there are the users who didn’t install the Windows security patch that would have prevented an attack. A small portion of the blame falls on Microsoft, which wrote the insecure code in the first place. One could certainly condemn the Shadow Brokers, a group of hackers with links to Russia who stole and published the National Security Agency attack tools that included the exploit code used in the ransomware. But before all of this, there was the NSA, which found the vulnerability years ago and decided to exploit it rather than disclose it.

An op-ed by Bruce Schneier. As devastating as the latest widespread ransomware attacks have been, it’s a problem with a solution. If your copy of Windows is relatively current and you’ve kept it updated, your laptop is immune. It’s only older unpatched systems on your computer that are vulnerable...But it is a system that’s going to fail in the “internet of things”: everyday devices like smart speakers, household appliances, toys, lighting systems, even cars, that are connected to the web. Many of the embedded networked systems in these devices that will pervade our lives don’t have engineering teams on hand to write patches and may well last far longer than the companies that are supposed to keep the software safe from criminals. Some of them don’t even have the ability to be patched.

An op-ed by Bruce Schneier. Ransomware isn’t new, but it’s increasingly popular and profitable...The ransomware that has affected systems in more than 150 countries recently, WannaCry, made press headlines last week, but it doesn’t seem to be more virulent or more expensive than other ransomware...The lessons for users are obvious: Keep your system patches up to date and regularly backup your data. This isn’t just good advice to defend against ransomware, but good advice in general. But it’s becoming obsolete.

An op-ed by Bruce Schneier. The Department of Homeland Security is rumored to be considering extending the current travel ban on large electronics for Middle Eastern flights to European ones as well. The likely reaction of airlines will be to implement new traveler programs, effectively allowing wealthier and more frequent fliers to bring their computers with them. This will only exacerbate the divide between the haves and the have-nots -- all without making us any safer.

The WikiLeaks publication of hacking tools and malware the CIA has allegedly used continues to stir the ire and fear of those concerned about the possible risk of the US government’s backdoor access to private data. But WikiLeaks’ publication of alleged CIA-created malware instructions, which the CIA has not confirmed as authentic, diverts attention away from how numerous other state-sponsored agents are aggressively seeking to steal intellectual property and other data, security experts say...Tools developed by governmental agencies also often eventually trickle down for use by hackers once they are leaked. The hacking tools revealed in the Vault 7 data, have been “around for a while” because of the dates on the files, Bruce Schneier, the chief technology officer of IBM Resilient and a fellow at Harvard’s Berkman Center, told Intellectual Property Watch. “Today’s top-secret NSA programs become tomorrow’s PhD theses and tomorrow’s hacker tools,” Schneier said. “These capabilities goes downhill.”

A message from Vladimir Putin can take many forms. It can be as heavy-handed as a pair of Russian bombers buzzing the Alaska coast, or as lethal as the public assassination of a defector on the streets of Kiev. Now Putin may be sending a message to the American government through a more subtle channel: an escalating series of U.S. intelligence leaks that last week exposed an NSA operation in the Middle East and the identity of an agency official who participated...“I think there’s something going on between the U.S. and Russia that we’re just seeing pieces of,” said security technologist Bruce Schneier, chief technology officer at IBM Resilient. “What happens when the deep states goes to war with each other and doesn’t tell the rest of us?”

Last week, President Donald Trump signed a controversial new law, allowing internet providers to continue gathering sensitive information on their users and selling that data to advertisers. News sites erupted with recommendations for keeping browsing history private—but because all the data people send and receive online goes through their service providers, that’s easier said than done...Bruce Schneier, a fellow at Harvard’s Berkman Center and the author of Schneier on Security, warned against underestimating internet providers’ ability—and drive—to see through data-obfuscation tactics. “The question is, after 100 years of coding theory, how good are those algorithms at finding the signal in the noise?” he asked.