Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/07/third_annual_cy.html
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/07/gas_pump_hack.html
This is weird:
Police in Detroit are looking for two suspects who allegedly managed to hack a gas pump and steal over 600 gallons of gasoline, valued at about $1,800. The theft took place in the middle of the day and went on for about 90 minutes, with the gas station attendant unable to thwart the hackers.
The theft, reported by Fox 2 Detroit, took place at around 1pm local time on June 23 at a Marathon gas station located about 15 minutes from downtown Detroit. At least 10 cars are believed to have benefitted from the free-flowing gas pump, which still has police befuddled.
Here’s what is known about the supposed hack: Per Fox 2 Detroit, the thieves used some sort of remote device that allowed them to hijack the pump and take control away from the gas station employee. Police confirmed to the local publication that the device prevented the clerk from using the gas station’s system to shut off the individual pump.
Hard to know what’s true, but it seems like a good example of a hack against a cyber-physical system.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/06/free_societies_.html
Jack Goldsmith and Stuart Russell just published an interesting paper, making the case that free and democratic nations are at a structural disadvantage in nation-on-nation cyberattack and defense. From a blog post:
It seeks to explain why the United States is struggling to deal with the “soft” cyber operations that have been so prevalent in recent years: cyberespionage and cybertheft, often followed by strategic publication; information operations and propaganda; and relatively low-level cyber disruptions such as denial-of-service and ransomware attacks. The main explanation is that constituent elements of U.S. society — a commitment to free speech, privacy and the rule of law; innovative technology firms; relatively unregulated markets; and deep digital sophistication — create asymmetric vulnerabilities that foreign adversaries, especially authoritarian ones, can exploit. These asymmetrical vulnerabilities might explain why the United States so often appears to be on the losing end of recent cyber operations and why U.S. attempts to develop and implement policies to enhance defense, resiliency, response or deterrence in the cyber realm have been ineffective.
I have long thought this to be true. There are defensive cybersecurity measures that a totalitarian country can take that a free, open, democratic country cannot. And there are attacks against a free, open, democratic country that just don’t matter to a totalitarian country. That makes us more vulnerable. (I don’t mean to imply — and neither do Russell and Goldsmith — that this disadvantage implies that free societies are overall worse, but it is an asymmetry that we should be aware of.)
I do worry that these disadvantages will someday become intolerable. Dan Geer often said that “the price of freedom is the probability of crime.” We are willing to pay this price because it isn’t that high. As technology makes individual and small-group actors more powerful, this price will get higher. Will there be a point in the future where free and open societies will no longer be able to survive? I honestly don’t know.
EDITED TO ADD (6/21): Jack Goldsmith also wrote this.
Post Syndicated from Andy original https://torrentfreak.com/despite-us-criticism-ukraine-cybercrime-chief-receives-few-piracy-complaints-180522/
At various points over the years, The Pirate Bay, KickassTorrents, ExtraTorrent, Demonoid and a raft of streaming portals could be found housed in Ukraine’s data centers, reportedly taking advantage of laws more favorable than those in the US and EU.
As a result, Ukraine has been regularly criticized for not doing enough to combat piracy but when placed under pressure, it does take action. In 2010, for example, the local government expressed concerns about the hosting of KickassTorrents in the country and in August the same year, the site was kicked out by its host.
“Kickasstorrents.com main web server was shut down by the hosting provider after it was contacted by local authorities. One way or another I’m afraid we must say goodbye to Ukraine and move the servers to other countries,” the site’s founder told TF at the time.
In the years since, Ukraine has launched sporadic action against pirate sites and has taken steps to tighten up copyright law. The Law on State Support of Cinematography came into force during April 2017 and gave copyright owners new tools to combat infringement by forcing (in theory, at least) site operators and web hosts to respond to takedown requests.
But according to the United States and Europe, not enough is being done. After the EU Commission warned that Ukraine risked damaging relations with the EU, last September US companies followed up with another scathing attack.
In a recommendation to the U.S. Government, the IIPA, which counts the MPAA, RIAA, and ESA among its members, asked U.S. authorities to suspend or withdraw Ukraine’s trade benefits until the online piracy situation improves.
“Legislation is needed to institute proper notice and takedown provisions, including a requirement that service providers terminate access to individuals (or entities) that have repeatedly engaged in infringement, and the retention of information for law enforcement, as well as to provide clear third party liability regarding ISPs,” the IIPA wrote.
But amid all the criticism, Ukraine cyber police chief Sergey Demedyuk says that while his department is committed to tackling piracy, it can only do so when complaints are filed with him.
“Yes, we are engaged in piracy very closely. The problem is that piracy is a crime of private accusation. So here we deal with them only in cases where we are contacted,” Demedyuk said in an Interfax interview published yesterday.
Surprisingly, given the number of dissenting voices, it appears that complaints about these matters aren’t exactly prevalent. So are there many at all?
“Unfortunately, no. In the media, many companies claim that their rights are being violated by pirates. But if you count the applications that come to us, they are one,” Demedyuk reveals.
“In general, we are handling Ukrainian media companies, who produce their own product and are worried about its fate. Also on foreign films, the ‘Anti-Piracy Agency’ refers to us, but not as intensively as before.”
Why complaints are going down, Demedyuk does not know, but when his unit is asked to take action it does so, he claims. Indeed, Demedyuk cites two particularly significant historical operations against a pair of large ‘pirate’ sites.
In 2012, Ukraine shut down EX.ua, a massive cyberlocker site following a six-month investigation initiated by international tech companies including Microsoft, Graphisoft and Adobe. Around 200 servers were seized, together hosting around 6,000 terabytes of data.
Then in November 2016, following a complaint from the MPAA, police raided FS.to, one of Ukraine’s most popular pirate sites. Initial reports indicated that 60 servers were seized and 19 people were arrested.
“To see the effect of combating piracy, this should not be done at the level of cyberpolicy, but at the state level,” Demedyuk advises.
“This requires constant close interaction between law enforcement agencies and rights holders. Only by using all these tools will we be able to effectively counteract copyright infringements.”
Meanwhile, the Office of the United States Trade Representative has maintained Ukraine’s position on the Priority Watchlist of its latest Special 301 Report, and there are no signs it will be leaving anytime soon.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2018/01/estimating_the_.html
It’s really hard to estimate the cost of an insecure Internet. Studies are all over the map. A methodical study by RAND is the best work I’ve seen at trying to put a number on this. The results are, well, all over the map:
Abstract: There is marked variability from study to study in the estimated direct and systemic costs of cyber incidents, which is further complicated by the considerable variation in cyber risk in different countries and industry sectors. This report shares a transparent and adaptable methodology for estimating present and future global costs of cyber risk that acknowledges the considerable uncertainty in the frequencies and costs of cyber incidents. Specifically, this methodology (1) identifies the value at risk by country and industry sector; (2) computes direct costs by considering multiple financial exposures for each industry sector and the fraction of each exposure that is potentially at risk to cyber incidents; and (3) computes the systemic costs of cyber risk between industry sectors using Organisation for Economic Co-operation and Development input, output, and value-added data across sectors in more than 60 countries. The report has a companion Excel-based modeling and simulation platform that allows users to alter assumptions and investigate a wide variety of research questions. The authors used a literature review and data to create multiple sample sets of parameters. They then ran a set of case studies to show the model’s functionality and to compare the results against those in the existing literature. The resulting values are highly sensitive to input parameters; for instance, the global cost of cyber crime has direct gross domestic product (GDP) costs of $275 billion to $6.6 trillion and total GDP costs (direct plus systemic) of $799 billion to $22.5 trillion (1.1 to 32.4 percent of GDP).
Here’s Rand’s risk calculator, if you want to play with the parameters yourself.
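To make the abstract’s three steps concrete, here is an added toy model. It is my own illustration, not RAND’s code or data, and none of the sector figures come from the report: a constructed three-sector economy, a direct-loss calculation from exposure and fraction-at-risk parameters (step 2), and a Leontief input-output propagation that turns direct losses into direct-plus-systemic losses (step 3). Sector outputs, the coefficient matrix `A`, and the two parameter scenarios are all invented for the example. It generalizes slightly beyond the abstract by showing the mechanism behind the wide published range: the model is linear in the fraction-at-risk and incident-probability inputs, so a 20x change in those inputs moves the headline total by 20x, and the inter-sector linkages add a systemic component on top of the direct one.

```python
"""Added example: a toy direct-plus-systemic cyber cost model in the shape
the RAND abstract describes. Not RAND's code; every number is constructed."""
from typing import Dict, List

SECTORS = ["finance", "manufacturing", "services"]
# Annual gross output per sector, billions of dollars (constructed).
OUTPUT = [400.0, 600.0, 1000.0]
# Technical coefficients A[i][j]: dollars of sector i's output consumed per
# dollar of sector j's output (constructed; RAND derives these from OECD
# input-output tables).
A = [
    [0.05, 0.10, 0.08],
    [0.02, 0.20, 0.05],
    [0.10, 0.15, 0.12],
]


def direct_cost(output, exposure_fraction, fraction_at_risk, incident_prob) -> List[float]:
    """Step (2): value at risk (output x exposed share) times the share of it a
    cyber incident could actually destroy, weighted by incident likelihood."""
    return [o * e * r * p
            for o, e, r, p in zip(output, exposure_fraction, fraction_at_risk, incident_prob)]


def solve_linear(m, b) -> List[float]:
    """Gauss-Jordan with partial pivoting for m x = b; small dense systems only."""
    n = len(b)
    aug = [list(row) + [b[i]] for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [v / p for v in aug[col]]
        for r in range(n):
            if r != col:
                f = aug[r][col]
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def total_cost(a, direct) -> List[float]:
    """Step (3): propagate direct losses through inter-sector linkages. Losing
    d_j of sector j's output also removes a[i][j]*d_j of sector i's sales to j,
    and so on down the supply chain; the total output lost is the Leontief
    inverse applied to d, i.e. the solution x of (I - A) x = d."""
    n = len(direct)
    i_minus_a = [[(1.0 if i == j else 0.0) - a[i][j] for j in range(n)] for i in range(n)]
    return solve_linear(i_minus_a, direct)


def cost_summary(a, output, exposure_fraction, fraction_at_risk, incident_prob) -> Dict[str, float]:
    """Direct, total (direct plus systemic) and systemic losses, absolute and as
    a share of gross output (a toy stand-in for the GDP share RAND reports)."""
    d = direct_cost(output, exposure_fraction, fraction_at_risk, incident_prob)
    t = total_cost(a, d)
    gross = sum(output)
    return {
        "direct": sum(d),
        "total": sum(t),
        "systemic": sum(t) - sum(d),
        "direct_pct_output": 100.0 * sum(d) / gross,
        "total_pct_output": 100.0 * sum(t) / gross,
    }


# Two constructed parameter sets. HIGH multiplies fraction-at-risk by 5 and
# incident probability by 4 relative to LOW, i.e. 20x on the product.
EXPOSURE = [0.5, 0.3, 0.4]
LOW = dict(fraction_at_risk=[0.02, 0.01, 0.01], incident_prob=[0.10, 0.05, 0.05])
HIGH = dict(fraction_at_risk=[0.10, 0.05, 0.05], incident_prob=[0.40, 0.20, 0.20])

if __name__ == "__main__":
    for name, params in (("low", LOW), ("high", HIGH)):
        print(name, cost_summary(A, OUTPUT, EXPOSURE, **params))
```

Because everything downstream of the parameters is linear, the toy reproduces the abstract’s warning in miniature: the spread between the two scenarios is entirely an artifact of the input choices, not of the economy, which is why RAND ships the spreadsheet and lets readers vary the assumptions rather than publishing one number.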
Note: I was an advisor to the project.
Separately, Symantec has published a new cybercrime report with their own statistics.
Post Syndicated from Andy original https://torrentfreak.com/police-shut-down-pirate-streaming-tv-provider-three-men-arrested-180120/
As prices for official multi-channel cable and satellite packages continue to increase, unauthorized streaming TV providers are providing an interesting alternative for those who demand the greatest variety of channels at a cut-down price.
Of course, none of this is legal and as such, authorities are clamping down. Today brings news of yet another pirate raid, this time in the city of Lublin, Poland.
A statement from the Provincial Police Headquarters reveals that officers from the Cybercrime and Economic Crime units conducted an investigation under the supervision of the District Prosecutor’s Office in Lublin. Locations in three provinces – Dolnośląskie, Zachodniopomorskie and Wielkopolskie – were searched.
According to prosecutors, the operators of the website illegally streamed the majority of all television channels available locally, including digital TV and state television. More than 160 channels were supplied via the site without permission. Users were initially given free access to the currently unnamed service but were then encouraged to subscribe to a premium package.
“The funds obtained from this procedure were invested in the further development of criminal activity and in foreign and Polish companies, of which [the suspects] were owners,” a police statement notes.
Local reports indicate three men, aged 30, 42 and 57, were arrested and brought to the prosecutor’s office. There they faced allegations of illegally distributing pay television and using the revenue as a permanent source of income.
“We estimate that the suspects could have benefited to the tune of nearly 3.5 million zlotys [840,663 euros] via their illegal practices,” police add.
In addition to the arrests, police also seized equipment including 12 computers, nine servers, tablets, decoders, telephones, more than 60 hard drives and similar devices, plus documentation.
The news of these raids in Poland follows on the heels of a Europol-led operation to close down an IPTV operation said to be one of the largest in the world. The still-unnamed provider allegedly serviced around 500,000 subscribers from a base in Bulgaria, where a local ISP has come under the spotlight.
A video of the Polish operation, including a suspect under arrest, is available here.
Post Syndicated from Andy original https://torrentfreak.com/isp-were-cooperating-with-police-following-pirate-iptv-raid-180113/
The investigation, launched a year ago and coordinated by Europol, came to a head on Tuesday when police carried out raids in Cyprus, Bulgaria, Greece, and the Netherlands. A fresh announcement from the crime-fighting group reveals the scale of the operation.
It was led by the Cypriot Police – Intellectual Property Crime Unit, with the support of the Cybercrime Division of the Greek Police, the Dutch Fiscal Investigative and Intelligence Service (FIOD), the Cybercrime Unit of the Bulgarian Police, Europol’s Intellectual Property Crime Coordinated Coalition (IPC³), and supported by members of the Audiovisual Anti-Piracy Alliance (AAPA).
In Cyprus, Bulgaria and Greece, 17 house searches were carried out. Three individuals aged 43, 44, and 53 were arrested in Cyprus and one was arrested in Bulgaria.
All stand accused of being involved in an international operation to illegally broadcast around 1,200 channels of pirated content to an estimated 500,000 subscribers. Some of the channels offered were illegally sourced from Sky UK, Bein Sports, Sky Italia, and Sky DE. On Thursday, the three individuals in Cyprus were remanded in custody for seven days.
“The servers used to distribute the channels were shut down, and IP addresses hosted by a Dutch company were also deactivated thanks to the cooperation of the authorities of The Netherlands,” Europol reports.
“In Bulgaria, 84 servers and 70 satellite receivers were seized, with decoders, computers and accounting documents.”
TorrentFreak was previously able to establish that Megabyte-Internet Ltd, an ISP located in the small Bulgarian town of Petrich, was targeted by police. The provider went down on Tuesday but returned towards the end of the week. Responding to our earlier inquiries, the company told us more about the situation.
“We are an ISP provider located in Petrich, Bulgaria. We are selling services to around 1,500 end-clients in the Petrich area and surrounding villages,” a spokesperson explained.
“Another part of our business is internet services like dedicated unmanaged servers, hosting, email servers, storage services, and VPNs etc.”
The spokesperson added that some of Megabyte’s equipment is located at Telepoint, Bulgaria’s biggest datacenter, with connectivity to Petrich. During the raid the police seized the company’s hardware to check for evidence of illegal activity.
“We were informed by the police that some of our clients in Petrich and Sofia were using our service for illegal streaming and actions,” the company said.
“Of course, we were not able to know this because our services are unmanaged and root access [to servers] is given to our clients. For this reason any client and anyone that uses our services are responsible for their own actions.”
TorrentFreak asked many more questions, including how many police attended, what type and volume of hardware was seized, and whether anyone was arrested or taken for questioning. But, apart from noting that the police were friendly, the company declined to give us any additional information, revealing that it was not permitted to do so at this stage.
What is clear, however, is that Megabyte-Internet is offering its full cooperation to the authorities. The company says that it cannot be held responsible for the actions of its clients so their details will be handed over as part of the investigation.
“So now we will give to the police any details about these clients because we hold their full details by law. [The police] will find [out about] all the illegal actions from them,” the company concludes, adding that it’s fully operational once more and working with clients.
Post Syndicated from Andy original https://torrentfreak.com/students-and-youths-offered-10-to-pirate-latest-movies-in-cinemas-171219/
In common with most other countries, demand for movies is absolutely huge in India. According to a 2015 report, the country produces between 1,500 and 2,000 movies each year, more than any other country in the world.
But India also has a huge piracy problem. If a movie is worth watching, it’s pirated extremely quickly, mostly within a couple of days of release, often much sooner. These early copies ordinarily come from “cams” – recordings made in cinemas – which are sold on the streets for next to nothing and eagerly snapped up by citizens. Who, incidentally, are served by ten times fewer cinema screens than their US counterparts.
These cam copies have to come from somewhere and according to representatives from the local Anti-Video Piracy Committee, piracy groups have begun to divert “camming” duties to outsiders, effectively decentralizing their operations.
Their targets are said to be young people with decent mobile phones, students in particular. Along with China, India now has more than a billion phone users, so there’s no shortage of candidates.
“The offer to youngsters is that they would get 10 US dollars into their bank accounts, if they videographed and sent it on the first day of release of the film,” says Raj Kumar, Telugu Film Chamber of Commerce representative and Anti-Video Piracy Committee chairman.
“The minors and youngsters are getting attracted to the money, not knowing that piracy is a crime,” he adds.
Although US$10 sounds like a meager amount, for many locals the offer is significant. According to figures from 2014, the average daily wage in India is just 272 Indian Rupees (US$4.24) so, for an hour or two’s ‘work’ sitting in a cinema with a phone, a student can, in theory, earn more than he can in two days’ employment.
The issue of youth “camming” came up yesterday during a meeting of film producers, Internet service providers and cybercrime officials convened by IT and Industries Secretary Jayesh Ranjan.
The meeting heard that the Telangana State government will soon have its own special police officers and cybercrime experts to tackle the growing problem of pirate sites, who will take them down if necessary.
“The State government has adopted a no-tolerance policy towards online piracy of films and will soon have a plan in place to tackle and effectively curb piracy. We need to adopt strong measures and countermeasures to weed out all kinds of piracy,” Ranjan said.
The State already has its own Intellectual Property Crimes Unit (IPCU) but local officials have complained that not enough is being done to curb huge losses faced by the industry. There have been successes, however.
Cybercrime officials previously tracked down individuals said to have been involved in the piracy of the spectacular movie Baahubali 2 – The Conclusion which became the highest grossing Indian film ever just six days after its release earlier this year. But despite the efforts and successes, the basics appear to elude Indian anti-piracy forces.
During October 2017, a 4K copy of Baahubali 2 was uploaded to YouTube and has since racked up an astonishing 54.7m views to the delight of a worldwide audience, many of them enjoying the best of Indian cinema for the first time – for free.
Still, the meeting Monday found that sites offering pirated Indian movies should be targeted and brought to their knees.
“In the meeting, the ISPs too were asked to designate a nodal officer who can keep a watch over websites which upload such data onto their websites and bring them down,” a cybercrime police officer said.
Next stop, YouTube?
Post Syndicated from Andy original https://torrentfreak.com/multi-national-police-operation-shuts-down-pirate-forums-171110/
Once upon a time, large-scale raids on pirate operations were a regular occurrence, with news of such events making the headlines every few months. These days things have calmed down somewhat, but reports coming out of Germany suggest that the war isn’t over yet.
According to a statement from German authorities, the Attorney General in Dresden and various cybercrime agencies teamed up this week to take down sites dedicated to sharing copyright protected material via the Usenet (newsgroups) system.
Huge amounts of infringing items were said to have been made available on a pair of indexing sites – 400,000 on Town.ag and 1,200,000 on Usenet-Town.com.
“Www.town.ag and www.usenet-town.com were two of the largest online portals that provided access to films, series, music, software, e-books, audiobooks, books, newspapers and magazines through systematic and unlawful copyright infringement,” the statement reads.
Visitors to these URLs are no longer greeted by the usual warez-fest, but by a seizure banner placed there by German authorities.
Following an investigation carried out after complaints from rightsholders, 182 officers from various agencies raided homes and businesses on Wednesday, targeting a reported 26 suspects. In addition to searches of data centers located in Germany, servers in Spain, the Netherlands, San Marino, Switzerland, and Canada were also targeted.
According to police the sites generated income from ‘sponsors’, netting their operators millions of euros in revenue. One of those appears to be Usenet reseller SSL-News, which displays the same seizure banner. Rightsholders claim that the Usenet portals have cost them many millions of euros in lost sales.
Arrest warrants were issued in Spain and Saxony against two German nationals, 39 and 31-years-old respectively. The man arrested in Spain is believed to be a ringleader and authorities there have been asked to extradite him to Germany.
At least 1,000 gigabytes of data were seized, with police scooping up numerous computers and other hardware for evidence. The true scale of material indexed is likely to be much larger, however.
Online chatter suggests that several other Usenet-related sites have also disappeared during the past day but whether that’s a direct result of the raids or down to precautionary measures taken by their operators isn’t yet clear.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/11/me_on_the_equif.html
Testimony and Statement for the Record of Bruce Schneier
Fellow and Lecturer, Belfer Center for Science and International Affairs, Harvard Kennedy School
Fellow, Berkman Center for Internet and Society at Harvard Law School
Hearing on “Securing Consumers’ Credit Data in the Age of Digital Commerce”
Subcommittee on Digital Commerce and Consumer Protection
Committee on Energy and Commerce
United States House of Representatives
1 November 2017
2125 Rayburn House Office Building
Washington, DC 20515
Mister Chairman and Members of the Committee, thank you for the opportunity to testify today concerning the security of credit data. My name is Bruce Schneier, and I am a security technologist. For over 30 years I have studied the technologies of security and privacy. I have authored 13 books on these subjects, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015). My popular newsletter Crypto-Gram and my blog Schneier on Security are read by over 250,000 people.
Additionally, I am a Fellow and Lecturer at the Harvard Kennedy School of Government, where I teach Internet security policy, and a Fellow at the Berkman-Klein Center for Internet and Society at Harvard Law School. I am a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an advisory board member of the Electronic Privacy Information Center and VerifiedVoting.org. I am also a special advisor to IBM Security and the Chief Technology Officer of IBM Resilient.
I am here representing none of those organizations, and speak only for myself based on my own expertise and experience.
I have eleven main points:
1. The Equifax breach was a serious security breach that puts millions of Americans at risk.
Equifax reported that 145.5 million US customers, about 44% of the population, were impacted by the breach. (That’s the original 143 million plus the additional 2.5 million disclosed a month later.) The attackers got access to full names, Social Security numbers, birth dates, addresses, and driver’s license numbers.
This is exactly the sort of information criminals can use to impersonate victims to banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. As a result, all 145.5 million US victims are at greater risk of identity theft, and will remain at risk for years to come. And those who suffer identity theft will have problems for months, if not years, as they work to clean up their name and credit rating.
2. Equifax was solely at fault.
This was not a sophisticated attack. The security breach was a result of a vulnerability in the software for their websites: a program called Apache Struts. The particular vulnerability was fixed by Apache in a security patch that was made available on March 6, 2017. This was not a minor vulnerability; the computer press at the time called it “critical.” Within days, it was being used by attackers to break into web servers. Equifax was notified by Apache, US CERT, and the Department of Homeland Security about the vulnerability, and was provided instructions to make the fix.
Two months later, Equifax had still failed to patch its systems. It eventually got around to it on July 29. The attackers used the vulnerability to access the company’s databases and steal consumer information on May 13, over two months after Equifax should have patched the vulnerability.
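As an added example, not part of the testimony and not a description of anything Equifax or Apache actually ran: the kind of inventory check that would have surfaced the exposure described above, a scan of web-server hosts for the Struts 2 library version. The testimony gives only the patch date; the first fixed release on each affected branch (2.3.32 for the 2.3 line, 2.5.10.1 for the 2.5 line) is my addition from Apache’s March 2017 advisory, and the host names and jar paths are constructed. Treating anything older than the 2.3 branch as exposed is a policy choice (those releases are out of support), not a statement about that specific flaw.

```python
"""Added example: version-based exposure check for the Struts 2 flaw
discussed in the testimony. The fixed version numbers are an assumption
taken from Apache's March 2017 advisory; the page itself states only the
date. Host names and jar paths are constructed."""
import re
from datetime import date
from typing import Dict, List, Optional, Tuple, Union

# Assumption (not on the page): first fixed release on each affected branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (2, 3): (2, 3, 32),
    (2, 5): (2, 5, 10, 1),
}
ADVISORY_DATE = date(2017, 3, 6)  # patch availability date from the testimony

JAR_RE = re.compile(r"struts2-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare numerically; strings do not
    ('2.5.9' > '2.5.10' as strings, which is the classic version-check bug)."""
    return tuple(int(p) for p in text.split("."))


def struts_version_from_jar(path: str) -> Optional[Tuple[int, ...]]:
    """Version embedded in a struts2-core jar filename, or None if the path
    is not a Struts 2 core jar (Struts 1 jars are named struts-core-*)."""
    m = JAR_RE.search(path)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True if the version predates the fix on its branch. A shorter tuple
    sorts before its extension, so (2,5,10) < (2,5,10,1) as required."""
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # Policy choice: branches older than 2.3 are end-of-life, treat as
        # exposed; branches newer than 2.5 post-date the fix.
        return version < (2, 3)
    return version < fixed


def exposure_days(as_of: Union[date, str]) -> int:
    """Days a still-unpatched host has been exposed since the fix was published."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return (as_of - ADVISORY_DATE).days


def scan(inventory: List[Tuple[str, str]], as_of: Union[date, str]) -> List[Dict]:
    """One report row per host: parsed version, vulnerable flag, exposure age."""
    report = []
    for host, jar_path in inventory:
        version = struts_version_from_jar(jar_path)
        vulnerable = version is not None and is_vulnerable(version)
        report.append({
            "host": host,
            "version": ".".join(map(str, version)) if version else None,
            "vulnerable": vulnerable,
            "days_exposed": exposure_days(as_of) if vulnerable else 0,
        })
    return report


# Constructed inventory: (host, path of the Struts jar found under WEB-INF/lib).
INVENTORY = [
    ("web-01", "/srv/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar"),
    ("web-02", "/srv/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.1.jar"),
    ("web-03", "/srv/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.5.10.jar"),
    ("web-04", "/srv/tomcat/webapps/legacy/WEB-INF/lib/struts-core-1.3.10.jar"),
]

if __name__ == "__main__":
    # Run as of the exploitation date from the testimony.
    for row in scan(INVENTORY, "2017-05-13"):
        print(row)
```

Run against the constructed inventory as of May 13, the date the testimony gives for the intrusion, web-01 and web-03 show as vulnerable with 68 days of exposure, web-02 is on a fixed release, and web-04 carries a Struts 1 jar that this check does not cover and reports as unknown rather than silently passing. The version comparison is the part worth copying: a string comparison would have ranked 2.5.9 above 2.5.10 and missed a vulnerable host.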
The company’s incident response after the breach was similarly damaging. It waited nearly six weeks before informing victims that their personal information had been stolen and they were at increased risk of identity theft. Equifax opened a website to help aid customers, but the poor security around that — the site was at a domain separate from the Equifax domain — invited fraudulent imitators and even more damage to victims. At one point, the official Equifax communications even directed people to that fraudulent site.
This is not the first time Equifax failed to take computer security seriously. It confessed to another data leak in January 2017. In May 2016, one of its websites was hacked, resulting in 430,000 people having their personal information stolen. Also in 2016, a security researcher found and reported a basic security vulnerability in its main website. And in 2014, the company reported yet another security breach of consumer information. There are more.
3. There are thousands of data brokers with similarly intimate information, similarly at risk.
Equifax is more than a credit reporting agency. It’s a data broker. It collects information about all of us, analyzes it all, and then sells those insights. It might be one of the biggest, but there are 2,500 to 4,000 other data brokers that are collecting, storing, and selling information about us — almost all of them companies you’ve never heard of and have no business relationship with.
The breadth and depth of information that data brokers have is astonishing. Data brokers collect and store billions of data elements covering nearly every US consumer. Just one of the data brokers studied holds information on more than 1.4 billion consumer transactions and 700 billion data elements, and another adds more than 3 billion new data points to its database each month.
These brokers collect demographic information: names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, presence and ages of children in household, education level, profession, income level, political affiliation, cars driven, and information about homes and other property. They collect lists of things we’ve purchased, when we’ve purchased them, and how we paid for them. They keep track of deaths, divorces, and diseases in our families. They collect everything about what we do on the Internet.
4. These data brokers deliberately hide their actions, and make it difficult for consumers to learn about or control their data.
If there were a dozen people who stood behind us and took notes of everything we purchased, read, searched for, or said, we would be alarmed at the privacy invasion. But because these companies operate in secret, inside our browsers and financial transactions, we don’t see them and we don’t know they’re there.
Regarding Equifax, few consumers have any idea what the company knows about them, who they sell personal data to or why. If anyone knows about them at all, it’s about their business as a credit bureau, not their business as a data broker. Their website lists 57 different offerings for business: products for industries like automotive, education, health care, insurance, and restaurants.
In general, options to “opt-out” don’t work with data brokers. It’s a confusing process, and doesn’t result in your data being deleted. Data brokers will still collect data about consumers who opt out. It will still be in those companies’ databases, and will still be vulnerable. It just won’t be included individually when they sell data to their customers.
5. The existing regulatory structure is inadequate.
Right now, there is no way for consumers to protect themselves. Their data has been harvested and analyzed by these companies without their knowledge or consent. They cannot improve the security of their personal data, and have no control over how vulnerable it is. They only learn about data breaches when the companies announce them — which can be months after the breaches occur — and at that point the onus is on them to obtain credit monitoring services or credit freezes. And even those only protect consumers from some of the harms, and only those suffered after Equifax admitted to the breach.
Right now, the press is reporting “dozens” of lawsuits against Equifax from shareholders, consumers, and banks. Massachusetts has sued Equifax for violating state consumer protection and privacy laws. Other states may follow suit.
If any of these plaintiffs win in the court, it will be a rare victory for victims of privacy breaches against the companies that have our personal information. Current law is too narrowly focused on people who have suffered financial losses directly traceable to a specific breach. Proving this is difficult. If you are the victim of identity theft in the next month, is it because of Equifax or does the blame belong to another of the thousands of companies who have your personal data? As long as one can’t prove it one way or the other, data brokers remain blameless and liability free.
Additionally, much of this market in our personal data falls outside the protections of the Fair Credit Reporting Act. And in order for the Federal Trade Commission to levy a fine against Equifax, it needs to have a consent order and then a subsequent violation. Any fines will be limited to credit information, which is a small portion of the enormous amount of information these companies know about us. In reality, this is not an effective enforcement regime.
Although the FTC is investigating Equifax, it is unclear if it has a viable case.
6. The market cannot fix this because we are not the customers of data brokers.
The customers of these companies are people and organizations who want to buy information: banks looking to lend you money, landlords deciding whether to rent you an apartment, employers deciding whether to hire you, companies trying to figure out whether you’d be a profitable customer — everyone who wants to sell you something, even governments.
Markets work because buyers can choose among sellers, and sellers compete for buyers. None of us are Equifax’s customers. None of us are the customers of any of these data brokers. We can’t refuse to do business with the companies. We can’t remove our data from their databases. With few limited exceptions, we can’t even see what data these companies have about us or correct any mistakes.
We are the product that these companies sell to their customers: those who want to use our personal information to understand us, categorize us, make decisions about us, and persuade us.
Worse, the financial markets reward bad security. Given the choice between increasing their cybersecurity budget by 5%, or saving that money and taking the chance, a rational CEO chooses to save the money. Wall Street rewards those whose balance sheets look good, not those who are secure. And if senior management gets unlucky and a public breach happens, they end up okay. Equifax’s CEO didn’t get his $5.2 million severance pay, but he did keep his $18.4 million pension. Any company that spends more on security than absolutely necessary is immediately penalized by shareholders when its profits decrease.
Even the negative PR that Equifax is currently suffering will fade. Unless we expect data brokers to put public interest ahead of profits, the security of this industry will never improve without government regulation.
7. We need effective regulation of data brokers.
In 2014, the Federal Trade Commission recommended that Congress require data brokers be more transparent and give consumers more control over their personal information. That report contains good suggestions on how to regulate this industry.
First, Congress should help plaintiffs in data breach cases by authorizing and funding empirical research on the harm individuals receive from these breaches.
Specifically, Congress should move forward legislative proposals that establish a nationwide “credit freeze” — which is better described as changing the default for disclosure from opt-out to opt-in — and free lifetime credit monitoring services. By this I do not mean giving customers free credit-freeze options, a proposal by Senators Warren and Schatz, but that the default should be a credit freeze.
The credit card industry routinely notifies consumers when there are suspicious charges. It is obvious that credit reporting agencies should have a similar obligation to notify consumers when there is suspicious activity concerning their credit report.
On the technology side, more could be done to limit the amount of personal data companies are allowed to collect. Increasingly, privacy safeguards impose “data minimization” requirements to ensure that only the data that is actually needed is collected. On the other hand, Congress should not create a new national identifier to replace the Social Security Numbers. That would make the system of identification even more brittle. Better is to reduce dependence on systems of identification and to create contextual identification where necessary.
Finally, Congress needs to give the Federal Trade Commission the authority to set minimum security standards for data brokers and to give consumers more control over their personal information. This is essential as long as consumers are these companies’ products and not their customers.
8. Resist complaints from the industry that this is “too hard.”
The credit bureaus and data brokers, and their lobbyists and trade-association representatives, will claim that many of these measures are too hard. They’re not telling you the truth.
Take one example: credit freezes. This is an effective security measure that protects consumers, but the process of getting one and of temporarily unfreezing credit is made deliberately onerous by the credit bureaus. Why isn’t there a smartphone app that alerts me when someone wants to access my credit rating, and lets me freeze and unfreeze my credit at the touch of the screen? Too hard? Today, you can have an app on your phone that does something similar if you try to log into a computer network, or if someone tries to use your credit card at a physical location different from where you are.
Moreover, any credit bureau or data broker operating in Europe is already obligated to follow the more rigorous EU privacy laws. The EU General Data Protection Regulation will come into force, requiring even more security and privacy controls for companies collecting and storing the personal data of EU citizens. Those companies have already demonstrated that they can comply with those more stringent regulations.
Credit bureaus, and data brokers in general, are deliberately not implementing these 21st-century security solutions, because they want their services to be as easy and useful as possible for their actual customers: those who are buying your information. Similarly, companies that use this personal information to open accounts are not implementing more stringent security because they want their services to be as easy-to-use and convenient as possible.
9. This has foreign trade implications.
The Canadian Broadcast Corporation reported that 100,000 Canadians had their data stolen in the Equifax breach. The British Broadcasting Corporation originally reported that 400,000 UK consumers were affected; Equifax has since revised that to 15.2 million.
Many American Internet companies have significant numbers of European users and customers, and rely on negotiated safe harbor agreements to legally collect and store personal data of EU citizens.
The European Union is in the middle of a massive regulatory shift in its privacy laws, and those agreements are coming under renewed scrutiny. Breaches such as Equifax give these European regulators a powerful argument that US privacy regulations are inadequate to protect their citizens’ data, and that they should require that data to remain in Europe. This could significantly harm American Internet companies.
10. This has national security implications.
Although it is still unknown who compromised the Equifax database, it could easily have been a foreign adversary that routinely attacks the servers of US companies and US federal agencies with the goal of exploiting security vulnerabilities and obtaining personal data.
When the Fair Credit Reporting Act was passed in 1970, the concern was that the credit bureaus might misuse our data. That is still a concern, but the world has changed since then. Credit bureaus and data brokers have far more intimate data about all of us. And it is valuable not only to companies wanting to advertise to us, but foreign governments as well. In 2015, the Chinese breached the database of the Office of Personnel Management and stole the detailed security clearance information of 21 million Americans. North Korea routinely engages in cybercrime as a way to fund its other activities. In a world where foreign governments use cyber capabilities to attack US assets, requiring data brokers to limit collection of personal data, securely store the data they collect, and delete data about consumers when it is no longer needed is a matter of national security.
11. We need to do something about it.
Yes, this breach is a huge black eye and a temporary stock dip for Equifax — this month. Soon, another company will have suffered a massive data breach and few will remember Equifax’s problem. Does anyone remember last year when Yahoo admitted that it exposed personal information of a billion users in 2013 and another half billion in 2014?
Unless Congress acts to protect consumer information in the digital age, these breaches will continue.
Thank you for the opportunity to testify today. I will be pleased to answer your questions.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/11/cybercriminals_.html
There’s a new criminal tactic involving hacking an e-mail account of a company that handles high-value transactions and diverting payments. Here it is in real estate:
The scam generally works like this: Hackers find an opening into a title company’s or realty agent’s email account, track upcoming home purchases scheduled for settlements — the pricier the better — then assume the identity of the title agency person handling the transaction.
Days or sometimes weeks before the settlement, the scammer poses as the title or escrow agent whose email accounts they’ve hijacked and instructs the home buyer to wire the funds needed to close — often hundreds of thousands of dollars, sometimes far more — to the criminals’ own bank accounts, not the title or escrow company’s legitimate accounts. The criminals then withdraw the money and vanish.
Here it is in fine art:
The fraud is relatively simple. Criminals hack into an art dealer’s email account and monitor incoming and outgoing correspondence. When the gallery sends a PDF invoice to a client via email following a sale, the conversation is hijacked. Posing as the gallery, hackers send a duplicate, fraudulent invoice from the same gallery email address, with an accompanying message instructing the client to disregard the first invoice and instead wire payment to the account listed in the fraudulent document.
Once money has been transferred to the criminals’ account, the hackers move the money to avoid detection and then disappear. The same technique is used to intercept payments made by galleries to their artists and others. Because the hackers gain access to the gallery’s email contacts, the scam can spread quickly, with fraudulent emails appearing to come from known sources.
I’m sure it’s happening in other industries as well, probably even with business-to-business commerce.
EDITED TO ADD (11/14): Brian Krebs wrote about this in 2014.
Post Syndicated from Andy original https://torrentfreak.com/anti-piracy-outfit-behind-pirate-site-reincarnations-171028/
Last November, the cybercrime unit of the French military police shut down the country’s largest pirate site, Zone-Telechargement (Download Zone). This was a huge problem for the millions of people who visited the site on a daily basis.
Founded in 2011, Zone-Telechargement’s popularity soared after the closure of Megaupload, which was also hugely popular in France until its shutdown in early 2012. It’s been dead ever since though, despite suggestions it might somehow return to life.
Interestingly, however, a site claiming to be a reincarnation of the original is now trying to scoop up traffic, with promises that the excitement can be found at a new URL.
“Welcome to the new Zone-Telechargement! This is the new address of the indexing site to find movies and series,” a notice on the site reads.
“We make every effort to ensure that you can watch your movies and series in the best conditions and in complete safety. Therefore, we invite you as a Zone-Telechargement user to help us in our big mission! Share our site, talk about it!”
During the past couple of days, people have certainly been talking about it, but not for the usual reasons. As reported by NextInpact, the site already has 100,000 links on Google after being launched sometime in August.
But this is no ordinary pirate site. In fact, it’s not a pirate site at all. While it looks exactly like its pirate namesake, the site links only to legal content on platforms such as Amazon, iTunes, and other official sources.
NextInpact reports that the site is hosted in France and uses film posters and metadata hosted by the National Film Center, which grants official vendors access to a database of supporting content to help them sell their products online.
So, could this be an innovative and unconventional service set up by elements of the film industry to suck in pirates, perhaps?
TF decided to look into the possibility by pulling information from WHOIS, DNS and MX records, hoping to find a trace of who’s behind the operation. None of the searches yielded much information of direct value but they did turn up something else.
Zone-Telechargement.al, it seems, is not on its own. Hosted on the same server at OVH in France is Voirfilms.al which clones VoirFilms.org, a pirate site that was ordered to be blocked by the Paris District Court earlier this year.
Just like Zone-Telechargement.al, Voirfilms.al only links to legal content. However, when one searches for movies, at least the first two sets of links to content contain affiliate codes for Amazon and a local service, meaning the site’s operators get a kickback from any sale.
Given they use the same host server, mail server, and referral codes (tag=blue0d7-21 for Amazon), we considered it likely that the same people are behind both domains, passing them off as pirate sites in an effort to generate revenue.
Then, on Friday afternoon, NextInpact editor Marc Rees contacted us with a really interesting update. After further research, Rees had concluded that anti-piracy outfit Blue Efficience was probably behind the scheme. Sure enough, after contacting founder and CEO Thierry Chevillard, the company confirmed the project.
“We always had the idea to promote the legal offer. Anti-piracy protection is good, but it is insufficient without this component,” Chevillard told Rees.
Chevillard said that since video-on-demand platforms have difficulties in getting themselves noticed over pirate sites, his company took the decision to mimic the pirate strategy.
“[T]he pirate sites are extremely talented at putting themselves ahead in search engines where they beat the legal offers,” he said, adding that using similar weapons was the solution.
Chevillard told NextInpact that his company initially published links to content without the affiliate kickback but later took the for-profit route in order to “partially offset the costs, even if we are far from covering the costs of developing and operating the site.”
Of course, there’s a certain irony in an anti-piracy outfit actively pirating a pair of pirate sites, particularly since it clearly pirated the pirate sites’ logos and graphics, in order to pass the clones off as the real thing. However, Chevillard sees them as fair game and says his company will take action in the unlikely event the pirates take legal action.
The big question, of course, is whether the clone sites are having the desired effect of encouraging legal purchases. According to early data from Zone-Telechargement.al, around five purchases are made out of every 1000 clicks on content listed by the site.
While Blue Efficience’s cover has been well and truly blown, the company is undeterred and says it will expand its pirate site cloning business. If the strategy reaches any scale, that could be a whole new level of spam for would-be pirates to wade through. Nevertheless, there is a comedy ending to this story.
It appears that since the fake sites are so convincing, rival anti-piracy outfits have been asking Google to take down pages (1,2) from its indexes. Most ‘impressive’ are the efforts from takedown outfit Rivendel, which has filed dozens of complaints against these ‘pirate’ sites. Ouch.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/10/my_blogging.html
Blog regulars will notice that I haven’t been posting as much lately as I have in the past. There are two reasons. One, it feels harder to find things to write about. So often it’s the same stories over and over. I don’t like repeating myself. Two, I am busy writing a book. The title is still: Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World. The book is a year late, and has a very different table of contents than it had in 2016. I have been writing steadily since mid-August. The book is due to the publisher at the end of March 2018, and will be published in the beginning of September.
This is the current table of contents:
- Introduction: Everything is Becoming a Computer
- Part 1: The Trends
- 1. Capitalism Continues to Drive the Internet
- 2. Customer/User Control is Next
- 3. Government Surveillance and Control is Also Increasing
- 4. Cybercrime is More Profitable Than Ever
- 5. Cyberwar is the New Normal
- 6. Algorithms, Automation, and Autonomy Bring New Dangers
- 7. What We Know About Computer Security
- 8. Agile is Failing as a Security Paradigm
- 9. Authentication and Identification are Getting Harder
- 10. Risks are Becoming Catastrophic
- Part 2: The Solutions
- 11. We Need to Regulate the Internet of Things
- 12. We Need to Defend Critical Infrastructure
- 13. We Need to Prioritize Defense Over Offence
- 14. We Need to Make Smarter Decisions About Connecting
- 15. What’s Likely to Happen, and What We Can Do in Response
- 16. Where Policy Can Go Wrong
- Conclusion: Technology and Policy, Together
So that’s what’s been happening.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/wannacry_ransom.html
Criminals go where the money is, and cybercriminals are no exception.
And right now, the money is in ransomware.
It’s a simple scam. Encrypt the victim’s hard drive, then extract a fee to decrypt it. The scammers can’t charge too much, because they want the victim to pay rather than give up on the data. But they can charge individuals a few hundred dollars, and they can charge institutions like hospitals a few thousand. Do it at scale, and it’s a profitable business.
And scale is how ransomware works. Computers are infected automatically, with viruses that spread over the internet. Payment is no more difficult than buying something online – and payable in untraceable bitcoin – with some ransomware makers offering tech support to those unsure of how to buy or transfer bitcoin. Customer service is important; people need to know they’ll get their files back once they pay.
And they want you to pay. If they’re lucky, they’ve encrypted your irreplaceable family photos, or the documents of a project you’ve been working on for weeks. Or maybe your company’s accounts receivable files or your hospital’s patient records. The more you need what they’ve stolen, the better.
The particular ransomware making headlines is called WannaCry, and it’s infected some pretty serious organizations.
What can you do about it? Your first line of defense is to diligently install every security update as soon as it becomes available, and to migrate to systems that vendors still support. Microsoft issued a security patch that protects against WannaCry months before the ransomware started infecting systems; it only works against computers that haven’t been patched. And many of the systems it infects are older computers, no longer normally supported by Microsoft – though it did belatedly release a patch for those older systems. I know it’s hard, but until companies are forced to maintain old systems, you’re much safer upgrading.
This is easier advice for individuals than for organizations. You and I can pretty easily migrate to a new operating system, but organizations sometimes have custom software that breaks when they change OS versions or install updates. Many of the organizations hit by WannaCry had outdated systems for exactly these reasons. But as expensive and time-consuming as updating might be, the risks of not doing so are increasing.
Your second line of defense is good antivirus software. Sometimes ransomware tricks you into encrypting your own hard drive by clicking on a file attachment that you thought was benign. Antivirus software can often catch your mistake and prevent the malicious software from running. This isn’t perfect, of course, but it’s an important part of any defense.
Your third line of defense is to diligently back up your files. There are systems that do this automatically for your hard drive. You can invest in one of those. Or you can store your important data in the cloud. If your irreplaceable family photos are in a backup drive in your house, then the ransomware has that much less hold on you. If your e-mail and documents are in the cloud, then you can just reinstall the operating system and bypass the ransomware entirely. I know storing data in the cloud has its own privacy risks, but they may be less than the risks of losing everything to ransomware.
That takes care of your computers and smartphones, but what about everything else? We’re deep into the age of the “Internet of things.”
There are now computers in your household appliances. There are computers in your cars and in the airplanes you travel on. Computers run our traffic lights and our power grids. These are all vulnerable to ransomware. The Mirai botnet exploited a vulnerability in internet-enabled devices like DVRs and webcams to launch a denial-of-service attack against a critical internet name server; next time it could just as easily disable the devices and demand payment to turn them back on.
Re-enabling a webcam will be cheap; re-enabling your car will cost more. And you don’t want to know how vulnerable implanted medical devices are to these sorts of attacks.
Commercial solutions are coming, probably a convenient repackaging of the three lines of defense described above. But it’ll be yet another security surcharge you’ll be expected to pay because the computers and internet-of-things devices you buy are so insecure. Because there are currently no liabilities for lousy software and no regulations mandating secure software, the market rewards software that’s fast and cheap at the expense of good. Until that changes, ransomware will continue to be a profitable line of criminal business.
This essay previously appeared in the New York Daily News.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/05/yacht_security.html
Turns out, multi-million dollar yachts are no more secure than anything else out there:
The ease with which ocean-going oligarchs or other billionaires can be hijacked on the high seas was revealed at a superyacht conference held in a private members club in central London this week.
Murray, a cybercrime expert at BlackBerry, was demonstrating how criminal gangs could exploit lax data security on superyachts to steal their owners’ financial information, private photos and even force the yacht off course.
I’m sure it was a surprise to the yacht owners.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/04/analyzing_cyber.html
There’s a really interesting new paper analyzing over 100 different cyber insurance policies. From the abstract:
In this research paper, we seek to answer fundamental questions concerning the current state of the cyber insurance market. Specifically, by collecting over 100 full insurance policies, we examine the composition and variation across three primary components: The coverage and exclusions of first and third party losses which define what is and is not covered; The security application questionnaires which are used to help assess an applicant’s security posture; and the rate schedules which define the algorithms used to compute premiums.
Overall, our research shows a much greater consistency among loss coverage and exclusions of insurance policies than is often assumed. For example, after examining only 5 policies, all coverage topics were identified, while it took only 13 policies to capture all exclusion topics. However, while each policy may include commonly covered losses or exclusions, there was often additional language further describing exceptions, conditions, or limits to the coverage. The application questionnaires provide insights into the security technologies and management practices that are (and are not) examined by carriers. For example, our analysis identified four main topic areas: Organizational, Technical, Policies and Procedures, and Legal and Compliance. Despite these sometimes lengthy questionnaires, however, there still appeared to be relevant gaps. For instance, information about the security posture of third-party service and supply chain providers are notoriously difficult to assess properly (despite numerous breaches occurring from such compromise).
In regard to the rate schedules, we found a surprising variation in the sophistication of the equations and metrics used to price premiums. Many policies examined used a very simple, flat rate pricing (based simply on expected loss), while others incorporated more parameters such as the firm’s asset value (or firm revenue), or standard insurance metrics (e.g. limits, retention, coinsurance), and industry type. More sophisticated policies also included information on specific information security controls and practices as collected from the security questionnaires. By examining these components of insurance contracts, we hope to provide the first-ever insights into how insurance carriers understand and price cyber risks.
Post Syndicated from Ana Visneski original https://aws.amazon.com/blogs/aws/welcome-to-the-newest-aws-community-heroes-spring-2017/
We would like to extend a very warm welcome to the newest AWS Community Heroes:
AWS Community Heroes share their knowledge and demonstrate their enthusiasm for AWS in a plethora of ways. They go above and beyond to share AWS insights via social media, blog posts, open source projects, and through in-person events, user groups, and workshops.
Mark Nunnikhoven explores the impact of technology on individuals, organizations, and communities through the lens of privacy and security. Asking the question, “How can we better protect our information?” Mark studies the world of cybercrime to better understand the risks and threats to our digital world.
As the Vice President of Cloud Research at Trend Micro, a long time Amazon Web Services Advanced Technology Partner and provider of security tools for the AWS Cloud, Mark uses that knowledge to help organizations around the world modernize their security practices by taking advantage of the power of the AWS Cloud.
He served as a System Architect for KT’s public cloud and VDI design, and led the system operation of YDOnline and Nexon Japan, one of the leading online gaming companies. Certified both as an AWS Solutions Architect – Professional and AWS DevOps Engineer – Professional, SangUk has authored AWS books, including DevOps and AWS Cloud Design Patterns, and translated four books related to the AWS Cloud.
He’s been making efforts to revitalize the local AWS Korea User Group community as co-leader by presenting at AWS Korea User Group meetings and AWS Summits, and helping to establish small group gatherings such as the AWSKRUG System Engineers in Gangnam. Also, he has done many hands-on labs and has been running a booth as a leader of the user groups at AWS events to cultivate developers and system engineers.
SangUk maintains a close relationship with the Japanese AWS User Group (JAWS UG), using his excellent Japanese communication skills and experiences in Japan. He makes every effort to participate in events held between Japanese and Korean user groups as a facilitator and translator, and will promote cross-regional communications beyond APAC going forward.
James Hall has been working in the digital sector for over a decade. He is the author of the popular jsPDF library, and is a founder/Director of Parallax, a digital agency in the UK. He’s worked as a software developer on a wide variety of projects, from LED Billboards, car unlocking apps, to large web applications and tools.
Parallax built an online recording studio for David Guetta and UEFA using Serverless technology shortly after API Gateway was released. Since then they have consulted on various serverless projects and technologies. They run the AWS Meetup in Leeds, and help companies around the world build their businesses online. James has contributed to and promotes the Serverless Framework which allows you to elegantly build web applications on top of Lambda and related services.
Drew Firment works with business leaders and technology teams from organizations that seek to accelerate cloud adoption. He has over twenty years of experience leading large-scale technology programs, enterprise platforms, and cultural transformations in a fast-paced agile environment.
After migrating Capital One’s early adopters of AWS into production, his focus shifted toward accelerating a scalable and sustainable transition to cloud computing. Drew pioneered the intersection of strategy, governance, engineering, agile, and education to drive an enterprise-wide talent transformation. He founded Capital One’s cloud engineering college, and implemented an innovative outcome-based curriculum oriented towards learning communities. Several thousand employees have enrolled in his cloud-fluency program, enabling well over 1,000 AWS certifications since its inception.
Drew has earned all three of the AWS associate-level certifications, enjoys developing custom Amazon Alexa skills using AWS Lambda, and believes serverless is the future of cloud computing. He also serves as an advisory partner to A Cloud Guru and is editor-in-chief of their community-sourced publication.
Please join me in welcoming our newest AWS Community Heroes!
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/03/hackers_threate.html
This is a weird story, and I’m skeptical of some of the details. Presumably Apple has decided that it’s smarter to spend the money on secure backups and other security measures than to pay the ransom. But we’ll see how this unfolds.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2017/02/duqu_malware_te.html
Duqu 2.0 is a really impressive piece of malware, related to Stuxnet and probably written by the NSA. One of its security features is that it stays resident in its host’s memory without ever writing persistent files to the system’s drives. Now, this same technique is being used by criminals:
Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools — including PowerShell, Metasploit, and Mimikatz — to inject the malware into computer memory.
The researchers first discovered the malware late last year, when a bank’s security team found a copy of Meterpreter — an in-memory component of Metasploit — residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft’s NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or hard drives, the attackers stashed the PowerShell commands into the Windows registry.
Post Syndicated from Bruce Schneier original https://www.schneier.com/blog/archives/2016/12/my_priorities_f.html
Like many, I was surprised and shocked by the election of Donald Trump as president. I believe his ideas, temperament, and inexperience represent a grave threat to our country and world. Suddenly, all the things I had planned to work on seemed trivial in comparison. Although Internet security and privacy are not the most important policy areas at risk, I believe he — and, more importantly, his cabinet, administration, and Congress — will have devastating effects in that area, both in the US and around the world.
The election was so close that I’ve come to see the result as a bad roll of the dice. A few minor tweaks here and there — a more enthusiastic Sanders endorsement, one fewer of Comey’s announcements, slightly less Russian involvement — and the country would be preparing for a Clinton presidency and discussing a very different social narrative. That alternative narrative would stress business as usual, and continue to obscure the deep social problems in our society. Those problems won’t go away on their own, and in this alternative future they would continue to fester under the surface, getting steadily worse. This election exposed those problems for everyone to see.
I spent the last month both coming to terms with this reality, and thinking about the future. Here is my new agenda for the next four years:
One, fight the fights. There will be more government surveillance and more corporate surveillance. I expect legislative and judicial battles along several lines: a renewed call from the FBI for backdoors into encryption, more leeway for government hacking without a warrant, no controls on corporate surveillance, and more secret government demands for that corporate data. I expect other countries to follow our lead. (The UK is already more extreme than us.) And if there’s a major terrorist attack under Trump’s watch, it’ll be open season on our liberties. We may lose a lot of these battles, but we need to lose as few as possible and as little of our existing liberties as possible.
Two, prepare for those fights. Much of the next four years will be reactive, but we can prepare somewhat. The more we can convince corporate America to delete their saved archives of surveillance data and to store only what they need for as long as they need it, the safer we’ll all be. We need to convince Internet giants like Google and Facebook to change their business models away from surveillance capitalism. It’s a hard sell, but maybe we can nibble around the edges. Similarly, we need to keep pushing the truism that privacy and security are not antagonistic, but rather are essential for each other.
Three, lay the groundwork for a better future. No matter how bad the next four years get, I don’t believe that a Trump administration will permanently end privacy, freedom, and liberty in the US. I don’t believe that it portends a radical change in our democracy. (Or if it does, we have bigger problems than a free and secure Internet.) It’s true that some of Trump’s institutional changes might take decades to undo. Even so, I am confident — optimistic even — that the US will eventually come around; and when that time comes, we need good ideas in place for people to come around to. This means proposals for non-surveillance-based Internet business models, research into effective law enforcement that preserves privacy, intelligent limits on how corporations can collect and exploit our data, and so on.
And four, continue to solve the actual problems. The serious security issues around cybercrime, cyber-espionage, cyberwar, the Internet of Things, algorithmic decision making, foreign interference in our elections, and so on aren’t going to disappear for four years while we’re busy fighting the excesses of Trump. We need to continue to work towards a more secure digital future. And to the extent that cybersecurity for our military networks and critical infrastructure allies with cybersecurity for everyone, we’ll probably have an ally in Trump.
Those are my four areas. Under a Clinton administration, my list would have looked much the same. Trump’s election just means the threats will be much greater, and the battles a lot harder to win. It’s more than I can possibly do on my own, and I am therefore substantially increasing my annual philanthropy to support organizations like EPIC, EFF, ACLU, and Access Now in continuing their work in these areas.
My agenda is necessarily focused entirely on my particular areas of concern. The risks of a Trump presidency are far more pernicious, but this is where I have expertise and influence.
Right now, we have a defeated majority. Many are scared, and many are motivated — and few of those are applying their motivation constructively. We need to harness that fear and energy to start fixing our society now, instead of waiting four or even eight years, at which point the problems would be worse and the solutions more extreme. I am choosing to proceed as if this were cowpox, not smallpox: fighting the more benign disease today will be much easier than subjecting ourselves to its more virulent form in the future. It’s going to be hard keeping the intensity up for the next four years, but we need to get to work. Let’s use Trump’s victory as the wake-up call and opportunity that it is.