NEWS2U International News
Connecting the Dots

Sunday, February 26, 2012

Government, big data pose bigger 'Net threat than criminals - Schneier

By Dan Goodin
Ars Technica
Feb 23, 2012
[emphasis added]

As Bruce Schneier spent the past decade watching the growing rash of phishers, malware attacks, and identity theft, a new Internet threat has emerged that poses even greater risks, the security expert said.

Unlike the security risks posed by criminals, the threats from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself.

They're also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don't recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.

"Taken as a whole, there's a lot of things going on that affect our industry from outside our industry," Schneier, who is the author of five security books, said during a Wednesday keynote at the 24th General Meeting of the Messaging Anti-Abuse Working Group. "These are things that might be imposed on us. More capability, more usability, less control."

The first of three pillars propping up this outside threat is big data collectors, which, in addition to Apple and Google, Schneier identified as Amazon and Facebook. (Notice Microsoft didn't make the cut.)

The goal of their data collection is for marketers to be able to make snap decisions about the product tastes, credit worthiness, and employment suitability of millions of people. Often, this information is fed into systems maintained by governments.

Schneier didn't discuss the effect this unprecedented level of data scavenging has on individual privacy. Instead, he focused on how it ties the hands of people working at ISPs and software companies who work to secure their customers' personal information.

"We in security face enormous threats here because there are things we might want to do that we won't be able to do," he told about 400 people attending the three-day San Francisco conference. "You could see a law that limits what we can do about cookie deletion." Laws that require smartphones or other devices to be equipped with unique identifiers aren't a stretch, either, he said.

Schneier said the threat is often obfuscated by the tremendous technical advances the big data players have offered. Google mail is a safer alternative for average users because there's almost no chance they'll ever lose a message.

Apple's iPhone is wildly popular because it's easy to use and to date has proved largely impervious to real-world malware attacks. But behind the security and reliability, there are threats many don't consider.

"I can't find a program that will erase the data on this thing to a reasonable assurance without jailbreaking it," he said, holding up his iPhone. "For me that's bad."

The age of feudal security

He called the new model "feudal security," in which Kindle Fire owners trust their security to Amazon, iPhone users trust theirs to Apple, and so on. As a result, the devices no longer come with general-purpose capabilities.

Open environments are increasingly being replaced with closed systems that are designed to give users less control.

In addition to the threat from big data—which Schneier coined "the risks of Layer 8 and Layer 9 attacks"—he said Internet users are being harmed by the surge in government attempts to redesign Internet infrastructure. As more and more of the world goes online, it's a given more crime will follow, he said. As a result, laws such as the 1994 Communications Assistance for Law Enforcement Act—which mandated telecom companies redesign switches and other gear so law enforcement agents could tap them—are slowly being extended to Internet technologies, possibly including Skype and Hushmail.

Another example is a push among governments in Europe to require ISPs to store logs of user activity for 12 months or longer in case the information is needed in an investigation.

"Here, we have an example of government coming in an effort they believe will make us all safer," he said. "I look at it and say it's much less safe because once you have that data you're going to have to secure it. And the securest thing you can do is to delete it. So again we're seeing people who are not Internet security people trying to push a security policy."

The third force of this outside, nontechnical threat is posed by a "cyberwar" arms race, in which countries around the planet develop weapons such as the Stuxnet worm, case each other's networks, and possibly even plant backdoors in case they're needed during a time of war.

"We're now living in a world where nations are stockpiling cyber weapons," he said. "The military industrial complex is alive and well and quite happy to spend lots of money on cyber weapons and cyberwar and cyber defense. This feels incredibly destabilizing to me. I'm not convinced these things couldn't go off by accident."

Schneier's hour-long talk barely touched on his newest book, Liars and Outliers: Enabling the Trust that Society Needs to Thrive, which was published earlier this month. He said Wednesday's talk was a preview of one he's scheduled to give next Tuesday at the RSA security conference.

Source:
http://arstechnica.com/business/news/2012/02/schneier-gov-big-data-pose-bigger-net-threat-than-criminals.ars
______________________

Thursday, February 16, 2012

The Afghanistan Report the Pentagon Doesn't Want You to Read

By Michael Hastings
Rolling Stone
February 10, 4:25

Earlier this week, the New York Times’ Scott Shane published a bombshell piece about Lt. Colonel Daniel Davis, a 17-year Army veteran recently returned from a second tour in Afghanistan. According to the Times, the 48-year-old Davis had written an 84-page unclassified report, as well as a classified report, offering his assessment of the decade-long war.

That assessment is essentially that the war has been a disaster and the military's top brass has not leveled with the American public about just how badly it’s been going. "How many more men must die in support of a mission that is not succeeding?" Davis boldly asks in an article summarizing his views in The Armed Forces Journal.

Davis last month submitted the unclassified report – titled "Dereliction of Duty II: Senior Military Leader’s Loss of Integrity Wounds Afghan War Effort" – for an internal Army review. Such a report could then be released to the public. However, according to U.S. military officials familiar with the situation, the Pentagon is refusing to do so.

Rolling Stone has now obtained a full copy of the 84-page unclassified version, which has been making the rounds within the U.S. government, including the White House. We've decided to publish it in full; it's well worth reading for yourself. It is, in my estimation, one of the most significant documents published by an active-duty officer in the past ten years.

Here are the report's damning opening lines: "Senior ranking U.S. military leaders have so distorted the truth when communicating with the U.S. Congress and American people in regards to conditions on the ground in Afghanistan that the truth has become unrecognizable. This deception has damaged America’s credibility among both our allies and enemies, severely limiting our ability to reach a political solution to the war in Afghanistan."

Davis goes on to explain that everything in the report is "open source" – i.e., unclassified – information. According to Davis, the classified report, which he legally submitted to Congress, is even more devastating. "If the public had access to these classified reports they would see the dramatic gulf between what is often said in public by our senior leaders and what is actually true behind the scenes," Davis writes. "It would be illegal for me to discuss, use, or cite classified material in an open venue and thus I will not do so; I am no WikiLeaks guy Part II."

According to the Times story, Davis briefed four members of Congress and a dozen staff members and sent his reports to the Defense Department’s inspector general, and of course spoke to a New York Times reporter; only after all that did he inform his chain of command what he'd been up to.

Evidently Davis's truth-telling campaign has rattled the Pentagon brass, prompting unnamed officials to retaliate by threatening a bogus investigation for "possible security violations," according to NBC News.

Although Davis's critics have tried to brush off his claims as merely the opinions of a "reservist," – as Max Boot put it – his report is full of insight, analysis, and hard data that back up each one of his claims. He details the gross failure of training the Afghan Army, the military's blurring of the lines between public affairs and "information operations" (meaning, essentially, propaganda), and the Pentagon's manipulation of the U.S. media. (He expertly contrasts senior military officials' public statements with the actual reality on the ground.)

Davis concludes: "It is my recommendation that the United States Congress – the House and Senate Armed Services Committees in particular – should conduct a bi-partisan investigation into the various charges of deception or dishonesty in this report and hold broad hearings as well," he writes. "These hearings need to include the very senior generals and former generals whom I refer to in this report so they can be given every chance to publicly give their version of events."

In other words, put the generals under oath, and then see what story they tell.

Michael Hastings is a contributing editor to Rolling Stone and author of The Operators: The Wild and Terrifying Inside Story of America's War in Afghanistan.


Source:
http://www.rollingstone.com/politics/blogs/national-affairs/the-afghanistan-report-the-pentagon-doesnt-want-you-to-read-20120210#ixzz1m1NVY1Cb
__________________

Sunday, February 12, 2012

FBI in the market for app to monitor social networks

By Zeljka Zorz
Help Net Security
January 27, 2012

The US FBI is looking into the possibility of using an "Open Source and social media alert, mapping, and analysis application" for increasing its situational awareness, and to that effect has issued a request for information to determine if there are companies that could provide them with it.

"This must be a secure, light weight web application portal, using mash-up technology," it says in the request. "The application must have the ability to rapidly assemble critical open source information and intelligence that will allow [FBI's] Strategic Information and Operations Center [SIOC] to quickly vet, identify, and geo-locate breaking events, incidents and emerging threats. The product must have the capacity to allow the user to retain control of cached and real-time proprietary data; the ability to share it with selected partners, and […] the ability to adapt quickly to changing threats to maintain the strategic and tactical advantage."

The FBI wants the application to be able to search and scrape social networking and news sites (Twitter, Facebook, CNN, MSNBC, and others) for breaking events, crises and threats; to automatically filter the data according to definable parameters; to notify the users about these events and show them on maps (Google Maps, ESRI, Yahoo Maps, and others) according to priority; and to be able to quickly summarize threats and incidents and send out these summaries to FBI management and field offices.

Special interest has been shown for information that can be collected from social sites, so the application must be able to "instantly search and monitor key words and strings in all 'publicly available' tweets across the Twitter Site and other 'publicly available' social networking sites/forums (i.e. Facebook, MySpace, etc.)," because "social media will be a valued source of information to the SIOC intelligence analyst in a crisis because it will be both eyewitness and first response to the crisis."

Source:
http://www.net-security.org/secworld.php?id=12302
___________________________