Link

5G security

Bruce Schneier’s essay on why 5G security will be an ongoing problem, a result of putting the short-term benefits of companies and intelligence agencies ahead of long-term societal safeguards.

5G security is just one of the many areas in which near-term corporate profits prevailed against broader social good. In a capitalist free market economy, the only solution is to regulate companies, and the United States has not shown any serious appetite for that.

[…]

Both criminal attacks and government cyber-operations will become more common and more damaging. Eventually, Washington will have to do something. That something will be difficult and expensive — let’s hope it won’t also be too late.

The old internet was designed to deal with unreliable connections and routes, but not to deal with adversarial network components…


Privileged access to encrypted communication: why not.

Bruce Schneier on why it’s not a good idea to have “privileged access” for eavesdropping on encrypted communication:

The basic problem is that a backdoor is a technical capability — a vulnerability — that is available to anyone who knows about it and has access to it. Surrounding that vulnerability is a procedural system that tries to limit access to that capability. Computers, especially internet-connected computers, are inherently hackable, limiting the effectiveness of any procedures. The best defense is to not have the vulnerability at all.

The examples of what we know has happened already illustrate why giving “the good guys” a backdoor will make us all less safe.

Source: Evaluating the GCHQ Exceptional Access Proposal


European datacenter is no solution, recent developments show

Nextcloud’s blog has an overview of where things seem to be going with US companies storing data on European servers. (Hint: “Trump”).

Many Software-as-a-Service companies from abroad are currently setting up European data centers, often together with European partners. With this, they hope to ease the growing European concerns around privacy, data protection and complying with existing and upcoming regulations like the EU General Data Protection Regulation (GDPR). But recent developments in US courts show this to be a risky proposition: the problem of privacy is far from resolved by ‘just’ putting data in Europe. For companies betting on Privacy Shield, using services from US companies directly or through an intermediary storing data in Europe, all this is very bad news.

Source: European datacenter is no solution, recent developments show – Nextcloud


Ethereum Hacks

My reservation with block chains and crypto currencies: they disempower the ordinary person (or user)… instead of the Bad Guy On The Corner taking your wallet, now anyone anywhere can steal all your money, and you might not even notice it at first.

The press is reporting a $32M theft of the cryptocurrency Ethereum. Like all such thefts, they’re not a result of a cryptographic failure in the currencies, but instead a software vulnerability in the software surrounding the currency — in this case, digital wallets.

[…]

This is my concern about digital cash. The cryptography can be bulletproof, but the computer security will always be an issue.

Source: Ethereum Hacks


How easy is it to securely leak information to some of America’s top news organizations?

Good to spread the manual… leaking is pretty much a “standardised process” by now:

One quick download and a codename: If I can use SecureDrop, you can do it too.

Source: How easy is it to securely leak information to some of America’s top news organizations? This easy » Nieman Journalism Lab

They link to a video explaining the same thing:


Class Breaks

Bruce Schneier on the different way most online risks work:

In a sense, class breaks are not a new concept in risk management. It’s the difference between home burglaries and fires, which happen occasionally to different houses in a neighborhood over the course of the year, and floods and earthquakes, which either happen to everyone in the neighborhood or no one. Insurance companies can handle both types of risk, but they are inherently different. The increasing computerization of everything is moving us from a burglary/fire risk model to a flood/earthquake model, where a given threat either affects everyone in town or doesn’t happen at all.

Source: Class Breaks