Three words: "desktop gene sequencing", "ebola", "script kiddies".
I dunno how to fix it either.
Cheers,
-- jra
Jay Ashworth wrote:
Our Security Models Will Never Work — No Matter What We Do | WIRED
Three words: "desktop gene sequencing", "ebola", "script kiddies".
I dunno how to fix it either.
I think that's six words - twice as scary. I dunno how to fix it either ("when in trouble, when in doubt, run in circles, scream and shout?")
When the costs of offense fall, a pretty good response is to drive the
costs of defense through the floor. E.g. how do we drive the costs of
mitigating DDoSs down further?
A second best response would be ubiquitous surveillance....
Although I don't disagree with Bruce, this sort of "scare article"
doesn't seem to be very in character for him.
I don't think script kiddies with gene sequencers will manage to kill us
with Ebola, for the same reason that script kiddies haven't managed to
kill the Internet - by the time they figure out how to not kill themselves
with the Ebola, they usually figure out that it's a losing proposition
(consider the number of nation states that *could* deploy biological weapons
compared to the number that actually have).
Anybody seriously thing the RBN couldn't kill the Internet if they really
wanted to? Why don't they? Because they can't monetize a dead Internet.
Having said that, we probably *will* see a number of incidents where the
biohazard cleanup crews have to clean up a local mess...
Not really anything all that new from a conceptual perspective:
http://www.youtube.com/watch?v=3hZo5k0V9M0
Owen
Maybe, but bio is a bigger spread hazard than nuke, and harder to test
for -- which is probably why, by policy, DOD/NCA treats it as a WMD.
Cheers,
-- jra
There's nothing much new in the article other than that the usual headline
grabbing soundbite and tortured big bang analogy
--srs (htc one x)
The DIYbio community is perfectly harmless so far. The feds are
already breathing down their necks, so there's no really no point
in adding gratuitious gasoline to the fire.
This is a problem for the future to solve. Not us.
In bioweapons, I think we are still on the "happy hackers era", where
people in a biochemical laboratory in Liverpool have access to some
fungus that can wipe half the city, but don't do, because have a lot
of fun studying the fungus to learn new antibiotics, or maybe to cure
baldness. Scientist are, of course, hackers. Fun people that make
this question: Exploitability. Can this fungus be used to cure
baldness? Can this fungus be exploited to remove plastic from our
oceans?.
Exploitablity is a fun good word, and I never see a person like Bruce
Schneier talk about it (how fucking awesome is exploitability). So
reading people like Bruce Schneier you only get half the picture.
We exist only because the carbon based chemistry is exploitable to the
x900000. If carbon where less exploitable, like silice, maybe life
will not exist. Similary, maybe you need exploitability to have a
internet.
Exploitability = usability from a different perspective.
Postel said "be conservative in what you do, be liberal in what you
accept", which seems like usability restated, and would QED this.
Granted, we think we've made something fairly usable: it's always
someone else's filter fail or multi-hour/day DDoS that ends up in the
news... until we get unlucky. 
Our Security Models Will Never Work — No Matter What We Do | WIRED
So what I gather from that:
"Calling terrorism an existential threat is ridiculous in a country
where more people die each month in car crashes than died in the 9/11
terrorist attacks."
And there you have it 
Security obviously works thus far, in the sense, that so far,
government has been preserved -- there is not total chaos, in at least
most of the world, and people do not doubt if their life or property
will still exist the next day.
There have been incidents, even serious ones, and times when security
failed -- it just means that security is not perfect, but hardly
anything humans do is perfect; devices we make fail, accidents
happen.
I never saw an article yet about why engineering can't work, or why
driver safety can't work (driver licensure/speed
limits/seatbelts/traffic signs). Accidents are inevitable, and
maybe the miscreants are able to take advantage of new faster engine
technology before the police can, but it's not the point
Abusing new technology faster doesn't trump the extreme smallness of
the numbers of truly bad actors, who have irrational thinking, would
like to end civilization, and the intersection between those and
those who have a viable method that would work + the right
resources/skill available, and a reasonable chance of success....
astronomically small
If in a few decades, there is a 0.1% chance per decade of a
script kiddie ending civilization, I think we've got few reasonable
alternatives but to accept that risk and hope for the best
Three words: "desktop gene sequencing", "ebola", "script kiddies".
Good thing genetic manipulation is highly non-trivial, and obtaining
ebola samples would require significant legwork while script kiddies
lack motivation, and there are much lazier, less risky/dangerous, more
profitable ways for them to steal.
At least for the forseeable future until financial account theft
becomes a solved problem.
Then they might move to ransomware that threatens to shut down power
grids, if they dpn't get paid, I suppose...
but
For the forseeable future; there's no mechanism for using a computer
to modify a virus to insert spam or email-cc-details commands
directly into people's brains, or to infect people's brains with
malware to create a human botnet.
At that point, perhaps in a couple hundred years, one begins to
become concerned that one of the human botnet operators, could end
civilization by accident.
"The Feds" have jurisdiction in Yemen, North Korea, Iran, and other places like
that? That's a relief, I'm glad to see we've actually got a way to stop
those places that engage in constant sabre-rattling....
Actually, it was "be conservative in what you send, liberal in what you accept."
Small nit, but does change the meaning a bit in this context.
Owen
And there you have it
Security obviously works thus far, in the sense, that so far,
government has been preserved -- there is not total chaos, in at least
most of the world, and people do not doubt if their life or property
will still exist the next day.
I'm not sure I would even put "government has been preserved" on the list of considerations for the success or failure of security.
I would put "law and order", "governance and/or the process of governance" on the list, but especially in a post-911 world, the US Government has departed from those ideals to varying degrees.
Do not get me wrong, I am not advocating radical revolution or saying that we should tear down the existing institutions. Merely that we should be careful in our default use of terminology and focus on what we really want to preserve. Ideally, we can restore the US government to its proper (and limited) function. (That does not mean eliminating government services and making it small enough to fit in our bedrooms, either.)
I'm not supporting any of the current Washington agendas and parties. I'm fed up with all of them at this point and unless they start working on solving problems instead of posturing all the time, I won't be supporting ANY incumbents.
Abusing new technology faster doesn't trump the extreme smallness of
the numbers of truly bad actors, who have irrational thinking, would
like to end civilization, and the intersection between those and
those who have a viable method that would work + the right
resources/skill available, and a reasonable chance of success....
astronomically small
The bottom line is that any system of laws and/or governance depends entirely on voluntary compliance by the majority of the actors.
If in a few decades, there is a 0.1% chance per decade of a
script kiddie ending civilization, I think we've got few reasonable
alternatives but to accept that risk and hope for the best
On the other hand, I will hold up the U.S.A.P.A.T.R.I.O.T. act and the T.S.A. as proof that we are rather adept at exploring and sometimes acting on the unreasonable alternatives.
Owen
The US law enforcement is getting closer and closer at being able to
be DDoS-ed very effectively because of all of their advisories about
"see something, say something" and all other scare tactics crap they
come up with.
I mean it's bad some guy shot up a lot of people in a theater or in a
school, but now it's sufficient to call 911 and say you saw a guy with
what looks like an assault riffle in a theater or school campus and
the just grab a bucket of popcorn and see everyone panic and SWAT
teams with guns blazing canvasing the objective.
Do it in a coordinated fashion on a daily basis and bam: DDoS at it's
finest. No one would take a chance to treat the calls as pranks
because if they get it wrong only once, they will be in a very big
s***storm.
Not to talk about economic losses because once a day a mall gets
evacuated for a few hours. The cost of pulling it off: none. 911 calls
are free :))
Today, tomorrow, someone else will shoot up a mall. What are you going
to do ? Install TSA scanners at mall entrances ? No problem, you can
shoot people in a subway station ? What, TSA at every subway station
entrance in the country ? At every bus station ? Blackwater security
with metal detectors every conference held in a hotel ?
Or just play it cool and live normally with the chance that the next
disgruntled person with a gun will not choose the same place you
happen to be at at any particular time.
The "disgruntled person with a gun" can be replaced with your favorite
type of bad guy (bio-terrorist, suicide bomber etc).
It's not a secret that people do stupid things when they're scared and
all of the world's governments know this and never loose the chance to
pass more restrictive laws whenever a tragedy happens and people would
support anything that they believe would stop another incident.
What people need is more common sense and not be get scared and
panicked by whatever scare the media throws at at them. They would
twist stories to get ratings in unimaginable ways.
Statistically speaking, everyone of us has a chance everyday to die in
an accident (get hit by a car, bus, metro, train whatever). This does
not mean that everyone should stay home and do nothing. Even at home
you can cat yourself very bad with a knife making dinner :))
Minimize the big threats using intelligence services effectively, and
smaller ones if you can in a non-intrusive way. Perfect security will
never be something that can be attained. Even from North Korea people
escape from time to time, and they are surveilled like crazy.
From: "." <oscar.vives@gmail.com>
This is a problem for the future to solve. Not us.
Seriously?
In bioweapons, I think we are still on the "happy hackers era", where
people in a biochemical laboratory in Liverpool have access to some
fungus that can wipe half the city, but don't do, because have a lot
of fun studying the fungus to learn new antibiotics, or maybe to cure
baldness. Scientist are, of course, hackers. Fun people that make
this question: Exploitability. Can this fungus be used to cure
baldness? Can this fungus be exploited to remove plastic from our
oceans?.Exploitablity is a fun good word, and I never see a person like Bruce
Schneier talk about it (how fucking awesome is exploitability). So
reading people like Bruce Schneier you only get half the picture.
We exist only because the carbon based chemistry is exploitable to the
x900000. If carbon where less exploitable, like silice, maybe life
will not exist. Similary, maybe you need exploitability to have a
internet.
You very well might. But never before have the stakes been this high.
As Spenser is so fond of quoting Clausewitz: you plan not for your
enemy's intentions, but for his capabilities.
In the next 3 years, it will become possible to build an autonomously
navigating aircraft that can a) cross the Atlantic and b) carry a
nuclear weapon.
The surveillance someone advocates in another posting won't help you
there; your first warning will be "Manhattan goes boom".
Cheers,
-- jra
[snip]
In the next 3 years, it will become possible to build an autonomously
navigating aircraft that can a) cross the Atlantic and b) carry a
nuclear weapon.
Not only is it already possible to build a human manually navigated aircraft
that can do both (a), and (b), they already exist, and computer
autonomy isn't necessary or useful, to hit a single big target; now
computer autonomous aircraft that can do only (a) could be just as
useful as decoys.
Nuclear weapons are rare, expensive, and the existing ones are
(hopefully) well-secured, due to their extremely high value. I
would be more concerned about the possibility of a large swarm -- of
half a million solar powered drones of the approximate size of a
large eagle capable of crossing the oceans and releasing a spray of
bio agents over very large distances.
From: "Jimmy Hess" <mysidia@gmail.com>
[snip]
> In the next 3 years, it will become possible to build an
> autonomously
> navigating aircraft that can a) cross the Atlantic and b) carry a
> nuclear weapon.Not only is it already possible to build a human manually navigated
aircraft that can do both (a), and (b), they already exist, and computer
autonomy isn't necessary or useful, to hit a single big target; now
computer autonomous aircraft that can do only (a) could be just as
useful as decoys.
Sure it is. An autonomous UPV *is small enough to bust the ADIZ without
returning a skin paint*.
Nuclear weapons are rare, expensive, and the existing ones are
(hopefully) well-secured, due to their extremely high value. I
would be more concerned about the possibility of a large swarm -- of
half a million solar powered drones of the approximate size of a
large eagle capable of crossing the oceans and releasing a spray of
bio agents over very large distances.
Whichever weapon is chosen, the point remains that the battlefield
is asymmetric, and it's asymmetric *against us*.
Cheers,
-- jra