back to article Schneier: NSA snooping tactics will be copied by criminals in 3 to 5 years

If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier. "The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an …

COMMENTS

This topic is closed for new posts.
  1. btrower

    Security is possible (ish)

    What is currently in place is a shambles in terms of technical merit. I am not sure why the ones who know better are so quiet. Some have vested interests in keeping the status-quo, but plenty do not.

    We need a few honest people to break ranks and tell the truth. Flaws and fixes do not take a rarefied understanding of cryptography. I may be naive, but I think that we will see the 'good guys' come out of the woodwork, and finally start telling it like it is.

    The ones we have trusted with all this stuff have proven untrustworthy. The solution to this is one they do not like -- to distribute control and trust so it cannot be 'gamed'. If we build it right, their improper control of cyberspace will vanish.

    1. agricola
      Boffin

      And you think the Feds DON"T want to make an example of Edward Snowden, why?

      "I am not sure why the ones who know better are so quiet..."

      WHAAATTT ???!!!

      We have a saying in my neck of the woods which applies admirably here:

      "DAMN, BROTHER, I DON'T RIGHTLY BELIEVE I'D'A SAID THAT!

      The tooth fairy really exists; and Snow White is still a virgin.

    2. solo

      Re: Security is possible (ish)

      ".. Some have vested interests .."

      Of course, they have. If we could afford offline these 3 business activities offline, we may never need to worry about the mass-snooping:

      1) Social Media: Social chit-chat. Use the crossings / lamp posts / bars of your locality. That will give so contextually relevant content that not even Giggle/FB can provide you.

      2) Online Banking: Use paper cheques. You signature is the best private key ever invented.

      3) Online protests: Use peaceful rallies. No online petition ever caused a policy change. They will just get delayed / sneaked (even rallies don't change anything though if though).

      1. Richard 12 Silver badge

        Paper cheques?

        Your signature is not a private key in any sense if the phrase.

        It's pretty much as public as it gets!

        You publish it to everyone that cares to look for it by the act of writing it on the cheque.

        Written signatures are also known to be relatively simple to fake to a high enough standard to fool a bank, and if given enough time, to fool even the most detailed scrutiny.

        A certified signature is needed for some deals - A solicitor trusted by both parties takes a record of the document and can later be asked to confirm whether the document is unchanged and the right person signed it.

        That one is similar to "signed executables" or signed drivers, except different because those are only saying "Hasn't changed since signing" as the trusted external party has never seen the document.

        You have to fully trust the signer to be nice - and to look after their private keys.

  2. agricola
    Boffin

    There is wonderful entertainment here!

    Doesn't it give you great joy and pleasure, and an almost limitless sense of entertainment, to know that common criminals, crooks, and thieves are at LEAST as smart as the cretins and boneheads at NSA and GHCQ?

    Will Rogers--

    "I don't write jokes. I just report on what goes on in the government."

    "If it was stupidity that got us into this mess, why can't it get us out?"

    "Be glad you're not getting all the government you're paying for."

    "Reader: imagine that you're [a member of the government]. Now imagine that you're a blithering idiot. But I repeat myself." --Mark Twain

  3. Anonymous Vulture
    Boffin

    Strong crypto is not a magic bullet

    First there is the consideration of who created the various cryptosystems. If you can find one constructed by parties you have faith in, and that has been throughly vetted by experts, you are still not out of the woods. You now have to find a proper implementation that works on your preferred operating system and was coded by parties you have faith in. Clearing these hurdles is only sufficient to secure your data locally.

    Data you share with medical providers, search providers, service providers, financial institutions, and so on is a completely different matter. All of this data is being moved to the magical cloud. You have no control over the encryption used there, and more importantly over the key management used there. Even if AES-256 is bullet proof and properly implemented, if the key management system is flawed, you are just as screwed as if the data had been stored unencrypted.

    Real security is painful and costs money. It is also something that does not show up in the positive column on a balance sheet - so anyone motivated by financial gain is going to implement just enough to get you to share your data or to skate by whatever regulator might glance in their direction. Witness the Bitcoin hacks, and the recent credit card leaks.

    1. Daniel B.
      Boffin

      Re: Strong crypto is not a magic bullet

      It usually depends on how secure do you want your stuff. People or organizations that are really, really security-oriented or need to have something hard to break should get an HSM (Hardware Security Module) and use that to encrypt everything. Why? Because an HSM is FIPS 140-2 certified, tamperproof, and will keep the crypto keys in such a way they can't be extracted out of said HSM.

      Of course, even then if security isn't hardened around the servers that have direct HSM access you can still end up getting everything compromised (mostly if you don't enforce Level 3 compliance, anyone can use said HSM and thus decrypt stuff without getting asked for password/token validation). But well, it can be done.

      1. fritsd
        Big Brother

        Re: Strong crypto is not a magic bullet

        Ok, that is solved then..

        Wait a minute.. who determines if something is FIPS 140-2 certified? The American NIST?

  4. Gene Cash Silver badge
    Unhappy

    People can do strong crypto, but can they do it *well*?

    I think the recent rash of SSL idiocy answers that question.

  5. ecofeco Silver badge

    The bad news

    Most people can't be arsed to remember their passwords and make sure their AV is updated nor keep their kids from playing on their PC.

  6. earplugs

    Headline is backwards - NSA copied crooks

    Isn't the whole point of it that we paid for the NSA to protect us by closing holes in Internet security, and they turned around and kept gaping holes open so they could spy on Miss Indonesia's chatter. They copied cybercriminals' MoO, and screwed up badly.

  7. Mahou Saru

    Hmmm strong crypto is...

    well implemented crypto or else it is weak!

  8. Sir Runcible Spoon
    Holmes

    Sir

    "You think the Israeli companies are going to be better? Not a chance"

    Yes, Checkpoint, he's looking at YOU!

    1. Anonymous Coward
      Anonymous Coward

      Re: Sir

      Alledgely AMDOCS too according to a telco aquaintance of mine.

  9. Anonymous Coward
    Anonymous Coward

    The NSA are the criminals

    Anon.

  10. Anon

    The NSA are the criminals

    Anonymous Coward.

  11. Anonymous Coward
    Anonymous Coward

    This makes you want to weep...

    "Entire business plans for Facebook, Google and others are predicated on collecting personal data and using it (with some psychological techniques) to convince us to buy stuff."

    Human aspiration and communication reduced to to "buy crap now", taking security along with it. Depressing.

    For most of us, I'm not completely sure I agree with "If someone's going to spy on you then better the US than Russia.". Unless you are talking about Russia compromising bank accounts or the like, the NSA - or in my case GCHQ - is quite a bit worse, because those who control them have more motivation and opportunity for a direct and unremittingly negative impact on my life. The long history of the security services in the UK shows they are not averse to using it as many Labour ministers found out when they got into government. Given the swivel eyed paranoia that is now part and parcel of the culture, and the particularly open-ended governmental obsession with the bogeyman du jour, "terror", it is really not the Chinese or the Russians who bother me.

    It may be a long walk to freedom, but from where we are at the moment, its a very short one to something that looks very much like dictatorship.

    1. tom dial Silver badge

      Re: This makes you want to weep...

      Which is more at risk: your money or your liberty?

      In the U. S., it appears overwhelmingly to be money (Target, Nieman-Marcus, ...). Nothing I know about the UK suggests it would be different there. What these agencies do may seem creepy, may not be worth the very considerable expenditures, and certainly could be misused. However, reports of actual misuse seem to be even scarcer than verifiable successes.

      The uproar over spying by government established spy agencies is at least as much a moral panic as that over "terror". The latter at least is rooted in actual events.

  12. Squander Two

    Well, perhaps not all the tactics.

    > online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics

    Criminals are going to persuade Congress to force telcos to hand them all our data? Well, I suppose it's worth a try.

    1. Ken Hagan Gold badge

      Re: Well, perhaps not all the tactics.

      Yes, they'll try, and you'll be laughing out of the other side of your face when they succeed.

    2. tom dial Silver badge

      Re: Well, perhaps not all the tactics.

      Schneier appears here to have been discussing hardware and software machine implants and techniques for capturing cell phone communications. Within the national boundaries, police (types) have been using similar techniques for a long time to bug machines (mostly with warrants), as have criminals. There are differences in detail, but nothing really all that new. They have no overwhelming need to build bogus cell towers, since they can obtain authorized access through the courts. Criminals may find it useful to emulate this, and with dozens of software defined radios priced in the under $1000 range it is doubtful that they will be as much as 3-5 years behind in that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Well, perhaps not all the tactics.

        Gosh - the FBI builds bogus cell towers all the time. You didn't notice?

    3. Paul_Murphy

      Re: Well, perhaps not all the tactics.

      By definition if it's against the law then they are criminals - if it's legal then they aren't.

      Wait - who are we talking about? governments, big business or criminals? it's so easy to get them confused.

  13. veti Silver badge

    I think it's time to update an old fave...

    Your post advocates a

    (*) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to privacy. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    (*) Any technical solution is only as strong as its weakest point

    (*) Regular internet users don't have time for this stuff

    (*) It requires finding people you can trust to do the implementation

    ( ) It is defenseless against brute force attacks

    (*) It will slow down the NSA for two weeks and then we'll be stuck with it

    ( ) Users of email will not put up with it

    ( ) Microsoft will not put up with it

    ( ) The police will not put up with it

    ( ) Requires too much cooperation from the enemy

    ( ) Requires immediate total cooperation from everybody at once

    ( ) Many net users cannot afford to lose business or alienate potential employers

    (*) The NSA doesn't care how much data it has to crunch

    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it

    ( ) Backdoors intentionally built into commercial equipment

    (*) Backdoors intentionally built into commercial software

    (*) Known-plaintext attacks on encrypted data

    (*) Asshats

    ( ) Jurisdictional problems

    ( ) Unpopularity of weird new technologies

    ( ) Public reluctance to accept weird new forms of communication

    ( ) Huge existing software investment in HTTP(S)

    ( ) Susceptibility of protocols other than HTTPS to attack

    ( ) Infected wireless access points

    ( ) Armies of worm-riddled broadband-connected Windows boxes

    (*) Eternal arms race involved in all cryptographic approaches

    ( ) Extreme profitability of spying

    ( ) Identity theft

    ( ) Technically illiterate politicians

    ( ) Extreme stupidity on the part of people who use the internet

    ( ) Dishonesty on the part of spies themselves

    and the following philosophical objections may also apply:

    (*) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

    (*) Any scheme based on opt-out is unacceptable

    ( ) Cryptography should not be the subject of legislation

    ( ) We should be able to talk without being censored

    ( ) Countermeasures should not involve wire fraud or credit card fraud

    ( ) Countermeasures should not involve sabotage of public networks

    ( ) Countermeasures must work if phased in gradually

    ( ) Sending email should be free

    ( ) Why should we have to trust you and your servers?

    ( ) Incompatiblity with open source or open source licenses

    ( ) Feel-good measures do nothing to solve the problem

    ( ) I don't want the government reading my email

    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.

    (*) Privacy is dead. Wake up and smell the decay.

    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  14. Mystic Megabyte
    Holmes

    Old news

    20 or more years ago some crooks tapped into the phone lines of a gold broker.

    They ordered a quantity of gold and presented a bankers draft.

    When the broker rang the bank they were diverted to the crooks who verified the draft.

    The gold was delivered and very quickly the crooks and gold vanished, never to be seen again,

    It was a brilliant scheme, the gold gets delivered to you and nobody got hurt.

    AFAIK nobody was ever caught.

  15. Cipher

    3 - 5 years? The NSA is breaking the law now, so criminals are using the tech now...

  16. Al fazed
    Black Helicopters

    Well Durr !!!!!!!!

    These are the f*cking criminals ! Is this guy for real ?

    ALF

  17. Spanners
    Black Helicopters

    Poor Headline

    The headline talks as if the NSA is not a criminal organisation.

    It is certainly not illegal in its own country but by default it breaks the law(Constitution). It is therefore a criminal organisation.

    Also I believe that the churn between criminal organisations, legal and not, is a lot less than that.

This topic is closed for new posts.

Other stories you might like