We stand on the brink of global cyber war, warns encryption guru

We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday. Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran’s attack on Saudi Aramco, China’s apparent role in hacking …


  1. Tomato42
    IT Angle

    Sony hack costing $15 million? I think they counted only the cost of cleaning ladies and detergents, not BOFHs working overtime.

    1. Small Furry Animal

      You missed the last 5 words

      "Schneier claimed that the $15m clean-up costs booked by Sony Pictures in the wake of the attack seem to under-estimate costs and further charges will likely follow"

      The BOFH hasn't submitted his bill yet :-)

    2. Adam 1

      The math looks right to me. Clearly this damage is the same as someone pirating 660 songs.

  2. jake Silver badge

    Anybody who uses the term "cyber" in this context ...

    ... can probably be safely ignored.

    "Cyber" is an irrelevant catch-all, usually meaning "I know nothing about computers and networking".

    1. TonyJ

      Re: Anybody who uses the term "cyber" in this context ...

      "...... can probably be safely ignored."

      I bet you said the same thing about Snowden

    2. John H Woods Silver badge

      Re: Anybody who uses the term "cyber" in this context ...

      I dislike the prefix "cyber-", quite possibly for many of the same reasons you do. But it's here and it's going to stay; language evolves, quite often in ways one deprecates, but one has to accept it. And I might even agree that most people using the term "can probably be safely ignored" - but this is Bruce Schneier; so it's unlikely we can so easily consider him a member of that category.

    3. Anonymous Coward

      Re: Anybody who uses the term "cyber" in this context ...

      Ignore Schneier at your peril

      1. Anonymous Coward

        Re: Anybody who uses the term "cyber" in this context ...

        Ignore him? I can't even speak his name.

      2. mrvco

        Re: Anybody who uses the term "cyber" in this context ...

        I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".

        1. PrivateCitizen
          Unhappy

          Re: Anybody who uses the term "cyber" in this context ...

          I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".

          Same here. I am a big fan of Bruce (can't spell his surname though) and I count myself as one of the "followers" who regularly read his blog and buy his books.

          However, I am at a loss as to what changed his mind on the Sony hack, other than the fact that the company he now works for (Resilient Systems, once called Co3) does a good line in incident response and the fear of Nasty Norks is better for business than "shit happens and on the interwebz a shit can be a big one."

          I hope this isn't true though.....

          Sadly, nothing in Sanger's NYT article was new, novel or really worth changing your mind over.

            1. Anonymous Coward

            Re: Anybody who uses the term "cyber" in this context ...

            "However, I am at a loss as to what changed his mind on the Sony hack, other than the fact that the company he now works for (Resilient Systems, once called Co3)..."

            My information is that he gained access to the classified report on the incident, a report generated by the FBI, but sourced from the NSA.

            A report that I also read, when it was first released. Released on the day that Sony admitted that they were hacked.

            There are good points to be had for holding a security clearance. Of course, the bad points are tons and tons of mind numbingly boring reports one isn't even allowed to complain about, as the only people who you could complain to is your own uncleared family.

          2. Anonymous Coward

          Re: Anybody who uses the term "cyber" in this context ...

          'I have to question anyone touting the party line that the DPRK was actually responsible for the Sony "hack".'

          That you question it is telling: you're a neophyte in the information security biz.

          The DPRK cyber warfare team were trained by their benefactors in the PRC. Those chaps in the PRC are damned good at their jobs!

          To the point that one global corporation has had PRC cyber spooks inside of their network for over two years. When called in to assist in the mess, I remarked that the PRC cyber operatives should be drawing a company paycheck, as they're in the network nearly full time.

          But, I'll admit, their methods are quite inventive, adaptive and occasionally, novel.

          Think of them as China's version of the BOFH, turned spook.

          Still, I have to question the wisdom of that corporation's configuration, where one manages to access the interior network and even protected networks through a DMZ machine.

          The blithering idiots.

  3. Zog_but_not_the_first
    Windows

    Just as well...

    Some of us have BTI* survival skills.

    * Before the Internet.

    1. James Boag

      Re: Just as well...

      What, you didn't back up the internet just in case!

      1. Anonymous Coward

        Re: Just as well...

        @James Boag; Don't worry, I'm on it right now!

        Damn, has anyone got a spare floppy?

        Interesting to wonder at what rate new content was being uploaded to the Internet back in the late 90s(?) when that gif came out... and how much more is being added now. Or put another way, what's the minimum connection that would be required simply to keep up with all new content currently being uploaded worldwide?!

        1. Martin

          Re: Just as well...

          That sounds like a question for Randall Munroe...

          https://what-if.xkcd.com/

        2. Wzrd1 Silver badge

          Re: Just as well...

          "Or put another way, what's the minimum connection that would be required simply to keep up with all new content currently being uploaded worldwide?!"

          I don't know, but I have six (!) OC-48 feeds coming into my building at work.

          And we're *not* the NSA or any other government entity.

            1. Anonymous Coward

            Re: I have six (!) OC-48 feeds coming into my building at work.

            "I have six (!) OC-48 feeds coming into my building at work."

            Marvellous.

            Now, once this Internet feed has been de-duped by your WAN accelerators and your storage magick, and once a top secret gadget has removed everything which some judiciary somewhere regards as pornographic or terrorist-related, will half a dozen boxes of line printer paper a week be enough to print out the useful content in what's left?

            Please call 1-800-PAPER to place your order. Also available: 100MB Zip drives and media. Free limited lifetime warranty.

    2. BobRocket

      Re: Just as well...

      'Before the Internet'

      Ha, Ha, that's a good one, is that one of those tales that old people use to scare the children ? Next you will be telling us that Maccy Ds used to come in styrofoam boxes (like anyone would believe that :)

      1. Tromos

        Re: Just as well...

        I always thought the Styrofoam came between the two bits of bread.

        1. Wzrd1 Silver badge

          Re: Just as well...

          I always thought that slices of bread *were* Styrofoam.

    3. werdsmith Silver badge

      Re: Just as well...

      Before the Internet indeed.

      Protect and Survive - Government Information Film.

      Remove a door from its hinges and lean it against a structural wall.

      Take bin bags and fill them with earth from your garden, and pile them up to cover the door.

      Hide under the door with your family and a battery transistor radio to listen for government information.

      Do all of this in the four minute warning period.

      What happened to all those sirens on pylons and high buildings?

      1. Dan Paul

        Re: Just as well...(You never got the US filmstrip version)

        In the case of a nuclear emergency, please crawl under your desk, kneel on the ground facing away from the windows and cover your eyes (and kiss your ass goodbye).

        Your glowing parents will be over to pick you up as soon as the half life of Plutonium kicks in. You can play a lot of Fallout 5 in the meantime.

        Our sirens are still here but the "shelters" have all been demolished as someone figured out that that many MRVs meant there was no point unless you were in an underground bunker Terminator style.

        1. Wzrd1 Silver badge

          Re: Just as well...(You never got the US filmstrip version)

          "Your glowing parents will be over to pick you up as soon as the half life of Plutonium kicks in."

          I don't know about the plutonium bit, but I'm of the generation that has radioactive bones, courtesy of strontium-90.

          My area also still has plenty of the old CD shelters, aka school, church and older government buildings basements.

          As I said long ago, when working with nuclear field missiles, "Go toward the light, my children!".

          For, afterward shall be much suckage.

      2. P. Lee

        Re: Just as well...

        Now the government wants everyone to use a DAB radio and internet companies want us to stream music, so after the big one we'll have no comms and no record of Miley Cyrus.

        Swings and roundabouts I guess.

      3. Wzrd1 Silver badge

        Re: Just as well...

        "What happened to all those sirens on pylons and high buildings?"

        They figured out that all of those precautions were rubbish.

        If the nuclear attack didn't get you and the firestorm didn't get you, nuclear winter would get you.

    4. RegGuy1 Silver badge

      Before the Internet

      No. That can't be true.

      There can't have been a before the Internet. How would people have survived?

      1. Message From A Self-Destructing Turnip
        Windows

        Re: Before the Internet

        It's OK guys, we're safe. I've put the big blue 'e' into my recycle bin; if anyone tries to blow up the internet we can just restore it from there.

        1. Wzrd1 Silver badge

          Re: Before the Internet

          "It's OK guys, we're safe. I've put the big blue 'e' into my recycle bin; if anyone tries to blow up the internet we can just restore it from there."

          Oy!

          The Almighty wanted me to tell you, he can get me out of this mess, but he's pretty sure you're fucked.

          I have the internet backed up on my SAN in the basement, run on a Linux cluster, secured by *BSD and managed from a Solaris box.

    5. allan wallace

      Re: Just as well...

      "BTI Survival Skills"

      - I call them "Books"

  4. Christian Berger

    Luckily defence is comparatively easy

    Just use well designed systems.

    Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU.

    Avoid closed source software.

    Try to get your systems as simple as possible.

    Educate your users.

    A side effect of this is that you get much faster and more reliable systems, which are easier to maintain. Also, if you are a nation state, try to build your own computers and computer chips. If a simple CPU can be designed by a small start-up in the 1970s you surely can do it, too. You don't need to do things like video decoding or 3D graphics on your main CPU, those things can be safely separated into separate chips having their own RAM.

    1. Anonymous Coward

      Re: Luckily defence is comparatively easy

      "Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU."

      HAH. Try finding one still in good working order that still operates on usable bands.

      "Avoid closed source software."

      As if Shellshock and Heartbleed would've been found any quicker. Let's face it; if a true spook wanted to pwn an open-source system, they can do it by way of hundreds of tiny pieces coming together in just the right command, and it's highly unlikely any one person would be able to figure out how all the pieces come together.

      "Try to get your systems as simple as possible."

      But then you find that the level of NECESSARY complexity is already too complex to make things easy to fix.

      "Educate your users."

      People these days DON'T WANT to learn.

      "You don't need to do things like video decoding or 3D graphics on your main CPU, those things can be safely separated into separate chips having their own RAM."

      But that entails specialization, which kinda defeats the purpose of "Keep It Simple, Stupid" by putting everything into a general-purpose processor that can do everything.

      1. Wzrd1 Silver badge

        Re: Luckily defence is comparatively easy

        "People these days DON'T WANT to learn."

        Easy. Make the people *want* to learn.

        'If you get infected due to stupidity, which is entirely the IS shop's call, you are terminated for cause and we'll sue you for damages incurred from the remediation'.

        I know of one information security shop that has just that clause in their employment contract.

      2. Anonymous Coward

        Re: Luckily defence is comparatively easy

        ""Don't use "smart"-phones which are highly complex and let the GSM baseband chip talk directly to the memory of the CPU.""

        "HAH. Try finding one still in good working order that still operates on usable bands."

        AND you are using an old, easily-broken encryption.

    2. Anonymous Coward

      Re: Luckily defence is comparatively easy

      "If a simple CPU can be designed by a small start-up in the 1970s you surely can do it, too."

      The 1970s was towards the end of the era of 16-bit computers such as the PDP-11 (on a single chip towards the late 1970s?) and the start of the era of 32-bit computers such as the VAX (initially, in the late 1970s, occupying several 19" racks filled with hardware).

      I do appreciate where you're coming from, but what software are you going to run on your 'simple' PDP/VAX-era CPU?

      I like RT11. Is there a torrent client for RT11?

      1. Wzrd1 Silver badge

        Re: Luckily defence is comparatively easy

        "1970s was towards the end of the era of 16bit computers such as PDP11..."

        Wow, that brings back memories. My high school had a donated PDP11/03.

  5. Joey M0usepad Silver badge

    sounds like he's touting for business

    1. James Pickett

      "Schneier, CTO of Resilient Systems.."

      Company slogan: "Things are worse than you thought".

      1. Vector

        Tag line (and possibly understatement of the year):

        "...things will get out of hand"

  6. Anonymous Coward

    This is what spies have always done. I don't see that the back and forth between the Soviets and the West was tremendously different either in the fact that sufficiently well resourced and determined attacks will always succeed or that collateral damage was a regular occurrence.

    Not putting critical assets on the internet seems like a sensible precaution to me, and I still don't understand the obsession with internet enabling anything and everything.

    1. Anonymous Coward

      "Not putting critical assets on the internet seems like a sensible precaution to me, and I still don't understand the obsession with internet enabling anything and everything."

      Because how else are you going to retrieve anything on a moment's notice when an emergency arises? It's a tradeoff: make things one step removed and you make them harder to retrieve. It's harder for the enemy to get to it, but then it's harder for YOU to get to it, too, especially when Murphy strikes and you need it yesterday.

      1. Anonymous Coward

        Yeah, I do get that and as someone who VPNs into a corporate network I'm aware that the risk/reward assessment mostly comes up positive for making services securely accessible.

        What I don't understand are 2 things:

        1) when the disaster scenario is sufficiently scary (critical infrastructure and especially nuclear) how on earth can the risks be deemed worth it? Onsite support can't possibly cost so much more that I can see the risks stacking up.

        2) when the rewards are as trivial as turning on a light or many of the other completely meaningless 'benefits' of the IoT revolution even a modest risk seems like a stupid thing to take on.

        1. Wzrd1 Silver badge

          "What I don't understand are 2 things:"

          What I see is someone who has not detected, responded to and mitigated an APT incursion.

      2. Anonymous Coward

        before the internet, after the internet

        "Because how else are you going to retrieve anything on a moment's notice when an emergency arises?"

        Before the Internet, there were private networks. They were used for lots of different things, and they didn't talk to each other or visibly use anyone else's network (whether they did underneath was a different question).

        Along came the Internet and took over the world, largely because it was cheap by comparison with private networks, and beancounters always prefer cheap to robust.

        After the Internet, there will be private networks again.

        Once upon a time, in the early Internet era, I was on a working trip to the US. There was a hurricane which was advertised as quite severe, and indeed the phones and the Internet stopped working. Fortunately X.25 ran over a separate set of kit and cables, and thus survived. I managed to get a message via X.25 from the US to colleagues in the UK, so they could let my worried family know that I was OK.

        The private networks of the future may not look like X.25, but nor will they look like today's public Internet, and the private networks probably won't share many resources with the public internet either.

        Tell that to the young people of today and... sorry, how does that one end?

    2. Anonymous Coward

      "This is what spies have always done. I don't see that the back and forth between the Soviets and the West was tremendously different either in the fact that sufficiently well resourced and determined attacks will always succeed or that collateral damage was a regular occurrence."

      True enough, but then, every corporation with intellectual property wasn't being spied upon.

      Today, it is. *And* infrastructure is also targeted to learn how to drop it.

      Welcome to the bad new days of Cold War 33 1/3.

  7. This post has been deleted by its author

  8. amanfromMars 1 Silver badge

    Tell us something we don't already know, Bruce.

    Some universities are leading players in the virtual arms race ..... http://www.qub.ac.uk/sites/QUBJobVacancies/FeaturedJobs/CSITCareers/ .... and busy recruiting pioneers.

  9. TeeCee Gold badge
    Alert

    Next week: Sony implicated in assassination of Kim Jong Un.

    World fails to give a shit....

    Eventually the big corporates will grow tired of the failure of their governments to protect them in an environment where international borders mean sod all and take action to solve these problems their own way.

    We're sleepwalking into the demise of national governments as meaningful entities, as pan-national enforcement (regardless of treaties, jurisdiction, diplomacy and other such cruft beloved of politicians) slowly becomes a "must have".

    1. Cubical Drone

      "We're sleepwalking into the demise of national governments as meaningful entities..."

      Thought we were already there.

    2. P. Lee

      >We're sleepwalking into the demise of national governments as meaningful entities,

      Yes, one world government is what we need.

      I'm not sure what you do when you realise you don't like Kim Il Sung as leader though.
