Schneier on Security

Clive Robinson • November 7, 2019 5:25 AM

@ Frankly,

Worst, the only way to stop tech crimes in the end will be draconian laws and draconian enforcement. There’s no other possible end result.

If they can not enforce the laws they have got in their jurisdiction then they can not enforce any new laws in their jurisdiction unless,

1, They get substantial new resources.

2, The new laws are blanket “we say you are guilty” laws that have no real due process in them.

Either would not be of benifit to society because they don’t solve the actual problem of the criminals being “out of jurisdiction” or attacking through another jurisdiction.

This is the consequence of “non locality” of cyber-crime.

Which is mostly caused by insecure systems connectrd to the world.

Back a while ago out side of high population density areas most people did not have locks on their doors, and if they did they probably did not use them.

Eventually at the begining of the last century due to increasing mobility crime at a distance from your home became considerably easier. In part this eas the reason the FBI was created, and we know how that turned out under J. Edgar Hoover.

Thr second consequence was more people started securing their homes because neither the police or insurance –if they had it– would sort the problem out.

Thus the historic solutions thst we know will work are,

1, Reduce your public exposure.
2, Secure your remaining public exposure.

The ultimate form of this is to not have your systems make any public connections. Secondly only use software from the Boot/BIOS up have been designed with security in mind.

But whilst you can do that now most people won’t, and the only reason cyber-crime is not far worse than it currently is, has little or nothing to do with “Guard Labour”, “Cyber-legislation”, “Cyber-regulation” or any in jurisdiction activities by politicians and legislators. It’s that the ability to commit cyber-crime far exceeds the number of cyber-criminals, that is ICT is a “target rich environment”. The reason that there is a limited number of cyber-criminals is that whilst there is a skill level way above average required to come up with new exploits, that is not the inhibitor. The actual inhibitor is that there is not the back-end systems to support the effective moniterisation of their crimes.

1, Thus better monitary control to stop money laundering etc is the area legislation will work. But politicians under the direction of lobbyists don’t want to go there.

2, Better “fit for purpose” regulation for ICT products, both hardware and software will if done correctly make cyber crime very much more difficult. But again politicians under the direction of lobbyists don’t want to go there.

3, Making “communications” more localised, back into juresdictions will make cyber-crime more difficult. But whilst some nations politicians do actively want to do that when it comes to WASP / Five-Eye nations again politicians under the direction of lobbyists and their own government entities don’t want to go there.

If you want to cutdown ICT crime then don’t do the equivalent of puting everything you own under a tarp, next to a highway where neither you nor the guard labour go. Because criminals will and steal what they like and trash the rest.

At the end of the day “Thou shalt not” legislation even with “on pain of death” penalties will not work unless thr guard labour are there to “make it happen” publically so that the risk is real and high enough to act as a real credible and imminent threat. Religion has tried the “eternal damnation line” but that clearly did not work back five centuries ago, nore does it work now. So why expect the words of politicians to work any better than the words of priests?

Clive Robinson • November 8, 2019 6:49 AM

@ SpaceLifeForm, Frankly,

And actually, there is an alternative: Shutdown the Internet.

Whilst it is the biggest ICT security fear of them all it would not realy worry me.

Because I was born at a time when it had not been thought of except by the likes of a tiny few in think tanks like Gordon Welchman. Further computers were being made with valves, and had nearly zero impact on the work force[0] untill the mid 1960’s.

In effect I grew up with the transistor and the push the “The race for the Moon” did to give us “silicon chips”. And yes I embraced them but was never enslaved by them.

Like most others of that time I had a high degree of self reliance and although when I was quite young we were considered “privileged” by our neighbours because “we had a phone”[1] for which I dutifully learnt the number. I did not actually use it untill I was well in my teens and already playing with radio with friends (and using phone boxes for “privacy” with those that did not have radios). In fact hearing the harsh clang of the phone bell at home was always a bit of a shock[2].

Before the 1980’s I was a licenced amature (Ham Radio engineer) maratime radio officer on my way to a masters ticket and design engineer working in the computer and communications industries thus had many of the benifits that mobile phones later gave us as well as data comms at my finger tips often as Ui was designing it way before others.

Importantly none of which made any real difference to the way my social life and more personal life worked.

These days if we look around we see groups of friends using mobile phones to find each other in a pub or club on a night out, which to me just elicits a sad disbelieving shake of the head.

So to me and perhaps many of my generation loosing mobile phones and the Internet would not make any real difference to our private and social lives, we’d just drop back into the self reliant behaviours we had when growing up.

Whilst later generations might feel pain or even handicaped by such loss, their pain and suffering would be minimal compared to that of a number of First World mainly WASP / Five-Eye Nations. Because they jumped into the “knowledge economy” without considering the risks.

I suspect most here remember President Obama and his global “Internet Kill Switch” idea. But perhaps not why it dissapeard fairly rapidly after a flurry of news. The reason being it would have been better named the “Nuke the US Economy Switch”.

The funny in a sad way thing, for non US Citizens or residents, is how the US gets it’s self into such technological binds or messes over and over, apparently without learning from previous lessons…

The prime example of which was 9/11, and it’s currently ongoing deleterious effects. All due to the US over reliance on leading edge technology without adequate safe-guards. Which ment it was easy for just a handfull or two of people to take “US Hi-Tech” and turn it against the US as “guided missiles” in an all to predictable way (see Tom Clancy “Jack Ryan” books amongst several others). The consequences of which is still condeming hundreds if not thousands of US citizens every year to untimely deaths, crippling the US economy, and raising US national debt to way beyond realistically recoverable limits.

If the “Nuke the US Economy Switch” was ever pushed then the results would be even more than somewhat deverstating for the US but not somuch for the rest of the world. That is many nations economies are not totaly dependent on such “Hi-Tech” thus they are much closer to doing things “the old way” and will have a minor bump rather than an earth shattering crash.

That said though, the fact the US is effectively the Internet’s “Rome” to which “all roads lead” has started other nations realising that the Obama Switch idea is in effect what will become a global ecomony “Doomsday Device”. And back since 2014 have been actively campaigning at the UN to get the Internet to come under world governance equivalent to “Maratime Law” and “National Governance” such that nations can have their own control over the Internet within their jurisdictions. Needless to say this does not sit well with the Five-Eyes SigInt agencies and the Silicon Valley Big Corporates. In part because that Obama Switch would be the equivalent of the one one an “electric chair” for them. Which might account for why they are desperately trying to diversify themselves into other technology areas that are not Internet dependent.

[0] 1973 gets quoted as being the most efficient office workers became. And that it was the introduction of computers especially the later “Personal Computers” that destroyed office work efficiency and productivity. Both of which are still dropping today because of computers (Internet / Facebook / twitter skivers and the like, with “Candy Crush” thrown in to sweeten the mix).

[1] Most phones back then were what we now call “Plain Old Telephon Service” (POTS) “Land Lines”. The likes of “phone patches” were illegal as at that time all communications was controled by the UK Government through the “Post Master General” political office and implemented by the “General Post Office” (GPO) that did not get deregulated untill the 1980’s when things got split up to be sold off. Thus we ended up with “The Royal Mail”, “British Telecom” later “BT” and a strange anomally called “Mercury Communications” that ended up being owned by “Cable and Wireless”.

[2] This was followed by an alnost instant “guilty” thought about if some one was phoning up to say I’d been seen doing XYZ, or some such. Which kind of tells you what a fun time I had when young 😉 Most of which were actually fairly harmless but have subsequently had laws passed against them 🙁 Due in the main to the idiocy and machiavellian behaviours in politicians and civil servants respectively, where they make and pass into law legislation so broad in scope that they can just say “you are guilty” without any meaningfull cause :-S