Book review: Data and Goliath (Bruce Schneier)

I finally got around to finishing Bruce Schneier’s latest bestseller: Data and Goliath. I’ve read a few of Bruce’s books over the years (and own most of the rest, waiting patiently to be read). I’ve watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts. I’ve even had the pleasure of emailing him from time to time. Some day I’d love to meet the guy. So… what I’m trying to say here is: fair warning, I’m a bit of a Bruce Schneier fan boy.

However, I feel this is completely justified. I tend to have the most respect for the even-keeled, professorial types – the ones who are passionate about what they do and highly knowledgeable about their field, but at the end of the day are most concerned with getting it right and avoiding hyperbole. That’s a small camp of people, but Bruce is definitely in it.

Bruce’s latest book is at once timely and timeless. The topics of computer security and online privacy are obviously hot right now in the wake of the Snowden revelations, but Bruce makes it clear that this stuff has been going on for a very long time now and will only get more important in the coming decades. I think Bruce was moved to write this book much as I was to write mine – people need to understand what’s going on here, but the fact of the matter is that they just don’t. At the end of the day, it’s up to us to demand change. Left to their own devices, corporations and governments will not cede the power that comes from massive data collection and mass surveillance.

Data and Goliath is remarkably comprehensive and well researched. Bruce draws on many sources – not just the Snowden documents (to which I believe he has had full access, at least for a time) but also from many insiders and security researchers, in addition to decades of experience.

In the first section, Bruce explains how we got where we are and what’s really going on. It was staggering to see it exhaustively cataloged. The enormity of the problem we face and the depth to which surveillance has already permeated our society is truly alarming. Even though I was aware of most of these things at one time or another, even I found myself shaking my head while reading this litany. One of the key take-aways from this section is how all of this data is used in concert to create a shockingly complete picture of each person’s life – not just digital life, but real life. Correlating all of these data streams results in something quite a bit larger than just the sum of its parts – which is something that I feel is lost on most people, but crucial to understand.

In the second section, Bruce looks at the harm already being done by this mass surveillance and data collection, and at the very real dangers ahead. Again, this is something that I believe everyday people just aren’t grasping. Too many people blow it all off thinking they have nothing to hide, so who cares? Everyone should care. I can’t do it justice in a paragraph – you’d think I was just being paranoid and blowing it out of proportion. Bruce walks you through why this all matters, with real-life examples, and clearly explains the deep impacts it is already having on our democracies.

Finally, Bruce wraps up the book with a wide range of things that we can and should be doing. What I love about Bruce’s approach is that it’s not all-or-nothing. Surveillance and espionage and even mass data collection all have their place in a civil society. Where many people get it wrong, I think, is to go to one extreme or the other. There is absolutely a sane, practical, and healthy middle ground to be found here. Targeted surveillance, when governed by transparent laws and reviewed by impartial third parties, makes perfect sense and has a place in democratic society. Collecting mass quantities of anonymous data can provide huge benefits for everyone – from medical research to traffic avoidance. It’s not always what we’re doing, it’s how we’re doing it. Still, Bruce comes down solidly on the side of an individual’s right to privacy and that computer security is essential for everyone. He just points out, very clearly, that that stance does not interfere with protecting ourselves from criminals and terrorists. That’s a false choice.

This book does not go into any detail, really, on how to protect yourself at a personal level – he even says that that would take an entire book (like, oh, say, I don’t know…. MY book). It does, however, explore many legal frameworks and “bill of rights” type proposals that are already on the table from around the world. Bruce also makes many solid and well-crafted proposals for approaching these problems – while many are politically difficult, they’re eminently rational and workable.

At the end of the day, though, it’s really up to us, as a people, to decide that we value our privacy and demand action – not just for ourselves, but truly for our society as a whole. The first step is to get educated… and if you had to pick just one book to read, Data and Goliath would be an excellent choice.

miniLock: how to send and receive encrypted files easily

For over two decades, the standard tool for sending and receiving encrypted files has been PGP (Pretty Good Privacy), including the popular free and open-source implementation GNU Privacy Guard (GPG). To use PGP, you first need a software tool to create at least one pair of keys: a public key, which you give away freely, and a private key, which you guard very carefully. Anyone can use your public key to encrypt something and send it to you by email or any other channel; only your closely guarded private key can decrypt it.

The problem is that PGP is complicated, and normal people just don’t have the patience for it. It’s also tricky to integrate PGP into things like email clients, especially web-based ones. And managing the keys is a real pain: they’re large and ugly. Here, for example, is one of my PGP public keys:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - https://gpgtools.org
[key body elided]
=rZkO
-----END PGP PUBLIC KEY BLOCK-----

If the computer that stores my private key dies and I have no backup, I can never again decrypt anything that was sent to me. Worse, if that computer is lost or stolen, everything ever encrypted to that key is at risk: the key file is normally protected by a passphrase, but that passphrase is now all that stands between the thief and my mail.

There’s a new kid on the block called miniLock which has three very important improvements over PGP:

  1. The private key is derived from your email address and a long passphrase, run through a deliberately slow key-stretching function. There is no key file to back up or lose: you recreate the key whenever you need it from something you can remember. The flip side is that the passphrase is now the whole secret. Anyone who knows your address and can guess the passphrase can regenerate your private key, so it has to be genuinely long and random, and miniLock rejects passphrases it estimates to be too weak.
  2. The public key is much, much shorter – about 45 characters. This may seem bad, since we’re used to shorter keys meaning weaker encryption, but key lengths are only comparable within a single algorithm; miniLock uses a different kind of cryptography that gets the same security from far smaller keys.
  3. Under the covers, that cryptography is elliptic curve cryptography (Curve25519), where a 256-bit key gives roughly the strength of a 3072-bit RSA key. That is what lets the public key fit in a tweet.

For comparison, here is my public miniLock key (or “miniLock ID”):

dtsyrmf4mQamR3G4xfMaCRe5zdRi78M6rvdJr5owgtg8z

That’s it! These keys are so short that you can easily send them to others, even tweet them.
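To make the key-derivation and short-ID idea concrete, here is a small working model of it. This is an added example I wrote for this post, not miniLock’s own code. It assumes miniLock’s general design as described above (scrypt over the passphrase with the email address as the salt, a Curve25519 key pair, and a Base58 ID that carries a one-byte BLAKE2s checksum); the scrypt cost, the minimum-passphrase rule and the exact ID layout are my simplifications, and the email addresses and passphrases in it are made up.

```python
"""Deterministic miniLock-style key pair: scrypt(email, passphrase) -> X25519 -> Base58 ID.
Added example, not miniLock's own code: it reproduces the idea, not miniLock's exact format."""
import hashlib

P = 2**255 - 19     # Curve25519 field prime
A24 = 121665        # (486662 - 2) / 4, the RFC 7748 ladder constant
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def derive_private_key(email: str, passphrase: str) -> bytes:
    """Re-create the 32-byte secret scalar from things the user remembers.
    scrypt makes every guess expensive; the e-mail address is the salt, so two
    people with the same passphrase get different keys.  n=2**14 keeps the demo
    fast; miniLock uses a higher cost (assumed, not checked against its source)."""
    if len(passphrase) < 24:
        # The passphrase IS the key: anyone who knows the e-mail and guesses it
        # regenerates the private key.  miniLock rates passphrases with zxcvbn;
        # this plain length floor stands in for that check here.
        raise ValueError("passphrase too short to protect a derived key")
    return hashlib.scrypt(passphrase.encode(), salt=email.encode(),
                          n=2**14, r=8, p=1, dklen=32)

def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, u: int = 9) -> bytes:
    """RFC 7748 Montgomery ladder in pure Python (slow, but dependency-free).
    u=9 is the base point: x25519(priv) is the public key,
    x25519(priv, peer_u) is the Diffie-Hellman shared secret."""
    k = _clamp(scalar)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out  # leading zero bytes -> '1'

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # raises ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\0" * (len(text) - len(text.lstrip("1"))) + body

def checksum(public_key: bytes) -> bytes:
    """One-byte BLAKE2s tag: a mistyped ID fails instead of encrypting to a stranger."""
    return hashlib.blake2s(public_key, digest_size=1).digest()

def minilock_id(public_key: bytes) -> str:
    """Public key + checksum in Base58: 33 bytes come out as roughly 45 characters."""
    return b58encode(public_key + checksum(public_key))

def public_key_from_id(mid: str) -> bytes:
    raw = b58decode(mid)
    if len(raw) != 33 or checksum(raw[:32]) != raw[32:]:
        raise ValueError("malformed ID or checksum mismatch")
    return raw[:32]

def shared_secret(private_key: bytes, peer_id: str) -> bytes:
    """X25519 agreement with the owner of peer_id.  A real tool would then wrap
    the per-file key with this secret (miniLock uses NaCl authenticated boxes)."""
    u = int.from_bytes(public_key_from_id(peer_id), "little") & ((1 << 255) - 1)
    secret = x25519(private_key, u)
    if secret == bytes(32):  # low-order peer key; RFC 7748 says reject it
        raise ValueError("degenerate shared secret, refusing peer key")
    return secret

if __name__ == "__main__":
    priv = derive_private_key("alice@example.com", "correct horse battery staple obstinate")
    mid = minilock_id(x25519(priv))
    print("miniLock-style ID:", mid, f"({len(mid)} chars)")
```

Run it and you get an ID of about 45 characters that round-trips back to the public key; a mistyped ID trips the checksum, and two parties derive the same shared secret from either side. Note what the passphrase check is really saying: with no key file there is nothing to steal, but there is also nothing slowing down guesses except scrypt’s cost, so the passphrase has to carry all of the entropy itself.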

This tool is brand new and hasn’t officially been released yet, let alone been vetted by cryptographers, so don’t trust it with anything that matters just yet. But it has a lot of potential and may finally allow regular people to use truly secure, end-to-end encryption for all sorts of communication.

Until encryption is easy and built in to everything, it won’t be used. We have to find ways to make it much more accessible – and miniLock is a valiant attempt.

Security roundup (4/5/15)

Here are some top stories from the last month:

  • The FREAK bug. You can read the in-depth info here, but the gist is that a “man in the middle” could trick an encrypted HTTPS connection into using 512-bit “export-grade” RSA, a deliberately weakened key size left over from the 1990s. A 512-bit RSA key can be factored in a matter of hours on rented cloud computers, after which the attacker can read the traffic. Browsers and server libraries are being patched, and the attack only works when the server still offers export cipher suites and the client accepts them, so the practical check is to make sure your servers no longer offer any EXPORT suites at all. The real take-away here is that our government’s policy of purposely weakening encryption standards (a legacy of the Crypto Wars of the 90s) has come back to bite us. The export restrictions were relaxed over a decade ago, but the weakened code was still sitting in the software; these are the unintended consequences.
  • BIOS hacks. There’s an even more fundamental piece of software on your PC than the operating system: the BIOS, the firmware built into the computer that runs before the OS even starts. Most people don’t know it’s there – and therefore, most people don’t know it can be updated. But as Bruce Schneier explains here, it’s a very powerful place to hack a system: malware that lives there survives reinstalling the operating system or even replacing the hard drive, and it’s in dire need of better security mechanisms. The industry has largely replaced the classic BIOS with UEFI, which supports a “Secure Boot” mode… but that opens up a whole case of cans containing worms (pun intended). The upshot is that we need to rethink computer security from the ground up, and that’s going to take time and a lot of transparency. (Fingers crossed.)
  • The Surveillance State Repeal Act (HR 1466). Some of the key dragnet surveillance laws in the Patriot Act are set to expire on June 1st unless Congress re-enacts them and the President signs them (which is causing some much-needed debate). However, HR 1466 will go much further. I encourage you to contact your representatives and voice your strong support for meaningful surveillance reforms.
  • Opt out of Verizon tracking. Verizon is apparently bowing to pressure and allowing their users to opt out of their nasty super-cookie tracking program. Click here for info.
  • Firefox adding new privacy option. Available in the latest Firefox builds is a new, hidden feature that helps users block web tracking. You can read about it here. This hidden option will be revealed in Firefox version 39, supposedly, but you can turn it on right now using the instructions at the link I just gave. This just re-affirms my choice of Firefox as the best current browser for security and particularly privacy.