I attended CyberTech 2014 on January 27th-28th. CyberTech is a respectable conference for technologies related to cyber-security. The conference consisted of lectures and an exhibition. The lectures were most given by top notch speakers from the security space, both from the public sector and from the private sector; most being highly ranked executives. The exhibition sported companies ranging from the largest conglomerates as IBM and Microsoft, to garage start-ups.
I am easy to disappoint by cyber-security conferences. Simply put, there are more cyber-security conferences than what the security industry really has to say. This implies that for the security architect or practitioner, most cyber-security conferences lack sufficient substance. I take CyberTech 2014 with mixed emotions too. The exhibition showed interesting ideas, especially by start-ups, while the lectures left more to wish for.
I have just finished reading Little Brother by Cory Doctorow. This book presents the story of a typical but tech savvy teenager who falls victim to harassment by the Department of Homeland Security and the police state, where every citizen is constantly tracked and monitored as a potential terrorist. The story is fictitious, of course, but those who follow the reaction of some nations to the terrorism threat and the ever increasing amplitude and sophistication of wholesale surveillance, cannot miss that while the story is factually fictitious, it is not at all implausible.
Congratulations to Apple for featuring a fingerprint reader as part of its new iPhone. It was reported by The Wall Street Journal here, in the blog of Bruce Schneier here, by Time Tech here, and in dozens of other places. Very much expectedly, this revelation spurred anxiety among the conspiracy theorists out there. The two common concerns that were raised are:
(There is another line of concern, related to the fifth amendment and how its protection may be foiled by authenticating using biometrics alone, but this is a legal concern which is off topic.)
While a bit of paranoid thinking is always helpful, security engineering requires more than crying out each time a mega-corporate launches a new technology that involves private data. Assets and threats need to be determined, and then we can decide whether or not the risk is worth the benefits.
There is an ongoing debate on the need for new regulations that protect individuals' personal data. Regulation is said to be required to protect the personal data of citizens, consumers, patients, etc., both against corporate service providers as well as against governments.
There is a growing concern about the implications of the data collection habits of social network operators, such as Facebook, as well as other service providers. Even those individuals who claim to not see any tangible risk behind the massive collection of data on themselves by service providers, still feel unease with the amount of data available on them, and on which they have no control.
On the state side, knowing that your government may monitor every single email and phone call reminds of George Orwell's book "nineteen eighty-four". It is largely agreed that this practice, if not outright eliminated, shall at least be better controlled.
This essay discusses the two possible domains for such better control: technology and regulation, arguing that the former is tremendously more effective than the latter.
The concept of "Cyber Security" is surely the attention grabber of the year. All security products and services enjoy a boost in their perception of importance, and sales, by merely prepending the word "cyber" to their description. But how is cyber security different than just security?
It differs, but it is not an entirely different domain, at least not from the technology perspective.
Security protects against malicious attacks. Attacks involve an attacker, an attack target, and the attack method, which exploits one or more vulnerabilities in the target. When speaking of cyber attacks, it is common to refer to a nation state attacking another, or to an organization attacking a state. Referring to unorganized individual hackers as executing "cyber attacks", while being a common trend, is a blunt misuse of the "cyber" term in its common meaning. And still, cyber security is not as dramatically different than traditional security.
I finally got to read Bruce Schneier's new book: "Liars and Outliers". The book is pleasant to read, but truth be told, I was slightly, just slightly, disappointed.
The book is written in Bruce's style, which I like and appreciate. Like all of his books and essays, it is crystal clear, and is extremely well-written. It is written in a way that makes it comprehensible by absolutely everyone. Not too many people with Bruce's knowledge can write in such clear style.
What I less liked about this book is its overall triviality. Bruce Schneier is excellent in using trivial down-to-earth facts and notions to get his point across. This is one of the best features of his texts. However, in "Liars and Outliers" I feel it went a bit too far. The book does not take you from the trivial to the "Wow!" but mostly repeats the discussion of trivial phenomenons that bring to trivial conclusions. The discussions are interesting, and the points made are valid and worthy, but I cannot avoid suspecting that the book could be cut down to half of its length without losing much of its substance.