#schneier
A "secure" system can be the most dangerous of all
Two decades ago, my life changed forever: hearing Bruce Schneier explain that “security” doesn’t exist in the abstract. You can only be secure from some threat. A fire alarm won’t protect you from burglaries. A condom won’t protect you from mass shootings. It seems obvious, but how often do we hear about “security” without any mention of who is being made secure, and from which threat?
Take the US welfare system. It is very “secure” in that it is hedged in by a thicket of red-tape, audits, inspections and onerous procedures. To get food stamps, housing vouchers, or cash aid, you must navigate a Soviet-grade bureaucratic system of Kafkaesque proportions. Indeed, one of the great ironies of the post-Cold War world is that the USA has become a “Utopia Of Rules” (as David Graeber put it), subjecting everyday people to the state-run bureaucracies that the USAUSAUSA set endlessly ridiculed the USSR for:
https://memex.craphound.com/2015/02/02/david-graebers-the-utopia-of-rules-on-technology-stupidity-and-the-secret-joys-of-bureaucracy/
(The right says it wants to “shrink the US government until it fits in a bathtub — and then drown it” — but not the whole government. They want unlimited government bloat for that part of the state that is dedicated to tormenting benefits claimants, especially if its functions are managed by a Beltway Bandit profiteer who bills Uncle Sucker up the wazoo for rubber-stamping “DENIED” on every claim.)
The US benefits system has a sophisticated, expensive, fully staffed anti-fraud system — but it’s a highly selective form of anti-fraud. The system is oriented solely to prevent fraud against itself, with no thought to protecting benefits recipients themselves from fraud.
And those recipients — by definition the poorest and most vulnerable among us — are easy pickings for continuous, ghastly, eye-watering acts of fraud. These benefits are distributed via prepaid debit cards — EBT Cards — that lack the basic security measures that every other kind of card has had for years. These are simple magstripe cards, lacking basic chip-and-pin defenses, to say nothing of contactless countermeasures.
That means that fraudsters can — and do — install skimmers in the point-of-sale terminals used by benefits recipients to withdraw their cash benefits, pay for food using SNAP (AKA Food Stamps), and receive other benefits.
It’s impossible to overstate how widespread these skimmers are, and how much money criminals make by stealing from poor people. Writing for Businessweek, Jessica Fu describes the mad scramble benefits recipients go through every month, standing by ATMs at midnight on the night of the first of every month in hopes of withdrawing the cash they use to pay for their rent and utility bills before it is stolen by a crook who captured their card number with a skimmer:
https://www.bloomberg.com/news/features/2023-06-28/ebt-theft-takes-millions-of-dollars-from-the-neediest-americans
One of Fu’s sources, LexisNexis Risk Solutions’ Haywood Talcove, describes these EBT cards as having the security of a “glorified hotel room key.” He recounts how US police departments saw a massive explosion in EBT skimming: from 300 complaints in January 2022 to 18,000 in January 2023.
The skimmer rings are extremely well organized. The people who install the skimmers — working in pairs, with one person to distract the cashier while the other quickly installs the skimmer — don’t know who they work for. Neither do the people who use cards cloned from skimmer data to cash out benefits recipients’ accounts. When they are arrested, they refuse to turn on their immediate recruiters, fearing reprisals against their families.
These low-level crooks stroll up to ATMs and feed a succession of cloned cards into them, emptying account after account. Or they swipe cards at grocery checkouts, buying cases of Red Bull and other easily sold grocery products with some victim’s entire SNAP balance.
Some police agencies are pursuing these criminal gangs and trying to figure out who’s running them, but the authorities who issue SNAP cards are doing little to nothing to stop the pipeline at their end. Simply upgrading SNAP terminals to chip-and-pin would exponentially raise the cost and complexity that thieves incur.
Indeed, that’s why every other kind of payment card uses these systems. How is it that these systems were upgraded, while SNAP cards remain mired in 20th century “glorified hotel room key” territory? Well, as our friends on the right never cease to remind us: “incentives matter.”
When your credit card gets cloned, it’s your banks and credit card company that pays for the losses, not you. So the banks demanded (and funded) the upgrade to new anti-fraud measures. By contrast, most states have no system for refunding stolen benefits to skimmers’ victims.
In other words, all of the anti-fraud in the benefits system is devoted to catching benefits cheating — a phenomenon that is so rare as to be almost nonexistent (1.54%), notwithstanding right wingers’ fevered, Reagan-era folktales about “welfare queens”:
https://blog.gitnux.com/food-stamp-fraud-statistics/
Meanwhile, the most widespread and costly form of fraud in the benefits system — fraud perpetrated against benefits recipients — is blithely ignored.
Really, it’s worse than that. In deciding to protect the welfare system rather than welfare recipients, we’ve made it vastly harder for benefits claimants who’ve been victimized by fraudsters to remain fed and sheltered. After all, if we made it simple and straightforward for benefits recipients to re-claim money that was stolen from them, we’d make it that much easier to defraud the system.
“Security” is always and forever a matter of securing some specific thing, against some specific risk. In other words, security reflects values — it reveals whose risk matters, and whose doesn’t. For the American benefits system, risks to the system matter. Risks to people don’t.
It’s not just the welfare system that prioritizes its own risks against the people it exists to serve. Think of the systems used to fight drug abuse in clinical settings.
Medical facilities that use or dispense powerful pain-killers have exquisitely tuned, sophisticated, frequently audited security systems to prevent patients from tricking their doctors or pharmacists into administering extra drugs (especially opioids). “Extra” in this case means “more drugs than are strictly necessary to manage pain.”
The rationale for this is only incidentally medical. Someone who gets a little too much painkiller during a medical procedure or an acute pain episode is not at any particular risk of enduring harm — the risks are minor and easily managed (say, by keeping a patient in bed a little longer while they recover from sedation).
The real agenda here is preventing addiction and abuse by addicted people. There’s a genuine problem with opioid abuse, and that problem does have its origins in overprescription. But — crucially — that overprescription wasn’t the result of wimpy patients insisting on endless painkillers until they enslaved themselves to their pills.
Rather, the opioid epidemic has its origins in the billionaire Sackler crime family, whose Purdue Pharma used scientific fraud, cash incentives, and other deceptive practices to trick, coerce, or bribe doctors into systematically overprescribing their Oxycontin cash cow, even as they laundered their reputation with showy charitable donations:
https://pluralistic.net/2021/07/12/monopolist-solidarity/#sacklers-billions
The Sacklers got to keep their billions — and people undergoing painful medical procedures or living with chronic pain are left holding the bag, subject to tight pain-med controls that force them to prove — through increasingly stringent systems — that they truly deserve their medicine.
In other words, the beneficiary of the opioid control system is the system itself — not the patients who need opioids.
There’s an extremely disturbing — even nightmarish — example of this in the news: the Yale Fertility Clinic, where hundreds of women endured unimaginably painful egg harvesting procedures with no anaesthesia at all.
These women had complained for years about the pain they suffered, and many had ended up needing emergency care after the fact because of traumatic injuries caused by undergoing the procedure without pain control. But the doctors and nurses at the Yale clinic ignored their screams of pain and their post-operative complaints.
It turned out that an opioid-addicted nurse had been swapping the fentanyl in the drug cabinet for saline, and taking the fentanyl home for her own use.
This made national headlines at the time, and it is the subject of “The Retrievals,” a new New York Times documentary series podcast:
https://www.nytimes.com/2023/06/22/podcasts/serial-the-retrievals-yale-fertility-clinic.html
If the pain medication management system was designed to manage pain, then these thefts would have been discovered early on. If the system was designed so that anyone who experienced pain was treated until the pain was under control, the deception would have been uncovered almost immediately.
As Stafford Beer said, “the purpose of any system is what it does.” The pain medication management system was designed to manage pain medication, not pain itself.
The system was designed to be secure from opioid-seeking addicted patients. It was not designed to make patients secure from pain. Its values — our values, as a society — were revealed through its workings.
If you’d like an essay-formatted version of this thread to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2023/07/13/whose-security/#for-me-not-thee
[Image ID: A down-the-barrel view of a massive, battleship-gray artillery piece protruding from the brick battlement of a fortress. From the black depths of the barrel shines a red neon 'EBT' sign.]
Image: Bjarne Henning Kvaale (modified) https://commons.wikimedia.org/wiki/File:Oscarsborg_28cm_Krupp_cannon_4_-_panoramio.jpg
CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0/deed.en
johnschneiderblog · 4 months
Let's play, "Where's John-O?" ...
Red Rocks 2023. The performer is Allie Crow Buckley, the opening act for Lord Huron. I can't say if this photo was taken at the May 31 show, or the June 1 show. I attended both.
Which is the whole point of "Where's John-O?" I'm there, but where?
Hint: I'm a dozen or so rows down from the front of the sound shed, then a dozen human bodies or so to the right. I'm there with fellow semi-groupies of various kinds.
You may see your own face among the rabble.
fishstickmonkey · 9 months
If we spent just one-tenth of the effort we spend prosecuting the poor on prosecuting the rich, it would be a very different world.
Bruce Schneier
Me and who
zangtumb · 3 months
If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.
Bruce Schneier
The End of Trust
https://www.aneddoticamagazine.com/the-end-of-trust/
EFF and McSweeney’s have teamed up to bring you The End of Trust (McSweeney’s 54). The first all-nonfiction McSweeney’s issue is a collection of essays and interviews focusing on issues related to technology, privacy, and surveillance.
The collection features writing by EFF’s team, including Executive Director Cindy Cohn, Education and Design Lead Soraya Okuda, Senior Investigative Researcher Dave Maass, Special Advisor Cory Doctorow, and board member Bruce Schneier.
Anthropologist Gabriella Coleman contemplates anonymity; Edward Snowden explains blockchain; journalist Julia Angwin and Pioneer Award-winning artist Trevor Paglen discuss the intersections of their work; Pioneer Award winner Malkia Cyril discusses the historical surveillance of black bodies; and Ken Montenegro and Hamid Khan of Stop LAPD Spying debate author and intelligence contractor Myke Cole on the question of whether there’s a way law enforcement can use surveillance responsibly.
The End of Trust is available to download and read right now under a Creative Commons BY-NC-ND license.
dreamy-conceit · 3 months
Schneier's Law: Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break.
— Schneier's Law, written by cryptographer Bruce Schneier
vicforberger · 3 months
Limits of AI and LLM for attorneys
Note: Creepio is a featured player among Auralnauts. The current infatuation with Artificial Intelligence (AI), especially at the state bar, which is pushing CLEs about how lawyers need to get on the AI bandwagon, is generally an un-serious infatuation with a marketing concept. AI and LLM – language learning models, on which much of recent AI is based – have nothing to do with accuracy. So, for a…
eyepool · 6 months
Artificial intelligence will change so many aspects of society, largely in ways that we cannot conceive of yet. Democracy, and the systems of governance that surround it, will be no exception. In this short essay, I want to move beyond the “AI generated disinformation” trope and speculate on some of the ways AI will change how democracy functions – in both large and small ways.
When I survey how artificial intelligence might upend different aspects of modern society, democracy included, I look at four different dimensions of change: speed, scale, scope, and sophistication. Look for places where changes in degree result in changes of kind. Those are where the societal upheavals will happen.
Some items on my list are still speculative, but none require science-fictional levels of technological advance. And we can see the first stages of many of them today.
—Bruce Schneier [a major dude in cybersecurity btw]
Do AI detectors work?
In short, no. While some (including OpenAI) have released tools that purport to detect AI-generated content, none of these have proven to reliably distinguish between AI-generated and human-generated content.
Additionally, ChatGPT has no “knowledge” of what content could be AI-generated. It will sometimes make up responses to questions like “did you write this [essay]?” or “could this have been written by AI?” These responses are random and have no basis in fact.
usunezukoinezu · 7 months
“When most people look at a system, they focus on how it works. When security technologists look at the same system, they can’t help but focus on how it can be made to fail: how that failure can be used to force the system to behave in a way it shouldn’t, in order to do something it shouldn’t be able to do—and then how to use that behavior to gain an advantage of some kind.
That’s what a hack is: an activity allowed by the system that subverts the goal or intent of the system.
...
Hacking is how the rich and powerful subvert the rules to increase both their wealth and power. They work to find novel hacks, and also to make sure their hacks remain so they can continue to profit from them.
...It’s not that the wealthy and powerful are better at hacking, it’s that they’re less likely to be punished for doing so. Indeed, their hacks often become just a normal part of how society works. Fixing this is going to require institutional change. Which is hard, because institutional leaders are the very people stacking the deck against us.”
— Bruce Schneier, A Hacker's Mind
Bruce Schneier's "A Hacker's Mind"
A Hacker’s Mind is security expert Bruce Schneier’s latest book, released today. For long-time readers of Schneier, the subject matter will be familiar, but this iteration of Schneier’s core security literacy curriculum has an important new gloss: power.
https://wwnorton.com/books/9780393866667
If you’d like an essay-formatted version of this post to read or share, here’s a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2023/02/07/trickster-makes-the-world/#power-play
Schneier started out as a cryptographer, author of 1994’s Applied Cryptography, one of the standard texts on the subject. He created and co-created several important ciphers, and started two successful security startups that were sold onto larger firms. Many readers outside of cryptography circles became familiar with Schneier through his contribution to Neal Stephenson’s Cryptonomicon, and he is well-known in science fiction circles (he even received a Hugo nomination for editing the restaurant guide for MiniCon 34 in 1999).
https://www.schneier.com/wp-content/uploads/2016/02/restaurants-san-jose.pdf
But Schneier’s biggest claim to fame is as a science communicator, specifically in the domain of security. In the wake of the 9/11 bombings and the creation of a suite of hasty, ill-considered “security” measures, Schneier coined the term “security theater” to describe a certain kind of wasteful, harmful, pointless exercise, like forcing travelers to take off their shoes to board an airplane.
Schneier led the charge for a kind of sensible, reasonable thinking about security, using a mix of tactics to shift the discourse on the subject: debating TSA boss Kip Hawley, traveling with reporters through airport checkpoints while narrating countermeasures to defeat every single post-9/11 measure, and holding annual “movie-plot threat” competitions:
https://www.schneier.com/tag/movie-plot-threat-contests/
Most importantly, though, Schneier wrote long-form books that set out the case for sound security reasoning, railing against security theater and calling for policies that would actually make our physical and digital world more secure — abolishing DRM, clearing legal barriers to vulnerability research and disclosure, and debunking security snake-oil, from “unbreakable proprietary ciphers” to “behavioral detection training” for TSA officers.
Schneier inspired much of my own interest in cryptography, and he went on to design my wedding rings, which are cipher wheels:
https://www.schneier.com/blog/archives/2008/09/contest_cory_do.html
And then he judged a public cipher-design contest, which Chris Smith won with “The Fidget Protocol”:
http://craphound.com/FidgetProtocol.zip
Schneier’s books — starting with 2000’s Secrets and Lies — follow a familiar, winning formula. Each one advances a long-form argument for better security reasoning, leavened with a series of utterly delightful examples of successful hacks and counterhacks, in which clever people engage in duels of wits over the best way to protect some precious resource — or bypass that protection. There is an endless supply of these, and they are addictive, impossible to read without laughing and sharing them on. There’s something innately satisfying about reading about hacks and counterhacks — as authors have understood since Poe wrote “The Purloined Letter” in 1844.
A Hacker’s Mind picks up on this familiar formula, with a fresh set of winning security anecdotes, both new and historical, and restates Schneier’s hypothesis about how we should think about security — but, as noted, Hacker’s Mind brings a new twist to the subject: power.
In this book, Schneier broadens his frame to consider all of society’s rules — its norms, laws and regulations — as a security system, and then considers all the efforts to change those rules through a security lens, framing everything from street protests to tax-cheating as “hacks.”
This is a great analytical tool, one that evolved out of Schneier’s work on security policy at the Harvard Kennedy School. By thinking of (say) tax law as a security system, we can analyze its vulnerabilities just as we would analyze the risks to, say, your Gmail account. The tax system can be hacked by lobbying for tax-code loopholes, or by discovering and exploiting accidental loopholes. It can be hacked by suborning IRS inspectors, or by suborning Congress to cut the budget for IRS inspectors. It can be hacked by winning court cases defending exotic interpretations of the tax code, or by lobbying Congress to retroactively legalize those interpretations before a judge can toss them out.
This analysis has a problem, though: the hacker in popular imagination is a trickster figure, an analog for Coyote or Anansi, outsmarting the powerful with wits and stealth and bravado. The delight we take in these stories comes from the way that hacking can upend power differentials, hoisting elites on their own petard. An Anansi story in which a billionaire hires a trickster god to evade consequences for maiming workers in his factory is a hell of a lot less satisfying than the traditional canon.
Schneier resolves this conundrum by parsing hacking through another dimension: power. A hack by the powerful against society — tax evasion, regulatory arbitrage, fraud, political corruption — is a hack, sure, but it’s a different kind of hack from the hacks we’ve delighted in since “The Purloined Letter.”
This leaves us with two categories: hacks by the powerful to increase their power; and hacks by everyone else to take power away from the powerful. These two categories have become modern motifs in other domains — think of comedians’ talk of “punching up vs punching down” or the critique of the idea of “anti-white racism.”
But while this tool is familiar, it takes on a new utility when used to understand the security dimensions of policy, law and norms. Schneier uses it to propose several concrete proposals for making our policy “more secure” — that is, less vulnerable to corruption that further entrenches the powerful.
That said, the book does more to explain the source of problems than to lay out a program for addressing them — a common problem with analytical books. That’s okay, of course — we can’t begin to improve our society until we agree on what’s wrong with it — but there is definitely more work to be done in converting these systemic analyses into systemic policies.
Next week (Feb 8-17), I'll be in Australia, touring my book Chokepoint Capitalism with my co-author, Rebecca Giblin. We'll be in Brisbane on Feb 8, and then we're doing a remote event for NZ on Feb 9. Next are Melbourne, Sydney and Canberra. I hope to see you!
https://chokepointcapitalism.com/
[Image ID: The WW Norton cover for Bruce Schneier's 'A Hacker's Mind.']
johnschneiderblog · 1 year
Ghost deer
I’ll freely admit that when it comes to white-tailed deer, I’m a little obsessed. The fact is, the creatures fascinate me. This posh barrier island doesn’t feel like deer habitat, yet they’re definitely here.
Hilton Head white-tails are actually a subspecies indigenous to the island. Aside from occasional losses to alligators, the deer have no natural predator on the island. In fact, the U.S. Fish and Wildlife Service has to cull the herd every so often to keep the population under control.
The HH deer are smaller than their Northern cousins, but you couldn’t prove it by me. In the four years we’ve been coming here, I’ve yet to lay eyes on one. But every morning when I walk down to the beach, I see their calling cards - tracks in the sand.
biglisbonnews · 1 year
Life After Food
A diabetes miracle drug has become an off-label appetite suppressant, changing the definition of being thin and what it takes to get there.
https://www.thecut.com/article/weight-loss-ozempic.html
symlinks · 2 years
Bruce Schneier
worldlibertytv · 2 years
See Rabbi Marc Schneier, President of the Foundation for Ethnic Understanding, at NY Celebrates Kazakhstan's Reception in our World Liberty TV, Cultural PG @ https://www.worldlibertytv.org/portfolio-view/cultural/