Friday, June 17, 2011
BOB GARFIELD: So hacking is on the rise, hacking that strikes at the very nerve centers that control our lives, the CIA, the IMF, the Senate for cryin’ out loud, even our video game consoles are vulnerable. Everything about us is online. And everything online is in jeopardy.
Or not! Security technologist Bruce Schneier says that hacking has always been with us. In fact, he compares the recent coverage of hacking to the perennial media frenzies over shark attacks. They’re attention grabbing but not really worth the airtime expended.
But it's fun and easy, he says, when groups like LulzSec and Anonymous are only too willing to mug for the cameras.
BRUCE SCHNEIER: I don't see these attacks being out of the ordinary or more numerous, or even nastier. I mean, this is stuff we've been seeing for years and years. The criminals have always been stealing credit card numbers. I don't see it as an epidemic in anything but media attention to it.
BOB GARFIELD: Although at least one of the hacker groups, LulzSec, has a request line, for cryin’ out loud. Listen to this:
LULZSEC MESSAGE: Oh, you – you have reached the voice mailbox of Pierre Dubois and Francoise Deluxe. We are not available right now, as we are busy raping your Internets. Leave a message and we will get back to you whenever we feel like. [BEEP]
BOB GARFIELD: Isn't that worthy of media attention?
BRUCE SCHNEIER: Oh, I think it is worthy of media attention, but I'm not sure it’s anything new. I mean, honestly, there have always been hacker groups who chat online and do these, these fun things.
This is actually what hacking was before the criminals discovered it. It was just kids playing politics and looking for bragging rights by hacking into commercial websites or government websites.
So this LulzSec group, and like the Anonymous group, it's now bubbling to the top of media attention which, unfortunately, because these guys want attention, they’re doing more stuff.
BOB GARFIELD: Are you suggesting that these breaches happen all the time, putting my personal information at risk, and I don't even know about it?
BRUCE SCHNEIER: Oh yeah, all the time, for years. I guarantee you have credit card numbers in your wallet right now – every one of your listeners does – that has been hacked, maybe this month, maybe last month, maybe last year. This is what happens.
Most criminal groups don't make a lot of noise. Most of the time those attacks go unnoticed. The companies that experience them, usually they're forced to announce it. They do it as quietly as possible.
You know, generally these things aren’t made a big deal of. But yes, this happens all the time, which really lets you know how little a risk this is.
I mean, yes, there's a risk of credit card fraud, but when you see a hacking in the media, it doesn't mean the risk is greater. It just means this one, out of all the hundreds that happened, the media decided is worth paying attention to.
BOB GARFIELD: You know, we just got off the phone with the Emmanuel Goldstein of 2600: The Hacker Quarterly. And he says that all of this activity, whether more prevalent or not, is all ultimately for the cause of good, for exposing security vulnerabilities, and I should be happy that this is going on. Should I be happy that this is going on?
BRUCE SCHNEIER: Well, some of it but not a lot of it. You know, when there’s hacks from the Chinese, which, which might be government sponsored, going into US corporate and government sites, I don't see a lot of good that comes from that.
When someone like LulzSec breaks into a site because they can, a lot of security professionals look at that and say, we told you so. You know, we've been telling these companies for years and years that their security isn't very good. And they’ve been not listening.
So here's a hacker group that actually is not just saying it, they're demonstrating it. And that, in the end, oddly enough, will make us safer. The vulnerability that hackers used to break into Citibank was embarrassingly stupid. It's kindergarten security they got wrong. And that shouldn't happen in 2011.
BOB GARFIELD: The, the culture of hacking is so anti-authoritarian, and they kinda get to decide for themselves what constitutes right and wrong. Are, are you concerned at all that LulzSec or some other group will create mischief that goes far beyond exposing security vulnerabilities into something, you know, far more malicious, or at least dangerous?
BRUCE SCHNEIER: Well, you know, the culture of online hacking is as varied as the culture of real crime. You’ve got groups like LulzSec, which are basically kids goofin’ off.
There's actually real criminals, both lone criminals, organized crime, national, international, that are stealing identity information, credit card numbers, that are basically committing fraud.
You also have national intelligence groups who are very quiet; they never want to make the news. But they are quietly penetrating networks, trying to get information and, and potentially doing a lot of harm to national security.
So it's really wrong to talk about sort of the one-hacker culture. You know, out of all those groups, LulzSec is by far the most benign.
BOB GARFIELD: All right, Bruce, so if this is shark attack journalism, a sudden focus on something that actually goes on all the time, what should our coverage of computer hacking be?
BRUCE SCHNEIER: You know, I think what’s important is the broad trends in criminal hacking, domestic and international, where the money flows, how it works, looking at liabilities.
There was a case, just recently decided, where a corporate customer of a bank lost hundreds of thousands of dollars to fraudsters, not because of what they did, because the banks lacked security. They sued the bank and the bank successfully argued that they were not responsible. This is extraordinarily important.
Trends in what the President and what the country does in cyber security policy are important to cover. And these things are being covered. It's not like, you know, we’re ignoring them. But these to me are far more important than the particular hack that happened last week.
BOB GARFIELD: Bruce, thank you very much.
BRUCE SCHNEIER: Thank you.
BOB GARFIELD: Author Bruce Schneier is chief technology security officer for British Telecom.