Wednesday, December 15, 2010

Bruce Schneier on WikiLeaks

In his CRYPTO-GRAM internet newsletter for December 15, 2010 Bruce Schneier includes a short take on WikiLeaks' place in history published December 9, 2010, in Schneier on Security.

Treat it for what it is, it's just a website, worry instead about your employees who are leaking stuff, says Schneier.

From my read, WikiLeaks is as important as the US government wants to make it. Could this attack on the website and Assange just be more security theatre? If it is, it's backfiring; the role of security theatre is to empower government like a father figure, not like Hitler beginning the round-ups. By making WikiLeaks public enemy number one, WikiLeaks actually becomes more effective at what it does - people thinking about leaking stuff now see the website as antagonist to their superiors; what better way is there now to, 'stick it to the man'?

Mightn't it be better policy to ignore the site and as Schneier says, focus on technological fixes like in-house encryption and log-in logs?


By Bruce Schneier

I don't have a lot to say about WikiLeaks, but I do want to make a few points.

1. Encryption isn't the issue here. Of course the cables were encrypted, for transmission. Then they were received and decrypted, and -- so it seems -- put into an archive on SIPRNet, where lots of people had access to them in their unencrypted form.

2. Secrets are only as secure as the least trusted person who knows them. The more people who know a secret, the more likely it is to be made public.

3. I'm not surprised these cables were available to so many people. We know access control is hard, and it's impossible to know beforehand what information people will need to do their jobs. What is surprising is that there weren't any audit logs kept about who accessed all these cables. That seems like a no-brainer.

4. This has little to do with WikiLeaks. WikiLeaks is just a website. The real story is that "least trusted person" who decided to violate his security clearance and make these cables public. In the 1970s, he would have mailed them to a newspaper. Today, he used WikiLeaks. Tomorrow, he will have his choice of a dozen similar websites. If WikiLeaks didn't exist, he could have made them available via BitTorrent.

5. I think the government is learning what the music and movie industries were forced to learn years ago: it's easy to copy and distribute digital files. That's what's different between the 1970s and today. Amassing and releasing that many documents was hard in the paper and photocopier era; it's trivial in the Internet era. And just as the music and movie industries are going to have to change their business models for the Internet era, governments are going to have to change their secrecy models. I don't know what those new models will be, but they will be different.

Read the Schneier on Security stream here...


No comments:

Post a Comment