This part of the interview reflects Steele’s thoughts on computer security, biohacking, cyber warfare exemplified by Stuxnet, and online authenticity models.
– How would you characterize the current state of things around computer and Internet security? Are you seeing any good new tendencies? Do you think it will get worse or better within the next 3 years?
– Here is what my esteemed colleague Winn Schwartau has to say, followed by my own comments.
“As abysmal as ever. Sure, we have improved defense (CND) in some areas, but lowlan APTs are virtually undetectable with current technology and undetected penetrations go on for an average of 416 days. We have continuously spent billions on technology when the majority of the problems are the human components. The best new tendency is the ability to blame China for everything, but that only deflects the true problems so endemic throughout enterprises. Re next three years, we are hosed. It’s going to keep getting worser and worser… and it will be much worser if Congress attempts to legislate what they cannot begin to fathom.”
Anything less than code-level security and data at rest encryption that does NOT have a negotiated back door with NSA, which has totally hosed the security of US commercial communications for its own convenience, will not do the job. I do not follow this area but I can say with certainty that nothing is going to get better in the next three years – the Obama Administration gave Open Government lip service, and then ignored the #1 demand made by a majority of the 4,000 people that participated – the legalization of marijuana. As goes the Republic, so goes security. We’re over the cliff and in free-fall. Congress is corrupt to the bone, such laws and regulations as we have are bought and paid for, not in the public interest.
– In terms of computer security, what are the short-range tactical solutions for each individual or business, like what should a company do in 2013 to not be breached?
– Winn’s answer: “There is NO perfect answer. Establishing more controls over what humans can do and access is critical. Building in my TBS formulas to processes would be a big step. Use superglue on all USB ports. DO NOT use mobile devices for business, especially BYOD, unless your security implementation includes everything you currently use in the fixed enterprise. Only use HTTPS on servers; use AES256 on all non-enterprise comm and all wireless. Vet and profile your mission critical folks on a regular basis to avoid the Hanssen/Ames issue.”
For companies that really want to be secure, they have to get off the electrical grid. As NSA has discovered to its great dismay in recent years, the Chinese have perfected (scaled) what you can buy at Best Buy for extending Ethernet via any two sockets – riding the electrical wires into any computer. Personally, I don’t think our companies have many legitimate secrets – what they all seem to be eager to hide is their criminal misbehavior against their employees and their pension plans. Since the FBI is not doing its job, I’m all for public counterintelligence against all targets.
– What do you think of biohacking, haptic implants, subdermal electronics?
– We cannot understand our own government, much less Mother Earth. While I am a huge believer in bio-mimicry, I am scared to death of anything that presumes to manipulate or mutate natural processes centuries in the making. Until we can finally achieve free quality education for everyone, I would hold off on any “interventions”. Show me free energy and free desalinated clean water and free cell phones and free Internet access for everyone on the planet, and I will be less worried. The “Precautionary Principle” applies, and is ignored by everyone with enough money to buy liability exemptions from Congress.
– Commenting on Bruce Schneier’s book “Liars and Outliers”, in particular his words that the Stuxnet cyberattack by the U.S. was a destabilizing and dangerous course of action, you wrote: “Bruce Schneier is wrong. This is not something that cannot be micro-managed.” Could you further elaborate on this perspective of yours?
– I certainly agree that Stuxnet, which was an Israeli initiative not a US initiative, was destabilizing. It has bled over to other countries. What was written at Phi Beta Iota by the editor on duty was:
To this I would add myself that Robert Garigue’s pioneering work, before he died all too young at 50, put the emphasis where it needs to be put: security is about trust, not control and security must be decentralized and cannot be centralized. It is not possible to micro-manage agility, insight, and trust. Will Durant’s 1916 thesis, Philosophy and the Social Problem, is still “Ref A:” we have to educate the entire population to the highest possible standards – for life.
– Security researcher Moxie Marlinspike argues that the current online authenticity model based on Certificate Authorities is inefficient. As an alternative, he advocates the “Trust Agility” concept and such models as “Perspectives” and “Convergence”. What do you think of that?
– I totally agree that Certificate Authorities are inefficient and I would say incompetent. They do not do the job. Here to the side is a graphic that I developed with Robert Garigue, whose memory I cherish. He did more for 21st century information security in a decade than anyone now living that I know of. I urge one and all to seek out his work and build on it. I tried at least twice to get John Chambers to rethink routers so that they could not only be recyclable, but so that individuals would have the rule-making and content control that CISCO’s Application Oriented Network (AON) offered major financial and other global institutions. In a world of infinite bandwidth, which is what you get when you go to Open Spectrum, every datum will have its own provenance of authenticity, at the same time that every individual will have multiple authenticated identities and also multiple anonymity cloaking measures.
– Who do you consider the best influencers in information security and also in OSINT? Do you look up to anyone?
– Winn Schwartau is the only person I follow in information security; I’m sure you can provide a better sidebar on information security. In OSINT, I look up to the pioneers I mentioned above, and to all those that have made historic contributions — all 253 of them.
– The security industry uses full disclosure to develop scare tactics and thus convince people to buy their services. What is your attitude towards the Anti-Sec Movement, which is against full disclosure of information relating to vulnerabilities, exploits, attacks, etc.?
– The truth at any cost lowers all other costs.