Book review: Click Here to Kill Everybody

Posted by    on   Sep 6, 2018

Paul Baccas reviews 'Click here to Kill Everybody' by Bruce Schneier

 

schneier-book.png

Title: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World
Author: Bruce Schneier
Publisher: W. W. Norton & Company
ISBN: 978-0393608885

 

The great and memorable title of Bruce Schneier's latest book, 'Click Here to Kill Everybody', certainly caught the eye of those in my household – my children kept trying to touch the button on the front cover to 'kill everybody’! (Indeed, the book's attention-grabbing title may make me a little wary about reading it openly on the Tube or while going through airport security.)

Of course, the book is not really about how to kill everybody, but rather how, from an ethical standpoint on the part of tech, and a moral standpoint on the part of government, we appear to be sleep-walking into a scenario where something, whether by accident or design, could possibly 'click here' and kill everyone.

My advance reading copy wasn’t quite ready for publishing, but as it stood the book was divided into three approximately equal sections:

  • The first section describes the issues of computing, IOT, and an Internet of the future.
  • The second section describes the things technologists and policy makers should consider in order to bring about the changes needed for the Internet of the future.

  • Finally, as with Schneier's previous book, the third section contains copious notes.

In the introduction ('Everything is a Computer'), Bruce describes three situations: hacking a car; hacking the power supply; and hacking printers (conventional, 3D and bioprinters). For each of these he expands on the potential issues: death of multiple passengers; wide-scale human and economic damage; etc. The overriding theme is that, as things get 'smarter' or more computerised, 'your "smart" X [increasingly becomes] a computer that also does X!'

For example, your 'smart' oven is a computer that makes things hot, and your 'smart' car is a computer with wheels, etc. These 'smart' devices then suffer from the same security problems as computers, in particular patching and updating. They are networked together into the ubiquitous Internet of Things, or IOT (where an 'S' for security is so silent as to be missing altogether). The convergence of IOT, AI and autonomous algorithms, and cloud computing becomes what Bruce calls the new 'Internet+' (missing, probably intentionally, the geeky pun 'Internet++').

In chapters 1 to 5, the book looks at the current state of the Internet and explores trends. Questions are posed and answered in coherent ways and the chapters cover the themes:

  • Why is the Internet hard to secure?
  • Does patching work?

  • Anonymity and trust.

  • Economics of security.

  • How are the risks growing?

It discusses how, like the Red Queen, defenders must run fast just to stay still, how attackers have the advantage of asymmetry (they can try 1,000s of attacks and only one needs to succeed), how security is an expensive add-on to a system, and how it has no tangible economic benefit. This part of the book also describes events in the recent past that have been caused by malicious and state-sponsored actors, where computers have been instrumental in causing economic damage, if not actual deaths.

As I was reviewing the book, news hit the wires of the compromise of thousands of MikroTik routers in Brazil. A vulnerability discovered, patched, but not updated in a timely manner resulted in a cryptominer being installed and stealing CPU cycles and electricity. This incident highlighted many of the themes in the book: cheap commodity hardware with little incentive to produce security-hardened products (extra expense); consumers having no level by which to gauge trust in the vendor; the failure of the patching and updating paradigm; and how it is now easier to go back to the shop and by a new router than it is to fix the issue. MikroTik is not alone in its routers being compromised: in recent months bigger vendors – who should know better – have also been fixing backdoors in their products.

In the second part of the book, Bruce discusses policy and how policy makers can affect the security of the Internet+. Technologists look for the correct answer, or at least the optimum solution. Meanwhile, politicians tend to be more pragmatic, looking for compromises, and appealing to interest groups. However, until the politicians see an issue, a.k.a. people dying, they lack the motivation to make the Internet+ secure, especially since lobby groups such as industry, law enforcement and intelligence communities will lobby for:

  • the status quo

  • backdoors

  • weakened encryption

  • surveillance capabilities.

The book's conclusions are not hopeful: the gap between 'the two cultures' that separate technologists and politicians is currently a wide abyss. There are those, like Bruce, who are trying to span the gap and create a bridge, but we still regularly hear politicians ask for things that, to a technologist's ears, are impossible. To paraphrase Scotty 'Ya cannae break the law of mathematics, Captain'. The Pandora’s box of technology is well and truly open and will never be closed. The Internet+ is now common, and to prevent a tragedy of the commons, technologists must lobby for government to provide leadership and guidance, and policy makers must seek out technologists. Moreover, technologists need to become policy makers.

This thought-provoking book will mainly have you nodding in agreement and shaking your head in frustration. The future is not yet written, and so prediction, like attribution, is hard. Hopefully, enough people will read the book to change the path of the future. I plan to re-read it, and there can be no greater praise.

 Tags

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

VB2018 preview: commercial spyware and its use by governments

Today, we preview three VB2018 presentations that look at threats against civil society in general and the use of commercial spyware by governments for this purpose in particular.

VB2018 preview: Wipers in the wild

Today we preview the VB2018 paper by Saher Naumaan (BAE Systems Applied Intelligence) on the use of wipers in APT attacks.

VB2018 preview: IoT botnets

The VB2018 programme is packed with a wide range of security topics featuring speakers from all around the world. Today we preview two of them: one by Qihoo 360 researchers on tracking variants of Mirai and one by researchers from Bitdefender on the…

VB2018: last-minute talks announced

We are excited to announce the final additions to the VB2018 programme in the form of 10 'last-minute' papers covering up-to-the-minute research and hot topics and two more invited talks.

VB2018 preview: Since the hacking of Sony Pictures

At VB2018, AhnLab researcher Minseok Cha will look at activities of the Lazarus Group on the Korean peninsula going back as early as April 2011.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.