Book review: Click Here to Kill Everybody

Posted by    on   Sep 6, 2018

Paul Baccas reviews 'Click here to Kill Everybody' by Bruce Schneier



Title: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World
Author: Bruce Schneier
Publisher: W. W. Norton & Company
ISBN: 978-0393608885


The great and memorable title of Bruce Schneier's latest book, 'Click Here to Kill Everybody', certainly caught the eye of those in my household – my children kept trying to touch the button on the front cover to 'kill everybody’! (Indeed, the book's attention-grabbing title may make me a little wary about reading it openly on the Tube or while going through airport security.)

Of course, the book is not really about how to kill everybody, but rather how, from an ethical standpoint on the part of tech, and a moral standpoint on the part of government, we appear to be sleep-walking into a scenario where something, whether by accident or design, could possibly 'click here' and kill everyone.

My advance reading copy wasn’t quite ready for publishing, but as it stood the book was divided into three approximately equal sections:

  • The first section describes the issues of computing, IOT, and an Internet of the future.
  • The second section describes the things technologists and policy makers should consider in order to bring about the changes needed for the Internet of the future.

  • Finally, as with Schneier's previous book, the third section contains copious notes.

In the introduction ('Everything is a Computer'), Bruce describes three situations: hacking a car; hacking the power supply; and hacking printers (conventional, 3D and bioprinters). For each of these he expands on the potential issues: death of multiple passengers; wide-scale human and economic damage; etc. The overriding theme is that, as things get 'smarter' or more computerised, 'your "smart" X [increasingly becomes] a computer that also does X!'

For example, your 'smart' oven is a computer that makes things hot, and your 'smart' car is a computer with wheels, etc. These 'smart' devices then suffer from the same security problems as computers, in particular patching and updating. They are networked together into the ubiquitous Internet of Things, or IOT (where an 'S' for security is so silent as to be missing altogether). The convergence of IOT, AI and autonomous algorithms, and cloud computing becomes what Bruce calls the new 'Internet+' (missing, probably intentionally, the geeky pun 'Internet++').

In chapters 1 to 5, the book looks at the current state of the Internet and explores trends. Questions are posed and answered in coherent ways and the chapters cover the themes:

  • Why is the Internet hard to secure?
  • Does patching work?

  • Anonymity and trust.

  • Economics of security.

  • How are the risks growing?

It discusses how, like the Red Queen, defenders must run fast just to stay still, how attackers have the advantage of asymmetry (they can try 1,000s of attacks and only one needs to succeed), how security is an expensive add-on to a system, and how it has no tangible economic benefit. This part of the book also describes events in the recent past that have been caused by malicious and state-sponsored actors, where computers have been instrumental in causing economic damage, if not actual deaths.

As I was reviewing the book, news hit the wires of the compromise of thousands of MikroTik routers in Brazil. A vulnerability discovered, patched, but not updated in a timely manner resulted in a cryptominer being installed and stealing CPU cycles and electricity. This incident highlighted many of the themes in the book: cheap commodity hardware with little incentive to produce security-hardened products (extra expense); consumers having no level by which to gauge trust in the vendor; the failure of the patching and updating paradigm; and how it is now easier to go back to the shop and by a new router than it is to fix the issue. MikroTik is not alone in its routers being compromised: in recent months bigger vendors – who should know better – have also been fixing backdoors in their products.

In the second part of the book, Bruce discusses policy and how policy makers can affect the security of the Internet+. Technologists look for the correct answer, or at least the optimum solution. Meanwhile, politicians tend to be more pragmatic, looking for compromises, and appealing to interest groups. However, until the politicians see an issue, a.k.a. people dying, they lack the motivation to make the Internet+ secure, especially since lobby groups such as industry, law enforcement and intelligence communities will lobby for:

  • the status quo

  • backdoors

  • weakened encryption

  • surveillance capabilities.

The book's conclusions are not hopeful: the gap between 'the two cultures' that separate technologists and politicians is currently a wide abyss. There are those, like Bruce, who are trying to span the gap and create a bridge, but we still regularly hear politicians ask for things that, to a technologist's ears, are impossible. To paraphrase Scotty 'Ya cannae break the law of mathematics, Captain'. The Pandora’s box of technology is well and truly open and will never be closed. The Internet+ is now common, and to prevent a tragedy of the commons, technologists must lobby for government to provide leadership and guidance, and policy makers must seek out technologists. Moreover, technologists need to become policy makers.

This thought-provoking book will mainly have you nodding in agreement and shaking your head in frustration. The future is not yet written, and so prediction, like attribution, is hard. Hopefully, enough people will read the book to change the path of the future. I plan to re-read it, and there can be no greater praise.




Latest posts:

VB2018 paper: Fake News, Inc.

A former reporter by profession, Andrew Brandt's curiosity was piqued when he came across what appeared at first glance to be the website of a small-town newspaper based in Illinois, but under scrutiny, things didn’t add up. At VB2018 he presented a…

Paper: Alternative communication channel over NTP

In a new paper published today, independent researcher Nikolaos Tsapakis writes about the possibilities of malware using NTP as a covert communication channel and how to stop this.

VB2019 conference programme announced

VB is excited to reveal the details of an interesting and diverse programme for VB2019, the 29th Virus Bulletin International Conference, which takes place 2-4 October in London, UK.

VB2018 paper: Under the hood - the automotive challenge

Car hacking has become a hot subject in recent years, and at VB2018 in Montreal, Argus Cyber Security's Inbar Raz presented a paper that provides an introduction to the subject, looking at the complex problem, examples of car hacks, and the…

VB2018 paper and video: Android app deobfuscation using static-dynamic cooperation

Static analysis and dynamic analysis each have their shortcomings as methods for analysing potentially malicious files. Today, we publish a VB2018 paper by Check Point researchers Yoni Moses and Yaniv Mordekhay, in which they describe a method that…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.