Book review: Click Here to Kill Everybody

Posted on Sep 6, 2018

Paul Baccas reviews 'Click Here to Kill Everybody' by Bruce Schneier



Title: Click Here to Kill Everybody: Security and Survival in a Hyper-connected World
Author: Bruce Schneier
Publisher: W. W. Norton & Company
ISBN: 978-0393608885


The great and memorable title of Bruce Schneier's latest book, 'Click Here to Kill Everybody', certainly caught the eye of those in my household – my children kept trying to touch the button on the front cover to 'kill everybody'! (Indeed, the book's attention-grabbing title may make me a little wary about reading it openly on the Tube or while going through airport security.)

Of course, the book is not really about how to kill everybody, but rather how, from an ethical standpoint on the part of tech, and a moral standpoint on the part of government, we appear to be sleep-walking into a scenario where something, whether by accident or design, could possibly 'click here' and kill everyone.

My advance reading copy wasn’t quite ready for publishing, but as it stood the book was divided into three approximately equal sections:

  • The first section describes the issues of computing, IOT, and an Internet of the future.
  • The second section describes the things technologists and policy makers should consider in order to bring about the changes needed for the Internet of the future.
  • Finally, as with Schneier's previous book, the third section contains copious notes.

In the introduction ('Everything is a Computer'), Bruce describes three situations: hacking a car; hacking the power supply; and hacking printers (conventional, 3D and bioprinters). For each of these he expands on the potential issues: death of multiple passengers; wide-scale human and economic damage; etc. The overriding theme is that, as things get 'smarter' or more computerised, 'your "smart" X [increasingly becomes] a computer that also does X!'

For example, your 'smart' oven is a computer that makes things hot, and your 'smart' car is a computer with wheels, etc. These 'smart' devices then suffer from the same security problems as computers, in particular patching and updating. They are networked together into the ubiquitous Internet of Things, or IOT (where an 'S' for security is so silent as to be missing altogether). The convergence of IOT, AI and autonomous algorithms, and cloud computing becomes what Bruce calls the new 'Internet+' (missing, probably intentionally, the geeky pun 'Internet++').

In chapters 1 to 5, the book looks at the current state of the Internet and explores trends. Questions are posed and answered in coherent ways and the chapters cover the themes:

  • Why is the Internet hard to secure?
  • Does patching work?
  • Anonymity and trust.
  • Economics of security.
  • How are the risks growing?

It discusses how, like the Red Queen, defenders must run fast just to stay still, how attackers have the advantage of asymmetry (they can try 1,000s of attacks and only one needs to succeed), how security is an expensive add-on to a system, and how it has no tangible economic benefit. This part of the book also describes events in the recent past that have been caused by malicious and state-sponsored actors, where computers have been instrumental in causing economic damage, if not actual deaths.

As I was reviewing the book, news hit the wires of the compromise of thousands of MikroTik routers in Brazil. A vulnerability discovered, patched, but not updated in a timely manner resulted in a cryptominer being installed and stealing CPU cycles and electricity. This incident highlighted many of the themes in the book: cheap commodity hardware with little incentive to produce security-hardened products (extra expense); consumers having no level by which to gauge trust in the vendor; the failure of the patching and updating paradigm; and how it is now easier to go back to the shop and buy a new router than it is to fix the issue. MikroTik is not alone in its routers being compromised: in recent months bigger vendors – who should know better – have also been fixing backdoors in their products.

In the second part of the book, Bruce discusses policy and how policy makers can affect the security of the Internet+. Technologists look for the correct answer, or at least the optimum solution. Meanwhile, politicians tend to be more pragmatic, looking for compromises, and appealing to interest groups. However, until the politicians see an issue, a.k.a. people dying, they lack the motivation to make the Internet+ secure, especially since lobby groups such as industry, law enforcement and intelligence communities will lobby for:

  • the status quo
  • backdoors
  • weakened encryption
  • surveillance capabilities.

The book's conclusions are not hopeful: the gap between 'the two cultures' that separate technologists and politicians is currently a wide abyss. There are those, like Bruce, who are trying to span the gap and create a bridge, but we still regularly hear politicians ask for things that, to a technologist's ears, are impossible. To paraphrase Scotty: 'Ya cannae break the law of mathematics, Captain'. The Pandora's box of technology is well and truly open and will never be closed. The Internet+ is now common, and to prevent a tragedy of the commons, technologists must lobby for government to provide leadership and guidance, and policy makers must seek out technologists. Moreover, technologists need to become policy makers.

This thought-provoking book will mainly have you nodding in agreement and shaking your head in frustration. The future is not yet written, and so prediction, like attribution, is hard. Hopefully, enough people will read the book to change the path of the future. I plan to re-read it, and there can be no greater praise.



