Le Show; 2018-11-11
Transcript
From deep inside your audio device of choice, just a quick survey of apologies of the week, ladies and gentlemen, at the start of the program. Wells Fargo, that bank that's been in so much trouble, has identified 145 more customers whose homes were foreclosed on because of an apparent computer glitch. They always favor the bank, don't those glitches? The bank first revealed a disastrous calculation error in its mortgage modification underwriting tool a couple months ago. Wells now estimates about 545 homeowners lost their homes after they were incorrectly denied a loan modification. We're very sorry that these errors occurred. That you can take to the bank. A Georgia principal, school principal apologized after members of a high school marching band spelled out a racial slur, it's not Raccoon, said one of the officials, with our instruments in a Friday night football game in Gwinnett County, Georgia, where they're
still recounting. We're a very inclusive community. We care about all of our students. We are concerned that this situation occurred and are committed to taking steps to ensure this does not happen again, said Brent Brookwood High School principal, William Ford. Rebel Wilson took to Twitter to apologize for blocking critics after being challenged in her claim that she's the first plus-size woman to have a starring role in a major studio romantic comedy. Two Canadian apologies: Prime Minister Justin Trudeau apologized to the Tsilhqot'in community for the hanging of six chiefs of that community more than 150 years ago. One chief says that brought an end to a difficult journey. They are one of the indigenous nations in Canada, and he also apologized for the country's 1939 refusal to take in a ship carrying more than 900 Jewish refugees, the St. Louis, and said the country would do more to protect Canadian Jews from violence. 17% of all Canadian hate crimes target Jewish people. Canada, eh. Delta Airlines has apologized after a customer had to endure filthy conditions
as a result of a service animal having an accident during a flight from Atlanta to Miami. And the Roman Catholic diocese in Iowa City, Iowa, actually in Sioux City, issued an apology for covering up an Iowa priest's sexual abuse of boys for decades and promised to identify all priests who have faced credible allegations. The apologies of the week, ladies and gentlemen, a copyrighted feature of this broadcast. A busy post-midterms week for President Trump. He had Jeff Sessions, his Attorney General, resign. Sessions was asked to resign by Chief of Staff John Kelly. This is in lieu of Trump actually being like himself on TV and firing him. The acting Attorney General named is Matt Whitaker, who presumably replaces Rod Rosenstein. Whitaker has a past which has been uncovered since he was named, including legal advisor to a company that was cited by the Federal Trade Commission for scamming
inventors who were seeking patents. Whitaker also was on record earlier as criticizing the Mueller investigation, which he's now supervising, and for saying that he would trust judges, new judges to be appointed. As long as they were biblical judges, had a biblical worldview. President Trump had a couple of confrontations with reporters this week at news conferences. He had the press pass of CNN's Jim Acosta withdrawn after they had a little tussle of the news conference. He sharply criticized three reporters for asking questions, all of whom were female African American reporters. He said one asked a stupid question and asked a lot of stupid questions. The next cabinet member likely to go, so we're told, is Ryan Zinke, the Interior Secretary, who is being plagued by a lot of ethical questions. That's it in a nutshell. Now let's look at the nut.
This week for the first time, winning looks a lot like losing, and for the businessman turned chief executive, vice versa. But now, as the teams prepare for the second half of the series, the moment of truth is in hand, even if it's not true. John. Sorry, I'm late, sir. I was preparing the list of the other journalists whose passes we're revoking. The fly girl threw all on it. The what, sir? You know, the solid gold dancers, the two times of fun. The African American women? Yes, but that's a racist description. I don't know about the Marines, but John, I can tell you this. Yes, sir. That stuff doesn't go in this organization. Yes, sir. Not John. Who's this Matt Whitaker who's taken over as an acting attorney general? What's his deal? We gave you a background summary last week, sir. The two page thing. Yes, sir. Well, wait, you couldn't boil it down? Like I don't have enough to do with the Democrats getting ready to treat me like the president of friggin
Venezuela? We, we, we tried a fairly brutal edit. Great, great, brutal is good, but it left out all the corporate scam type material. Let me tell you a little secret about the business world, general. Yes, sir. One man's so-called scam is another man's million dollar trip to the bank, hopefully in the Bahamas. Got it. Got it. Beautiful this time of year. Banks? The Bahamas. You have to ask Michael Cohen about that. The little bishop probably never even got a tan. So, John. That's security. Sessions is trying to retrieve some of his stuff. Get him out. Tell him his stuff has been recused. Got it. Think he'll get it? The stuff? The joke. It's a joke. He's recused. Now we crap. General. It's like Don King told me. If you have to explain the joke, you're too smart. Okay, look. He's a stinky guy. He was one of your favorites a few months ago. He looked good on TV, right? The name? I have to confess, sir. I'm way behind you when it comes to television viewing
time. Okay. I could tell you this. He looked great on TV, but now people are telling me he's a bad hombre. If I may, sir, what people? I'm not really sure if you may, John, but many people believe me. Here's the deal. I can't keep winning with losers on my team, right? Mr. President, firing Jeff Sessions was hard to know. It's not what I'm good at. I'm not sure what you're good at anymore, but I bet you fired plenty of people in your marine days. We don't actually fire them, sir. We relieve them of command. I could tell you this. If my TV catch phrase was, you're relieved, I wouldn't be sitting here right now. So is your task? Can you do it? Win. Look, you can do it quick and easy. Fire him on Twitter like I do. Small problem, sir. I'm not on Twitter. Better yet. Sign up. This is your first tweet. Boom. You own a new cycle. All right, sir. I'm sure someone in my office knows how to just don't own two. I never thought when I was running Southern
command that someday I'd be getting an instruction to join something called Twitter, but I've heard worse. And I've heard it right here. Mitch, you got a new, stronger team. Well, we've still got some votes to count. They're fake votes. Election's over. The Democrats always do this. Well, in all honesty, sir, they didn't do this in 2000s. Mitch, can I tell you something? In the year 2000, the biggest thing I had to worry about is my steaks putrefying during shipment, okay? I'm sure that turned out fine. We sank the company and stuck the other investors with the losses. So the answer was yes. Now, Mitch, your task, sir, as I told you in our last pre-election, get together losing the house, he's going to narrow or legislative opportunities to a significant extent. Why? They said it's more important anyway. I always knew my senators, especially at the donation time. How's people?
So much like that at all. I don't remember one congressperson I could call for a favor. So let's just push stuff through the Senate and the Democrats in the house will not even bring it to the floor for vote. That's what I do. Heck, that's what I did. Great. And then it comes to me and I veto the house. Come again, sir. I wish I could. Oh, you were talking something. Yeah. So I veto the house with all due respect, sir. That's not how it works. That's not how it worked for those losers before me. I don't know if you've noticed, Mitch, but I do a lot of things nobody's done before. How to economy. I love affair with North Korea, sir. Kanye West shitting across the desk. Now that you have you mentioned it, sir, I have noticed that this particular thing, the veto thing, that's in the Constitution. You can veto bills, sir, but you can't veto the house, not passing a bill. Okay, but plenty of people say that I can. Well, I guess we'll cross that bridge.
All right. But why don't we pass a lot of our stuff during the cold duck? The lame duck. I don't give a rat's ass what's wrong with the duck. Can we do it? Can you do it? We've still got the house till January. I can't speak for the house, but I'd say let's focus on what we can do, sir. Packed a judiciary with our kind of judges. Bible believing conservative judges, just like Matt Whitaker says. Who? You're acting attorney. Right. Scammy, Matt. Mitch, sue me. I don't like acting. I like doing. She attached this week. It's bring me something I can sign. I'll sign it when I pardon the turkey. We probably could get a resolution passed, endorsing the pardon. Sounds like winning to me. New team, new tasks, same mission. We're going to make vetoing braiding in now. The world is his boardroom. The president is this week too real to be true. Regular listeners to this program know that there are two features that have started to predominate in recent years. One is
called Smart House and the other is called It's a Smart World. Both pronounced with the appropriate degree, I believe, of snark. The current practice of turning every device into an internet connected device, whether it be your bathtub, your toilet, or your car, is proceeding at reckless, I should think, speed. And I have a guest today here on the program. I don't know if he agrees with everything I just said, but his new book will, I think, alarm you if you haven't been paying close attention. He's the author of a regular blog about security, Schneier on Security, because his name is Bruce Schneier. He's an internationally renowned security technologist. The author of 14 books, including a New York Times best seller, Data and Goliath. He's a fellow at the Klein Center for Internet and Society at Harvard University, a lecturer in public policy at the Harvard Kennedy School, and board member
of the Electronic Frontier Foundation, and an advisory board member of EPIC and VerifiedVoting.org, and a special advisor to IBM Security. So that's who he is. Welcome to the show, Bruce Schneier. Thank you. Thanks for having me. And he's also mentioned that my new book is called Click Here to Kill Everybody. Well, I thought that you would do it with the required degree of gusto, so I left that for you. You describe the problem of Internet security going forward. You've always found Internet security to be a problematic area. And I hope you will talk about that going back, but going forward into the Internet of Things era, you describe it as a, quote, wicked problem. What do you mean by that? So wicked problem is actually a term of art. And they are problems that don't have easy solutions, that have a lot of feedback loops, that trying to solve them creates other problems, like things like poverty and world hunger and climate change. These are
known as wicked problems. And computer security and security is becoming one of those because it is so deeply embedded in our society, because it affects everything, because everything affects it, because it's really hard to isolate the problem from everything else. And that makes it wicked, which means there's no actual solution. You can't just solve it and be done like you might solve a crossword puzzle; that any solution has to be revisited, that'll always be wanting, that will constantly be iterating and tweaking and fixing and making it better, like other wicked problems in our society. When I first bought my electric car, and I'm not going to mention the name because their customer service is so bad, they don't deserve a name check, I realized in short order, this is not a car. This is a computer on wheels. And in Click Here to Kill Everybody you state fairly early on: everything is now a computer.
And that is the way to think of things. Right. Your car is a computer with four wheels and an engine. And by the same token, your refrigerator is a computer that keeps things cold and a microwave oven is a computer that makes things hot, that all these devices are becoming computers. And you said your toilet is a computer that we know what that does. You know, mine isn't, but you know, some are and more will be. And this is happening at all aspects of our lives. It's happening at the level of toys and small consumer goods, at small and major appliances. It's happening at the grander level, where a power plant is just a computer that produces electricity. You mentioned toys and you mentioned in the book a specific toy, My Friend Cayla. So that is a toy that I actually use in my class to demonstrate how easy it is to hack something. I teach public policy students Internet security and Internet security policy. And I bring this doll in and you can literally hack it from your cell phone, even if you
have no experience, the security is that bad. But you know, in the introduction you talked about us moving to this world where everything is a computer, where computers are becoming ubiquitous and not just ubiquitous in terms of screens we visit, but things in our environment, things we interact with in other ways. Cars, thermostats, appliances, toys, smart city, everything. And you talked about this, I forget the phrase you used, but whether we're doing this too quickly, this sort of headstrong rush into turning everything into the Internet. Reckless is the word I used. It's worth stepping back and looking at the reasons why we're doing it. It's not because the refrigerator manufacturer wants to go on the Internet. I mean, they didn't have this meeting where they said, let's make our refrigerator Internet capable. It's more the way technology is moving. So 15 years ago, if a refrigerator company wanted to build a new refrigerator, there would be some type of computation in it,
right? It would be some sort of computer controlled compressor and light and all. That isn't new. But back then, the designers would create and build a custom chip to run that refrigerator. There'd be the refrigerator chip that the company would make. Today it doesn't work that way. Today, the manufacturer, the designers pull a standard computer chip off the shelf like a Raspberry Pi or something else and write software to control the refrigerator parts. And that chip comes with, already built in, an operating system and Internet capability and a video driver and microphone capability. All of these features are already there. So the marginal cost of adding the functionality drops so cheaply that the designers just add it. They say, hey, we've got the Internet on this refrigerator, whether we like it or
not, how can we use it? And it's a different question you ask. And that leads to much more interneting of things. Now, some of it's being done because you want to make the control simpler, right? Putting controls on a device is expensive. It's much cheaper to build the Internet in and put the controls in an app on the user's cell phone. Why is that cheaper? Because you don't have to buy dials and buttons and screens and all those things. Oh, so they're all virtual. Right. They're all virtual. The smartphone comes with dials and buttons and screens and everything. So all you have to do is write software. So those are really the drivers. Now, it is resulting in this reckless rush to the Internet, but it is more a tide. We're being swept along and less a conscious decision. Now, I too bought a car a couple of years ago and I tried to buy a car that wasn't Internet capable and
I failed. Not that it didn't exist, but it didn't exist in the class of car I wanted to buy. And I would ask the dealers things like, well, can you switch it off? And they would look at me like I was from Mars. Why would you want to do that? Just humor me. And in some cases, yes, you could switch it off, but I don't believe for a minute that it can't be switched on again remotely. So yes, you know, even if we don't want to have these devices on the Internet, we're going to be increasingly incapable of keeping them off the Internet. Well, you in the example you gave, there was one question you had the engineers ask, which is, what can we do with this? And one question you didn't have the engineers ask, what are the risks of doing this? That's because to the engineer's perspective, there really aren't any risks, right? It's cool features. It's stuff you can sell. The risk for them that they don't recognize that there are risks in anything. They're human. They're responding to the requirements
of their job, and they are engineers. Nothing is wrong with them. This is a perfectly reasonable way of thinking. I mean, we might not like the unintended consequences, but as an engineer, building a refrigerator, you are rewarded for functionality, for price and for speed. You are not rewarded for abstract things like security. And given that you are not rewarded for it, it is not going to be foremost in your thinking. That is simply the way we've built our economic system. In my book, I spent a lot of time on government regulation because of these broken incentives. I don't blame the engineers. It's the incentives they're working under. Right. So for example, in the financial services or financial industry writ large, there are officers usually now post 2008, probably at a higher level in the organizational chart than they were before, called risk assessment
officers, or vice president for risk assessment. And it's their job to say what could go wrong, right? That's right. And two reasons why that's true. One, what can go wrong actually costs money. And two, there are regulatory requirements for them to not let things go wrong. And those two drivers are why that industry in particular is much better at risk assessment than the appliance industry, which kind of has never had to care before. Well, I mean, your gas range, if something goes wrong with the gas connection, could kill you. But aside from that, yeah, there's very little risk of harm or death in the use of those appliances, right? I mean, that's right. People can commit suicide with them, but otherwise it's not really germane. And those are physical risks. And certainly liability law has led to manufacturers of ranges thinking about security and making sure that these
devices fail safely, right? I mean, toasters used to regularly catch on fire. Yes, right? And what stopped that was not the toaster manufacturers getting ethics or deciding that their users should be protected; it was that laws were passed that if toasters caught on fire manufacturers would be held liable. People would go to jail, fines would be levied. And it was now cheaper for the companies to produce toasters that wouldn't catch on fire than toasters that would catch on fire, right? That's the mechanism. But until that mechanism starts working for internet connected anything, we're not going to get that sort of outcome. Okay. The second part of your book deals with possible solutions. I want to go back to the first part of your book, which deals with the problem because I think until folks realize the scale and the scope of the problem, they won't be that interested in the solutions. But, you know, my mind goes back to a few years and you mentioned this person
a lot in the book, Edward Snowden. And eight months after his revelations about how the NSA was doing bulk surveillance and all of this, the CES show in Las Vegas debuted the Internet of Things. And I thought to myself and said to a few friends, what bad timing? This is like the death sentence for Internet of Things to bring it out in the wake of the Snowden revelations. In a couple of years, people will have forgotten the Internet of Things because the Snowden revelations will still be in their heads. And I was 180 degrees wrong. Right. Turns out it's the exact opposite. Yes, exactly right. And just recently, there's an ad in an Internet publication from Koch Industries of all people, of all companies, which says we need to have a regime of permissionless innovation. And that's, it seems to me, that's what we're in. We are. I mean, that's, that's certainly
the United States. That's where the United States tends to be a rights culture that everything is permitted unless expressly forbidden. That's, I mean, that's, that's where we are. And that works great as long as the innovation is benign. I mean, the Internet has largely been that regime. It's been permissionless. You could do whatever you want on the Internet. And whether it's, it's immoral, whether it is different, whether it disrupts existing industries, whether it causes employment or unemployment, whether it causes income inequality or inequality, whatever it does, you can do it. And that's been an enormous source of innovation. Right. It is the engine of an incredible amount of wealth in our society. This permissionless Internet and the Internet was kind of designed with that way at its core that you don't need permission to put something on the Internet. You can invent a new business model and put on the Internet tomorrow and no one can stop you. And, and again, that works great as long as the Internet is benign. What changes and when I talk about my book is now the Internet can affect
the world in a direct physical manner. Right. Your refrigerator can, if it goes bad, spoil your food. Your car, if it's hacked, can kill you. Your thermostat, if it's hacked, can turn off the heat and I live in Minnesota in the winter, can freeze my pipes and I will have property damage. Medical devices, drones, sort of on and on that implantable implantable medical device. Yes, implantable medical devices that that suddenly the Internet affects the world in a direct physical manner. And that changes things. And we are, we as a society are much less likely to say this area is permissionless when it is deadly. Right. Airplane design is not permissionless. Automobile design is not permissionless. Pharmaceuticals are not permissionless. Toys largely are except if they're like really small and kids can swallow them. Right. So there's some rules
but the more harmful an industry is, the more permissions society demands of it. And the Internet is moving from one extreme to the other. Right. I would interpose one thought on that subject. One way that the Internet has over the last two decades definitely affected the real world is the death of a lot of retail establishments. And not only was that not really necessarily well, it may have been permissionless but it's certainly occurred with the help of governments because at least in California and I think in many states, sales taxes weren't levied on online commerce. You know, to help the Internet get on its feet and we would turn around a few years later and Amazon is the biggest e-commerce, maybe one of the biggest retailers in the world and physical retail of brick and mortar is dying everywhere. Yeah. And that's an example that's kind of outside my area of expertise. I mean,
that's an unintended social consequence of a business model. I think more of direct security consequences. Right. But certainly that is an example of it only because of the sense of government intervention. Right. And that's one type of consequence. You could look at Uber, you could get Airbnb, Amazon. I mean, lots of examples of Internet ways of doing business, you know, Expedia and any of the travel websites really disrupting existing business models. Right. And anyway, that's good or bad. I mean, there's lots of, but they didn't, but they didn't have government intervention. I raise this only because later in your book, when you're talking about solutions, government is a big part of it. And so, I mean, you're not solving a problem without government. The market will not solve this problem. Period, end of sentence. This is truly a market failure. This is not what markets do. If we want to solve it, government is how we solve it. That's, I mean, that's not, I don't even think that's controversial, except in like the, you know, the weird libertarian areas of our society.
So back to describing the nature of the problem, on an almost abstract level, the advantage that attackers have over defenders. Talk about that a little bit. So it's interesting. And I can actually spend an entire hour on this. And I'll try to be quick. That complexity is the worst enemy of security. As systems get more complex, they become harder to secure. And an easy intuition might be that the defender has what's known in military circles as a position of the interior. The defender must defend all possible attacks, while the attacker can choose the time, place, and nature of the attack. And as systems get more complex, what's known as the attack surface increases, right? It's harder to secure a large commercial building than a home; it's harder to secure a home than a small shed. Because they, I mean, those things are just more complex. And the internet is really the most complex machine mankind
has ever built. And your smartphone is the most complex object that you own. And these things are very hard to secure. The attacker has an enormous advantage. And that's something that is not solvable. I mean, it's not easily solvable. We like complexity. When we like our smartphones, we like the internet. Complexity is a feature. But in terms of security, it is a disadvantage. And securing complex systems of any kind is very difficult. You also say in your book that attacks always get better. What do you mean by that? So technology improves, right? Your phone gets better, your computer gets better, internet services get better, drones get better, everything gets just gets better. But defenses don't get better. They do, but they tend to be reactive. A lot of arms races
in security. And you might think of what does somebody use example spam versus spam detectors? More recently fake video versus fake video detectors. ATM machine hacks versus ATM machine defenses. And yes, so this is arms race where things get better on both sides. But attackers have an advantage in this arms race. So for a couple of reasons, they have a first mover advantage. You know, we pretty much never implement defenses until we see the attacks. Mm hmm. Right. So we're always responding. You know, if I can't, if I'm, you know, here I am, I'm working on a refrigerator design. And I go to my boss and I say, here are 17 vulnerabilities in our refrigerators. I think we should spend money to fix them. And the boss is going to say, do we have a problem yet? And I'll say no, but we're going to have one. And they're going to say, look, we've got to get our product out tomorrow. We can't think about this now. Let's wait until it's actually a problem. Right. And that's true all up and down the line that security tends to
be defensive. We don't defend against terrorist attacks until we see them occur again and again. So, so the first mover advantage: attackers tend to be more nimble, right? They're not encumbered by bureaucracy or kind of either law or ethics. And, and they will adapt to new things faster. So imagine a hundred or so years ago someone invents the motor car. And the police say, well, that's a really good idea. Let's use them. So they have an exploratory committee for how to use the motor car in policing. And they have a procurement process and they have a training system. And eventually two years later, police departments get cars. Meanwhile, the criminal looks at it and says, oh, neat, new getaway vehicle. And within 15 minutes, they're using it to rob banks. And that kind of asymmetry is pervasive on the internet. So attacks get better. I mean, several things. I mean this, this arms race. I also mean that attackers are adaptive and smart.
That they will figure out new ways to attack systems. And also that computers just get faster. So for example, passwords that might be secure, might have been secure 10 years ago, are no longer secure today. Not because password guessing is getting smarter, because computers are now faster and can guess more passwords more quickly. And so Moore's law just favors the attack. So, so meaning brute force. Right. Right. Right. But trying every password becomes more capable. Now, the difference between this world and the normal world or the previous world is in that arms race that you're describing is that there's another factor which could be influential in the balance between attack and defense. And that's white hat hackers. Right. They're people who make it their jobs or their hobby to go find vulnerabilities and reveal them, report them to the
places where they exist with the obvious implied, if not expressed, message: go fix this. Right. So this is part of both the wicked problem of security and this problem of complexity, that we don't know how to design systems secure out of the box. We actually don't. And the market doesn't reward that, you know, with notable exceptions like the space shuttle. Most software is poorly written and insecure. Right. The market doesn't reward taking the time to do it right. So, so no one does. So what we have instead of getting it right the first time, we have a system of fix it quickly. And that means we want to find vulnerabilities and issue patches as fast as possible. And a lot of these vulnerabilities are found by the bad guys. And some of them are found by good guy researchers. And they will report them to the manufacturers. They'll publish their results. And the goal is that these vulnerabilities get fixed before the bad guys start
exploiting them. I mean, a lot of issues with this process, but it really is the best we got. This is how we get security in our computers and phones. The danger now is that kind of ecosystem doesn't really work for low cost embedded systems. Right. They don't have dedicated security teams like Apple and Microsoft and Google do; a lot of the devices are not patchable. And there isn't this ecosystem of finding vulnerabilities, fixing them and improving security. And right now the way you patch your home router is you throw it away and buy a new one. That's the mechanism. Yeah. And again, you know, that's a market issue, that the market doesn't reward a more complex patchable router. What the market rewards is producing it quickly at low cost and not worrying about it. Well, how are you supposed to patch your internet connected light bulb? You're not supposed to, but possibly the manufacturer does. I mean,
how do you patch your iPhone? You don't. Apple does. And Apple pushes the patch to your iPhone and you click OK. And if you have a Kindle, you don't even get to click OK. Right. Amazon just pushes the patch to your Kindle automatically. So if you want a light bulb patchable, you need to require Philips or GE or whomever to make the light bulbs patchable. Write the patches and automatically send the light bulbs. That will be the mechanism. It will not be a consumer patch device. It will be a manufacturer patch device. Well, I laughed when that big botnet denial of service attack occurred a couple of years ago. And the manufacturers were asked about it and they said, well, the consumers have to change their passwords on their light bulbs. And I'm thinking, um, isn't it possible for a manufacturer to connect their manufacturing process to a random password or random number generator? And so each light bulb that comes
off the line has a different non default password. And that's the easy way to fix that. Of course, the easy way, but it is more expensive than ignoring the problem. I mean, I mean, think about Equifax. Year and what, 15 months ago, Equifax lost the personal information pretty much every American. And that was a, that was a big deal in the press. There were angry ledges. I testified before Congress before a House committee. And there were angry Congress people on both sides of the aisle. This is awful. Something must be done fast forward to today. And nothing was done. So the lesson to Equifax and everybody watching was skimp on security, save money, hope for the best. If the worst happens, weather the press storm, weather the angry words, and you'll be fine. I assure you, Facebook is learning the exact same message today and nothing will change. I want to go back to remote patching for a moment. And again, my electric car. I got into it recently. And it, it sends down software updates all the time. And I'm used to that. And usually
there are tweaks to the suspension system or the braking system. And it's just, you know, we fixed the, we made, we made it better or something. It tells you that after it's done the, downloaded the update. And this time there was an update notice. And I couldn't fathom what it was. They were saying they'd done start the car, look at the screen, the interface screen. They had changed the entire interface overnight. I'm pulling out of the garage and I'm going, where's this? Where's that? Where's this? Where's that? While I'm driving because I actually have to be somewhere. And they had seemingly randomly what used to be at the top is now at the bottom, what used to be at the bottom is now at the top. And you used to be able, this, this sounds like Apple in a way, used to be able to customize your screen. So all I want to see is this and this. And now you cannot turn off the map. And the map, of course, is constantly redrawing as you drive, not redrawing smoothly, drawing like reconstituting itself completely. So there's something in your
peripheral vision that's constantly moving. And the four worst words in software updating is, are you can't go back. But this is the future. I mean, this is, you're right. It sounds like Apple. It sounds like Tesla. It sounds like your car. And yes, they push patches automatically because they are much more of a computer company than a car company. And, but this is the way things are going to go. And you know this, you get a new operating system and suddenly everything's different. You get a new version of Microsoft Word and everything's different. Right, but you're not driving, but you're not driving a car at the time. You know, I understand that that the stakes are higher. Yeah. And I mean, that's what I spent a lot of time my book about. But this is the way we do software. You know, and these old paradigms are moving into this new world. And the difference is that unlike, you know, Microsoft Word, your car affects the world in a direct physical manner. And if you can't get to your controls intuitively, that is actually a safety risk. That's right.
In the way it's not if you can't find italics. It's just a no and annoyance or an inconvenience. Um, you talk in your book about contributing to the security problem of the internet connected world, what you call hardware and software monoculture. You want to explain what that means? So we all tend to use the same stuff. And that means failures are more catastrophic. Just stick with cars. We know how cars fail. Right. Cars have parts parts fail once in a while. And there's this entire industry of auto repair that handles the steady stream of broken cars in our society. That is a decades old industry that's pretty optimized for the way cars work. Computer cars fail differently. They all work perfectly until one day when none of them do. And that's how we when it happens for Microsoft Word that happens for PDF files for all computer
things. We they have these catastrophic failures. And so now if we are all using the exact same thing, we all fail at the same time. Same operating system. Right. You know, right. So let's say they're now they're kind of three basic operating systems. So when something fails, you know, two of them are still working. There might be a dozen auto manufacturers just made that up. One fails. The rest of the cars are working. As we move to a monoculture, as more of us use the same thing, more of us are affected by the same vulnerability. So there's a problem in internet routing, everything stops working. And if there's a failure in the domain name system, like the the Dyn botnet took out a domain name server and surprise a bunch of popular websites fell off the internet because they were all using the same service. So monoculture is dangerous because it
exacerbates security problems. It turns small problems into disasters. And since that's what I'm invoking in my title, click here to kill everybody. Right. That is a only an internet thing. You can't ever crash all the cars or unlock all the doors if they're not internet connected. But once they are, that's possible. So monoculture is the flip side of network effects. Interesting points you make. No. Well, network effects. No, I don't think so. I mean, to me, the network effect is that the usefulness of an object is a function of the number of connections, not the number of users. Right. So the usefulness of a normal object might depend on how many people are using it. Like so if more people drink Coke than Pepsi, then Coke is more valuable. But it's
linear. But for a fax machine, one fax machine is completely useless. Two fax machines are usable, but uninteresting. A thousand fax machines suddenly you got something because it's not the number of users. It's a number of links between them. And so Facebook gets more valuable the more people use Facebook. And all your listeners know this, right? The moment. Try to remember the moment you got on Facebook wasn't because you wanted to be on Facebook because so many of your friends were on Facebook that you had no choice but to be on Facebook. That's the network effect. Yeah. I would just intercede. I've never been on Facebook. Yeah. I mean, either. I know. But we are three sigma. We don't count. So far you've been talking about the world of corporations and private enterprises. But there's a moment in your book where you say everybody wants you to have security except for them. And by the them, you mean not only Google and Facebook,
but the United States government that gets us back, of course, to Edward Snowden. And not just the United States government. I mean, certainly Chinese government is doing a lot to spy on its citizens. The Russian government and European government. So not just the US, Israeli government. Let's spread the blame around. That this kind of surveillance, which is fundamental to the business of the internet, is being used by governments. It's being used by governments for criminal investigation at the FBI. It's being used by governments from national intelligence. It's being used by governments for social control. That all this information is valuable to governments. I spent a lot of time in the book on governments and how they're using some of this. Social credit in China is it probably the most frightening example of where this can go, right? And I think that's the most fleshed out system. And this is a Chinese sort of meta system of surveillance and control that collects data about citizens
from a variety of sources. And then tries to determine some kind of citizenship score based on whatever criteria the Chinese government finds laudable and then hands out privileges based on that. And yes, this is very much the sort of end game of surveillance for social control. And while China is doing it, I think a bunch of other countries are eyeing it and to see how it works. And China can certainly export this to other totalitarian regimes around the world. Yeah. And then there are tentative steps towards what seems to be past the end game. I think in Scandinavia, some people are already doing this voluntarily chipping themselves. I mean, I don't think if this is past the end game, or this is this is just a convenience factor. I mean, instead of an iPhone, you've got a chip. It's the same thing. I mean, carrying an iPhone and
having a chip under your skin is functionally the same thing, except in the latter case, you can't lose it. Exactly. I don't actually see this as a big change. I see this as kind of a small change. It's creepy. It sure is. And also incredibly useful. Like pretty much all these technologies. Now, as to data, which were all of this that we're talking about as data, there's a moment in your book where you just pause to say something about the number of companies, people, outfits in the world whose business is being data brokers. And this isn't a very opaque industry. In mostly US, Europe has stronger privacy laws. But there are thousands of data brokers in the United States. And these are companies that are collecting data on all of us without our knowledge or consent. And using it against their interests, right, selling it, correlating it, using it to influence us.
It is a very secretive industry. Two states that I know of, Washington state and Vermont have been trying to pass laws just to get data brokers to register. Just tell us who you are and kind of basically what you got. And those have been successfully fought by the industry in the courts. Not in the courts. In the legislature, lobbying. So these laws really don't exist in any useful way yet. We haven't seen any information. And here again, right, the market can function if people don't know about this industry. And even if they did know, this is not something you can opt out of. We all got information stolen by someone who broke into Equifax. We can't fire Equifax. We didn't hire them. We are not their customers. So our market power is kind of zero here. And our ability to improve Equifax's security is also zero. So again, unless government
steps in, this is what we got. The situation you described suggests that if there is to be legislative cure for any of this, Europe is going to be the leader, not the United States. The United States set up this system, you point out in the book, invented Al Gore, notwithstanding the United States, invented the internet originally for either military or academic purposes, but set it up the way it is, including it's with security not designed to do it. And Europe has taken the lead in privacy regulation and companies. In the way that California took the lead with air pollution controls for cars and the industry had to follow because California was such a big market. Europe's a big enough market that Europe's regulations will influence the entire industry. Is that, is that where we stand? I mean, sort of, I mean, right now, Europe is certainly the regulatory superpower on the planet. I mean, they are willing to regulate
this industry in way nobody else's and willing to levy fines that are not basically rounding errors behind that company's notice. So yes, I do look to Europe to lead the EU, but also don't discount the US states. Right now, specifically, California and New York and Massachusetts are stepping in where the US federal government is advocating responsibility. California just passed an IOT security law. Now, it's not that much. It doesn't take effect on 2020. There's a lot more to be done, but it's a start. And they started New York is looking at something similar. I mean, New York is regulating crypto currencies, Massachusetts is trying to do things in both security and privacy. And yes, in a lot of these cases, a large enough market will move the entire industry, especially in security. I mean, if a company has to redesign their thermostat or their refrigerator or their toy to comply with a California law or an EU law, they're not going to maintain two
separate software bills. That's, that's inefficient. That's done. They will have that improved security available to everybody on the planet, because that's just easier by default, because it's easier. It's cheaper. They'll make a virtue out of necessity. So I do look towards Europe to the EU and towards some of the US states as ways to improve this. There's a detail in your book that if I were in the documentary business, I would want to go get the information and go shoot this. You describe something momentarily called the wiretappers ball. What is that? So I know, I know very little about it because I've been in there just what I've read and you can Google it and you'll see bunches of articles about it. This is a conference that is only open to governments and law enforcement, right, government agencies and manufacturers that sell, but I think of as cyber weapons exhibit there. So it is companies that sell eavesdropping equipment
to police, to militaries that sell, you know, abilities to hack someone's phone or computer, or I guess car refrigerator to governments that this is a government surveillance and control conference. Now I, you would not be allowed in with a camera, right? As a documentary producer, you would have a very short documentary of how you were turned away. Yeah. But yes, occasionally reporters have gotten in and their reports are fascinating and for those listeners interested, just Google the terms, you'll find all sorts of interesting things. Back to this internet of things, which seems to be the, you know, the really growing danger. You say two things, pardon me, in the book that seem to sum up the scope of the danger as everything is connected to the internet, everything is hackable. And all the major tech companies
want to be a hub that is to be the place where all your internet connected things are controlled from. Talk about those two concepts, please. So if you think about it, if you have an IoT, anything, you probably control it from your smartphone, right, that the phone is now the de facto internet of things, internet controller. And there is this battle for your home, Alexa wants to be that. But different devices want to be the centralized hub. And that is an important battle for control in the market that the company that sort of wins that is able to dictate a lot of policies and extract a lot of money from us. But doesn't that become the next model culture, then? Of course it does. But my monocultures are profitable. The reason we have them is not because we like them is because monopolies are powerful. You make more money as a monopoly.
That's why companies like to be them. But yes, this is going to be a source of vulnerability. But it's also in a sense, we like it. I mean, we want a singular device to control everything. I don't want to learn 30 interfaces. Are you think you're mad when your car changes interface? Imagine you had 50 of those and they all changed every two weeks. You go absolutely crazy. Way better if someone in parts of order on this whole ecosystem. But yes, there is now this battle for the home IoT controller hub, the thing by which everything else is controlled. The one ring to rule them all, I guess. And then, you know, everything being hackable means you cite an example where a refrigerator has been used to send spam. Right. You laugh at because that sounds kind of dumb. But here is back to where we started. Everything's becoming a computer. 15 years ago, your refrigerator could not send spam.
That would make no sense. It could keep spam cold. Okay, fair enough. But, you know, today because your refrigerator is a computer and it's on the internet, of course it can send spam. Right. We've seen ransomware against thermostats. Of course, that's possible in a way that wasn't possible when your thermostat wasn't a computer. And this is the central thesis of the book. As everything becomes a computer, computer risks become everything risks. Right. And the title, click here to kill everybody, evokes that catastrophic risk of a vulnerability being discovered in every car, every door lock, every refrigerator. And suddenly, we have a big problem on our hand. Briefly, I want to turn to the second half of the book, which, as I said, before deals with solutions, possible solutions. We've talked about one of them, which is increasing the liability risk for corporations when things go wrong. And you go into great
and fascinating detail about that. But you mentioned something else, which I always wonder about. And you kind of prioritize this, I think. The need to start thinking seriously about disconnecting systems. You know, I always wondered why power grid controllers are on the internet. Why? And the answer, of course, is it makes economic sense to do so. And it's more expensive not to do so. And yes, and why vote tabulating machines are on the internet as opposed to vote reporting machines. They could be two different things than they could be airgapped, right? They can. But of course, the economics of voting machines means you put them on the internet. I mean, this is again, companies are not being rewarded for security in the marketplace. And disconnecting is a great idea for me to talk about and you to talk about. But until the economics favor that, it's not going to happen. And the economics aren't going to favor that until the regulation forces the economics to favor that. So yes, I'm a big fan of
decentralization and disconnection. I don't think it'll happen anytime soon, but I think it's certainly where we're going to go. It's a fascinating subject. It's a truly fascinating book. Click here to kill everybody by Bruce Schneier. And the name of your newsletter that people can subscribe to for Schneier and security. A Schneier and security comes out every month. I also have a blog. You can find everything about me on Schneier.com. That's S-C-H-N-E-I-E-R. I'd say it's just as it sounds, but it kind of isn't. And that has my my essays and my books and my blog and my newsletter and everything else. And that's sort of where you can find me. It's it's the one stop hub for everything I do. You got a hub. Okay. Even you got a hub. Everyone needs a hub. You have a hub. We all have a hub. Bruce Schneier, thanks for sharing your time with us today. Thanks for having me. It is a smart world. General Motors has been using in-car Wi-Fi to track the habits of some of
its drivers in hopes of seeing whether there's a relationship with between what drivers listen to and what they buy. You're never alone. Ladies and gentlemen, that concludes this week's edition of the show, cobbled together in New Orleans, Los Angeles, and Seattle, Washington with help from Tyler Heath at Apex, post in New Orleans, and Graham Ball at the Harvard University studio. And I'm just guessing that's at Harvard. And thanks to Bruce Schneier, thanks to you for listening. There'll be another edition of the show in about a week, almost exactly a week on the radio and then approximately a week because you'll decide when you want to check in with your audio device of choice in it. It would be just like nobody listening in on you. If you'd agree, join with me then. Would you? Already. Thank you very much. A typical show chef out of the San Diego Pittsburgh Chicago, not an ex-Hawaii desk,
thanks as always Pam Hallstead. And to Thomas Walsh at WWNO, New Orleans for help with this broadcast. Get the playlist of the music heard here on your chance to get cars I talk t-shirts at harryshearer.com and I'm on Twitter at theharryshearer. The show comes to you from Century of Progress Productions and originates through the facilities of WWNO, New Orleans, flagship station of the Changes Easy Radio Network. So long from Seattle.
Series: Le Show
Episode: 2018-11-11
Producing Organization: Century of Progress Productions
Contributing Organization: Century of Progress Productions (Santa Monica, California)
AAPB ID: cpb-aacip-98727295a05
Description
Segment Description
00:00 | Open/ The Apologies of the Week : Wells Fargo, Rebel Wilson, Justin Trudeau, Delta Airlines
02:36 | Trump this week
04:13 | The Appresidentice : Who's getting fired next, and by whom?
10:36 | Interview with Bruce Schneier, author of 'Click Here To Kill Everybody'
56:34 | 'Always There' by Ronnie Laws /Smart World/ Close
Broadcast Date: 2018-11-11
Asset type: Episode
Media type: Sound
Duration: 00:59:05.338
Credits
Host: Shearer, Harry
Producing Organization: Century of Progress Productions
Writer: Shearer, Harry
AAPB Contributor Holdings
Century of Progress Productions
Identifier: cpb-aacip-56b2b3bf5bf (Filename)
Format: Zip drive
Citations
Chicago: “Le Show; 2018-11-11,” 2018-11-11, Century of Progress Productions, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC, accessed May 14, 2024, http://americanarchive.org/catalog/cpb-aacip-98727295a05.
MLA: “Le Show; 2018-11-11.” 2018-11-11. Century of Progress Productions, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC. Web. May 14, 2024. <http://americanarchive.org/catalog/cpb-aacip-98727295a05>.
APA: Le Show; 2018-11-11. Boston, MA: Century of Progress Productions, American Archive of Public Broadcasting (GBH and the Library of Congress), Boston, MA and Washington, DC. Retrieved from http://americanarchive.org/catalog/cpb-aacip-98727295a05