8 internautes sur 9 ont trouvé ce commentaire utile
- Publié sur Amazon.com
Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is a hard book to categorize. It is not about security, but it deals extensively with it. It is not a law book, but legal topics are pervasive throughout the book. It is not a telecommunications book, but extensively details telco issues. Ultimately, the book is a most important overview of security and privacy and the nature of surveillance in current times.
Surveillance or Security? is one of the most pragmatic books on the topic is that the author never once uses the term Big Brother. Far too many books on privacy and surveillance are filled with hysteria and hyperbole and the threat of an Orwellian society. This book sticks to the raw facts and details the current state, that of insecure and porous networks around a surveillance society.
In this densely packed work, Susan Landau, a fellow at the Radcliffe Institute for Advanced Study at Harvard University details the myriad layers around surveillance, national security, information security and privacy. Landau writes that her concern is not about legally authorized law enforcement and nationally security wiretapping; rather about the security risks of building surveillance into communications infrastructures.
Landau details numerous reasons why communications security is hard to do right; but an imperative for our ultimate security, privacy and digital wellbeing.
In 250 pages, Landau makes a compelling case. In addition to her superb handle on the topic, the book has over 80 pages of footnotes, where every quote, statement and claim is verified and confirmed. The book is a great launching pad for a much deeper analysis on the topic.
The main theme of the book is that digital communications have revolutionized the way in which society interacts. The Internet is now the lifeblood of many businesses and governments, including a significant part of our critical infrastructure. The fact that this infrastructure lacks comprehensive security and privacy controls are a troubling concern.
In 11 dense chapters, Landau notes that since security and privacy have not been fully integrated into this infrastructure; this leaves us exposed and vulnerable to cyberattacks.
In the introduction, Landau notes that with this new computing and telecommunications paradigm, the job of law enforcement has become much more challenging. In previous years, surveillance was relatively easy. Once law enforcement had physical access to a phone line, they were in. Today, with cell phones, VoIP, Internet cafes, anonymizing services and more, the dynamics have changed and this has caused quite a shock for law enforcement; who are often struggling to deal with this new paradigm.
Landau notes that the surveillance and eavesdropping technologies that have been deployed since 9/11 are being used to catch one set of enemies. But other antagonists may be posed to turn these tools against us, and we are putting into place something for our enemies to use that they could not afford to do on their own. As to this and other difficult questions that Landau brings up; there are no simple answers.
Chapter 3 - Securing the Internet is Difficult - notes that the original creators of TCP/IP did not have security in their design. Their concerns were more along the lines of traffic breakdowns, packet loss, robustness and more; but not security and privacy. In some ways, this may be been a blessing, as Dennis Jennings, who ran the NSF program that built the NFSNET; states that "had we known what was to come, we'd have been terrified and the Internet would never have happened.
In chapter 5 - The Effectiveness of Wiretapping - Landau notes that the biggest use of wiretapping tools is not actually the capture of conversation. But something that is not really wiretapping at all: the capture of transactional information.
Chapter 7 - Who are the Intruders? What are They Targeting? - is one of the best chapters in the book. Landau details both the internal threat and industrial espionage, and it is not a pretty picture. Landau provides numerous cases where nation-states used networks, rather than people to infiltrate US interests, governmental, industrial and scientific areas. She notes that these insider attacks are often the most difficult to detect; the reason being that insiders know the systems, know where the important data is, and what the auditors are looking at. This ultimately makes insiders attack particularly pernicious.
So how significant are nation-states infiltrating US networks? Landau quotes a confidential government source that the NASA network was "completely open to the Chinese".
Landau makes her message loud and clear in chapter 8 when she notes that it does not help to tell people to be secure; rather security must be built into their communications systems. Security must be ubiquitous, from the phone to the central office and from the transmission of a cell phone to its base station to the communications infrastructure itself.
In chapter 9 - Policy Risks Arising from Wiretapping - Landau details how deep packing inspection (DPI) is used by ISP's. It is the ISP's who have the capability to know what you are browsing, what your email says, your VoIP conversation and much more. In a short amount of time, the ISP can develop a dossier on the user, and as noted, it has the ability to amass data to an amount that the Stasi could only dream of. This surveillance ability is what is most troubling to the author.
Landau continues that the only way for a person to avoid the risk from ubiquitous uses of DPI by an ISP would be to encrypt everything. While not completely done now, Gmail and Skype do bulk encryption.
The book closes with chapter 11 - Getting Communications Security Right - and there are no easy answers. Landau notes that across the globe, there are projects on clean-slate network architectures. But our current infrastructure is quite insecure and porous.
Surveillance or Security?: The Risks Posed by New Wiretapping Technologies is an extremely important book on the topic of the many risks posed by new wiretapping technologies. Landau has the remarkable talent of taking very broad issues and detailing them in a concise, yet comprehensive manner. The book should be seen as the starting point for discussion on a most important topic.
Landau does an excellent job of detailing how unwarranted surveillance can undermine security and affect our rights, while noting that security for every citizen is paramount to the very spirit of the Constitution.
The book closes with the very principles of what it means to get communications security right and that adhering to these principles cannot guarantee that we will be completely secure. But failure to adhere to them will guarantee that we will not.
As to Surveillance or Security?: The Risks Posed by New Wiretapping Technologies, required reading it is, but that term does not do justice to the importance of this book. Simply put, this book is the definitive text on the topic and it is a title that needs to be read.
1 internautes sur 1 ont trouvé ce commentaire utile
Keith A. Comess
- Publié sur Amazon.com
In the world of computer security and surveillance, it's almost axiomatic that any book accepted for publication will be dated by the time it appears in print (or electronically). Certainly, anything that antedates Snowden's stunning revelations of NSA surveillance can be considered ante diluvian. So, accepting that premise, if you do, why bother with Susan Landau's book on the topic? Basically, her work is worthy of consideration for her concise historical synopsis (beginning more or less in recent/modern computer era) and her legal perspectives on the pre-Snowden era.
Landau begins with a survey of internet architecture (a couple of chapters she advises that some readers may wish to skip). She progresses to a pithy synopsis of the legal aspects of wiretapping and notes that postal privacy extends to a 1792 act which was re-affirmed in an 1878 US Supreme Court decision, this specifying the need for a warrant to open first class mail. She notes that government wiretapping began with the advent of the telegraph and ramped up during Prohibition (the Roy Olmsted case being an intriguing example of court dealings with the matter). Setting somewhat of a precedent for future rulings, the Court found in favor of the government in that case, but the sanctity of electronic communications was ardently defended in a lone dissenting opinion rendered by the distinguished jurist, Louis Brandeis. In a rare act of virtue, in 1934 Congress passed legislation which prohibited "unauthorized" interception of wired communications as a follow-up to the Radio Act of 1927. The entire precarious edifice (what constitutes, "unauthorized"?) was unwittingly crumbled by FDR during WW-II in response to a "national security" plea to wiretap "spies" by the Surveillance King, J. Edgar Hoover, a man whose subsequent career as a monster snoop and nefarious troublemaker hardly requires elaboration. Still, with the revelations of the Hoover inspired and directed COINTELPRO (subject of the Church Committee hearings resulted in the 1978 FISA legislation), Congress was eventually moved to reinforce the "taboo" by passing the 1986 Electronic Communications Privacy Act.
Skipping ahead, Landau deals with the effectiveness of wiretapping. She concludes that the method, excepting certain specific circumstances (such as exposing organized criminal conspiracies) probably isn't terribly helpful. She expends considerable effort on the interplay between some aspects of rapidly advancing technology (e.g., the internet) and legislative measures intended to contain surveillance whilst preserving some modicum of privacy. She musters an impressive array of data supporting her contention that privacy encourages innovation, fosters intellectual interchange and is a foundational aspect of the "trust" needed as the basis for a balanced relationship between government and the governed (as others have done; see Bruce Shneier's excellent book on this topic for a thorough discussion).
There the matter might have rested but for the beginning of a cavalcade of revelations on new efforts by the government to implement mass surveillance. In an unjustly overlooked (by the general public, at least) disclosure in 2006, ATT technician Mark Klein documented NSA installation of monitoring equipment in a San Francisco communications switching facility. Landau notes that, "Although the secret room was supposed to be secret, there was no reasonable chance it could be": this was a prescient observation, as eventually demonstrated by Mr Snowden.
Then, on to post-September 11 America. Now, in the name of national security (yet again), mass surveillance moved front and center: "...the US government has been highly enamored of the idea that the terrorists can be easily found by simply connecting the dots if sufficient data are collected and mined." This is yet another prescient observation, as it serves as the foundational principle of the current NSA program (even though its effectiveness has never been convincingly demonstrated). Despite "unintended" interceptions (unbeknownst to some readers, including this one, Bill Clinton's personal e-mails were swept up by NSA [see p. 192]) nothing was done to curb the excesses and, as technology advanced, so did the scope of surveillance.
Another subject of Landau's book is the then nascent symbiotic collaboration between private industry (the IT companies and various contractors in other fields) and the government as shown in the 2002 FBI Communication Analysis Unit. This, of course has ramped up dramatically, as Snowden's documents have shown. She pointedly notes the use of "exigent letters" (now with another name); then, as now, a clever legalistic ellipsis that is tantatmount to a warrantless search.
This is all very relevant information and very interesting. Where the book falls short, however, is in the unwarranted confidence Landau evidences in the robustness of the internet and the near "impossibility" of universal data mining, "daisy chaining" and her failure to predict the brilliant (and cynical) advances of NSA cryptographers and computer experts. She fails to predict the predictable: precipitous cost decreases for data storage; major advances in computational analysis; the corrosive effects of collaboration with private (for profit) companies; and, most especially, the susceptibility to fear mongering and pandering of the American public. Allowing for the inevitable limitations imposed by such a dynamic field, the last chapter is a near masterpiece of nuanced analysis, balancing the competing (and potentially irreconcilable) needs of "security" vs. "surveillance". On balance, security concerns and the inherent constraints of mass surveillance tilt the balance in favor of the former, per her analysis.
Where does that leave this book? It is a valuable and interesting historical document that is now of almost archival significance (hence, the rating). It is obsolete and in need of major revision and updating. However, if a second edition is printed, it will be well worth the time expended in reading it. Surveillance and state secrets are "risky business" and it behooves the average citizen to have some perspective on the topic before allowing the system to be formally and publicly legally enshrined as the "law of the land"