It’s been a huge year for information security in the public eye. Security was constantly in the news and has popped up in ways we never expected. Who could have guessed that phishing attacks and a private email server would help derail a US presidential campaign?
We had Apple vs the FBI. Much like the movie Batman v Superman, they both thought they were the good guys. The rest of us wondered what would happen when an impressive object meets an irresistible farce. Would Apple have to stop and recharge their legal team if the case lasted longer than six hours? Tempers flared. People got hysterical. And that was just the FBI’s legal team. Not all the commentary was credible. The well-known encryption experts, the National Sheriffs’ Association, stated that Apple was “putting profit over safety” and that this had “nothing to do with privacy”. Aw bless.
Yahoo announced yet another huge breach. It’s sad to see the once mighty internet giant slowly transitioning from respected internet pioneer to a honeypot experiment with live customer data. The official line was that Yahoo had been the victim of “state-sponsored” attacks, which sounds a lot better than inviting attacks by using outdated security methods. There are diaries of fourteen-year-old girls with stronger security. Yahoo was specifically criticised for using MD5 hashing. To be fair, MD5 hashing can be considered very strong. But only if your threat model is Russian cryptographers attacking through a star gate from the 1990s.
James Clapper announced his resignation. The man who denied to Congress that data was being collected on millions of Americans is leaving the building. His performance in front of Congress, while sadly overlooked for an Oscar nomination, was cited by Snowden as proof that the system was broken. Clapper’s exit interview would have been a hoot. Have you held anything back? Is there any classified information that you’ve failed to return? “Not wittingly”. Which either means “sorry, I thought we were talking about something else”, “I needed more than 24 hours to put my truthful hat on” or “yes, but I didn’t inhale”.
Under Clapper’s direction, national security institutions have prospered. However, technologies we all depend on have been weakened, exposing us to risk from cyber criminals and repressive regimes. The profits of US companies have suffered as they’ve struggled to convince global customers that their data is safe with a US company. If you’re a US citizen you might think the national security trade-off was worth it. However, if you live anywhere else in the world, or you’re a US company that has lost customers, then you might have a different view. This is only going to get worse now that Trump is in the White House. Every time you put on weight, your electronic scales will dob you in and you’ll get 3am phone calls from The Donald, shouting “Sad!” down the line. But only if you’re a woman. Non-female obesity won’t grab his attention the same way.
The most intrusive powers ever proposed for the UK intelligence services were made law in the UK. Critics protested that the new law gave too many government agencies access to people’s browsing history without the need for a warrant. In fact, the list of agencies that can access browsing data without a warrant is so large it might have been quicker just to list those that can’t. On the plus side, we can all sleep safely knowing that the Welsh Ambulance Services can see what we’re doing online. Privacy activists took the UK government to the European Court of Justice, which ruled that government agencies needed a search warrant from an independent judiciary and that access had to be in response to serious crime. The Government pronounced itself disappointed with the judgement. That’s nothing. If the government thinks the appeal judgement was disappointing then just wait until they get a look at my web history.
There were persisting concerns about the security weaknesses of voting machines in the US elections. We should be grateful that the winner of this partly automated vote count wasn’t Select *. The FBI learned that Hillary Clinton’s campaign chief John Podesta’s email had been compromised. Unfortunately, all their agents were busy ogling Anthony Weiner’s laptop so they just left a message with Podesta’s IT helpdesk. Apparently, this is standard operating procedure when you learn that a hostile foreign power is trying to fix your elections.
2016 was also the year that the burgeoning Internet of trash really started to stink. Brian Krebs’s website was hit with the largest distributed denial of service attack ever: a great amorphous pudding of hijacked IP-enabled household appliances. People started waking up to the risks. Some even asked, what’s the point of a vacuum cleaner having an IP address? Maybe our appliances rising up against us will be the start of Skynet. To be honest, who can blame them? They probably saw the decisions humans made in 2016 and thought they could do a better job.
Here’s to 2017. May our breaches be bigger and better than ever.