Showing posts from March, 2016

Should companies be allowed to "hack back" against thieves?

Here are my comments on New America responding to the question of whether companies should be allowed to hack back against thieves.
Companies should absolutely not hack back against cyber thieves. One major concern is attribution, namely knowing that you have identified the right parties. Intruders typically use other people’s computers and servers, so odds are high that a company would simply be attacking an innocent party. Furthermore, if a company does take down an attacking server, they might take down many other innocent third-party web sites and services, which would make the company potentially liable for damages. Companies also have varying levels of talent and resources. While a very large tech company might be able to mount a proportional countermeasure, the vast majority of companies can’t. It would only be a matter of time before one of these other companies oversteps its bounds and inadvertently causes collateral damage and a great deal of embarrassment. Lastly, in the un…

My Article in Slate on Human Weaknesses in Cybersecurity

I published an article on Slate about human aspects of cybersecurity.
A great deal of metadata and surrounding context can still be inferred from unclassified emails. These inferences might include the social connections between people, the names of projects a person is working on, how emails are formatted, and what jargon a person uses. On the surface, this kind of information might seem innocuous. However, in the hands of a skilled and patient adversary, this information can be used to exploit human weaknesses in cybersecurity.