Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Freakonomics Q&A With Bruce Schneier

Posted by kdawson on Tue Dec 04, 2007 05:10 PM
from the thinking-like-an-economist dept.
Security
Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'" The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.
+ -
story

Related Stories

Submission: Freakonomics Q&A With Bruce Schneier by Samrobb (12731)
[+] Games: Lessons From the HD Format War 308 comments
mlimber writes "The New York Times' Freakonomics blog asks a panel of experts, 'Is the battle between HD-DVD and Blu-ray really over? What can we learn from it?' The panel suggests, among other things, that Sony achieved a Pyrrhic victory because high-def DVDs will be outmoded before they reap enough profits to make up for what they (and Toshiba) paid out for both product development and bribes to win the support of content providers."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Freakonomics Q&A With Bruce Schneier 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • His comments on terror and cameras were (Score:5, Interesting)

    by WillAffleckUW (858324) on Tuesday December 04 2007, @05:17PM (#21578431) Homepage Journal
    I found his comments on terrorism - A. Refuse to be terrorized - and cameras to be fairly well thought out.

    We choose how we live.

    We can live in fear and magnify risks that are, in reality, very minimal, or we can realize they're minimal and stop worrying about them.

    I'd rather live free from fear.

    And the answers about passwords were fairly good. When I was a regional security officer, I came up with similar concepts, based on the real threats that actually existed. When on a public site, with low real risk (e.g. public web, no linked account) it's better to have a common (but hard) password, and save more secure passwords for sites where you have real financial risk instead.

    • Re:His comments on terror and cameras were (Score:5, Insightful)

      by rindeee (530084) on Tuesday December 04 2007, @05:45PM (#21578791)
      I couldn't agree with you more. The idea that the correct reaction is overreaction is not only foolish, it's counterproductive and in many cases quite dangerous. This approach has so permeated our society that it has become a part of our psyche and now has made inroads into the military. It is my opinion that 'risk management' and 'force protection' (in their current forms) are ruining the effectiveness of our fighting forces (of which I am one...no arm-chair fighting here). Having recently returned from serving forward in the middle east and working in a mixed environment of special warfare combat forces, the idiocy of that was forced upon us in the name of 'force protection' was nothing short of crippling. Why was it needed? Because, "if you don't abide by force protection rules, someone could be injured or killed". Let me get this straight; We carry guns, explosives, etc. We're trained to use them at night, in the day, in close quarters, over long distances, etc. We signed a piece of paper when we enlisted stating that we understand we might get killed in executing our orders. In light of all of that, there is some 'other' threat, apparently outside of the obvious primary threat during war-time (people shooting at you, IEDs, etc.) that is so much greater than the primary threats that it nullifies our need to counter the primary threats efficiently and effectively. Someone has written a book on this subject from a military prospective. Sadly I cannot recall the name of the book, or the author, as I just happened to pick it up one day at an acquaintances house and peruse it a bit. If anyone knows of the book of which I speak (primary topic being that force protection insanity is ruining the military), please speak up. I'd be forever indebted. Anyway, I digress. The bottom line, fear is counterproductive save for times of fight-or-flight.

      • Re: (Score:2, Interesting)

        by WillAffleckUW (858324)
        Well, as a former Army Sergeant, I have to agree with you.

        The concept of force protection arose from the objective of battle - the imposition of chaos on the enemy and the reduction of chaos on our own military and economic supply train. But there is no cost effectiveness analysis used, sadly.

        Sometimes we need to realize that overreaction, and overprotection, are the wrong responses.

        Is it truly worth the time delays and economic disincentives we impose on air travel to screen everyone? Is it worth the dis
      • I'm a former navy officer (Canada, not US). Surely you realize that the military doesn't give a rat's ass about you personally getting killed. What they want to prevent is the long string of flag-draped coffins streaming home that is sure to undermine public support for the broader mission.

        • Of course, and I have no problem with this. I accepted the fact that I might meet my demise and I don't have any problem with the military taking an 'all business' view of this. My gripe is in the military adopting 'touchy-feely' models when it comes to killing people (sorry, but that IS the job of the military...it is NOT a policing force). Anyway, just one guys opinion. I appreciate your input.
        • What they want to prevent is the long string of flag-draped coffins streaming home that is sure to undermine public support for the broader mission.

          Well, naval burials at sea make sea battles a bit more palatable.

          However, even though Canadian popular support for the War in Afghanistan has gone down as a result of the flag-draped coffins which are more prominently shown on Canadian TV, it's still a lot higher than support here in the US where we basically ban national coverage of dead bodies or flag-draped c

        • Says the military brat: (Score:4, Informative)

          by UncleTogie (1004853) * on Tuesday December 04 2007, @08:34PM (#21580289) Homepage Journal

          What they want to prevent is the long string of flag-draped coffins streaming home that is sure to undermine public support for the broader mission.

          Correction: Actually, they're keeping us from seeing [thebostonchannel.com] the long string of flag-draped coffins streaming home...

  • it's better to earn a living as a security expert than as a computer criminal

    Watch "Catch Me If You Can", this was obvious a long time ago.
    • Better maybe, more profitable, hmmmmm.

      The key difference is that most criminals are stupid, while most consultants are much more intelligent. I would suggest that for a given IQ (or however you want to measure intelligence) the balance is far more in favour of the criminal than an equally IQ-endowed consultant.

      The reason being that there are more opportunities to get money from a criminal activity than from a security consultancy activity and it will always be easier to exploit a weakness than to fix it.

      • Did you watch the movie? The dude made millions designing tamper-proof checks for the folks that he ripped off for small change when he was a crook.

  • The more things change... (Score:5, Funny)

    by linuxwrangler (582055) on Tuesday December 04 2007, @05:23PM (#21578525)
    "...In 1957, fifty years ago, there were fewer than 2,000 computers total, and they were essentially used to crunch numbers. They were huge, expensive, and unreliable; sometimes, they caught on fire..."

    Well, now they are small, inexpensive, and relatively reliable. But at least they still sometimes catch on fire.

    • Well, now they are small, inexpensive, and relatively reliable. But at least they still sometimes catch on fire.
      That's exactly what I tell my computers when they act up, "Computers still sometimes catch on fire, you know." I keep a charred motherboard hanging on the wall in the server room, just to remind them. Helps keep the buggers running right.

    • But at least they still sometimes catch on fire.

      Mine did.

      Twice.

      The first was a cheap psu that didn't have short-protection. I'd miswired my front mic/headphone sockets (the case used individual pins instead of a solid plug, and the pins, motherboard and motherboard manual were all labelled differently). I plugged in my headset and "BOOM", I lost the psu. And the fuse in the plug. The psu was full of loose peices afterwards, and a lot of black. Oddly, the motherboard and headset both survived.

      The second was a dodgy gigabyte motherboard, with an (optional

  • Freakonomics Q&A with Jonathan Coulton (Score:4, Interesting)

    by FleaPlus (6935) on Tuesday December 04 2007, @05:26PM (#21578575) Homepage Journal
    I don't think this was mentioned on slashdot, but since this is quasi-related I thought I'd mention that a couple weeks ago Freakonomics also had a Q&A with Jonathan Coulton [nytimes.com], a really awesome (IMHO) singer-songwriter who releases many of his songs under a Creative Commons [jonathancoulton.com] license and whose music often has a rather geeky tilt. He also got quite a bit of attention recently for writing the song "Still Alive" which plays at the end of Portal. Here's a few neat quotes from the interview:

    Q: Do you think having music available for free will make releasing some of it on a traditional album more difficult? Also, why aren't more of your songs available on Yahoo Music Engine or iTunes?

    A: It's always hard to figure out the actual numbers on this, but I definitely get the feeling that having a more open attitude with MP3s has contributed to my ability to actually make a living. More and more, people don't like to buy things that they haven't heard first, which makes perfect sense when you think about it. This is why they have listening stations in record stores (er, I mean, when they used to have record stores). And because I depend so heavily on word of mouth marketing, it's extremely important that it's as easy as possible to hear my stuff. Again, it comes down to the extremely low cost that comes with digital content -- it's okay if only a small percentage of listeners buy, as long as the number of listeners is very high. That can only happen if you let people listen. ...

    Q: When you wrote "Still Alive" for Portal did you have any idea how well the synergy would be with the game? I don't think that there has every been ending credits in any media that has matched the love that people have for the end of Portal. Have you been asked to work on any other video game music since the release of Portal?

    A: One of the reasons I agreed to do it was that I understood the character so well -- it was one of those things where I looked at what they had created and it made absolute sense to me. We didn't know all the details of how we were going to finish the game, but I really could sort of feel how it was supposed to end up. Of course I'm thrilled with the reception, and it's been much larger and more positive than I could have imagined. There's nothing else in the works at the moment, but I'm definitely open to doing more things like that if it's the right project. ...

    Q: When will Valve release a video game that is also a full musical comedy?

    A: Yes please. That would be a great deal of fun to do, whether or not it was any fun to play. I'll put you in touch with Gabe and you can insist that he make it happen.
      • Yeh... like "Combat Riverine Dance", in which FPRD (First-Person River Dancers) stomp the living this, umm living shit out of da enemy... whomever "da enemy" is.

        Valve CRD Slogan: "These boots were made for trompin' and stompin'"

        Character sayings:

        "I love the smell of worn leather in the morning..."

        "We don't need no stinkin' bullets..."

        "'Air strike'? What's that? All I need is my BOOTS and dazzlin piurette (sp?) and some GRENADES..."

        "This is my RIFLE, THIS is my GUN, these are my piurettes, dazzzling by buns.

  • But first, make sure you have the Bruce facts (Score:5, Funny)

    by sien (35268) on Tuesday December 04 2007, @05:26PM (#21578579) Homepage
    To get the most out of this interview, make sure you have the facts [geekz.co.uk] on Bruce Schneier. The man is not what he seems.
  • There are several Web sites where I pay for access, and I have the same password for all of them.

    And these sites have content, content which gets stored under /.pr0n

  • Best Answer (Score:5, Funny)

    by Odin_Tiger (585113) on Tuesday December 04 2007, @05:50PM (#21578861) Journal

    Q: I recently had an experience on eBay in which a hacker copied and pasted an exact copy of my selling page with the intention of routing payments to himself. Afterwards, people informed me that such mischief is not uncommon. How can I ensure that it doesn't happen again?

    A: You can't. The attack had nothing to do with you. Anyone with a browser can copy your HTML code -- if they couldn't, they couldn't see your page -- and repost it at another URL. Welcome to the Internet.

    Poor Bruce must get awful tired of answering questions from people who don't understand how computers, etc. actually work.

  • A billion times... (Score:3, Interesting)

    by Spy der Mann (805235) <spydermann.slashdot@gmail . c om> on Tuesday December 04 2007, @05:54PM (#21578895) Homepage Journal
    FTA:

    Moore's Law predicts that in fifty years, computers will be a billion times more powerful than they are today. I don't think anyone has any idea of the fantastic emergent properties you get from a billion-times increase in computing power.


    I do have an idea. For starters, Holovideo. Computers a billion times more powerful than today's will be able to calculate the interference equations required to display true color live holograms on flat screens - or glasses.

    Just think about it, put on your glasses and everything seems normal. Turn on your (wearable?) computer and you'll be able to interact (let's assume the glasses got tiny cameras on them, thanks to transparent electronics) with holographic objects - which may include virtual displays which you can move with your hand, a-la minority report (or a-la Nadesico if you're an anime fan ^^). Who says you'll need to use physical keyboards? Probably they'll be virtual, too! No more Repetitive Strain. And that's just for starters - imagine playing with rubik cubes or analyzing/debugging code (for programmers) in 3D.

    However, I wonder if software will be advanced enough by then to have AI agents assisting you like most sci-fi flicks. Usually software is the barrier in computing. Programmers are slow.

    • FTA:

      However, I wonder if software will be advanced enough by then to have AI agents assisting you like most sci-fi flicks. Usually software is the barrier in computing. Programmers are slow.
      Programmers are slow because, like me, they're probably surfing /. :-)
    • How many Real Dolls of Congress are we talking about?

    • I don't think anyone has any idea of the fantastic emergent properties you get from a billion-times increase in computing power.
      I do. You're something similar right now.

       

  • strange answer on wireless (Score:4, Interesting)

    by SEAL (88488) on Tuesday December 04 2007, @06:39PM (#21579317)

    Q: Is there any benefit to password protecting your home Wifi network? I have IT friends that say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?

    A: I run an open wireless network at home. There's no password, and there's no encryption. Honestly, I think it's just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor's access until I replaced it.
    That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.

    • That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.
      What is more likely to happen: That someone reads sensitive data from his unprotected wireless network, or that he is killed in a complete random traffic accident?

      • Re: (Score:3, Insightful)

        by maraist (68387) *
        That someone reads sensitive data from his unprotected wireless network, or that he is killed in a complete random traffic accident?

        Or C) that an industrious/bored male techno-teenager lives within his wifi range

    • Re:strange answer on wireless (Score:5, Interesting)

      by someone300 (891284) on Tuesday December 04 2007, @07:11PM (#21579637)
      I personally use an open wireless network. I trust my open wireless network as much as I trust my ISP and unsecure wired network, and all sensitive data that I throw around internally is securely encrypted or otherwise done through a secure tunnel. If I need to put a password I care about into a HTTP site, and I want to minimize risk, I just use my proxy, which is directly and securely* wired into the switch. Generally, if you have a large wired network, you need to make the assumption that any piece of cable not in a secure room could be spliced and packets logged.

      Of course, considering a large amount of web traffic is HTTP when it should be HTTPS, and certain operating systems expose services onto the network which they probably shouldnt, it's probably a bit irresponsible to suggest that home users leave their stuff unencrypted. Personally, the reason I run an open AP is because open APs have helped me in the past. There's a form of QoS to stop people abusing and give priority to certain computers on my network.

      * Considering it's a house, 'secure' means it's in a locked cupboard ;)

    • Re:strange answer on wireless (Score:5, Insightful)

      by Kidbro (80868) <dibbeNO@SPAMlinux.nu> on Tuesday December 04 2007, @07:12PM (#21579655)
      Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.

      Any data that goes unencrypted between your computer and your wifi base station will also go unencrypted between the wifi base station and the target destination. On top of this, any data that's only encrypted by your wifi network will also go unencrypted between the wifi base station and its target destination.
      Maybe Bruce is just wise enough to encrypt any sensitive data he transfers properly, and not rely on the encryption in his $30 hardware that will only protect against attackers within 50 meters?

      • Re:strange answer on wireless (Score:4, Informative)

        by Cal Paterson (881180) * on Tuesday December 04 2007, @07:57PM (#21580007)
        This is excellent logic, but I think much of the reasoning behind wifi encryption is that people who do connect to your wifi are essentially getting to fire a load of packets around the internet with your name on them.

        Which could be worrying or not, depending on their interests. The number of people connecting to open access points to use kazaa to download the latest movie blockbuster would worry me if I was in an apartment building or something.

    • Re:strange answer on wireless (Score:5, Informative)

      by Umuri (897961) on Tuesday December 04 2007, @07:13PM (#21579663)
      I think what he means is that if you are depending on your wireless connection for security, you're already doing something wrong.

      One is because most secure practices can be implemented well separate of wireless, if you are concerned with security. And in fact relying on wireless encryption as your "only" form of security is something that even most non-savvy computer users can be taught not to do, so the experienced ones should have no excuse.

      The other is that most "security" for wireless has already been broken and can be repeated in a near trivial amount of time, so if someone was dead set on sniffing your data, chances are they'd be able to do it.

      In my defense, I run an open wireless network that is sectioned off, that instead of encryption relies on MAC addresses to allow into the normal section of the network. Everyone not on the list just gets to use the internet.

      Allows friends to come over and connect happily to the web without messing with stuff, and if they need the network access adding their computer is a 10 second job.

    • Re:strange answer on wireless (Score:5, Funny)

      by flaming error (1041742) on Tuesday December 04 2007, @07:50PM (#21579969) Journal
      It only seems risky until you learn that Bruce Schneier types in TwoFish.

    • Re: (Score:3, Interesting)

      by trawg (308495)

      That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.

      As others have already pointed out, as long as he's encrypting probably everywhere else it won't make any real difference. If you're on an open wifi network and everything you do is via an SSH tunnel or VPN or something, you're probably doing quite a bit better than using WEP anyway.

      I think the really interesting part of this answer is that it doesn't really address the legal issues of someone misusing and abusing your connection for their own evil deeds. I don't know if this has been tested in court but

    • My friend. The point is that is almost as easy to get data from a suposedly "encrypted" (weak ass encryption) wifi connection, as to do it from an unencrypted one.

      And I mean... what is this, Mr. SEAL, although you have an enviable 5 digit slashdot ID, im gonna HAVE to go with bruce on this one.... hell, id go with bruce on all the rest-of-them as well.

  • His Password Comment (Score:3, Interesting)

    by OldSoldier (168889) on Tuesday December 04 2007, @07:28PM (#21579805) Homepage

    I choose the same password for all low-security applications. There are [also?] several Web sites where I pay for access, and I have the same password for all of them.
    Has there been any survey of how various systems store passwords? Schneier's policy above is very similar to mine, and I was surprised recently when my Sprint password, which I thought was "secure" was plainly visible to the customer service clerk at my local Sprint store!

    Specifically I do not care how my low-security passwords are stored. But for my high security passwords, I would like them all to be stored in a unix-like way, namely only cyphertext is stored and it's impossible for anyone to know what that password is. Sure they may be able to change it on my behalf, but can they tell what it is? No!

    I've had this concern for quite a while now and I'm surprised that I haven't found a security certified label that addresses this concern. Sure there are other labels like http://www.truste.org/ [truste.org] or "Verisign Secured", but where's there one that tells me my user-password is stored in a "unix-like" manner?

    • Re:His Password Comment (Score:4, Informative)

      by RAMMS+EIN (578166) on Wednesday December 05 2007, @02:45AM (#21582509) Homepage Journal
      I can't answer which sites will actually store your passwords and which ones will only store a one-way hash of it, but I can tell you that some customers I've developed sites for insisted that the passwords be stored in cleartext. So "many sites store your password in cleartext" is my best guess.

      Also, even if the site doesn't store your password in cleartext, it will still be sent to them as cleartext. Even if it goes over SSL, the site itself will be able to decrypt it. So, one way or another, They have your password.

      I would like to suggest a feature that could be added to browsers. An idea to think about; not a request for implementation just yet. But here's the idea. Let the browser perform the one-way hashing. You enter your password, the browser hashes it, and the hashed value is sent to the site. You can use a different hash for every site, and thus use the same password on your side, but send different values to different sites. That way, no site can pick up your password and use it with another site. You are still open to replay attacks on the same site if the site doesn't protect against that (e.g. by using SSL), but it's a lot better than things are now. You never send out your actual password, so nobody ever gets to know it.

  • Writing down your password (Score:3, Interesting)

    by Beryllium Sphere(tm) (193358) on Tuesday December 04 2007, @07:39PM (#21579887) Homepage Journal
    Same point as Bruce, but put in terms of a threat analysis translated into everyday terms:
    Why you should write down your password [berylliumsphere.com]

    • This person needs to learn more about security



      You think Bruce Schneier needs to learn more about security?

        • No, you just bragged about your extremely clever system for memorizing passwords (that you didn't describe).

          Regardless, Schneier's solution is vastly more useful in practice for, well, everyone else.

          You still sound like you have no clue who this guy is.

    • Re:Too many to answer -- I'm not impressed however (Score:5, Insightful)

      by tm2b (42473) on Tuesday December 04 2007, @07:04PM (#21579561) Journal

      This person needs to learn more about security and a different way to go about handling their passwords.
      This is much like thinking that Donald Knuth needs to learn more about algorithms.

      Consider that a point is being made that you're not getting, because "this person" is not a moron, and generally talks about security as it is actually practiced instead of how it would be practiced if everybody were an expert and made good security a priority. Since people in general will not make security a priority, you have to talk about how people actually behave and how to craft security that will take actual behavior into account.

    • Based on the techniques I use I am able to remember every single password for every single site I use with 99% of them being different

      And all of those passwords are:

      • at least 10 characters in length;
      • "random", containing no dictionary words or other predictable sequences;
      • a mixture of letters (upper and lowercase), numbers and punctuation marks; and
      • not related in any way that would allow an attacker who has seen several of them to derive another one.

      Right?

      This person needs to learn more about security and a different way to go about handling their passwords.

      You do realize that this is like suggesting that the Pope learn more about Catholicism, right? Bruce Schneier started as a serious academic cryptographer and branched out into

    • Re: (Score:3, Insightful)

      by bhima (46039)
      In his defense, had he completely restated the whole of his previously published work he references his responses would be tediously long.

      I saw it as more of a "here is a more in depth answer to this question, if you are interested"

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.