Bruce Schneier Talks Brain Heuristics and Security

ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."

Its all in your..

[scoot80 (1017822)]

head.. as a matter of fact.. this reply is all in your head too.. it doesn't exist..

Re:

[Dark Kenshin (764678)]

I think that's the general synopsis of the book. If you really, really, really believe you are secure, then you are... till you get hit by a bus or something.

A slightly different analogy.

[khasim (1285)]

You really really believe your wife is monogamous ..... then she's busted in a prostitution sting. With your best friend. And now she wants a divorce. And she'll take 1/2 of everything you own.

Re:A slightly different analogy.

[MillionthMonkey (240664)]

He's got herpes. She doesn't. They take VALTREX to keep it that way. So her neocortex is all hot for him. But her amygdala isn't convinced. Because he has herpes.

Re:

[MillionthMonkey (240664)]

I tend to believe that people take Valtrex so they can continue sleeping around without using protection while eliminating the risk of a partner noticing their open sores. I mean, how'd they get herpes in the first place?

That's assuming they have it. Smart people take Valtrex so they can start sleeping around without using protection while eliminating the risk of a partner giving them herpes in the first place. But of course, the pharmaceutical industry lacks the balls to produce the obvious commercial, an

Re:

[aeoo (568706)]

Ultimate security cannot be guaranteed through protection from ill will. Once ill will has formed, there is insecurity already.

The best path is to prevent ill will from forming. That is done by convincing the disenfranchised people that they are cared for.

Encryption and ease of use.

[Kelson (129150)]

At one point in the article, Schneier comments on email encryption:

"Over the years, no one used encryption" in email, he says. "It had nothing to do with the technology," but instead the ease of use, he says.

This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.

Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.

Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.

Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.

Re:Encryption and ease of use.

[Em Adespoton (792954)]

The interesting thing about this is that I tend to at least use digital signatures now, and started for one big reason:

I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.

Re:Encryption and ease of use.

[owlstead (636356)]

"Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

That, and email encryption is mostly done either through soft-certificates or - more commonly - through PGP. There are hardly any mail systems that integrate PGP, although they are available as add on. Even so, I believe the user interface is still much harder than e.g. websites with SSL. Also, as you rightly said, end users not only have to manage a digital identify, most of the time they have to handle the other person's digital identities as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up to date certificate store.

Of course there is also SSL with client side authentication. Although this is very usefull for B2B transactions (web services), you will hardly see any uses for end users. Even though both Mozilla and IE have build in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).

Re:

[h4ck7h3p14n37 (926070)]

"Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity."

I have to disagree with this statement since end users could use a notary to manage this identity. Specifically, I'm thinking of a website that allows users to send and read encrypted messages. One would create an account on the site which would then generate the necessary crptographic keys; the user could then send enc

MUA makes a big difference.

[Kadin2048 (468275)]

I think everything you say is true, but a big part of the problem is that most people's mail-user-agents are set up with encryption as an afterthought, rather than as a core feature. When users have their email set up to use encryption from the very beginning, from the moment that they're issued their computers by their employer, they use it.

The environments where I've seen the heaviest use of encryption are Lotus Notes shops, because Notes was basically designed around encryption. Granted, it uses some str

That word. . .

[Skadet (528657)]

Bruce Schneier once again is turning security on its head -- literally.

That word. . . I don't think it means what you think it means.

Re:

[poopdeville (841677)]

Please look in a dictionary. Only one of the five to six meanings for the word 'literal' is opposite in meaning to 'figurative.' The rest are orthogonal. Indeed, the primary and secondary definitions are "conforming to the exact meaning of words",[1] and adverbial forms of 'real', 'factual', and 'unembellished'.

Really, it's good that you paid attention in high school. You learned a lot of great rules of thumb that will help you avoid making grammatical errors. But they're just rules of thumb. They don

Re:

[rkanodia (211354)]

So your validity-seeking tweed jackets propose that the word 'literally' has no semantic content. I can't wait to hear other ways in which emergent online paradigms can synergistically leverage new value-adding phenomena!

Re:

[vertinox (846076)]

Actually, security is a man named Steve at the front desk. Bruce has been getting him in a head lock and pile driving him in a wrestling move during the company get together.

Re:

[Michael Woodhams (112247)]

He's changing the direction of (turning) security, taking as fixed* what goes on in people's brains. It is pretty close to literal - the main problem being that it isn't (as implied by the phrase) security's head but rather the heads of people needing security. I think you'll find the journalist has a paid-up poetic license for this sort of minor stretch of truth (even though it doesn't rhyme.)

* That is 'immovable', not 'repaired'.

It's just the usual social engineering

[elucido (870205)]

I think everyone already knows that humans are always the weakest link in security.

Bruce Schneier is my homeboy

[bigredradio (631970)]

More facts about Bruce. http://geekz.co.uk/schneierfacts/ [geekz.co.uk]

Perception

[bwthomas (796211)]

Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomosity. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."

In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.

This is why we feel safe sharing information on websites like myspace, or using our credit cards over insecure wireless connections, because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our amazon account to buy electronics.

But they will, with a probabilistically determined frequency.

Re:

[Yartrebo (690383)]

We also have a major bias towards catastrophic risks that we have no control over mundane risks that we think we have control of.

Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in a 100 over a lifetime (at least in the USA, the odds are far lower in countries with lower incarceration rates), b

Re:

[Sique (173459)]

The same can be said about the terrorism panic. It's still more likely to choke on a fishbone and die than to be hit by a terroristic attack. For Germany [pop. 80 mio] there are about 700 reported dead each year because of choking on a fishbone. I wonder if the number of all Germans ever dying during a terroristic attack since 1947 has ever reached 700.
And the perception still gets it wrong if two risks are very similar: Think about the craze because of the H5N1 bird flu. Worldwide we have now ~200 people w

Re:

[h4ck7h3p14n37 (926070)]

A very common comment that I hear from people regarding computer security is, "we're not a target". This of course assumes that crackers select their targets based on some criteria other than they can hit your system over the 'net. Sadly, it's been my experience that when such a person's system is compromised they just want it brought back up and the particular exploit that was used remedied.

5 tough user-space factors

[G4from128k (686170)]

I see five factors that make the user-space side of security so hard.

1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."

Some of these five are easier to address but some reflect deeper realities about being human.

fear and power

[wall0159 (881759)]

Seems to me it would be good if more people understood the ways that their gut reaction to fear is often incorrect. It would at least make it harder for politicians to manipulate the populace.

It was interesting how Schneider said "you can feel secure even if you're not" - maybe this is also known as herd-mentality..

Re:

[oostevo (736441)]

All kidding aside, this guy came to speak at my college. I got a seat in the second-to-front row well before the presentation started. The school photographer came up to him to ask him to sign a silly little photography release so he could take photos. He signed it, stared at the poor guy, and said, "I want three copies of this, okay?"

The poor photographer nodded meekly.

True story.