Freakonomics Q&A With Bruce Schneier
Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'" The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.
His comments on terror and cameras were (Score:5, Interesting)
We choose how we live.
We can live in fear and magnify risks that are, in reality, very minimal, or we can realize they're minimal and stop worrying about them.
I'd rather live free from fear.
And the answers about passwords were fairly good. When I was a regional security officer, I came up with similar concepts, based on the real threats that actually existed. When on a public site, with low real risk (e.g. public web, no linked account) it's better to have a common (but hard) password, and save more secure passwords for sites where you have real financial risk instead.
Re: (Score:2, Interesting)
The concept of force protection arose from the objective of battle - the imposition of chaos on the enemy and the reduction of chaos on our own military and economic supply train. But there is no cost effectiveness analysis used, sadly.
Sometimes we need to realize that overreaction, and overprotection, are the wrong responses.
Is it truly worth the time delays and economic disincentives we impose on air travel to screen everyone? Is it worth the dis
Re: (Score:2)
The trick is figuring out which response is appropriate.
Independently from that, you should make a conscious evaluation of what is risky, and pay special attention to the fact that human beings are hardwired to notice the seldom but spectacular events while ignoring the many mundane ones, even when the cumulative risk from the latter is orders of magnitud
Re: (Score:2)
It's probably more a fear of the unknown factor, but I was thinking recently that a lot of the risks people are seemingly overworried about are risks that "natural selection" doesn't adapt well to.
If you drive a car, and you make mistakes and die, that might be good for the species overall
But if the plane crashes into a mountain - you're likely to be dead even if your g
Re: (Score:2)
First, remember that evolution only works on stuff that changes the chance that you'll have children, or the number of children you have. If you die of lung-cancer at 60 or live healthily to 80, this likely makes no difference whatsoever to the number of children you'll have, or the survival-chance of the children you do have.
Evolution does however work just fine for risky behaviour. Flying by plane ain't (normally) risky behaviour, dying as a result of it is just plain
Re: (Score:2, Insightful)
Well, naval burials at sea make sea battles a bit more palatable.
However, even though Canadian popular support for the War in Afghanistan has gone down as a result of the flag-draped coffins which are more prominently shown on Canadian TV, it's still a lot higher than support here in the US where we basically ban national coverage of dead bodies or flag-draped c
Says the military brat: (Score:4, Informative)
Correction: Actually, they're keeping us from seeing [thebostonchannel.com] the long string of flag-draped coffins streaming home...
I'll third that. (Score:2, Interesting)
One important thing to note is that you have to be careful about password reuse. Oh, and email, no matter what, should NOT be considered "low security" no matter how boring your private life is because it can often be used as leverage to get more sensitive data.
Why hard? (Score:2)
No. The point is, it's better to have a common, and super easy to remember password that requires no difficulty at all to use and retain.
Low risk, remember? Why make it more likely you'll forget your common password after a two week trip. KISS.
This is why I despise sites of obviously low security interest, that enforce ANY kind of password limiting (like mandatory mix of numbers
Re: (Score:2)
If you're in a trend where you gain a few pounds a year, this will quite likely kill you, *certainly* make you more sick and limit your quality of life.
If you're participating in traffic regularly, this is the area where you're most likely to die a violent death.
If you're smoking, quitting that would give a larger benefit than anything else.
Quit smoking, don't *ever* drive while intoxicated, wear a seatbelt, don't be obese, get some exercise if your wor
Duh... (Score:2)
Watch "Catch Me If You Can", this was obvious a long time ago.
Re:Duh... ... not convinced (Score:2)
The key difference is that most criminals are stupid, while most consultants are much more intelligent. I would suggest that for a given IQ (or however you want to measure intelligence) the balance is far more in favour of the criminal than an equally IQ-endowed consultant.
The reason being that there are more opportunities to get money from a criminal activity than from a security consultancy activity and it will always be easier to exploit a weakness than to fix it.
Re: (Score:2)
A: Basically, you're asking if crime pays. Most of the time, it doesn't, and the problem is the different risk characteristics. If I make a computer security mistake -- in a book, for a consulting client, at BT -- it's a mistake. It might be expensive, but I learn from it and move on. As a criminal, a mistake likely means jail time -- time I can't spend earning my criminal living. For this reason, it's hard to improve as a criminal.
1. Most criminals discount the risks that they're taking, which means they do not have a rational view of their "risk characteristics".
2. His conclusion, "it's hard to improve as a criminal" doesn't really follow from his previous sentence. Many criminals do improve in prison. Learning crime isn't hard when you have lots of free time, are surrounded by other criminals and have access to a library. His point may be somewhat valid for a hacker/cracker, but for all we know, the person will come out with a who
The more things change... (Score:5, Funny)
Well, now they are small, inexpensive, and relatively reliable. But at least they still sometimes catch on fire.
Re: (Score:1)
Funny, I often say the same thing about roommates.
Re: (Score:1)
No...nevermind...that's my laptop battery.
Re: (Score:2)
But at least they still sometimes catch on fire.
Mine did.
Twice.
The first was a cheap PSU that didn't have short-protection. I'd miswired my front mic/headphone sockets (the case used individual pins instead of a solid plug, and the pins, motherboard and motherboard manual were all labelled differently). I plugged in my headset and "BOOM", I lost the PSU. And the fuse in the plug. The PSU was full of loose pieces afterwards, and a lot of black. Oddly, the motherboard and headset both survived.
The second was a dodgy gigabyte motherboard, with an (optional
Freakonomics Q&A with Jonathan Coulton (Score:4, Interesting)
A: It's always hard to figure out the actual numbers on this, but I definitely get the feeling that having a more open attitude with MP3s has contributed to my ability to actually make a living. More and more, people don't like to buy things that they haven't heard first, which makes perfect sense when you think about it. This is why they have listening stations in record stores (er, I mean, when they used to have record stores). And because I depend so heavily on word of mouth marketing, it's extremely important that it's as easy as possible to hear my stuff. Again, it comes down to the extremely low cost that comes with digital content -- it's okay if only a small percentage of listeners buy, as long as the number of listeners is very high. That can only happen if you let people listen.
Q: When you wrote "Still Alive" for Portal did you have any idea how well the synergy would be with the game? I don't think that there has ever been an ending credits sequence in any media that has matched the love that people have for the end of Portal. Have you been asked to work on any other video game music since the release of Portal?
A: One of the reasons I agreed to do it was that I understood the character so well -- it was one of those things where I looked at what they had created and it made absolute sense to me. We didn't know all the details of how we were going to finish the game, but I really could sort of feel how it was supposed to end up. Of course I'm thrilled with the reception, and it's been much larger and more positive than I could have imagined. There's nothing else in the works at the moment, but I'm definitely open to doing more things like that if it's the right project.
Q: When will Valve release a video game that is also a full musical comedy?
A: Yes please. That would be a great deal of fun to do, whether or not it was any fun to play. I'll put you in touch with Gabe and you can insist that he make it happen.
Re: (Score:1)
A: Yes please. That would be a great deal of fun to do, whether or not it was any fun to play. I'll put you in touch with Gabe and you can insist that he make it happen.
I got it. The musical Gordon Sings! Released from his mute state, turns out that all he wanted to do was sing and dance, but instead had to save the world. Twice. (Maybe three times)
Re: (Score:2)
Valve CRD Slogan: "These boots were made for trompin' and stompin'"
Character sayings:
"I love the smell of worn leather in the morning..."
"We don't need no stinkin' bullets..."
"'Air strike'? What's that? All I need is my BOOTS and dazzlin piurette (sp?) and some GRENADES..."
"This is my RIFLE, THIS is my GUN, these are my piurettes, dazzzling by buns.
But first, make sure you have the Bruce facts (Score:5, Funny)
Re: (Score:2)
For full credit, please show your work.
Re: (Score:2)
1. Nutcracker
2. MacGyver
3. http://www.youtube.com/watch?v=N96DWI5wuB4 [youtube.com]
Re: (Score:2, Funny)
I'm not sure, but I do know that Jason Bourne would limp away.
Oh, and don't forget about the explosion that almost (ALMOST) kills John McClane.
Re: (Score:2)
Oh, three-way FIGHT. Whoops.
Re: (Score:2)
Bruce Schneier doesn't bother to secure his wireless network at all. Who would dare, anyway?
Re: (Score:2)
"Bruce Schneier slashdotted slashdot."
This [geekz.co.uk] one is also quite clever.
FTA: several websites (Score:2, Funny)
And these sites have content, content which gets stored under
Best Answer (Score:5, Funny)
Poor Bruce must get awful tired of answering questions from people who don't understand how computers, etc. actually work.
A billion times... (Score:3, Interesting)
I do have an idea. For starters, Holovideo. Computers a billion times more powerful than today's will be able to calculate the interference equations required to display true color live holograms on flat screens - or glasses.
Just think about it, put on your glasses and everything seems normal. Turn on your (wearable?) computer and you'll be able to interact (let's assume the glasses got tiny cameras on them, thanks to transparent electronics) with holographic objects - which may include virtual displays which you can move with your hand, a-la minority report (or a-la Nadesico if you're an anime fan ^^). Who says you'll need to use physical keyboards? Probably they'll be virtual, too! No more Repetitive Strain. And that's just for starters - imagine playing with rubik cubes or analyzing/debugging code (for programmers) in 3D.
However, I wonder if software will be advanced enough by then to have AI agents assisting you like most sci-fi flicks. Usually software is the barrier in computing. Programmers are slow.
strange answer on wireless (Score:4, Interesting)
A: I run an open wireless network at home. There's no password, and there's no encryption. Honestly, I think it's just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor's access until I replaced it.
Re: (Score:3, Insightful)
Or C) that an industrious/bored male techno-teenager lives within his wifi range
Re:strange answer on wireless (Score:5, Interesting)
Of course, considering a large amount of web traffic is HTTP when it should be HTTPS, and certain operating systems expose services onto the network which they probably shouldn't, it's probably a bit irresponsible to suggest that home users leave their stuff unencrypted. Personally, the reason I run an open AP is because open APs have helped me in the past. There's a form of QoS to stop people abusing it and give priority to certain computers on my network.
* Considering it's a house, 'secure' means it's in a locked cupboard
Re:strange answer on wireless (Score:5, Insightful)
Any data that goes unencrypted between your computer and your wifi base station will also go unencrypted between the wifi base station and the target destination. On top of this, any data that's only encrypted by your wifi network will also go unencrypted between the wifi base station and its target destination.
Maybe Bruce is just wise enough to encrypt any sensitive data he transfers properly, and not rely on the encryption in his $30 hardware that will only protect against attackers within 50 meters?
Re:strange answer on wireless (Score:4, Informative)
Which could be worrying or not, depending on their interests. The number of people connecting to open access points to use kazaa to download the latest movie blockbuster would worry me if I was in an apartment building or something.
Re:strange answer on wireless (Score:5, Informative)
One is because most secure practices can be implemented well separate of wireless, if you are concerned with security. And in fact relying on wireless encryption as your "only" form of security is something that even most non-savvy computer users can be taught not to do, so the experienced ones should have no excuse.
The other is that most "security" for wireless has already been broken and can be repeated in a near trivial amount of time, so if someone was dead set on sniffing your data, chances are they'd be able to do it.
In my defense, I run an open wireless network that is sectioned off, that instead of encryption relies on MAC addresses to allow into the normal section of the network. Everyone not on the list just gets to use the internet.
Allows friends to come over and connect happily to the web without messing with stuff, and if they need the network access adding their computer is a 10 second job.
Re:strange answer on wireless (Score:4, Funny)
Gee, what happened to OneFish, and the RedFish and BlueFish?
Re: (Score:3, Interesting)
That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.
As others have already pointed out, as long as he's encrypting probably everywhere else it won't make any real difference. If you're on an open wifi network and everything you do is via an SSH tunnel or VPN or something, you're probably doing quite a bit better than using WEP anyway.
I think the really interesting part of this answer is that it doesn't really address the legal issues of someone misusing and abusing your connection for their own evil deeds. I don't know if this has been tested in court but
Committing a felony is OK (Score:2)
From the context, it appears that he used his neighbor's network without permission. Depending on where you live this is considered a felony.
http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/index.htm
You also might be violating terms of service with your ISP by sharing your connection.
Another person using bittorrent to download movies and music can easily swamp your wireless router with the number
Re: (Score:2)
You realize, though, that "clearing up" the issues and responsibilities might mean making it illegal to share your WIFI? Let's keep it murky. The law is only going to overreact to the threat, if it even exists.
Which it may not.. how many cases have there been? I suggest that people doing a lot of illegal downloading need a lot of bandwidth. Your neighbor's wifi ain't that.
Re: (Score:2)
I used to download distros on business class Road Runner shared through a small apartment building by wifi. The main issues were too many connections would swamp or kill the wifi. A lot of home routers can only handle 128 connections. I lowered the connections and set the scheduler to avoid times commonly used by others to avoid complaints. Bandwidth wa
Re: (Score:3, Funny)
And I mean... what is this, Mr. SEAL, although you have an enviable 5 digit Slashdot ID, I'm gonna HAVE to go with Bruce on this one.... hell, I'd go with Bruce on all the rest of them as well.
Re: (Score:2)
I mean, in the USA, *could* you let neighbours use your open WiFi point *without* paying huge $$$ in over-usage charges? If you could, then I guess I'd be happy with running an open access point myself, as long as I implemented my own local
Re: (Score:2)
Thus it doesn't matter if your neighbors use your WiFi (unless they are doing something illegal with it).
Re: (Score:2)
Most people use their wireless network pretty much exclusively to bridge the gap between their couch and the Internet. Since the Internet is basically public, it really doesn't matter that the last metre is unencrypted, over the air.
Re: (Score:2)
Agreed. I know if anyone wants to rob my house, a door lock isn't going to stop them. Guess what? I still lock the door when I leave.
"Is there any benefit to password protecting your home Wifi network? I have IT friends that say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?"
The answer is, of course, an emphatic "yes". Mr. Dubner needs new IT friends.
Re: (Score:2)
As the man himself says [schneier.com]: "For the record, I have an ultra-secure wireless network that automatically reports all hacking attempts to unsavory men with bitey dogs."
Seriously though, Bruce has explained several times that the best choice is "secure the hosts, open the network". I perso
His Password Comment (Score:3, Interesting)
Specifically, I do not care how my low-security passwords are stored. But for my high-security passwords, I would like them all to be stored in a Unix-like way, namely only ciphertext is stored and it's impossible for anyone to know what that password is. Sure, they may be able to change it on my behalf, but can they tell what it is? No!
I've had this concern for quite a while now and I'm surprised that I haven't found a security-certified label that addresses this concern. Sure, there are other labels like http://www.truste.org/ [truste.org] or "Verisign Secured", but where is there one that tells me my user password is stored in a "Unix-like" manner?
Re:His Password Comment (Score:4, Informative)
Also, even if the site doesn't store your password in cleartext, it will still be sent to them as cleartext. Even if it goes over SSL, the site itself will be able to decrypt it. So, one way or another, they have your password.
I would like to suggest a feature that could be added to browsers. An idea to think about; not a request for implementation just yet. But here's the idea. Let the browser perform the one-way hashing. You enter your password, the browser hashes it, and the hashed value is sent to the site. You can use a different hash for every site, and thus use the same password on your side, but send different values to different sites. That way, no site can pick up your password and use it with another site. You are still open to replay attacks on the same site if the site doesn't protect against that (e.g. by using SSL), but it's a lot better than things are now. You never send out your actual password, so nobody ever gets to know it.
Re: (Score:2)
That way, the hash is site specific and it wouldn't matter if you used the same password or not.
The problem is implementation. Maybe one for Firefox and Apache together?
OK, so we have a plug-in.. (Score:2)
From a code perspective you'd have something like
(0) init - maybe a start 'magic word' to make it individual?
(1) take website name
(2) strip "www" from it (so 'bare' use is identical)
(3) request password from user
(4) store user password for re-use (as normal if Firefox is set up that way)
(5) get hash (MD5 or better) of magic word + sitename + user provided password
(6) take first/last/middle 5..32 characters (not all sites allow more than 8 chars) - maybe derive this from web name as well so
Re: (Score:1)
http://www.angel.net/~nic/passwdlet.html [angel.net]
http://supergenpass.com/genpass/ [supergenpass.com]
http://supergenpass.com/ [supergenpass.com]
(there are surely others)
Not an extension, but that can be a good thing.
Re: (Score:2)
I'm imagining a firefox plugin that prompts you for your password when you go to a site. You type in the master password, it gets salt from the source, hashes it, then sends the hash to the site as you "password". The best part is if you sign up for an account for site a on one ma
Writing down your password (Score:3, Interesting)
Why you should write down your password [berylliumsphere.com]
Re: (Score:2)
The article mentions the possibility of storing passwords on a USB flash drive and carrying it around your neck. A Corsair Flash Padlock USB flash drive would be ideal for that purpose because it has the added security of buttons on the side like a padlock. It works with Windows, Mac or Linux. I don't know what type of encryption it uses, but it might not matter since they would have to slowly enter the various possibilities manually. The FBI or NSA might know how to splice directly into the electroni
Re: (Score:3, Insightful)
I saw it as more of a "here is a more in depth answer to this question, if you are interested"
Bruce insinuates: No competition with Microsoft (Score:2)
Q: ...can't we design a computer that can "cold boot" nearly instantaneously?
A: This is an economics blog, so you tell me: why don't the computer companies compete on boot-speed?
I know! I know! Because there's no competition?
The desktop competitors are*: 90% Microsoft, 5% Apple, 5% other. With a distribution like that, there's hardly any real competition to cause things to improve. Even if Linux is modified to boot in 3 seconds, it won't make Microsoft change anything.
* (This is just a ball park guess to make the point, not warranting for accuracy)
Re: (Score:2)
Q: ...can't we design a computer that can "cold boot" nearly instantaneously?
A: This is an economics blog, so you tell me: why don't the computer companies compete on boot-speed?
(snip)
Even if Linux is modified to boot in 3 seconds, it won't make Microsoft change anything.
I dunno. If it actually turned heads, it would. Windows 95 needed a reboot to change IP address. People would live with it -- assume that's just how computers had to be. When you showed someone (er, the right sort of someone) how you could change IP address on the fly with Linux, they'd be really impressed. I'm convinced that if Linux hadn't shown some portion of impressionable consumers that kind of thing was possible (also, stable multitasking, convenience in CLIs like tab-completion, etc.), those featur
Re:Too many to answer -- I'm not impressed however (Score:3, Funny)
This person needs to learn more about security
You think Bruce Schneier needs to learn more about security?
Re: (Score:2)
Regardless, Schneier's solution is vastly more useful in practice for, well, everyone else.
You still sound like you have no clue who this guy is.
Re:Too many to answer -- I'm not impressed however (Score:5, Insightful)
Consider that a point is being made that you're not getting, because "this person" is not a moron, and generally talks about security as it is actually practiced instead of how it would be practiced if everybody were an expert and made good security a priority. Since people in general will not make security a priority, you have to talk about how people actually behave and how to craft security that will take actual behavior into account.
Re:Too many to answer -- I'm not impressed however (Score:2)
Based on the techniques I use I am able to remember every single password for every single site I use with 99% of them being different
And all of those passwords are:
Right?
This person needs to learn more about security and a different way to go about handling their passwords.
You do realize that this is like suggesting that the Pope learn more about Catholicism, right? Bruce Schneier started as a serious academic cryptographer and branched out into
Re: (Score:2)
Yeah, they are. All of them. Thanks for posting what I figured was obvious and unnecessary.
I strongly doubt it. Especially the part about not being related to one another. That's very difficult to do effectively, without using a strong one-way function.
Re: (Score:2)
First of all, you saying "[Bruce Schneier] needs to learn more about security" is like me saying "the Pope needs to learn mor
Stupid mods fell for my trap! (Score:2)
Mods forever! Dumbness rules!