Inside The Twisted Mind of Bruce Schneier 208

I Don't Believe in Imaginary Property writes "Bruce Schneier has an essay on the mind of security professionals like himself, and why it's something that can't easily be taught. Many people simply don't see security threats or the potential ways in which things can be abused because they don't intend to abuse them. But security pros, even those who don't abuse what they find, have a different way of looking at things. They always try to figure out all the angles or how someone could beat the system. In one of his examples, Bruce talks about how, after buying one of Uncle Milton's Ant Farms, he was enamored with the idea that they would mail a tube of live ants to anyone you asked them to. Schneier's article was inspired by a University of Washington course in which the professor is attempting to teach the 'security mindset.' Students taking the course have been encouraged to post security reviews on a class blog."
  • Open network ? (Score:1, Interesting)

    by davro ( 539320 ) on Friday March 21, 2008 @05:24AM (#22817188) Homepage
    I couldn't help but wonder how you reconcile your security mindset with an open wireless network at home. A while ago you proposed an open network in the name of politeness: http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html
  • In security (Score:4, Interesting)

    by Z00L00K ( 682162 ) on Friday March 21, 2008 @05:38AM (#22817232) Homepage Journal
    It's not necessary to have a destructive mindset, but a great deal of imagination and some paranoia.

    Such a personality may be disastrous in many other cases but works well when it comes to security work.

    And remember that most computer viruses in the beginning weren't really malicious - they just were there "because I can". Even those cases have to be taken into account by security people.

  • by evanbd ( 210358 ) on Friday March 21, 2008 @05:52AM (#22817272)

    You can get a port-a-potty delivered without ever providing positive identification. You don't even have to pay for it until it shows up, and they'll happily deliver while you're at work. They're quite used to people preparing to have renovations done by contractors.

    Of course, I would never decide someone else needed a port-a-potty on their front lawn. But, much like the ants, it's something you can't help but notice if you have the right mindset.

  • by TheP4st ( 1164315 ) on Friday March 21, 2008 @05:59AM (#22817296)
    RTFA! "There's nothing magical about this particular university class; anyone can exercise his security mindset simply by trying to look at the world from an attacker's perspective."
  • I have to agree (Score:1, Interesting)

    by 2.7182 ( 819680 ) on Friday March 21, 2008 @06:08AM (#22817310)
    I used to look forward to reading what he had to say - in the 1990's. Now when I see these articles about what the almighty Bruce Schneier says I cringe. He did some decent work, but I think the main reason for his high profile comes from a book which was essentially a derivative of several other classic tomes in cryptography, like Stinson. For me, he has become the Dvorak of security.
  • by strider44 ( 650833 ) on Friday March 21, 2008 @07:04AM (#22817462)
    Why does being invented later mean that it's harder? Usually it goes the other way around - people find better and easier ways of doing things.

    For an example of how hard symmetric key cryptography is consider this: The session key exchange algorithm that is in most common use (Diffie Hellman) was invented in 1976. The public key cryptographic algorithm most commonly in use now (RSA) was invented in 1973. These haven't been broken. The current symmetric algorithm in use was invented in 2000 and the reason is that every previous algorithm was broken. There are dozens of attacks against symmetric algorithms and almost none against public key cryptography. While symmetric cryptography isn't nearly as hard as hashing, it's still pretty damn hard.

    (also, RSA can be implemented in about five lines of code. Not quite as easy for AES)
  • There's a fine line (Score:4, Interesting)

    by petes_PoV ( 912422 ) on Friday March 21, 2008 @08:02AM (#22817664)
    between being "security conscious" and being completely paranoid. When it boils down to it, there's risk involved in everything we do. Nothing is completely secure and there's always a chance that something will go wrong.

    Sadly the world we live in today has massively overestimated the possibility of problems and hugely inflates the effects they will have (in the tiny percent of occasions when they happen). I think this is a side-effect of improved communications: we all get to hear about the 1 in a million disaster stories, but never about all the other times, when everything goes right. This leads us to think that problems are more common than they actually are.

    The great thing about being a security professional is that you can never be proved wrong. If you claim a security hole and it is never exploited, no-one will say you're wrong - just that it hasn't been exploited yet. If we believed everything these guys say, no-one would ever do anything as we'd all be too scared. Personally I think we should avoid the obvious problems, get on with our lives and accept that on a few, very few, occasions we might have to spend a little time sorting out a problem.

  • by Anonymous Coward on Friday March 21, 2008 @09:44AM (#22818462)
    You are only half right. The concept, the algorithm, and the math may be correct, but that does *not* mean the product is secure. One of the key problems with cryptography, indeed with most security, is in its implementation. There is a famous quote from Donald Knuth, it goes something like this: "Beware of bugs in the above code. I have only proven it correct, not tested it." Proof does not make a program correct. So often programmers make small but fundamental mistakes that compromise the security of the concept/algorithm. This is part of what Bruce Schneier is talking about - how is it compromised. It is this issue that makes your first assumption wrong as well: "I could probably invent a reasonable public key algorithm with a maths textbook to hand [...]".
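An added example, not part of the thread and not code from Schneier or the course it discusses, that ties strider44's remark above (RSA fits in a handful of lines) to the Anonymous Coward's point that a correct algorithm can still be undermined by its implementation. The block implements textbook RSA, then runs two checks a reviewer with the "security mindset" would run: the raw scheme is deterministic and malleable (a ciphertext can be altered into a valid encryption of a related message without the private key), and a toy padding layer makes the receiver reject such tampering. The primes, the tag value and the padding layout are constructed toy parameters for illustration; a real deployment uses 2048-bit or larger keys and a standard padding scheme such as RSA-OAEP, not this one.

```python
# Added example (not from the thread): textbook RSA in a few lines, plus
# checks showing why the algorithm alone is not a secure implementation.
# All parameters below are constructed toy values, not real key material.
from math import gcd
import secrets

# Constructed toy primes (about 30 bits each, so n is about 60 bits).
TOY_P = 1_000_000_007
TOY_Q = 998_244_353


def rsa_keygen(p, q, e=65537):
    """Textbook RSA: n = p*q, d = e^-1 mod phi(n). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


# --- Check 1: the raw algorithm is deterministic and malleable ------------

def same_message_same_ciphertext(pub, m):
    """No randomness in encryption: equal plaintexts give equal ciphertexts,
    so an observer can tell when a message is repeated."""
    return rsa_encrypt(pub, m) == rsa_encrypt(pub, m)


def raw_malleability(pub, priv, m, k):
    """With only the public key, E(m)*E(k) mod n is a valid encryption of
    m*k mod n. Returns (what the key holder recovers, m*k mod n)."""
    n, _ = pub
    c_forged = (rsa_encrypt(pub, m) * rsa_encrypt(pub, k)) % n
    return rsa_decrypt(priv, c_forged), (m * k) % n


# --- Check 2: a toy padding layer that the tampering no longer survives ---
# Toy layout (NOT a real scheme): 8-bit tag | 32-bit random | 16-bit message.
TAG = 0xAB
TAG_SHIFT = 48


def padded_encrypt(pub, m, r=None):
    """Prepend a fixed tag and a fresh random block before encrypting.
    r can be fixed for tests; otherwise it comes from secrets.randbits."""
    if not 0 <= m < 1 << 16:
        raise ValueError("toy scheme carries 16-bit messages")
    if r is None:
        r = secrets.randbits(32)
    return rsa_encrypt(pub, (TAG << TAG_SHIFT) | (r << 16) | m)


def padded_decrypt(priv, c):
    """Return the message, or None when the structure check fails."""
    x = rsa_decrypt(priv, c)
    if x >> TAG_SHIFT != TAG:
        return None  # reject rather than act on a tampered value
    return x & 0xFFFF


def padded_malleability(pub, priv, m, k, r=None):
    """The same ciphertext-multiplication trick against the padded form:
    the tag no longer lines up, so the receiver returns None."""
    n, _ = pub
    c_forged = (padded_encrypt(pub, m, r) * rsa_encrypt(pub, k)) % n
    return padded_decrypt(priv, c_forged)


if __name__ == "__main__":
    pub, priv = rsa_keygen(TOY_P, TOY_Q)
    print("round trip:", rsa_decrypt(priv, rsa_encrypt(pub, 42)))
    print("deterministic:", same_message_same_ciphertext(pub, 42))
    print("raw forgery (recovered, m*k):", raw_malleability(pub, priv, 42, 2))
    print("padded round trip:", padded_decrypt(priv, padded_encrypt(pub, 42)))
    print("padded forgery rejected:", padded_malleability(pub, priv, 42, 2) is None)
```

The point of check 2 is the one the Knuth quote makes: the math of RSA is unchanged between the raw and padded versions, yet only the second one refuses a tampered ciphertext. With the toy 56-bit padded value and k=2 the product never wraps past n, so the tag mismatch is certain rather than merely likely; for arbitrary k the rejection is probabilistic, which is exactly why standardised padding schemes are larger and more carefully designed than this one.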
  • by TheRaven64 ( 641858 ) on Friday March 21, 2008 @09:49AM (#22818542) Journal
    Have you contacted the bank and asked if they would be interested in you performing a free evaluation of their network security? Send them your credentials as a security professional and say that you are willing to give them a documented appraisal for free since you are a customer and the security of their system affects you. If they say no, then publish their refusal online somewhere, and approach another bank. If they say no, add them to the list. Start sending the list to consumer groups and mainstream media publications. Then contact another bank.

    If you're in the USA, then good luck finding one that's even remotely secure. My US bank has such a laughable concept of security that I'm very glad I don't keep much money on that side of the pond.

  • by BenEnglishAtHome ( 449670 ) on Friday March 21, 2008 @01:57PM (#22821850)
    This had me flashing back to elementary school arithmetic. It happened to me a hundred times. The textbook showed an equation and made a statement about it. The textbook showed another equation and made a statement about it. Then the textbook showed a third equation and asked "What can we say about this equation?"

    My answers always started the same way. "It's printed in ink on paper." I don't really think that the textbook author expected people to do anything other than to extend whatever line of reasoning had been presented in the previous examples (and I always got around to that) but the open-ended question "What can we say about this equation?" always struck me as license to comment on the clarity of the typesetting or anything else.

    My teachers thought I was weird.

    Later in life, I became involved in competitive pistol shooting. I loved the rule books. They were just collections of hidden loopholes begging to be found. And then came the problems. In some sports it was called the "engagement" rule. In others, it was the "spirit of the rules" rule. They were all the same sort of thing - a way to say you couldn't do anything unexpected. If you looked at a practical defensive scenario and found some completely whacky way to beat it by, say, running between cover in an odd sequence, you'd be found guilty by the officials of "failure to engage" the scenario. No points for you. A guy I knew had trouble seeing sights too close to his face but the rules forbade changing the sight radius (distance between the sights), making it impossible for him to move the rear sight further from his face. He responded by cantilevering both sights forward so that the sight radius stayed unchanged but both sights were now completely forward of the muzzle. It was perfectly legal under the rules as written but his pistol was declared illegal because it violated the "spirit of the rules."

    What amazes me is the hostility this mindset engenders. I'm not shy about saying that I love to parse out the rules and find advantages. I'm not shy about saying that a "spirit of the rules" rule is really just saying "You're not allowed to be smarter than the people writing the rules and running the match." The reaction I get is flaming on message boards and accusations of poor sportsmanship. There are actually people out there who want to punish innovation; at least, that's the way I look at it.

    "Thinking different" makes people feel threatened and act nervous and hostile. I don't understand that. Am I weird, or are they?
  • by Anonymous Coward on Friday March 21, 2008 @02:38PM (#22822258)
    That's because you misunderstood his comment--by definition primes are not factored (whether large or small)--composites are factored *into* primes.
  • by Anonymous Coward on Friday March 21, 2008 @04:11PM (#22823222)
    No incentive to wonder if the attachment from the strangely worded email is a trojan?

    Plenty of incentive to wonder if their dark-skinned neighbor is a Muslim terrorist?

    It's not about incentive. It's about hype, and unfortunately, info sec hasn't gotten enough hype. Have a few media outlets declare that terrorists have poisoned the salt shakers and watch Americans start eating healthier.
