Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security United States

Bruce Schneier on Security Tradeoffs 129

Anonymous Smile writes "Business Week has an interview with Bruce Schneier on his new book 'Beyond Fear.' He talks about the tradeoffs we've made in the name of increased security. (hint: we've done a poor job so far) Bruce furthers his tradition of being accessible by the non-technical crowd."
This discussion has been archived. No new comments can be posted.

Bruce Schneier on Security Tradeoffs

Comments Filter:
  • Sounds like a good read. Give me Pragmatism over Knee jerk reaction every time..
  • by MoonFog ( 586818 ) on Saturday September 06, 2003 @08:39AM (#6886878)
    Q: You have been critical of efforts to better secure the U.S. and the world in the wake of September 11. What do you think are the biggest mistakes we've made in those efforts? A: I think the biggest mistake is that we've made policy decisions while scared. We've passed laws that are expensive, both in terms of money and fundamental liberties, without giving us a corresponding increase in actual security. In other words, we've made bad security tradeoffs.

    Hopefully some bright men in the EU parliament will consider the laws passed in the USA before they blindly try to copy them into laws applying in European countries..
    • Hopefully some bright men in the EU parliament will consider the laws passed in the USA before they blindly try to copy them into laws applying in European countries

      You might be making the assumption that EU parliamentarians aren't in the firing line of lobbyists and corporate moneymen.

      At least some of the decisions made in the US were with an eye to the "security industry". There's money to be made in the EU too, and it's unlikely they'll have failed to notice. Laws passed which end up giving those in
  • Can't help it... (Score:2, Interesting)

    by SiGiN ( 679749 )

    Q: How do you try to live up to these security principles in your own life? I remember reading that due to flaws in computer security you carry around pass codes on strips of paper. A: That's not because of computer-security flaws, it's because I can't remember all the passwords I need to have. My wallet is already a secure container; it has valuable things in it, and I have a lifetime of experience keeping it safe. Adding a piece of paper with my passwords seems like a natural thing to do. I try to make

    • by drunk_as_in_beer ( 661124 ) on Saturday September 06, 2003 @09:48AM (#6887129)
      Well, I actually find it describes my attitude about things. Yes, I lock my doors and have very tight firewall rules, but this part is important:

      "I'd rather accept the slight risk of attack than constantly live in fear."

    • I try to make my security tradeoffs consciously and willingly, as much as possible. I don't worry about locking the back door of my house much of the time because I know the risk of burglary is slight.

      I guess he's making the informed judgement that readers of BusinessWeek are much more likely to be corporate raiders than cat burglars.

      -a
  • Sounds interesting (Score:5, Interesting)

    by yoshi1013 ( 674815 ) on Saturday September 06, 2003 @08:40AM (#6886880) Homepage
    The whole security thing is very flawed on a number of levels, some of them political.


    We've all heard the absurd stories like a woman being forced to drink her breastmilk (in bottles) to prove it wasn't some type of explosive or whatever the hell they thought it could have been.

    Yet I remember reading on Michael Moore's website about how right after 9/11 he noticed that despite the fact that nail clippers weren't allowed on planes, matches and lighters were because the Tobacco industry had complained to the government that not allowing matches doesn't allow their customers to light up once they get off the plane.

    Later they were put back on the list of prohibited items but it's stuff like that which makes the whole security thing seem totally absurd sometimes.

    • Perhaps they should start thinking about from the other point of view. i think both lighters and nail clippers should be allowed. i highly doubt the next terrorist act on a plane will be due to nail clippers. for god's sake, it has nothing to do with the weapon. as george carlin said "what if you have very strong hands? shouldn't those be banned too?" michael moore is a hippie who has some good points, but nevertheless exists to profit from the atmosphere around him. his point deals with such a slight detai
    • That wasn't just some woman, that was a LAWYER. Big mistake. I wish the news would follow up on that story more.
    • by Fnkmaster ( 89084 ) on Saturday September 06, 2003 @09:39AM (#6887084)
      Like any process administered and regulated by humans, it is flawed, open to manipulation by the many parties with interests at stake, and imperfect in that it will not always catch the bad guys, and sometimes will inconvenience the good guys.


      But we're still better off talking and thinking about it, and consciously making those tradeoffs than just sticking our heads in the sand. These domestic security issues are also so fundamentally visible that they _are_ subject to feedback and criticism by the public - unlike obtuse IRS regulations, the absurdity of, for example, flagging every flyer with a one-way ticket for special security treatment, is eminently visible to every frequent business traveler. And thus there are a lot of us to whine, bitch and complain until something gets done about it.


      I'm much more worried about the invisible stuff than the visible stuff (like nail clippers being banned from planes). The invisible stuff is the pressure exerted on ISPs, credit card companies, technology organizations, encryption researchers, etc. to "help combat terrorism" by reducing security, or opening and releasing personal information to the government. Because, doncha know, "hackers" are terrorists. What's a hacker? Well, you know, those "cybercriminals". And "identity thieves". And you never know who might be doing those things. And maybe tax evaders are also helping the terrorists - aren't they avoiding funding our fabulous military? And what about drug users - well, clearly, they are supporting terrorists, I mean, we saw the government make those claims in ads on TV.


      That "with us or against us" attitude combined with the power of overreaching legislation like the Patriot Act makes me queasy about who or what comes next behind the scenes - the security we don't see at the airport, or in city hall, or on the streets during a festival or parade, and that does give me cause to worry. I don't have a perfect solution, other than that we, the technologically aware and literate, need to push our causes more, be more politically organized, and make sure that some portion of the citizenry is watching what the government is doing, and that we do a better job of getting that word out to the mass media, and to politicians.

    • by deek ( 22697 ) * on Saturday September 06, 2003 @09:59AM (#6887181) Homepage Journal
      • Yet I remember reading on Michael Moore's website about how right after 9/11 he noticed that despite the fact that nail clippers weren't allowed on planes, matches and lighters were because the Tobacco industry had complained to the government that not allowing matches doesn't allow their customers to light up once they get off the plane.

      I remember the days when I travelled via plane to Canada and the US, with my swiss army knife in my pocket. Fat chance of that ever happening again, and I can live with that, I suppose. But nail clippers, matches, and lighters? Does any of this strike anyone as paranoid to the point of absurdity?

      The ironic thing is that any determined terrorist will find a way to do what they need, without having to resort to any of the banned items. Do you want to threaten someone with a dangerous object? There's many devices other than metal knives that will do the job. Want to set fire to something on a plane? The whole chemical world abounds with ways to ignite things. Want to clip your nails on a plane? Hey, any smart terrorist can find a way to make sure their nails are decently manicured before they hijack the transport they're on.

      Let's face it. Security is not provided, in any way, by banning a whole bunch of little items. It is just a panacea for a nervous public, looking for action after some very troubling events. It is there to bolster confidence by providing a false sense of security. Succinctly, it's a PR exercise.
      • The ironic thing is that any determined terrorist will find a way to do what they need, without having to resort to any of the banned items.

        This reminds me of the time, just after the shoe bomb incident, of the security check guard that forced me to put all the cables from my laptop bag (mouse, power, ...) in my suitcase as they could be used to strangle people. Of course, my leather belt and shoe laces were perfectly acceptable on board in hte cabin. I started to ask questions but once they asked me to m

      • The problem with boosting confidence in this way is that people will get a false sense of security. While there is no point in causing unneccessary alarm, if people feel secure because of these measures then there is more of a problem than if these measures were not introduced because they will be less vigilant, believing they are perfectly safe as they did pre-11/09 (dd/mm, the UK way!). While it is more comforting to live in blissful ignorance the shock caused by awaking from that dream a second time coul
      • Give that man a cigar, and something to light it with!

        What was the mistake that was made on 9/11? If you believe in the 80/20 rule, there's just one answer.

        Open cockpit doors.

        It should probably be called the 99/1 rule in that case. A closed cockpit would have been enough to prevent the destruction of high value ground targets and 1000s of lives. It would have reduced the potential loss by at least one order of magnitude, probably two.

        And the irony is that airline security experts already understood t

      • any determined terrorist will find a way to do what they need, without having to resort to any of the banned items.

        For example, a wild-eyed terrorist brandishing some ragged piece of heavy plastic toilet seat ripped out from the airplane restroom/closet.

    • Oh, I'd like to get a picture of that...Oh, in bottles...forget it.
  • Schneier speaking (Score:5, Informative)

    by scubacuda ( 411898 ) <<moc.liamg> <ta> <aducabucs>> on Saturday September 06, 2003 @08:42AM (#6886886)
    Schneier's talks are incredibly accessible, especially when you consider how accomplished he is.
    • designed the popular Blowfish encryption algorithm
    • his Twofish was a finalist for the new Federal Advanced Encryption Standard (AES))
    (I heard him talk about a year and a half ago)

  • Bruce talks a great deal about security tradeoffs. Despite the fact that he's a big security guy, he states that he doesn't lock his back door, because I know the risk of burglary is slight. A security expert who cannot be bothered to turn a knob on his door... eh, what?

    Well, how would he know the risk of burglary? The risk of burglary is so multifactorial, does he just go on the statistics in his city as a whole? Does he consider taking into account that maybe there's been a rash of burglaries in his
    • Bruce talks a great deal about security tradeoffs. Despite the fact that he's a big security guy, he states that he doesn't lock his back door, because I know the risk of burglary is slight. A security expert who cannot be bothered to turn a knob on his door... eh, what?
      Surely, now everyone's read this, all his local burgulars will pop round to steal his TV when he's away at the next book signing?
    • Well, how would he know the risk of burglary?

      He said:

      People have an innate sense of risk. It's a product of millions of years of evolution.

      I guess - putting words in his mouth - he would say his estimate of the burglary risk falls into this innate sense. He has a rough idea how often burglaries occur, he knows how accessible his back door is, and so on. It is in the case of exceptional or unfamiliar risks that people are not able to use their innate sense and are more likely to make or accept very

    • by Frater 219 ( 1455 ) on Saturday September 06, 2003 @09:15AM (#6886991) Journal
      A security expert who cannot be bothered to turn a knob on his door... eh, what?

      I used to work for a guy who had a saying on this subject: "Locks are to keep your friends out." That is to say, security measures impose barriers to unauthorized access, but these barriers are only so high -- if you have enemies willing to break down your door, locking it will not help you; if you don't, what function does locking serve?

      Well, one function of a lock, or a password, is its social effect: it says, loud and clear, "Keep out -- this place is only for those who have the key." Most people want to think of themselves as nice and respectful people. Most people aren't crackers or thieves, and will respect a security measure simply because someone went to the bother of putting it there. Against these people, you set a password on your account simply so they will realize it is not a public resource. You lock your machine room door so they won't wander in randomly in search of a terminal to check their email.

      Securing things against concerted attackers is different from securing them from wandering friends. You rarely need to enact security measures that will keep a concerted attacker out forever -- only ones that will keep him out long enough for you to notice his assault and cuff him. Bank safes are rated in minutes: rather than proclaiming a safe "uncrackable", the rating states how long a certain level of attacker will take, to crack the safe. So as long as the bank has their security guard come by more often than that, it doesn't matter that the safe isn't perfectly uncrackable.

      • Yes, absolutely (Score:5, Interesting)

        by The Tyro ( 247333 ) on Saturday September 06, 2003 @09:34AM (#6887069)
        it's truly a matter of providing a deterrent... "target-hardening" as we used to call it in the military. Make a task too difficult, and the perp will move on to easier pickings, it's human nature.

        Many home burglaries are done by youths, or people looking for easily-fencable goods (typically to support a drug habit of some kind)... few are done by pros. Some burglars will simply go around a neighborhood, trying doors until they find one that's unlocked. A simple deadbolt would go a long way toward deterring this kind of casual thief.

        The professional is a VERY different animal, whether he's a car thief, or a home burglar. The determined car thief will bring along wheel dollies and a panel truck/trailer if he really wants your car... he might even line that trailer with metal screen if he's out to defeat your LoJack transmitter. Bottom line: it's very difficult to guard against a calculating, intelligent, and determined thief.

        That said, simple measures will go a long way... to not even take simple measures to secure your home might even open you up to legal liability. If you have a pool, you must provide a secured enclosure or gate, lest a neighborhood kid drown (and you would be sued, likely successfully, for not having taken such a "reasonable" measure). If you own guns, it might be argued that you had the obligation to lock your doors... I certainly wouldn't want to be sued because a gun I owned wound up on the floor of a neighborhood Stop-N-Rob, next to a dead clerk, simply because some crystal-meth user was able to simply wander into my home and steal said gun... I can think of more than a few plaintiffs' attorneys that might argue that angle in a wrongful death suit.

        • Re:Yes, absolutely (Score:4, Insightful)

          by bobthemonkey13 ( 215219 ) <.keegan. .at. .xor67.org.> on Saturday September 06, 2003 @12:34PM (#6888046) Homepage Journal
          If you own guns, it might be argued that you had the obligation to lock your doors... I certainly wouldn't want to be sued because a gun I owned wound up on the floor of a neighborhood Stop-N-Rob, next to a dead clerk, simply because some crystal-meth user was able to simply wander into my home and steal said gun... I can think of more than a few plaintiffs' attorneys that might argue that angle in a wrongful death suit.

          You know, it's interesting to take those comments in a computer-security context. Compromised machines are often used to send spam, conduct DDoS attacks, and otherwise wreak havok on the Internet -- many of them compromised by script kiddies, the "crystal-meth users" of the Internet. It seems odd then that while the average gun owner knows to take at least basic security precautions with his/her weapon, the average computer owner isn't even aware that a broadband internet connection can be used as a weapon.

          How can user awareness be raised? Hell if I know. But it needs to be done: right now the Internet is like a row of houses where 90% have a loaded AK-47 lying on the front doorstep.

        • If you've read any of his security stuff you'd know that he says that security is the combination of protection, detection, and reaction. At each stage you have to weigh the costs versus benefits. Bruce has simply said that he has weighed the cost of the protection and decided that the limited benefit he gets from locking his back door is not worth it. He's decided that anything short of encasing his house in steel is only going to add limited protection, so why bother. This doesn't mean that he hasn't impl
        • Agreed - 3 doors down from my house is a neighbor who's house is the most "hardened" in the area - security gates, alarms, fences, lights - you name it.

          Recently, a group of pros hit the neighborhood. His hardening stood out, so they must have figured he had something to loose - they cut his alarm cables (redundant - the cut BOTH), took a ladder, and removed the bars on an upper floor window, and broke in.

          BTW they hit four other houses in the area that day, and all were the ones with obvious security

          My n
      • A colleague of mine who works for Kryptonite says in response to every smart ass (who has the great lock breaking solution) is that, with security, money is only buying you "time and noise". In other words, any detirmined thief will get in. The price we pay is to delay him and make it noisy to get in.
      • There two types of breakin, one where they want to get into YOUR house (frankly you can't really stop someone veery determined), and where the person wants to break into A house. To protect yourself from people who want to break into A house, what you need to do is to present yourself as a worse (in terms of risk/benefit) and someone else. Fitting great lock might infact just label your house as having good stuff inside to steal rather than protecting it better.

        James
      • I used to work for a guy who had a saying on this subject: "Locks are to keep your friends out." That is to say, security measures impose barriers to unauthorized access, but these barriers are only so high -- if you have enemies willing to break down your door, locking it will not help you; if you don't, what function does locking serve?

        It gives the burglar a reason to break a window. That's probably not the purpose that was intended. A pretty decent example, really.

    • Perhaps he uses other anti-burglary devices [imdb.com].
    • by Swanktastic ( 109747 ) on Saturday September 06, 2003 @10:36AM (#6887390)
      a lot of the "security" we've put in place post-911 is truly window-dressing.

      I agree with you 100%. This response isn't arguing with your post, but your post did remind me of some thoughts i've had on this matter. The vast majority of the expenditures post 9/11 have been made to make people feel safer, rather then to actually increase their mathematical likelyhood of being safe.

      In a sense, though, making sure the passengers feel safe is far more important than actually making them safe. I'm not trying to trivialize airline accidents, but we all know that hopping in a car is far more dangerous than hopping in a jet plane. The FAA doesn't have such strict regulations to bring down the number of crashes every year from 4 to 3. Those kind of numbers don't mean anything to the average person. Humans have a fundamental misunderstanding of the statistics involved, and no one would fly if they perceived the industry to be unsafe. I consider myself a rational person, and I know all the statistics, but I still feel less safe in a plane than I do in a car. No amount of improving the 'actual' security will change that. If you've ever taken a decisions sciences course, you'll know that even the brightest people in the workforce don't make perfectly rational decisions, but rather base them on stupid little things like the order that information is presented in.

      What will change everyone's fear of flying is "window dressing," and, yes, I'm willing to pay the 9/11 security tax (or whatever it's called) to fool myself into thinking that there's probably not a terrorist on the plane. The government's role isn't just to operate in a vacuum and take actions that improve safety. The US government also has an obligation to maintain confidence in the airline industry. If having armed guards standing around the airport makes people more likely to fly, then it makes sense to have armed guards, regardless of their statistical effect on safety. And yes, I'm aware that all in all those armed guards are a waste of money. But, you have to make decisions within the constraints of your environment, and I truly believe that no amount of statistical understanding will change the way that the average American or non-American makes the decision to fly or drive.

      Spending money to change perceptions is sometimes a rational tradeoff. However, reducing freedoms in order to increase perceptions of safety is simply not a reasonable tradeoff.
    • Bruce talks a great deal about security tradeoffs. Despite the fact that he's a big security guy, he states that he doesn't lock his back door, because I know the risk of burglary is slight. A security expert who cannot be bothered to turn a knob on his door... eh, what?

      I came home one day from a long business trip. Spouse and kids were out of town. Noticed that the spouse had locked the inside basement door as usual while I was away. Heard a funny noise from the basement, thought "I must get down and

    • A security expert does not mean a paranoid person. A security expert will analyze the risks of a given situation, object, whatever. Then the security expert would determine a number of responses to that risk, and weigh whether the response to a risk would be effective, in terms of both cost and effectiveness. Therefore, as Bruce is a security expert, he has looked at the risk of burglary, determined at least one response (lock the door), and weighed the cost of that response. In his analysis of the risk
    • A security expert who cannot be bothered to turn a knob on his door... eh, what?

      It's a bit more complicated than that when you think about it. If the risk of burglary is slight then at what stage do you:

      • turn back from the start of a long trip to lock your door (or check that it is locked if you're not sure)
      • get out of bed on a cold night to lock the back door

      Why not call a neighbour when you reach your destination or rely on the dog sleeping in your laundry to scare away any intruders?

      Anywa

  • Security and reality (Score:3, Interesting)

    by nemaispuke ( 624303 ) on Saturday September 06, 2003 @08:48AM (#6886908)
    Where I think the problem in post 911 security is awareness, and this is a people problem. Bruce is right, people that are more aware of their surroundings can easily notice things out of place. Instead what do we get from Wahsington, fear mongering and freedom stifling laws and legislation. The 911 attacks more than likely could not be easily duplicated since (at least in theory) we are aware of how they did it and (hopefully) in a better position to stop it. The bigger question is what are they planning to do in the future? And putting the entire population of the U.S. in under almost continuous surveillance is not the answer. It is not unlike other intelligence efforts, who is going to analyze all of that data? It wasn't all tha tlong ago that the director of the NSA stated his staff couldn't process all of the information they were gathering. Hopefully Bruce's book points out some simple steps that will actually improve security without "breaking the bank", be more effective than most of the current measures, and that some people in Washington actually read it!
  • Good read... (Score:3, Interesting)

    by Mr. L33t ll4m4 ( 704726 ) on Saturday September 06, 2003 @08:51AM (#6886912)
    It has been a long time since I have ever seen someone who has the ability to comunicate tech ideas to those who are "non-tech." Unlike most security experts Bruce Schneier seems to use the "uncommon" common sense approach. In the interview Bruce states "There's so much stupid security out there -- in airports, in office buildings, in the government. I wanted to give people the ability to see why some things are stupid and -- to the extent possible -- how to fix them. There are many dangers in the world, both real and perceived, and it's my hope that the book gives people a realistic sense of how to deal with risks and threats." If the US would adopt this man's ideas I would not be astounded by how much money the government would save and how much more secure we would all be.
  • by turkeyphant ( 648612 ) on Saturday September 06, 2003 @08:54AM (#6886919) Homepage Journal
    Q: There's a dialogue going on right now about the Patriot Act. You have often stated that you think parts of this act are misguided or not terribly effective. Which parts and why?
    A: One of the problems with making security tradeoffs is that there are many overlapping security concerns. The Patriot Act has given the government and police unprecedented powers. Many of these powers are Draconian and fly directly in the face of a free society.

    Of course, if you assume that the government and the police are 100% benevolent and good, there's no reason not to give them ultimate power. But history shows, in this country and abroad, both that power corrupts and that even an honest organization invariably includes a dishonest few.
    I agree with a lot of what he says, but I wish he would actually answer what the questions ask instead of simply stating the obvious...
    • I agree with a lot of what he says, but I wish he would actually answer what the questions ask instead of simply stating the obvious...

      This is the long form of "No comment."

      Many times, I have seen politicians do this, and when a reporter persists repeatedly for a real answer to the question, the politician just gives him a sour look, as if to say, "Now, at this point, you're supposed to play by the 'rules,' be a good doggie and just go on to the next question, goddammit!"

      • Yes. Personally, with such expertise, I think he could and should have been a lot more ruthless in his diatribe against the Patriot Act.
        • Which is kind of surprising that he wasn't.

          Politicians use double-speak when they're trying to evade tough questions without admitting they're evading them. But you would think he'd want give chapter and verse to a question like that, and should have.

          • He called it "draconian" and said it's powers "fly in the face of a free society," which seems like pretty unreserved criticism to me. What do you guys want from him, a Slashdot-style rant in a single long paragraph replete with poor spelling?
            • What do you guys want from him, a Slashdot-style rant in a single long paragraph replete with poor spelling?

              Of course not. Simply a specific answer to a specific question: "which parts and why". Saying generally that the Patriot Act gives way too much power to law enforcement, is obvious and correct, but simply making a generic negative comment about the Patriot Act is not germane to the specific question. Which powers? The ability to kick in your door at 3am without a search warrant? And why would t

            • He called it "draconian" and said it's powers "fly in the face of a free society," which seems like pretty unreserved criticism to me. What do you guys want from him, a Slashdot-style rant in a single long paragraph replete with poor spelling?

              No, a small paragraph with spelling and punctuation errors will be enough;-)

              OK, I know, it's a pretty bad attempt at being funny. Hopefully, this post itself doesn't contain too many errors...

      • No, this was the long form of "Buy my book." Ain't nothing wrong with that.
    • Unfortunately, some of this "obviousness" is lost on the media lately. They've completely lost sight of the fact that the FBI, CIA, etc. have been well known (internationally as well as locally) for their less-than-ethical ways of doing "business".

      It needs to be restated.
      • Maybe so, but he could at least go into more details instead of dumbly quoting Lord Acton. Most people are aware that power has a tendency to corrupt, but they would be more worried if they were given examples of how their governments abuse privileges.
      • by Rutulian ( 171771 ) on Saturday September 06, 2003 @03:21PM (#6889039)
        They've completely lost sight of the fact that the FBI, CIA, etc. have been well known (internationally as well as locally) for their less-than-ethical ways of doing "business".

        You know, the "power corrupts" comment is fairly common, but I think the issue is more complicated. Power certainly does corrupt a lot of people, but I don't think organizations like the FBI or CIA seek legislation like the Patriot Act because they are power hungry. They do it to make their job easier. Youth curfews, for example, are usually supported/sought by local police departments because it is easier for them if they can just tell a group of kids to go home. Some groups of kids will get into trouble if left unsupervised, but catching them in the act is tricky. So rather than try to catch individual acts of vandalism (or whatever), they would prefer to just keep all juveniles off the street.

        Now, the argument should be whether we should allow them to make their jobs easier, and you have to address this issue on a case by case basis. I think most people would agree that not allowing weapons on board aircraft is a reasonable measure. However, I think most would agree that overarching legislation like the Patriot Act is certainly not reasonable. Both make the jobs of the enforcing agencies easier. But one is simply a deterrant, and the other allows for circumvention of judicial controls, like due process.

        The problem is, a lot of enforcement agencies see due process as a hurdle they have to cross to catch criminals. Criminals can get away because you don't have a search warrant, or you don't have a wiretap warrant, or the evidence isn't sufficient.... In other words, you can't just look at somebody and say "I think he might be up to something" and throw him in jail. I think it is important for law enforcement agencies (and legislators) to realize that due process is important because, yes, people do make mistakes, and suspicious looking activity can be legitimate. So as for my original point, no I don't think this is just about a power struggle.
        • "You know, the "power corrupts" comment is fairly common, but I think the issue is more complicated. Power certainly does corrupt a lot of people, but I don't think organizations like the FBI or CIA seek legislation like the Patriot Act because they are power hungry. They do it to make their job easier."

          This is rather naive considering the history of these organizations and the way their abilities have been courted and abused by various powerful interests. At one time J. Edgar Hoover had most of Washingto
  • Secure my ass (Score:3, Insightful)

    by jabbadabbadoo ( 599681 ) on Saturday September 06, 2003 @08:59AM (#6886934)
    Security will never be a solved problem, because people are involved. No matter how secure a system is from a technical standpoint, people can ALWAYS circumvent it. It is a mathematical fact. But we can improve immensely, and that is the point of Bruce's book.
  • by Anonymous Coward
    I don't worry about locking the back door of my house much of the time because I know the risk of burglary is slight.

    Not anymore....

  • by mariox19 ( 632969 ) on Saturday September 06, 2003 @09:05AM (#6886956)
    I don't worry about locking the back door of my house much of the time because I know the risk of burglary is slight.

    Would somebody google his address and get back to me? I'm in the market for a new television and stereo!

    • Would somebody google his address and get back to me? I'm in the market for a new television and stereo!

      That's too bad, all you'll get is a folding chair, and an old 486.
    • Particularly when it comes to weaknesses in their security procedures. :)

      www.eviloverlord.com
      Rule #9. I will not include a self-destruct mechanism unless absolutely necessary. If it is necessary, it will not be a large red button labelled "Danger: Do Not Push". The big red button marked "Do Not Push" will instead trigger a spray of bullets on anyone stupid enough to disregard it. Similarly, the ON/OFF switch will not clearly be labelled as such.

      Rule #65. If I must have computer systems with publically ava
    • You know, he never said why the risk of burglary was slight. I can just see the hapless criminal opening the unlocked door only to face Bruce's beloved Pit.

      "Err, Spuds??...."

      • My own favorite version of this is the burglar enters a dark room and hears "God is watching!", the burglar looks around and sees a parrot who again says "God is watching!". The burglar asks "What are you God?" to which the parrot replies "No, I am John the Baptist." The burglar then asks "Who in their right mind names a parrot 'John the Baptist'?" The parot replies "The same person who names his doberman 'God'."

        -Rusty
  • equilibrium (Score:1, Troll)

    by gustgr ( 695173 )
    This tradeoff between security and freedom makes me remember that movie called Equilibrium, where people was prohibited to fell because felling and emotions are the cause of wars and terrorists acts.

    Maybe USA wants to lead the world to a society like that, but it is appropriate to remember that USA doesn't own the Earth.

    • by Anonymous Coward
      This tradeoff between security and freedom makes me remember that movie called Equilibrium, where people was prohibited to fell because felling and emotions are the cause of wars and terrorists acts.

      Man, I know what you mean.

      Like, one of the Hatfields next door felled a tree on our property, hell, they felled several of them (said they needed the firewood or some bullshit, would have given them bullshit if they'd just asked, but we like our trees), and we've been exchanging war-like and terrorist acts e

    • that movie called Equilibrium, where people was prohibited to fell because felling and emotions are the cause of wars and terrorists acts.

      Interesting... Did they ban proper grammar and spelling too, because they lead to wars and terrorist acts? ;) Seriously, 'prohibited to fell'?
      • I am sorry, but english isn't my native language. I am brazilian and I speak a great and good portuguese. You can be sure that I wouldn't laugh you if you made a mistake while trying to learn portuguese or another language.

        I have not the enough money to travel abroad and get used to speak and write in english, so forgive me.

        • Sorry, didn't mean to rip on you there, it just sounded funny ;) My Japanese skills aren't too good, so I probobly shouldn't be criticizing....
  • the security myth (Score:5, Interesting)

    by kraksmoka ( 561333 ) <grantstern@gmYEATSail.com minus poet> on Saturday September 06, 2003 @09:13AM (#6886981) Homepage Journal
    or better, an illusion. i know that my mac is suceptible to the very next worm, virus, file infector, buffer overflow, etc. but reading that there isn't a single virus out there for OS X is a great re-enforcer of the feeling of invulnerability i project to all the winbloze using schmoes out there.

    really, the post 9-11 security craze is nothing more than a jobs program for the security industry. sure, the security here still sucks, it sucked before too. we're a (sometimes and mainly in theory) free society, but mostly an open society. we do make social exclusions, but really, we accept anyone as a neighbor (tho neighbor in another city if we don't like you, thanks, and don't forget to mow the lawn on the way out). we play security like its a game. we dodge our own security just to prove it can be done.

    face it, security is an illusion. i'm more likely to die crossing the street (especially in my hood) than from a terrorist attack.

    • security is an illusion

      True, but so is the stock market, and the economy as a whole.
      As The Onion [theonion.com] so scatalogically pseudo-quoted a leading Democratic Presidential candidate:

      Calling the American people's enormous shit-belief capacity "one of the cornerstones of our democracy," U.S. Sen. John Kerry (D-MA) stressed that it is the patriotic duty of all citizens to grant our leaders the benefit of the doubt with regard to their shit.
      "If the American people are no longer willing to believe this shit, wh

  • FBI Guidelines Value Security Over Privacy By Jeffery L. Bineham
    St. Cloud Times 26 June 2002: 5B.

    At first blush the new FBI guidelines appear harmless and reasonable. When Attorney General John Ashcroft announced on May 29 that agents would be allowed to surf the internet, use commercial databases, visit any public place, or attend any public event, my reaction was disbelief that previous guidelines prohibited such commonplace activities.

    As Ashcroft noted, "even a 12-year old" can surf the web, just as any citizen can frequent public events and public places or employ databases to gather information. The FBI should have the same rights to gather information as everyone else. And the need to gather that information is greater in this time of increased threat. As President Bush indicated, "The FBI needed to change. The organization didn't meet the times."

    But the first blush doesn't always coincide with the final conclusion. We might decide that the new guidelines are justified and necessary. Before we do that, however, we should examine the premises that undergird this policy change, and we should consider what the new policies imply with regard to our security and our privacy.

    The new guidelines are based on two premises. The first is that we have entered a more dangerous era that justifies new investigative procedures. But have we? The threat of future terrorist attacks on U.S. soil is no greater now than it was before September 11. Perhaps, given increased security and awareness, it is less. So one objection is that neither the domestic nor foreign situations have changed enough to justify revisions in FBI policies.

    The second premise is that the same standards of information collection should govern FBI agents and ordinary citizens. But significant differences exist between agents and non-agents, so that when an ordinary citizen surfs the web or attends a political meeting it is a fundamentally different activity than when an FBI agent surfs the web or attends a political meeting. The agent is in position to collect data into a file, to build a case, to set the stage for an arrest, and thus to intimidate. The history of the FBI certainly makes this fear credible.

    Still it seems reasonable to allow FBI agents access to means of observation that are available to other residents of the United States. Recent polls indicate that the public is willing to concede more investigative powers to the FBI, so my hunch is that most citizens will accept the two premises I have presented here.

    But even if the new guidelines are justifiable, they are still unnecessary, because the FBI may already engage in these activities. The only requirement is that they establish suspicion of criminal activity. The requirement is not stringent. Indeed, the old guidelines allow preliminary inquiries of 90 days during which the FBI can conduct web searches, engage in surveillance, utilize data collection services, and employ other investigative techniques even without indication of criminal activity. The new guidelines allow the FBI to engage in these activities for a year even if the investigation reveals no criminal activity. In sum, the FBI can now use these procedures not simply to investigate suspicions of criminal conduct, but to generate the suspicion in the first place.

    So what does this mean? The FBI can document what you say in internet chatrooms or in religious and political meetings. They can ascertain what magazines you subscribe to or what books you buy. They can access your credit profile, your telephone records (made many international calls lately?), and your travel itineraries. And they can do this without any evidence of a crime or a potential crime. None of these changes in domestic policies increases their abilities to monitor international terrorist organizations. The FBI already has wide latitude to conduct foreign investigations without evidence of criminal activity. The new guidelines apply only to domestic surveillance.

    • FBI Guidelines Value Security Over Privacy By
      Jeffery L. Bineham
      St. Cloud Times 26 June 2002: 5B.
      [...]
      As Ashcroft noted, "even a 12-year old" can surf the web, just as any citizen can frequent public events and public places or employ databases to gather information. The FBI should have the same rights to gather information as everyone else.

      That's a pretty good idea. Put the FBI behind SurfWatch or NetNanny or whatever and have them really surf the net like 12-year-olds. Of course, most 12-year-olds a

  • by cyberguyd ( 50420 ) on Saturday September 06, 2003 @09:24AM (#6887030)
    Bruce states that the only two measures to do any help is the reinforcement of the cockpit doors and the teaching of passengers to fight back. Citizens of the US for the most part do not want to be bothered with their own security. It is the same with handguns. I own one and believe I have every right to do so. Citezens need to stand up for themselves and be be prepared to defend themselves and those close to them. The government and police cannot be everywhere all the time, not that would be good either. When you are in your home or a plane it will take some time for the protection services to show up. There is a window of 2 minutes to 2 hours where each person may be called upon to defend themselves.

  • by epsalon ( 518482 ) * <slash@alon.wox.org> on Saturday September 06, 2003 @09:30AM (#6887047) Homepage Journal
    Bruse Schneier's house was just broken into from the back door. The burglars apparetnly looked for his wallet, and took money and some slips of paper with passwords on them.
  • by Crixus ( 97721 ) on Saturday September 06, 2003 @09:38AM (#6887082)
    Once again, Schneier shows why he's at the top of his game. Perhaps we should petition to get him and Lessig together to do a radio show (not that either of them have any time to do this).

    Geeks would be in their glory.

    Rich...
  • Why is it when I searched google for "Bruce Schneier" the first ad on the right was "Work at Google, Google is looking for software developers..."

    Does google want to hire Bruce Schneier?
    • Maybe they want to hire people that are interested in reading about Bruce Schneier's work. After all, that generally means that you aren't some MCSE that only cares about programming in VB or Java or some other worthless language.
      • Have you read any of Schneier's work? I am guessing here, but if your suggesting that Bruce would prefer a language like C/C++ to java (esp. w.r.t security) you're absolutely nuts. He's got a long rant in Practical Cryptography where he goes off on the industry as a whole for continuing to use (for thirty years) compilers/langauges that don't automatically do bounds-checking. He interprets such things as gross negligence on the part of the computer industry. If I guessed wrong, then please ignore this comme
        • ...but he also mentions how with Java, it's basically impossible to protect your secret data, since you have no idea when an object will be finalized and can't satisfactorily overwrite the memory it was using.
          • Impossible? Not at all. The trick is to use arrays of bytes and characters instead of, say, the native string object (which is difficult to control as you say). I agree that both require the programmer to be extra careful, but it is unlikely that a sloppy programmer mistakenly using string objects is going to result in the same type of exploits that buffer overflows do. The point is that in c/c++ the mistakes you are capable of are far worse (in general than with higher-level language). I use c++ everyday,
            • I haven't checked the specs on this and I imagine that using char/byte arrays would probably work with all current JVMs, but I don't believe there's anything to stop the JVM giving you a new array and writing into that when you overwrite an array.

              I also wish the industry would adopt something better - but I don't think Java's it. Even assuming JVMs aren't allowed to (effectively) negate your work overwriting arrays, use of byte and char arrays is a long way from ideal - ideal would be having a language wh
              • i agree with you on many counts. my original post was aimed at the guy suggesting that schneier would prefer everyone use c/c++ instead of wussy languages such as java or vb. i don't think java is the answer either, just that it is a step in the right direction. as for your comment above, a jvm could easily give you a new block of memory, but an OS can also swap your entire app to disk, and when your c++ app wipes its memory this may not affect the blocks on disk. so, yes, there's still all kinds of progres
  • I ordered Bruce's new book a few days ago, and after the interview I am definitely looking forward to reading it. I've been using his Crypto book religiously as a reference and I have enjoyed all that I've read. He does have that rare ability to bring technical, complex material down to the layperson's level without "dumbing down" anything.

    What I appreciate most about his interview was his balanced approach -- that security measures since 9/11 are flawed, but we should try to FIX them rather than throw

  • after 9/11 (Score:3, Insightful)

    by steelerguy ( 172075 ) on Saturday September 06, 2003 @10:48AM (#6887441) Homepage
    I read a lot of criticism about the security measures and laws that were enacted after 9/11 and although I do agree that many of the laws give the government too much power and some are just idiotic, it has not affected my life at all. I still can surf the web, including pr0n, send email, drive to work, buy groceries, ride the subway, go to the US Open...etc. More importantly there has not been another terrorist attack on our soil. Is this the new laws and surveilence working or just chance? I honestly don't know, but I have a feeling the laws we so often rip on are the same ones helping to protect innocent lives right now. Could they be better? Certainly, and I think they will get better.

    We rip on the "knee-jerk" reaction, but that is how it works...it is a reflex. If you don't have reflexes, something is wrong. This is the first time something like this happened here, no one knew how to handle it, we are learning.

    On the other hand, we need to keep bitching when these laws go too far. This is how people who will chance things get elected. They listen to the people and their gripes and get the votes. In essence we are watching the process that makes the US a great place. The government goes too far, the people speak out, the government backs off. So keep speaking out.
    • Re:after 9/11 (Score:5, Insightful)

      by cowbutt ( 21077 ) on Saturday September 06, 2003 @11:42AM (#6887752) Journal
      Surfing pr0n is not a big deal, and neither are any of the other activities you mentioned.

      How confident do you feel about visiting all the mosques in your city to speak with lots of muslim people about their faith? (an activity that's harmless, but may cause you to be added to various agencies' watchlist)

      How about participating in non-violent activist groups? (anti-war protestors have been placed on a "no fly list" [progressive.org])

      How about being critical of your government in a highish-profile way?

      All sorts of groups are being classed as "potential threats" these days. You'd be surprised at some of them.

      Also, many of the post-911 laws have been passed with no sunset clause. Legislation generally requires significant effort to be removed from the books when it is no longer needed. Whilst we have (arguably, relatively) benign governments, people are unconcerned ("their power will only be used for good!"), but if an extremist government came to power, all the legislational infrastructure is there to establish a repressive state in no time at all.

      --

      • I completely agree that the activities I mention are no big deal and have caused me no problems or harm since 9/11. I think this is the lives about 90% of Americans led, so the laws don't affect most people. In all honesty, I was just speaking about myself though.

        I would feel completely confident in going to a mosque and speaking to Muslims. If it got me on a watch list, I would not really care either, nor would I probably ever know. Now if I were planning on blowing something up, I might care, but I'm
        • I completely agree that the activities I mention are no big deal and have caused me no problems or harm since 9/11. I think this is the lives about 90% of Americans led, so the laws don't affect most people.

          I was a pretty uncritical and ignorant of western policies until a few years ago. Since the post-911 laws have been passed, I often find myself canceling (or posting pseudo-anonymously) emails, USENET posts and so on wondering whether such posts will get me branded un-British. And it doesn't matter whe

  • The back of his previous book, 'Secrets and Lies', contained enthusiastic quotations [schneier.com] from Mary Meeker, dotcom cheerleader at Morgan Stanley, and from Jay Walker, the founder of priceline.com. Now 'Beyond Fear' elicits yet another effusive remark [schneier.com] from Jay Walker, now founder of U.S. HomeGuard. Is this because Schneier and Walker share the patent [priceline.com] that invented buyer-driven e-commerce? Acknowledge the affiliation, Mr. Schneier...you aren't just slightly ashamed of this patent [uspto.gov], are you?
  • Somewhere on his web site, Schneier comments on how silly it is to ban sharp objects from airliners. Sadly, no other Big Name pundit seems to have noticed this.

    I'll go a step further. This occurred to me soon afte 9-11, but it seemed impolitic and insensitive to say it. But now that people are beginning to realize how out-of-control the whole anti-terrorist thing is, I might as well speak my mind:

    All these anti-hijacking measures are pointless. They might have done some good before 9-11, but they do not

  • Reading the book (Score:3, Interesting)

    by lildogie ( 54998 ) on Saturday September 06, 2003 @08:09PM (#6890486)
    I've read halfway through the book so far, and I'm certain I'll finish it.

    An important message I've taken away is that attacks are very rare. Schneier mentions several times how physically safe we are in open, democratic countries, and contrasts this safety to totalitarian (my word) regimes.

    He also drives home that you can't spend all of your resources on a plethora of one-in-a-million or once-per-century events. Risk analysis is essential.

    Read the book! An interview doesn't nearly do it justice.
  • Bruce Schneier is great! Unfortunately, his 'slight risk of attack' may be a bit higher considering the number of drunk geeks in his town at night who think they know how to get his passwords. I agree with him but there is no point issuing a challenge to these guys right? Hard to imagine he is willfully announcing that he carries on his person at all times but maybe they are encrypted with solitaire?
  • - That's Bruce Schneier, Bruce Perens, and over there is Bruce Eckell. So what's your name?

    - Linus

    - It's not Bruce then?

    - No.

    - That's gonna cause a little confusion. Do you mind if we call you Bruce?

  • This weekend, I had to take a road trip to Long Island, New York with several people, one of whom was to pick up a rental car when we got to the area we were going.

    <anecdote>

    So I did the natural thing -- I pulled up to the airport's departure gate, she hopped out and walked in to the rental agency's counter, and I waited outside in the car. A minute or two later, a security guard walked up and told me, in fractured English, that unless I was helping a passenger with their luggage, I could not stay

Parts that positively cannot be assembled in improper order will be.

Working...