Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Encryption

Bruce Schneier on What He Knows Best 110

Posted by CowboyNeal from the smart-people-on-smart-topics dept.
Over at CSO Magazine there's a wonderful interview with Bruce Schneier, where he talks about cryptography and security. He has several good points, such as the physical security industry versus the IT security camp, and how true security really boils down to people problems. There's some good commentary on post-9/11 airport security regulations as well.
This discussion has been archived. No new comments can be posted.

Bruce Schneier on What He Knows Best More

Bruce Schneier on What He Knows Best

Comments Filter:

  • Here's a link (Score:1, Informative)

    by Sir Haxalot ( 693401 )
    to his website [schneier.com].

  • CSO Magazine (Score:2, Funny)

    by cnb ( 146606 )
    That sounded too much like SCO Magazine :)

    • In related news, SCO sues the CSO Magazine for trademark infringement due the undeniable similarity between the two names and the blatent attempt by the CSO magazine to unlawfully align itself with the SCO Group by using SCO patented methods to similitaneously pump up their stock and destroy their business at the same time.

      In a seperate filing the SCO Group also sued the CSO Magazine for illegally copying SCO IP from the Linux kernel, which is the sole property of SCO. CEO of The SCO Group, Mr Darl McBrid
      • Furthermore, 699 instances of attempted obfuscation had allegedly been detected in which two of the letters of the word 'the' had been reversed in order to spell 'teh'.

        In a countersuit, CSO magazine accuses SCO of violating the DMCA by breaking the encryption used to obfuscate the word 'the'.

  • Bruce (Score:1, Funny)

    by Anonymous Coward
    Paranoia paranoia
    Everybody's coming to get me
    Just say you never met me
    I'm going underground with the moles
    Hear the voices in my head
    I swear to god it sounds like they're snoring
    But if you're bored then you're boring
    The agony and the irony , they're killing me
    I'm not sick but I'm not well
    And I'm so hot cause i'm in hell
    I'm not sick but I'm not well

  • Post-9/11 (Score:1, Offtopic)

    by SunPin ( 596554 )
    This is a stupid term. It is now 2003 in case anyone is checking their calendars. Can we come up with a better term than something invented on Fox?
    • It may be stupid [*], but it's bloody catchy. I don't know how to measure the 'goodness' of a term, but if catchy = good, then it's really hard to come up with something better.

      [*] Come on, the day that really changed the world and you call it A NUMBER? All those other days have good names like Bloody Sunday, but a number... It sounds so empty, so devoid of emotions. Or maybe that's why it's used -- to show the world that America wasn't shaken, that the Star Spangled Banner is still waving (is that why the

      • I think people started referring to the attacks using "9/11" because they were not limited to one place, unlike, say, Pearl Harbor [Day]. It was too hard to refer to the events themselves, so they refer to the day.
    • The point is that he's refering to something that's changed since that date which I won't mention since it offends you. It doesn't matter how much time has passed since then, it changed alot of security procedures. Since he's refering to those specific changes, post-9/11 is the best term.
  • I often wonder why it has to be this way. Wouldn't it be just as logical to make the two place nice? Perhaps if the two fields worked more closely they could actually learn something off each other.

  • Paranoia rules (Score:5, Interesting)

    by Alien54 ( 180860 ) on Saturday October 18, 2003 @11:37AM (#7248375) Journal
    and then there is this article in the Straights Times [asia1.com.sg] about the latest thing in spyware on steroids.

    I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security, etc. Some folks just don't want to be bothered.

    Randon thought - with the decline of things like boot disk viruses, etc, best security most folks can understand is that they are safe so long as they are not on the internet.

    • it should be Straits Times - need morning coffee. of course
    • I can see all of the glazed eyeballs out there as you tell folks that they need to learn about firewalls and computer security

      Well off course, imagine their looks if you told them they had to learn about locks and physicall security!
      All they want to do is buy the lock and not loose the key. That's the problem with computer security: You can't simply buy the lock and try not to forget your password, you need to learn security. Way too much effort for busy people who have other things on their minds.
    • Latest thing? That sounds like NetBus to me. *shrug*

      Face it, people have been breaking security measures since the first one was thought up, and someone is going to come up with a new security measure to try to fix the old one. LOOP.

      The only people benifiting from any of it are the people breaking the security and the people who are paid to come up with the new measures. The rest of us are just left to be vulnerable. Always.

  • Whereas I will be flamed into Hades for suggesting, just suggesting, that "Actually, technology usually IS the solution": Social engineering is the least of your worries. Cryptography, authentication et cetera create the need for social engineering: if you leave the computers without passwords and the serviceman's door unlocked, you can't worry about whatever-you're-protecting being unprotected from social engineering, bribery, and whatnot. Y'know why? What industrial spy (as an example) is going to bri
    • Exactly. Much easier to get a throwaway shell accoutn somewhere to make your accesses less traceable than it is to bribe people to get to the physical equipment. Social engineering is less of a problem because it's harder to carry out without getting caught. Amen to what Schneier says about 'cyberterrorism' hype. I think that instead of trying to prevent these vaguely defined events, people should focus on the other problems with the Net - e.g. script kiddies who get a couple hundred annoying bots set up w
    • Ah, but his point is quite often the computers have passwords, and the serviceman's door is still unlocked. Then someone walks in the door, and in reaction the security people demand blood tests instead of passwords, but still leave the door unlocked.

      What industrial spy is going to bribe the guards when he can telnet? None. But quite often he can't telnet, but he doesn't need to bribe the guards; he can walk in anyway.

    • I am always entertained by my brother-in-law's tales of the physical security around the critical machines in the Army's command-and-control bunkers in Germany in the late 1980s. He was a civilian contractor doing installation and upgrades of the software written by his company. The computers themselves were physically isolated. The room was under armed guard. The guards never knew their watch schedule more than 24 hours in advance. A small number of people entering or leaving the room were selected a

    • Mmm, you do have a point. What happens, though, if you follow your examples backwards through the chain of causation?

      If you have computers without passwords, that's because people didn't put passwords on them. If the serviceman's door is unlocked, it's because the administration didn't make a rule that it should be locked, or because there was a rule but nobody cared about it, or because leaving the door unlocked was the only way to get some other job done.

      In other words, people problems again.

      Thing is,
  • we changed the admin password of a colleague's Win2k machine who'd forgotten his password. But we also reminded ourselves just how important is physical security.

  • Cringely's view on security -- log analysis is key (Score:5, Interesting)

    by GringoGoiano ( 176551 ) on Saturday October 18, 2003 @12:05PM (#7248476)

    Cringely put out an article (Changing the Game: How to Save the World by Taking Back Control of Our Data) [pbs.org] a week or so back emphasizing security through recording all activity in any given IT infrastructure. Cryptographic techniques may be great, but social engineering, cracked buffer overflows, and short-sighted or stupid actions can always leave some crucial data exposed.

    Rather than throwing your hands up when you've found you've left data exposed, or you've discovered some insider has been poking around documents they shouldn't be looking at, you should be able to track down all access to all information at all layers of your infrastructure. You hopefully can uncover traces of specific incidents, find any other similar unnoticed events that are now part of history, and find the culprits.

    So logging and log analysis are key to securing any site. You need to log:

    • web servers
    • DB access
    • app server use
    • custom applications
    • machine login sessions
    • network events
    • key card access to buildings
    • maybe even disk I/O info
    • ... and many others ...

    ... and you need to do it in a way where you can correlate information from all these disparate sources to uncover patterns of abuse. Cringely mentions that Addamark [addamark.com] (he calls them the next "Oracle") is the first company with a viable solution for storing and analyzing the massive logs involved. I've looked at their site, does anybody know anything about this product? Sounds very useful.

    • Yeah, logs are good. Prison sentences are good, too. But they are all after the fact.

      For my own part, postmortems aren't nearly as important to me as preventative measures. But that's just me.

      --Richard

      • Mr. Schneier contrasts problems of physical security with IT security throughout his article and emphasizes that in both domains criminals and terrorists will, at times, hit their mark. (He also implies losses to crime are greater than losses to terror, and that society emphasizes the terror while neglecting sensible countermeasures to crime -- but that's beside the point I want to make here).

        In the physical world criminals always leaves tracks. Fingerprints, footprints, bodily fluids, DNA, personal ef

    • "You need to log:... disk I/O"

      Isn't that recursive?

      I just want to put on file that I put on file that I put on file that I put on file that I put on file that I put on file that I saw somebody read a file on disk. Damn, now I need to report myself.

    • Re:Cringely's view on security -- log analysis is (Score:4, Interesting)

      by Agent Green ( 231202 ) on Saturday October 18, 2003 @01:41PM (#7248878)
      And the best quote on the article regarding those kinds of databases:

      "Definitely. Terrorism is rare, while crime is common. Security systems that require massive databases in order to function--TIA, CAPPS 2--will make crime easier. They'll make identity theft easier. They'll make illegal government surveillance easier. They'll make it more likely that rogue employees of the governments and corporations that maintain the systems will use the data for their own purposes. In the United States, there isn't a government database that hasn't been misused by the very people entrusted with keeping its information safe. IRS employees have perused the tax records of celebrities and friends. State employees have sold driving records to private investigators. This kind of thing happens all the time."

  • Audio Interview (Score:4, Informative)

    by Rabid Penguin ( 17580 ) on Saturday October 18, 2003 @12:15PM (#7248518) Homepage
    He also gave an interview [mpr.org] on Minnesota Public Radio covering similar topics on September 29. Follow the link for a RealMedia archive.

  • An example (Score:5, Interesting)

    by jjohnson ( 62583 ) on Saturday October 18, 2003 @12:39PM (#7248627) Homepage
    I make a weekly trip to put our tape backups into a safety deposit box at a nearby bank. For $35/year, we get bank-level security and convenient off-site storage.

    For the two years I've been doing this, I've had a small, running battle with the president of the branch, who wants to enforce a rule that all use of safety deposit boxes must be done in the booths provided for privacy; presumably, he wants to avoid any appearance of, or liability for, the bank employee knowing what's in my safety deposit box. However, switching the tapes in the box can be done in 5 seconds right there, whereas taking a booth makes it a 2 minute affair. The tellers all know me, so they let me do it right there, except for the couple weeks after a stern policy memo has been issued.

    The reason I don't sacrifice another 1 minute, 55 seconds, is because I don't care that the tellers know--they'd figure something out with my weekly trips anyway. But the real crux is that, putting the tape backups into a safety deposit box makes it one of the strongest links in the security chain. The server room door is always locked, the servers logged off, etc. The weakest link now is that a competitor would offer one of my employees $20,000 to sneak the tape backups out one night. In comparison, the cost of breaking into a safety deposit box, removing the tapes, and returning them after copying, all undetectably, would be in the hundreds of thousands of dollars, if it could be done at all. They can't bribe a teller because the bank has only one of two keys for my box--when I've forgotten my key, I'm SOL.

    This is what Schneier means by system security. Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.
    • Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.

      Isn't that the truth. Years ago a place I worked had a machine on the DMZ script-kiddied. One of my bosses then insisted that we set up a password policy on the win2k domain behind the firewall (which was unaffected by the incident, that's the whole point of a DMZ). The password policy required "strong" passwords - varying case, numbers, puntuation, minumum length..

    • Ummm (Score:2, Insightful)

      by Neon_Mango ( 143057 )
      Ok so lots of valuable company data is moved from your facility to a bank by an employee on a weekly basis? I think the weakest link in the chain is you. I'm just saying what's to stop someone from taking the tapes from you in transit? Sure the bank has good security (cameras, security guards, a vault), and your company most likely has good security too but when your in transit couldn't someone stop you and take the tapes from you (by force if needed)? Just out of curiosity are there any backup software

      • Re:Ummm (Score:1)

        by tyen ( 17399 )

        ...but when your in transit couldn't someone stop you and take the tapes from you (by force if needed)?

        My associates Mr. Smith and Mr. Wesson will be pleased to make the acquaintance of that someone. Actually, I conceal carry a .45 ACP manufactured by a company called Kimber, but few Slashdotter's would recognize that name. I'm one of the principals of the company, so carrying concealed at the office is condoned.


        • So, someone wanting your data badly enough to take it by force can still take it. But you've ensured that they have to kill you in the bargain. Good thinking.

          • Re:Ummm (Score:1)

            by tyen ( 17399 )

            If your data is that sensitive that you can conceive of someone killing to get at it, you hire pros to transport it. There are professional courier services that work with this kind of risk, though they are expensive. Otherwise, life is full of risk, deal with it and move on or continue to cower and whimper on your knees.

            • I quite agree. The point I was trying to make was this:
              Without disputing your right to have a loaded firearm about your person, I don't think it's a very smart way to mitigate the risk of someone stealing your data; or a very smart way to mitigate almost any risk for that matter. Unless you're in law enforcement or the army, the risk from being armed (accident, escalation of otherwise non-fatal assault, etc.) far outweighs the very small chance that being armed will actually be helpful.
              I understand
      • I'm the one who makes the switch every week, unless I'm unavailabe, in which case it's the sysadmin.

        You're sort of right, but not really due to the particular circumstances. The bank is a ten minute drive through a semi-rural/industrial setting, down major roads with lots of cops who don't have much to do. A carjacking is unlikely in the extreme.

        Also, there's just the fact that, since we're a manufacturer of commodity housewares, where industrial espionage itself isn't terribly useful, the risk of an at
        • You started by saying that your secuurity is pretty good, and giving us a breakdown.. now you claim you aren't the weak link, because who would want the tapes?

          That doesn't change the fact that you are the weak link.

          Also, the bank manager has a very good, and valid, point. Wheras you see convenience, he sees the possibility of a complaint down the road, and heck, bank protocol wasn't followed; the employees had information they should not have, which makes them more suspect.

          • I think that the weakest link is one of the employees in the I.S. department (myself included) being bribed to sneak the tapes out. What I was disagreeing with was your characterization of my transporting the tapes as being the weak link. While I can see a competitor laying out for a bribe, I can't see one organizing a carjacking, which would be much more expensive, more risky, and less useful, since we'd know the tapes were gone. What I was disagreeing with was the attack vector you proposed.

            My point a

    • Re:An example (Score:3, Insightful)

      by fm6 ( 162816 )

      Insisting on me using a booth is like upgrading your encryption when users are writing their passwords on stickies attached to their monitors.

      Or like most banks' online transactions, which are encrypted by the maximum key length supported by non-export browsers, but makes no attempt to make its users use high-entropy passwords to access that encrypted data. My own bank just uses my ATM PIN, which only has 10,000 possible values!

      Most security measures serve to make people feel more secure, not make them

      • You are mixing up two things here. Yes, a PIN is easy to brute-force, if the system will allow you to do it. Most will not; after a few wrong attempts, your account is locked. What are the odds of guessing the right 4 digit pin if you only get five attempts?

        You don't need a high entropy password if it's not possible to brute-force against the system.

        Many banks insist that they KNOW what is in a safe deposit box, so you don't put, say, things that could explode, or start a fire, in them. That's not to s
  • ( ... hey I never do anyway!) can I guess that Bruce says something like:

    "Technological solutions don't work for human problems. 9/11, Bush, P2P vs. RIAA are human problems. Cryptography can't help you here either, so look elsewhere. "

    Just a hunch.
  • And why would the Chicago Symphony Orchestra be interested in Bruce Schneier's views on security and such? A better way to keep a Stradavarius safe?

    (No, I didn't RTFA. Why do you ask?)

  • It just popped into my head. It has to be...

    FLESHNET
  • CSO?

    Aren't they the people who are trying to stamp out Lniux with a bunch of frivolous lwasuits?

    Dyslexic lawyers of the world, untie!

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close