Bruce Schneier Talks Brain Heuristics and Security
ancientribe writes "Bruce Schneier is at it again: the security icon shares his latest research and insight on the interplay between psychology and security in this article in Dark Reading. The focus of Schneier's latest research is on brain heuristics and perceptions of security, which may be the basis for the best-selling author's next book. His goal for the topic, which he'll be presenting at the RSA Conference next week, is to focus on how people think, and feel, about security, and how neuroscience can help explain how our perception of risk doesn't always match reality."
Re: (Score:2)
That's assuming they have it. Smart people take Valtrex so they can start sleeping around without using protection while eliminating the risk of a partner giving them herpes in the first place. But of course, the pharmaceutical industry lacks the balls to produce the obvious commercial, an
Re: (Score:2, Interesting)
The best path is to prevent ill will from forming. That is done by convincing the disenfranchised people that they are cared for.
Encryption and ease of use. (Score:5, Insightful)
At one point in the article, Schneier comments on email encryption:
This is a good example, because encryption is in common use on the web. To the end user, using a website over an SSL or TLS connection is no different from using one in the clear. It's almost too easy, which is why browsers have lock icons, color changes, and "You are leaving a secure site!" messages.
Of course, the problem is slightly different, since HTTPS is all about protecting a client-server connection from eavesdropping, not protecting the data itself. Once the data reaches the server, the server is entirely capable of doing something boneheaded with it like saving it in plain text in index.html. Similarly, data sent to the client can easily be printed out and left face up on the car seat.
Client-server connections are easy to deal with, because the only people that need to manage them are the software developers and the admins managing the server. Similarly, it's trivial for an end-user to send/retrieve mail using a TLS-encrypted SMTP, POP3, or IMAP connection.
Email is harder, because it's fundamentally peer-to-peer (layered through a series of client-server interactions), which means the end users actually have to manage a digital identity.
Re:Encryption and ease of use. (Score:4, Interesting)
I have to enter my passphrase before I send something I might regret. This has been a boon to me on innumerable occasions. It means I send fewer emails than I otherwise would, but I don't tend to send anything I'll regret years down the road.
Re:Encryption and ease of use. (Score:5, Insightful)
That, and email encryption is mostly done either through soft certificates or, more commonly, through PGP. There are hardly any mail systems that integrate PGP, although they are available as add-ons. Even so, I believe the user interface is still much harder than, e.g., websites with SSL. Also, as you rightly said, end users not only have to manage a digital identity; most of the time they have to handle the other person's digital identity as well. E.g. here at home I cannot verify any signatures that I can verify on the computer at my work, because I do not have an up-to-date certificate store.
Of course there is also SSL with client-side authentication. Although this is very useful for B2B transactions (web services), you will hardly see any uses for end users, even though both Mozilla and IE have built-in support (although the Mozilla version tended to be broken for a pretty long time, and the IE version also has its fair share of problems).
Re: (Score:2)
I have to disagree with this statement since end users could use a notary to manage this identity. Specifically, I'm thinking of a website that allows users to send and read encrypted messages. One would create an account on the site which would then generate the necessary cryptographic keys; the user could then send enc
Re: (Score:1)
I haven't entirely thought this idea through, but I'm not aware of anyone having attempted such a thing.
Hmm, well, I've been in touch with a company in the Netherlands, http://www.nedsecure.nl/ [nedsecure.nl] who offer pretty much what you're suggesting.
Transparent email encryption through a webserver/webmail portal. So you can send encrypted messages to your clients, they get a notification mail, and can check the mail you sent online. A bit cumbersome perhaps, but well, the technology has probably improved since November 2005, when I saw these guys at some InfoSecurity convention.
Unfortunately, the site seems to be Dutch o
Re: (Score:2)
You can use a cryptographic provider [dekart.com] that can store the certificates and the keys on some sort of media (e.g. a token, smart card or USB drive). When there is a need to use the certificate, the application will ask you to connect your smart card (or whatever it is that you chose to use).
Note: This works with Windows only.
Re: (Score:2)
All the email clients on my computers are configured to leave the messages on the server for a few days. Once I receive a digitally signed email from a friend, that email will be received by all the computers, therefore the credentials of the other party are available.
And if that doesn't help - the CA should make everyone's data available in a public directory.
MUA makes a big difference. (Score:2)
The environments where I've seen the heaviest use of encryption are Lotus Notes shops, because Notes was basically designed around encryption. Granted, it uses some str
Re: (Score:2)
That _could_ be really easy, though. Just one idea for how to do it: when you configure your mail client, it generates a PGP key pair for you (or allows you to specify one), which it publishes on subkeys.pgp.net. Add a widget somewhere that allows you to select signing, encryption, both, or neither. Now everyone can use PG
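The scheme sketched in the comment above (the mail client generates a key pair at setup, publishes it, and offers a sign/encrypt widget), together with the earlier "Encryption and ease of use" point that TLS only protects the hop to the server while email needs each end user to hold their own identity and verify everyone else's, as an added example that is not from the original page, from Schneier, or from any poster. It is a Go sketch using only the standard library: each user has an Ed25519 signing key and an X25519 encryption key, the relay only ever handles an Envelope of ciphertext plus signature, and a recipient can only open mail from senders whose fingerprint they pinned after checking it out of band. The names (alice, bob), the Envelope and KeyStore types and the fingerprint check are assumptions for the demo; the key derivation (SHA-256 over a static-static X25519 secret) is a simplification, not PGP.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PublicIdentity is what a peer publishes (keyserver, signed mail); an assumed layout, not a PGP packet.
type PublicIdentity struct {
	Name   string
	Verify ed25519.PublicKey // checks the sender's signatures
	Enc    *ecdh.PublicKey   // X25519 key that mail to this peer is encrypted to
}
type Identity struct {
	Public PublicIdentity    // the half that gets published
	sign   ed25519.PrivateKey // the half the user must carry to every machine they read mail on
	enc    *ecdh.PrivateKey
}

// Envelope is everything a relay (SMTP server, webmail portal) ever sees.
type Envelope struct {
	From, To   string
	Nonce      []byte
	Ciphertext []byte // AES-GCM; the AAD binds the from>to direction
	Signature  []byte // Ed25519 over nonce||ciphertext
}
type KeyStore map[string]PublicIdentity // one user's directory of peers whose keys they verified

// NewIdentity is the "generate a key pair when the mail client is set up" step.
func NewIdentity(name string) *Identity {
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	ek, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil || err2 != nil { panic("key generation failed: OS randomness source is broken") }
	return &Identity{Public: PublicIdentity{Name: name, Verify: vk, Enc: ek.PublicKey()}, sign: sk, enc: ek}
}

// Fingerprint is the short value two people compare out of band; no relay can do that step for them.
func (p PublicIdentity) Fingerprint() string {
	sum := sha256.Sum256(append(append([]byte{}, p.Verify...), p.Enc.Bytes()...))
	return fmt.Sprintf("%x", sum[:8])
}

// Pin stores a peer's key only when it matches the fingerprint the user verified.
func (ks KeyStore) Pin(p PublicIdentity, verifiedFingerprint string) error {
	if p.Fingerprint() != verifiedFingerprint {
		return fmt.Errorf("fingerprint mismatch, refusing to trust %q", p.Name)
	}
	ks[p.Name] = p
	return nil
}

// aeadFor: AES-GCM from a static-static X25519 secret; a demo simplification (no KDF context, no forward secrecy).
func aeadFor(priv *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer) // errors on a low-order peer key
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Seal is the "sign and encrypt" action: encrypt to the recipient, sign as the sender.
func Seal(sender *Identity, to PublicIdentity, plaintext []byte) (*Envelope, error) {
	aead, err := aeadFor(sender.enc, to.Enc)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nil, nonce, plaintext, []byte(sender.Public.Name+">"+to.Name))
	sig := ed25519.Sign(sender.sign, append(nonce[:len(nonce):len(nonce)], ct...))
	return &Envelope{From: sender.Public.Name, To: to.Name, Nonce: nonce, Ciphertext: ct, Signature: sig}, nil
}

// Open refuses mail from anyone the recipient has not pinned and rejects anything altered in transit.
func Open(recipient *Identity, ks KeyStore, env *Envelope) ([]byte, error) {
	from, ok := ks[env.From]
	n := env.Nonce // full slice expression below makes append copy instead of aliasing the nonce
	if !ok || !ed25519.Verify(from.Verify, append(n[:len(n):len(n)], env.Ciphertext...), env.Signature) {
		return nil, fmt.Errorf("mail from %q: no pinned key or bad signature", env.From)
	}
	aead, err := aeadFor(recipient.enc, from.Enc)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.From+">"+env.To))
}

func main() {
	alice, bob, bobKeys := NewIdentity("alice"), NewIdentity("bob"), KeyStore{}
	_ = bobKeys.Pin(alice.Public, alice.Public.Fingerprint()) // Bob checked this fingerprint out of band
	env, _ := Seal(alice, bob.Public, []byte("constructed sample: lunch at noon?"))
	pt, err := Open(bob, bobKeys, env)
	fmt.Printf("relay saw %x..., bob read %q (err=%v)\n", env.Ciphertext[:8], pt, err)
}
```

The part no software automates is the Pin call: somebody has to compare the fingerprint with the other person before the key store will accept it, and that comparison, repeated for every correspondent and on every machine the private half lives on, is the identity management the thread says end users are being asked to do. Everything else (key generation at setup, a sign/encrypt toggle, a relay that only forwards ciphertext) is mechanical.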
Re: (Score:2, Informative)
Really, it's good that you paid attention in high school. You learned a lot of great rules of thumb that will help you avoid making grammatical errors. But they're just rules of thumb. They don
Re: (Score:1, Informative)
There are plenty of perfectly good uses for the word 'literally'. I counted 6 when I looked in my dictionary.
The "tweed jackets" (nice flamebait there, by the way. I happen to wear tweed every day) have shown that one of the commonly used meanings for the word is vacuous. To paraphrase Wittgenstein, the meaning of a phrase is in its uses. And this possibly figurative meaning can be perfectly exact. Ergo, a phrase can be meant literally and figuratively at the same time.
Re: (Score:2)
Ergo, a phrase can be meant literally and figuratively at the same time.
Schroedinger's cat[chphrase]?
*whoosh*
Re: (Score:1)
"The cat was very sleepy" and
"The cat was literally dying to sleep".
Obviously, in the first case, 'very' acts as an intensifier, intensifying
Re: (Score:2)
WordNet says (and if Princeton isn't good enough for you, then I don't know what else to say):
Re: (Score:2)
* That is 'immovable', not 'repaired'.
Perception (Score:5, Interesting)
Part of the problem is with our perception of probability. We see it mathematically, but we still expect cause and effect rather than randomness. Most users will say things like "why would someone monitor me," not realizing that there's usually no direct causal relation between who they are and the interest others might have in their information, and the question is better put, "how probable is it that someone like me might be monitored."
In other words, we feel relatively safe in a crowd. We are completely visible, but because we cannot see why someone would single us out as unique, we feel obfuscated. All the while not realizing that it's more opportunity than it is causality.
This is why we feel safe sharing information on websites like MySpace, or using our credit cards over insecure wireless connections: because we believe that because everyone else is engaging in this fundamentally insecure behavior, we have safety in numbers. No one will read our blog for information about our identity, no one will try to use our Amazon account to buy electronics.
But they will, with a probabilistically determined frequency.
Re: (Score:3, Insightful)
Take the risk of getting wiped out by an asteroid vs. the risk of getting framed and sent to prison. The former is far less likely (less than 1 in a million), but it also gets people a lot more scared. Your odds of being framed and sent to prison are greater than 1 in 100 over a lifetime (at least in the USA; the odds are far lower in countries with lower incarceration rates), b
Re: (Score:1)
That's a rather extraordinary claim. Do you have extraordinary evidence to back it up with? [overcomingbias.com]
Re: (Score:2)
Your odds vary greatly based on where you are, how rich you are, your gender, your race, your political connections, and other factors, with poor black males in inner cities
Re: (Score:1)
Where on earth do you live? Los Angeles?
In any case, that is certainly not true around here. In small-town Ohio, I doubt if 1% of the population, never mind 10%, has ever done time in prison. I believe 10% is higher than the proportion who have been inside a prison even to visit. I do know a guy who *works* at a prison, and I know several men who have been into prisons at one time or another as part of a ministry... but
Re: (Score:1)
Oh. I'm sorry. I didn't mean to be insensitive.
Good points, poor example though. (Score:2)
But that's still a poor example, because that's a controllable risk. People don't get as upset about it as they do plane crashes or terrorism, because they feel like they have some level of control over the outcome. "W
Re: (Score:3, Informative)
And the perception still gets it wrong if two risks are very similar: Think about the craze because of the H5N1 bird flu. Worldwide we have now ~200 people w
Re: (Score:2)
Shhh! If word gets out, the government might spend trillions of dollars in a War On Fish...
Re: (Score:2)
Do you perchance also have an insightful explanation of why we should be _worried_ about Them monitoring us?
5 tough user-space factors (Score:5, Insightful)
1. Incentives: Most people, especially employees, don't face personal consequences when their PC is infected or the company database gets pwned.
2. Rarity: Most people see security problems as something that happens to someone else. That so few breaches are publicized only enhances the belief in the low likelihood of problems.
3. Hubris: Most people believe they know what they are doing.
4. Boredom: Ask a person to be careful too many times in the face of a relatively low-probability event and they become trained to click "Yes, Install."
5. Sociality: Most people are nice and assume that other people are nice too. They hold the door open for the social engineering intruder, they click on the "cool link", they open email that looks like it might be from someone important. Malware creators prey on our desire to "do the right thing."
Some of these five are easier to address but some reflect deeper realities about being human.
You mean, Bullshit in Bullshit out. (Score:1, Troll)
Some of these five are easier to address but some reflect deeper realities about being human.
And all but one of them have the same solution, Education.
Re: (Score:1)
Half of the security problems we face today are because users don't know whom to trust.
Me? I'm only safe because I hate the popular but stupid crap and am far too lazy to even try new software until I've heard something about it from several people I respect and I have some reason to believe it doesn't contain any nasty surprises (i.e. spyware or adware). I'm also so anti-advertising that the one time I saw a p
Re: (Score:1)
6. Difficulty: Security is hard and unintuitive. How many scams--both online and offline--rely on duping people's epistemology? ("Yeah, I'm a cop. Call this number on the back of my badge to verify.") We're really quite bad at it, and even worse: computers make it especially difficult to tell where a piece of data is really coming from. Did that urgent security pop-up come from Windows, or is it just a GIF on the current website? You an
"Old news" (Score:1, Funny)
When one of the reporters asked for a copy of Mr. Schneier's notes during the presentation, he handed her two pages of ciphertext.
Re: (Score:2)
The poor photographer nodded meekly.
True story.
OT (your sig) (Score:1)
Wouldn't that be, "In Soviet Russia, your country ask not what it can do for you!"?
fear and power (Score:3, Interesting)
It was interesting how Schneier said "you can feel secure even if you're not" - maybe this is also known as herd mentality.
Re: (Score:1)
Hopefully you haven't been reading Niven.
Re: (Score:1)
In a home setting, breaking the glass will make a significant racket. That's not good protection (except insofar as it makes your case with the insurance company more straightforward) against theft that occurs while you're away on vacation for three weeks, or even at work during the day, but it *is* useful against petty break-ins when you sleep at night. Indeed, if the thief is thinking (which, granted, is not always the case) he would probably pick a lo
Re: (Score:1)
Oh.
To be perfectly honest, we practically never lock the doors at my house, and I do feel safe. Not that I am not aware of various possible crimes which potentially could be committed -- on the contrary, I am fully aware that those things could happen, or for that matter that the house could burn down, or any number of other dire potentialities. Nonetheless, I feel safe. Nothing has ever happened to m
Re: (Score:2, Insightful)
> than a simple Linux command, where you know what is going on?
Because end users *don't* know what's going on.
It's not a question of trusting something complex and inscrutable (proprietary security software) versus something simple and straightforward (open-source command-line software), but more a case of trusting something complex and inscrutable that looks well put-together and comes from a well-known maker, versus something
Primate psychology (Score:2)
Chimps are afraid of each other. So any time any chimp does anything, it's automatically fear time for everyone else.
As I've said many times before, humans work like this: "If you're right, I'm wrong. And if I'm wrong, I'm dead - and that can't be allowed. So I'm right and you're wrong. And if necessary, you're dead."
It's that simple.