Slashdot Mirror
Bruce Schneier Interview on Salon
citmanual wrote to us with the Schneier interview on Salon. He's promoting his new book Secrets and Lies. I'm just about finished with it, and will be doing a review soon - it's quite good.
← Back to Stories (view on slashdot.org)
That's one of the reasons Schneier rocks as hard as he does. He's a down-to-earth kind of renaissance man and he's pretty much always been like that in the years I've known him. Not only is he one of the best 10 or 50 cryptographers in the world (of which about 40 are probably NSA), but he's a regular guy. I had the good fortune to see Richard Thieme speak and he's similar in that regard (though he's more of a humanities guy than a science guy).
I read something recently describing a self-proclaimed epiphany he experienced a few years ago that set him in the direction of holistic security versus the crypto-heavy approach he favored since he entered the field. I'd be curious to know more about it because I felt he's always had a hint of that approach. Just go back and read his essays "Why Cryptography Is Harder Than It Looks" and "Security Pitfalls in Cryptography"... substitute "cryptography" for "computer security" or "network security" and you'll see what I mean.
In 1996 I think it was, Bruce, Niels Ferguson, and I were working on the problem of creating a file system offering plausible deniability of the existence of any files the user wanted to keep secret. We came up with some really neat ideas on how to avoid creating proof that certain files existed. I think it would have worked, but I made the realization that it wouldn't work successfully with technology of the day. Microsoft Word (heck, the Start -> Documents listing broke us too) will list the last several documents accessed: what if one of them was supposed to remain secret? If it's hidden, but the attacker sees you modified it and they can't find it, the game is over--you can't deny it exists and the system is broken.
Why is this such a big problem? Because if we were to create a special OS and set of applications that didn't track that stuff, the only people who would use it were those with something to hide (this wasn't a court of law--we couldn't assume you were innocent until proven guilty). So, the user loses the game before it even started simply by having that special OS and application set.
Keep on "keeping on", Bruce.
Countless analogies to computer security can be made - banks being one of them, my house being another. There's nothing inherently insecure about my house - strong doors with locks, a security system, new windows, a fenced-in backyard - but one open window allowed my wife to "break in" when she accidentally locked herself out. All it takes is one slip-up, and all other security measures are nullified.
Still, my house is only one house, on one street, in one neighborhood in this city, and I count on that "anonymity" to provide a measure of safety. All that's necessary is to provide potential thieves ("house hackers?") with sufficient motivation to either overlook the house or move on to an easier target (hence the Security System sign in the front). It's a play on human nature - count on the baddies to take the path of least resistance, and don't call attention to yourself by parading how many secrets you have locked up or how confidential your data is.
Net privacy may be a concern, but net anonymity is also good cover. My real name is so commonplace and vanilla that I use it frequently as my login - tempting fate perhaps, but do a search on it in any database and you'll be swamped with results. Which one is me? I'll never tell...
Was that out loud?
Taking another poster's Java example. If you use a language like Java, you have no buffer overruns. But this is at the cost of checking array bounds.
Many of Microsoft's security problems is because MS wants to give you convenience and damn the security implications. Macros in Word files and email attachments as clickable applications are just two examples.
The problem of ignorance is twofold. One is that many users are not knowledgable system admins, and yet they will be on the Internet 24/7. The other is that the current OS model is just not security conscious. It take enormous work (e.g., OpenBSD) to get a semi-secure OS and even then, it is easy to slap on telnet, ftp, and every other insecure service. Combining ignorant users with inherently insecure OSes is a potent mix.
Dealing with cost and convenience is a social issue. Costumers will have to demand security as a top priority before anything much happens here. That probably won't happen until we get a disaster that costs a lot of people a lot of money. There is not much you can do about ignorant users. You can educate some, but certainly not most. It is a matter of research to make OSes more secure, and this is something that the government and the military are very interested in.
For example, it is possible to easily execute money transfers and stock trades as someone else at A Large Internet Broker Who Will Remain Unnamed. This sounds bad, and it is bad, but it isn't much worse than the equivalent security at non-Internet banks and brokerages. At my bank, I can execute a money transfer by simply sending a fax with my signature to the bank. Now, any waiter, billing clerk, or grocery checkout monkey to whom I have ever given a check has my account number, the name of my bank, the bank's routing number, and an original of my signature. Photo reproduction is more than good enough for a forged fax, so it would be trivial to walk down to the local copy shop and start faxing money transfers to people's banks.
Credit cards are even worse. You need only possess the physical card, or a reproduction thereof, to use the card fraudulently. The number of register operators who actually check the card signature against positive identification and then note the form and number of the identification is incredibly small. With near-full employment here in the U.S.A., the diligence of the rank register operator has become even worse in recent years. Fraud is trivially perpetrated in real-world banking and retail.
My final example involves my own clients. I am in a line of business that automates business processes in medium and large companies. Invariably, the client wants to ensure that the computer-automated process is totally secure. This is good and I applaud their concern. However, it is funny to note that the manual processes they are replacing haven't the least bit of security at all. Often, the "process" involves one person rubber-stamping a piece of paper and placing it in an open bin on some other person's desk. Yet they insist on impenetrable electronic security.
Or the coder throws in a 1024 byte buffer and says to himself "I'll go make this more robust once it is working". A couple days latter, he's got the system working, so he runs off, shows it to his boss, and moves on to the next project, forgetting about the work he has left to do on the program that "works".
Usually the tradeoff isn't program performance vs. security but coding time vs. security/performance/whataver.
The cake is a pie
Salon takes this quote out of context. Schneier goes on to say:
I haven't read the book yet, but my understanding from what Schneier says regularly on his very interesting mailing list is that he and others had been looking at security the wrong way. The analogy he uses frequently is to safes. Safes don't claim to be uncrackable; instead they come with ratings specifying how many minutes it would take a skilled safecracker to open them. Schneier's argument is that this is the same approach we should be taking to information security. Not "this security is crackable and that security isn't," but "this security can be cracked by a skilled intruder after X minutes/hours, giving you that much lead time to respond. Plan accordingly."
-
-
Give me liberty or give me something of equal or lesser value from your glossy 32-page catalog.
Exactly. I'm sure a determined person could break into my house. But I don't give up, because moderate security means that such a person will have to go to a lot of effort to do so. That's really the best we can hope for. To make it hard enough that it isn't worth an attacker's time.
I'm sure that the NSA could break into my home box, no problems. I don't really care about that. There's not much I can do about that. That doesn't mean I won't put up enough security to keep the script-kiddies out.
The same applies for a corporate box. You don't give up just because you can't keep everyone out. It is good enough to have enough security that any attacker is highly skilled enough that he wouldn't bother with your site.
The cake is a pie
I believe the moral of the book (which I gather from Bruce's comments in Crypto-gram) is that security breaches are inevitable, and therefore it's imperative to have a recovery plan.
He doesn't claim that since perfect security is impossible we should stop trying to attain it. He says that we need to stop assuming our efforts will always protect us and make sure we're prepared for the alternative.
/* The beatings will continue until morale improves. */
The moral argument:
"Who watches the watchmen?"
All the rest is just elaboration on that.
The cake is a pie
Exactly! Most of us live in houses that can be entered by anyone with a large brick. Does that mean that we give up and just leave our doors sitting wide open when we go to work?
The cake is a pie
Horatory:
"Marked by exhortation or strong urging: a hortatory speech."
That's funny, for a second there, I thought that I had a new word to use in my second job: High-Jammy-Pimpmaster Supreme.
Shucks.
Rami
--
rJames.org - illustration
I'm not so sure about your comment on Most programmers still choose performance over stability and security.
Most will choose stability, and I think, no I hope more are choosing security when programming but this also falls under the category of human error.
A lot of programmers are just not aware of their errors. Most programs with buffer overflows may be very stable in theory, but they assume that the user will not make errors. Or assume that noone will ever enter a string longer than 1024 characters. Or maybe they don't expect anyone to use an other interface than their own, and put their security in the wrong place
A lot of programs still in use today were written in a time when the internet was still a relatively friendly place. I hope books like this one will make programmers today more aware of the problems that plague the internet in it's new form.
just better than the other guy!
:))
There is neither cause for irrational exuberance nor hopeless despair. Frankly I'm disappointed in the last 3.5 years of running a NT net that we've had no break ins, security compromises, etc; sure there's been the ocassional StealthBoot.B viri and one person executed a 'fireworks' attachment w/ a virus that took a half hour to clean up, but that's been about it. Eternal vigilance and watch is my key, try to convince mgmt to keep things simple enough to keep it under control w/ ability to recover should a disaster occur and all will be find. I'm looking fwd to e-commerce while watching for some bastard to 'make my day'
try { do() || do_not(); } catch (JediException err) { yoda(err); }
What is being sold today under the Intrusion Detection System label usually is a cobbled together set of attack signatures that spuriously trigger thousands of times per day. The ones I've seen do not have the flexibility to do things like suppress the check for ".asp." if a word consituent character follows it. And needless to say, the way they work, chances are that successful attempts to break in are overlooked.
This of course if yet another instance of false security. A lot of work has to be done still to make IDS systems work reasonably out of the box, and that is not even taking issues like training into account.
Mind you, people who actually read the book will know better, but I've lived in corporate hell for much too long to know just where this IDS thing will end. "Do we have a firewall? Check. Do we have an IDS? Check. Hey, what's this guy doing on our systems? Call legal and sue the IDS vendor."
Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.
The problem is that government has violated the trust given them.
So have individuals, yet trust is extended to them. There is no monolithic "government". It is made up of people. The "government" didn't commit Watergate. A few people within it did. Just like a few people within society commit crimes. Yet I'm sure you would agree that we shouldn't revoke our trust of all people on the basis of the violations of a few.
The problem is that government has violated the trust given them. Again, look at Watergate and the Nixon enemies list as an example. Its those kinds of violations that make people nervous about giving them more trust.
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
I find this extremely insightful and would love to spend a mod point on it.
But what I'd love more is a reference telling me where I can read this view of Jefferson's, and others. Can anyone help?
Tweet, tweet.
Nonsense. The Net servers and accounts are the property of the ISPs and users. Theft is immoral. Quod Erat Demonstrandum.
Wake up people, there are some very evil people out there
Yep -- and the levers of government power are their natural homes.
/.
/. If the government wants us to respect the law, it should set a better example.
Hey Taco, This book is for you man!
I find it really, really scary when someone of Bruce Schneier's reputaion has seeming given up on the idea of secure software.
If that is the case, what possible arguements can we muster against things like internet regulation. If we can't have better living through software, then there is a bunch of special interest groups and three leter agencies who would be happy to say "just install this box on every network, and we'll be able to trace all hackers"
I think that just like the real world, you can *never* prevent crimes from happening. You can, however, make the criminal's life as hard as possible by heavier punishment, making it more difficult to break in etc.. You can only make it more difficult, but not impossible. So I think the advice of mr.Schneier isn't too bad: put more emphasis on prevention and recovery.
How to make a sig
without having an idea
At least, not for vitally important applications and services. There has been a push recently towards providing every kind of service imaginable over the net, but people have already learnt that some things just aren't safe to do online - the notable failures of internet banks such as Egg to keep their sites secure being one recent incident.
Another foolhardy venture I read about in the paper today (no links, I couldn't find anything online) is of a company in Thailand which has developed a security robot armed with an air gun as standard, but which can be fitted with any other type of weapon, lethal or not. Whilst it can be set to work automatically, it can also be aimed and fired manually, using a command sent over the Internet! Is this the most stupid thing ever or what? Now hackers can shoot people from the comfort of their own bedrooms!
Despite the recent rush to get online, I can see that the craze will die down in years to come, as people and companies realise that some things are much safer in a real world environment where factors such as ease of interception and physical location make every transaction far more secure.
At the end of the day, the amazing lack of online security and privacy means that the net is good only for unimportant information and trivial communications. Who wants every hacker with a root exploit to know their most personal and important details?
No system - computer or otherwise - is perfect. For any lock there's a way to get around it. They just deter the amateurs.
Is this a situation where there is no hope? I don't think that's the right question or conclusion. We all have houses with locks that are adequate 99.9% of the time. They will fail from time to time but that is something we've all accepted (well, 99.9% of us:).
Computer security is the same way and Schneier's conclusion seems to me to be common sense. Not that he doesn't - probably - present all sorts of interesting anecdotes.
To be eternally secure we'd have to be eternally vigilant. No one can do that. So we do a best effort sort of thing, get on with our lives and have to be prepared to pick up the pieces when it falls apart. What else is new.
IMHO, as per
J:)
Oh well, no point in steering now.
The argument against internet regulation remains the same. If installing extra hardware on every network would provide real security, then I think Bruce Schneier would endorse it. Rather, I believe the point not that we are not yet capable of a secure technology (whether implemented in hardware or software), but that there is no conceivable technology that is truly secure. The best you can do is realistically assess risks and mitigate them where it's cost-effective to do so.
In my opinion, many of the security problems that plague the internet (and computers in general) are caused by the fact that companies still put their priorities in the wrong place. Most programmers still choose performance over stability and security.
An example:
The article mentions buffer overflows, which, in my experience, have been virtually deleted in a language like Java. Sure, checking array bounds every single time may be a performance hit, but I will choose a performance hit over a security hit any day.
Basically, when you write software, don't make assumptions. Not on anything. I've seen plenty programs crash because they tried to access the network and found that it was not installed, or play a sound and find the device busy.
We may not be able to fix the people, but I think fixing the the software is possible. All it requires is ridding the world of software licences that deny responsibility. Once financial gain is at stake, corporations will put a lot more time into security, and hopefully a lot less in screwing eachother for financial gain.
Douglas Hofstadter's brilliant book "Goedel Escher Bach" comes to my mind. It's a very good read and could have suggested to Scheider 20 years ago that every formally defined system is going to have holes in it.
Going from one extreme to the other.
Of course you can't have full safety, but that holds true as well for the real world. You can't prevent anyone from getting into a building, but you can make it so hard, that only a few will manage. And you have to pay in a way for that.
Yes. And he falls into the same trap, as if this would make these systems totally useless.
Simply because it's not possible to create perfect security does not mean that we should give up the ghost and go home. Quite the contrary, it is simply an indication that computers are indeed a part of the real world. Are real world banks 100% secure? Do the never get robbed? Obviously not, but we still have trust in them. Simply because "you cannot build a robbery proof bank" does not mean that we should give up banks (and their like) alltogether. And, while the Fort Knox gold repository isn't precisely invulnerable, it is sufficiently close to being so for the purposes necessary.
Computer security will necessarily ebb and flow as people recognize the issues and concerns and understand how to deal with them, etc., etc. Currently, there are many examples of poor and lax security because A) the favored model for computing has many security problems, B) unix is not a very secure operating system (face it guys, I love unix to death, but in many ways it is fundamentally broken when it comes to security [luckily, unix is so flexible that you can patch up the huge gigantic rents enough to make it pretty a box pretty damn secure]), C) everyone and their mother has some sort of semi-important server, which when combined with D) very few people actually understand even the basics of making a network / server / system secure can only cause problems.
In the semi near term, one of two things will most likely happen. Either 1) people will in general become more security concious, or 2) programs and systems will be made more inherently secure. I think 2 is much more likely, though a combination of 2 and a little bit of 1 would go a very long way.
{sarcasm on}
Then I'm sure you'll have no problem handing over your social security number, street address and phone number, credit card numbers (with exp. dates, please) and bank account info, along with that for your kids. What? You're not going to? Why, then, you must have something to hide!
{sarcasm off}
That's the first problem with your stance - you do have an expecation of privacy, and I don't think you're a terrorist or a child pornographer.
The second problem is that parts of the government has historically shown an annoying tendency to violate privacy rights for no particular good reason. Watergate and other things Nixon is a classic example, particularly the 'enemies list'. (For those who don't remember, Nixon and his cronies ordered the FBI and the IRS to investigate and cause trouble for people who Nixon considered his political enemies - classic cases of misuse of power.) These reasons are enough for people to want to protect their privacy themselves, since we've already seen we can't rely on the government to do it.
Wake up people, there are some very evil people out there, and it is our duty as decent Christians to do everything we can to help stop them.
Many people, myself included, find it evil for the powers-that-be to trample all over the innocent in pursuit of the evil. And, given the recent track record of the government in the issue of things like wrongful convictions (remember that the gov. of Illinois has put all death sentences on hold, because of massive uncertainty in the process, or you can check here for organizations which track this sort of thing), many people are not sure the government is the best organization to give our absolute trust to.
Also note, while the vast majority are probably decent, there are a lot of people who are not christian. You're not calling their decency into question, are you?
...phil
...phil
"For a list of the ways which technology has failed to improve our quality of life, press 3."
This last line of the article is telling. A user of an Internet-connected computer is in possession of a powerful, potentially dangerous tool - maybe it's been long enough that people look at them as some kind of silly toy. On the one hand computing ought to be fun and people shouldn't have to do it in fear (implying they should be given software tools that, though they can never be completely secure, at least aren't braindamagedly insecure). On the other hand they should probably need some bare cognizance of what they're getting into and what they might, through ignorance and negligence, allow someone else to do in the world. Dancing pigs (or penguins) might be cute, but people need to consider that there can be real-world consequences of what they allow to be done to their networked computer.
We tell our kids not to take toys from strangers, but then we go and download and play with the software equivalent without a second thought...
The proof, as they say, is in the pudding. I can definitely associate his work with Ron Rivest, for instance. Rivest wrote RC6, an AES candidate which had 15 rounds broken. Schneier wrote Twofish, an AES candidate which has fared much better. RC6 isn't going to be selected as AES (I'll wager $20 on it), but Twofish is still in the running.
Insofar as "Bruce Schneier, by his work, is not a cryptographer (nor is he a cryptologist)"... I've got to recommend that you talk to your dealer about the purity of your rock. Strictly speaking, a cryptographer is one who develops and devises codes and ciphers. Schneier has written lots of ciphers, ranging from the lousy (MacGuffin) to the profoundly brilliant (Blowfish, and maybe Twofish).
He has also published cryptanalytic results against the major AES candidates, including (I believe) RIJNDAEL. I like RIJNDAEL. Joan Daemen (I'm misspelling the name here) is a brilliant cryptographer, responsible for a lot of extremely high-quality stuff--and if Schneier, et. al., can cryptanalize RIJNDAEL, that says something about Schneier's skill.
Insofar as Applied Cryptography being shady, I'm going to have to ask you for some verification. How is his description of Blowfish "shady"? After reading his description of Blowfish I was able to implement it, from scratch, without looking at any source code. My version passed the Blowfish compatability vectors, so apparently his description was clear and concise.
Finally there is a better crypto book out there anyways: it called the Handbook for Applied Cryptography by Vanstone et al.
Err... no. The Handbook of Applied Cryptography (notice the name), edited by Menezes, Vanstone, et. al., is a very good book. I refer to it often. However, I refer to Applied Cryptography more--why? Because I want to know the accepted way of how to do something, not a formal proof that the accepted way works. If you want to know how to encrypt the last block of a CBC mode cipher so that the cleartext is the same size as the ciphertext, Schneier tells you this in the space of a paragraph or two. The Handbook of Applied Cryptography goes into much more mathematical rigor.
This is not to say that the Handbook of Applied Cryptography is inferior: it's not. The two books are meant for different audiences who need different things, and claiming that one is superior to the other is pretty specious.
His papers are imprecise and obvious
... Are you telling me that you could have cryptanalyzed RIJNDAEL?
Seriously. Get a grip. Schneier is no demigod, that much is true; he's a human being just like anyone else, and occasionally screws it up past all recognition (just like anyone else). However, he is a hell of a lot better than I am.
My own beef with Schneier is something totally different. Schneier works as part of a team, not a solo operator. His best work has always been collaborative, with Doug Whiting, Niels Ferguson, etc. While I don't begrudge Schneier his fame--I think he's more than earned it--I do wish that people, particularly Slashdotters and the news media, would realize that Schneier may be the crypto version of Buckaroo Banzai, but--just like Buckaroo Banzai--he's nothing without his crew of Hong Kong Cavaliers and Blue Blazes Irregulars backing him up.
"If J. Random Websurfer clicks on a button that promises dancing pigs on his computer monitor, and instead gets a hortatory message describing the potential dangers of the applet," Schneier writes, "he's going to choose the dancing pigs over computer security any day."
Make it dancing penguins and I'll give up security too. <grin>
Wait a minute... hortatory?
"Free your mind and your ass will follow"
It seems to me that while there may not be a hope of totally securing anything, that doesn't mean that the act of breaking in will be worth it. Right now, I'm sure that the FBI's headquarters isn't totally secure, but the effort to break in isn't worth it to the average individual who would do it just for the novelty of it.
--------------------
`Lex - Find Me Here: Text Appeal
A long, long time ago I was utterly taken with formal methods. I lived and breathed Z and VDM.
Then one day I read a paper about the *limits* of formal methods. The one phrase summary of the article was that once a formally-verified program meets the real world, each time it's executed is a conjecture.
The paper seemed to be an argument against formal methods and as you might guess, all the heavy hitters with PhDs and post-doctoral work to defend generated a storm of complaint, the one phrase summary of which was that while formal methods might not be perfect, they shouldn't be abandoned.
I mention this because of the author's original notion of protecting ourselves by wrapping ourselves in mathematics, and his current appearance of despair.
It appears to me that the book's more a reaction to a crisis in faith than anything else. I don't think anyone really expects security to be uncrackable - we're got history going back to the pharaohs on that one, but neither should we throw the baby out with the bath water. I mean, I think I've seen at least one reaction that uses this article to predict the *imminent* *death* *of* *the* *internet*. As if!
668: Neighbour of the Beast
so long as there is reciprocal transparency so that I know the same details about every person who accesses mine.
Government violates privacy precisely because they expect to labor under secrecy. If they didn't have that "expectation of privacy" that you talk about then they wouldn't trample all over the innocent.
And nothing bad has ever happened to me. Am I just lucky or is this article a little hyperventilated?
There are an average of five to 15 bugs in every thousand lines of code, which means that Windows 98 is riddled with somewhere between 90,000 and 270,000 oopsies.
It's probably the use of "oopsies" by an adult that set me off, but the first half of that statement seems exaggerated and the second half is just bad logic. What, that absurd claim about "65,000+" documented bugs in W2K isn't absurd enough?
---------