Slashdot Mirror


Bruce Schneier on Security Tradeoffs

Anonymous Smile writes "Business Week has an interview with Bruce Schneier on his new book 'Beyond Fear.' He talks about the tradeoffs we've made in the name of increased security. (hint: we've done a poor job so far) Bruce furthers his tradition of being accessible by the non-technical crowd."

13 of 129 comments

  1. I like this statement by MoonFog · · Score: 5, Insightful

    Q: You have been critical of efforts to better secure the U.S. and the world in the wake of September 11. What do you think are the biggest mistakes we've made in those efforts?
    A: I think the biggest mistake is that we've made policy decisions while scared. We've passed laws that are expensive, both in terms of money and fundamental liberties, without giving us a corresponding increase in actual security. In other words, we've made bad security tradeoffs.

    Hopefully some bright men in the EU parliament will consider the laws passed in the USA before they blindly try to copy them into laws applying in European countries.

  2. Sounds interesting by yoshi1013 · · Score: 5, Interesting
    The whole security thing is very flawed on a number of levels, some of them political.


    We've all heard the absurd stories like a woman being forced to drink her breastmilk (in bottles) to prove it wasn't some type of explosive or whatever the hell they thought it could have been.

    Yet I remember reading on Michael Moore's website about how right after 9/11 he noticed that despite the fact that nail clippers weren't allowed on planes, matches and lighters were because the Tobacco industry had complained to the government that not allowing matches doesn't allow their customers to light up once they get off the plane.

    Later they were put back on the list of prohibited items but it's stuff like that which makes the whole security thing seem totally absurd sometimes.

    1. Re:Sounds interesting by Fnkmaster · · Score: 4, Insightful
      Like any process administered and regulated by humans, it is flawed, open to manipulation by the many parties with interests at stake, and imperfect in that it will not always catch the bad guys, and sometimes will inconvenience the good guys.


      But we're still better off talking and thinking about it, and consciously making those tradeoffs than just sticking our heads in the sand. These domestic security issues are also so fundamentally visible that they _are_ subject to feedback and criticism by the public - unlike obtuse IRS regulations, the absurdity of, for example, flagging every flyer with a one-way ticket for special security treatment, is eminently visible to every frequent business traveler. And thus there are a lot of us to whine, bitch and complain until something gets done about it.


      I'm much more worried about the invisible stuff than the visible stuff (like nail clippers being banned from planes). The invisible stuff is the pressure exerted on ISPs, credit card companies, technology organizations, encryption researchers, etc. to "help combat terrorism" by reducing security, or opening and releasing personal information to the government. Because, doncha know, "hackers" are terrorists. What's a hacker? Well, you know, those "cybercriminals". And "identity thieves". And you never know who might be doing those things. And maybe tax evaders are also helping the terrorists - aren't they avoiding funding our fabulous military? And what about drug users - well, clearly, they are supporting terrorists, I mean, we saw the government make those claims in ads on TV.


      That "with us or against us" attitude combined with the power of overreaching legislation like the Patriot Act makes me queasy about who or what comes next behind the scenes - the security we don't see at the airport, or in city hall, or on the streets during a festival or parade, and that does give me cause to worry. I don't have a perfect solution, other than that we, the technologically aware and literate, need to push our causes more, be more politically organized, and make sure that some portion of the citizenry is watching what the government is doing, and that we do a better job of getting that word out to the mass media, and to politicians.

    2. Re:Sounds interesting by deek · · Score: 4, Insightful
      • Yet I remember reading on Michael Moore's website about how right after 9/11 he noticed that despite the fact that nail clippers weren't allowed on planes, matches and lighters were because the Tobacco industry had complained to the government that not allowing matches doesn't allow their customers to light up once they get off the plane.

      I remember the days when I travelled via plane to Canada and the US, with my swiss army knife in my pocket. Fat chance of that ever happening again, and I can live with that, I suppose. But nail clippers, matches, and lighters? Does any of this strike anyone as paranoid to the point of absurdity?

      The ironic thing is that any determined terrorist will find a way to do what they need, without having to resort to any of the banned items. Do you want to threaten someone with a dangerous object? There are many devices other than metal knives that will do the job. Want to set fire to something on a plane? The whole chemical world abounds with ways to ignite things. Want to clip your nails on a plane? Hey, any smart terrorist can find a way to make sure their nails are decently manicured before they hijack the transport they're on.

      Let's face it. Security is not provided, in any way, by banning a whole bunch of little items. It is just a panacea for a nervous public, looking for action after some very troubling events. It is there to bolster confidence by providing a false sense of security. Succinctly, it's a PR exercise.
  3. Schneier speaking by scubacuda · · Score: 5, Informative
    Schneier's talks are incredibly accessible, especially when you consider how accomplished he is.
    • designed the popular Blowfish encryption algorithm
    • his Twofish was a finalist for the new Federal Advanced Encryption Standard (AES)
    (I heard him talk about a year and a half ago)

  4. Radical theory from Bruce Schneier: Power corrupts by turkeyphant · · Score: 4, Insightful
    Q: There's a dialogue going on right now about the Patriot Act. You have often stated that you think parts of this act are misguided or not terribly effective. Which parts and why?
    A: One of the problems with making security tradeoffs is that there are many overlapping security concerns. The Patriot Act has given the government and police unprecedented powers. Many of these powers are Draconian and fly directly in the face of a free society.

    Of course, if you assume that the government and the police are 100% benevolent and good, there's no reason not to give them ultimate power. But history shows, in this country and abroad, both that power corrupts and that even an honest organization invariably includes a dishonest few.
    I agree with a lot of what he says, but I wish he would actually answer what the questions ask instead of simply stating the obvious...
  5. Merry Christmas to me!!! by mariox19 · · Score: 4, Funny
    I don't worry about locking the back door of my house much of the time because I know the risk of burglary is slight.

    Would somebody google his address and get back to me? I'm in the market for a new television and stereo!

    --

    quiquid id est, timeo puellas et oscula dantes.

  6. the security myth by kraksmoka · · Score: 4, Interesting
    or better, an illusion. i know that my mac is susceptible to the very next worm, virus, file infector, buffer overflow, etc. but reading that there isn't a single virus out there for OS X is a great reinforcer of the feeling of invulnerability i project to all the winbloze using schmoes out there.

    really, the post 9-11 security craze is nothing more than a jobs program for the security industry. sure, the security here still sucks, it sucked before too. we're a (sometimes and mainly in theory) free society, but mostly an open society. we do make social exclusions, but really, we accept anyone as a neighbor (tho neighbor in another city if we don't like you, thanks, and don't forget to mow the lawn on the way out). we play security like it's a game. we dodge our own security just to prove it can be done.

    face it, security is an illusion. i'm more likely to die crossing the street (especially in my hood) than from a terrorist attack.

    --
    "You never want a serious crisis to go to waste." - Rahm Emanuel
  7. Re:A study in contradictions by Frater+219 · · Score: 5, Interesting
    A security expert who cannot be bothered to turn a knob on his door... eh, what?

    I used to work for a guy who had a saying on this subject: "Locks are to keep your friends out." That is to say, security measures impose barriers to unauthorized access, but these barriers are only so high -- if you have enemies willing to break down your door, locking it will not help you; if you don't, what function does locking serve?

    Well, one function of a lock, or a password, is its social effect: it says, loud and clear, "Keep out -- this place is only for those who have the key." Most people want to think of themselves as nice and respectful people. Most people aren't crackers or thieves, and will respect a security measure simply because someone went to the bother of putting it there. Against these people, you set a password on your account simply so they will realize it is not a public resource. You lock your machine room door so they won't wander in randomly in search of a terminal to check their email.

    Securing things against concerted attackers is different from securing them from wandering friends. You rarely need to enact security measures that will keep a concerted attacker out forever -- only ones that will keep him out long enough for you to notice his assault and cuff him. Bank safes are rated in minutes: rather than proclaiming a safe "uncrackable", the rating states how long a certain level of attacker will take to crack the safe. So as long as the bank has their security guard come by more often than that, it doesn't matter that the safe isn't perfectly uncrackable.

  8. Yes, absolutely by The+Tyro · · Score: 4, Interesting

    it's truly a matter of providing a deterrent... "target-hardening" as we used to call it in the military. Make a task too difficult, and the perp will move on to easier pickings, it's human nature.

    Many home burglaries are done by youths, or people looking for easily fenceable goods (typically to support a drug habit of some kind)... few are done by pros. Some burglars will simply go around a neighborhood, trying doors until they find one that's unlocked. A simple deadbolt would go a long way toward deterring this kind of casual thief.

    The professional is a VERY different animal, whether he's a car thief, or a home burglar. The determined car thief will bring along wheel dollies and a panel truck/trailer if he really wants your car... he might even line that trailer with metal screen if he's out to defeat your LoJack transmitter. Bottom line: it's very difficult to guard against a calculating, intelligent, and determined thief.

    That said, simple measures will go a long way... to not even take simple measures to secure your home might even open you up to legal liability. If you have a pool, you must provide a secured enclosure or gate, lest a neighborhood kid drown (and you would be sued, likely successfully, for not having taken such a "reasonable" measure). If you own guns, it might be argued that you had the obligation to lock your doors... I certainly wouldn't want to be sued because a gun I owned wound up on the floor of a neighborhood Stop-N-Rob, next to a dead clerk, simply because some crystal-meth user was able to simply wander into my home and steal said gun... I can think of more than a few plaintiffs' attorneys that might argue that angle in a wrongful death suit.

    --
    Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
  9. Re:Can't help it... by drunk_as_in_beer · · Score: 4, Insightful

    Well, I actually find it describes my attitude about things. Yes, I lock my doors and have very tight firewall rules, but this part is important:

    "I'd rather accept the slight risk of attack than constantly live in fear."

    --
    --Drunk as in Beer
  10. Re:A study in contradictions by Swanktastic · · Score: 4, Interesting

    a lot of the "security" we've put in place post-911 is truly window-dressing.

    I agree with you 100%. This response isn't arguing with your post, but your post did remind me of some thoughts I've had on this matter. The vast majority of the expenditures post 9/11 have been made to make people feel safer, rather than to actually increase their mathematical likelihood of being safe.

    In a sense, though, making sure the passengers feel safe is far more important than actually making them safe. I'm not trying to trivialize airline accidents, but we all know that hopping in a car is far more dangerous than hopping in a jet plane. The FAA doesn't have such strict regulations to bring down the number of crashes every year from 4 to 3. Those kind of numbers don't mean anything to the average person. Humans have a fundamental misunderstanding of the statistics involved, and no one would fly if they perceived the industry to be unsafe. I consider myself a rational person, and I know all the statistics, but I still feel less safe in a plane than I do in a car. No amount of improving the 'actual' security will change that. If you've ever taken a decisions sciences course, you'll know that even the brightest people in the workforce don't make perfectly rational decisions, but rather base them on stupid little things like the order that information is presented in.

    What will change everyone's fear of flying is "window dressing," and, yes, I'm willing to pay the 9/11 security tax (or whatever it's called) to fool myself into thinking that there's probably not a terrorist on the plane. The government's role isn't just to operate in a vacuum and take actions that improve safety. The US government also has an obligation to maintain confidence in the airline industry. If having armed guards standing around the airport makes people more likely to fly, then it makes sense to have armed guards, regardless of their statistical effect on safety. And yes, I'm aware that all in all those armed guards are a waste of money. But, you have to make decisions within the constraints of your environment, and I truly believe that no amount of statistical understanding will change the way that the average American or non-American makes the decision to fly or drive.

    Spending money to change perceptions is sometimes a rational tradeoff. However, reducing freedoms in order to increase perceptions of safety is simply not a reasonable tradeoff.

  11. Re:after 9/11 by cowbutt · · Score: 4, Insightful
    Surfing pr0n is not a big deal, and neither are any of the other activities you mentioned.

    How confident do you feel about visiting all the mosques in your city to speak with lots of Muslim people about their faith? (an activity that's harmless, but may cause you to be added to various agencies' watchlist)

    How about participating in non-violent activist groups? (anti-war protestors have been placed on a "no fly list")

    How about being critical of your government in a highish-profile way?

    All sorts of groups are being classed as "potential threats" these days. You'd be surprised at some of them.

    Also, many of the post-911 laws have been passed with no sunset clause. Legislation generally requires significant effort to be removed from the books when it is no longer needed. Whilst we have (arguably, relatively) benign governments, people are unconcerned ("their power will only be used for good!"), but if an extremist government came to power, all the legislative infrastructure is there to establish a repressive state in no time at all.
