Freakonomics Q&A With Bruce Schneier
Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'" The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.
I found his comments on terrorism - A. Refuse to be terrorized - and cameras to be fairly well thought out.
We choose how we live.
We can live in fear and magnify risks that are, in reality, very minimal, or we can realize they're minimal and stop worrying about them.
I'd rather live free from fear.
And the answers about passwords were fairly good. When I was a regional security officer, I came up with similar concepts, based on the real threats that actually existed. When on a public site, with low real risk (e.g. public web, no linked account) it's better to have a common (but hard) password, and save more secure passwords for sites where you have real financial risk instead.
-- Tigger warning: This post may contain tiggers! --
it's better to earn a living as a security expert than as a computer criminal
Watch "Catch Me If You Can", this was obvious a long time ago.
"...In 1957, fifty years ago, there were fewer than 2,000 computers total, and they were essentially used to crunch numbers. They were huge, expensive, and unreliable; sometimes, they caught on fire..."
Well, now they are small, inexpensive, and relatively reliable. But at least they still sometimes catch on fire.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
To get the most out of this interview, make sure you have the facts on Bruce Schneier. The man is not what he seems.
There are several Web sites where I pay for access, and I have the same password for all of them.
/.pr0n
And these sites have content, content which gets stored under
Anyway, I've always found the blogogroupies who cluster around low-level celebrities like both parties here to be a bit creepy. Better Schneier or whatever Freakonomics' name is, who have some useful content, than someone as pointless as Wil Wheaton, but still...
we love them
It's so much easier to post a snipurl into your html than a similar Google link. Plus, you know, they're trendier than the huge URLs you sometimes have to use.
Poor Bruce must get awful tired of answering questions from people who don't understand how computers, etc. actually work.
Unpleasantries.
I do have an idea. For starters, Holovideo. Computers a billion times more powerful than today's will be able to calculate the interference equations required to display true color live holograms on flat screens - or glasses.
Just think about it, put on your glasses and everything seems normal. Turn on your (wearable?) computer and you'll be able to interact (let's assume the glasses got tiny cameras on them, thanks to transparent electronics) with holographic objects - which may include virtual displays which you can move with your hand, a-la minority report (or a-la Nadesico if you're an anime fan ^^). Who says you'll need to use physical keyboards? Probably they'll be virtual, too! No more Repetitive Strain. And that's just for starters - imagine playing with rubik cubes or analyzing/debugging code (for programmers) in 3D.
However, I wonder if software will be advanced enough by then to have AI agents assisting you like most sci-fi flicks. Usually software is the barrier in computing. Programmers are slow.
This is an economics blog, so you tell me: why don't the computer companies compete on boot-speed?
7 to 10 years ago that might have been a problem but these days with people booting at most once or twice a day (and the majority just putting their laptops to sleep or not turning their machines off at all) I don't see why we should even be discussing this topic.
I can't. No one can; there are simply too many. But I have a few strategies.
None of which are acceptable. This person needs to learn more about security and a different way to go about handling their passwords. Based on the techniques I use I am able to remember every single password for every single site I use with 99% of them being different (I have some legacy passwords on sites that don't require security in the first place but that's because I'm lazy).
There will never be a global repository for public keys, for the same reason there isn't a single ID card in your wallet.
Never is a long time and just like the sci-fi writers of the past getting stuff wrong, this guy is likely to get this wrong as well. If the slippery slope continues to degrade as it has been for the last 7 years, I have a feeling that we will see a different world stage with the players running that stage handling things a little differently than we would have thought about 10 years ago or even today...
There are probably zillions of books and classes on basic computer and Internet skills, and I wouldn't even know where to begin to suggest one. Okay, that's a lie. I do know where to begin. I would Google "basic computer skills" and see what comes up.
This tutorial is the first hit. While interesting, I don't believe it's something that someone interested in learning basic computer skills is going to stumble across -- even if you told them what to do. I work with those that don't even have the most basic computer skills and believe me, when you tell them to Google something it isn't processed like it is by those that have at least some basic skills.
The key difference is that most criminals are stupid, while most consultants are much more intelligent. I would suggest that for a given IQ (or however you want to measure intelligence) the balance is far more in favour of the criminal than an equally IQ-endowed consultant.
The reason being that there are more opportunities to get money from a criminal activity than from a security consultancy activity and it will always be easier to exploit a weakness than to fix it.
So why aren't there more super-villains?
Because it's not about the money, it's about the life-style. No really intelligent person would want to spend the rest of their life looking over their shoulder. Neither would they be dumb enough to think they had committed the perfect (i.e. untraceable) crime.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
This person needs to learn more about security
You think Bruce Schneier needs to learn more about security?
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
A: I run an open wireless network at home. There's no password, and there's no encryption. Honestly, I think it's just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor's access until I replaced it.
That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.
Yeah, his response to the question about passwords was absolutely fucking lame. I thought I already explained that.
Consider that a point is being made that you're not getting, because "this person" is not a moron, and generally talks about security as it is actually practiced instead of how it would be practiced if everybody were an expert and made good security a priority. Since people in general will not make security a priority, you have to talk about how people actually behave and how to craft security that will take actual behavior into account.
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
Specifically I do not care how my low-security passwords are stored. But for my high-security passwords, I would like them all to be stored in a unix-like way, namely only ciphertext is stored and it's impossible for anyone to know what that password is. Sure, they may be able to change it on my behalf, but can they tell what it is? No!
I've had this concern for quite a while now and I'm surprised that I haven't found a security-certified label that addresses this concern. Sure, there are other labels like http://www.truste.org/ or "Verisign Secured", but where is there one that tells me my user password is stored in a "unix-like" manner?
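What "unix-like" storage means in practice, as an added example (this is editor-supplied code, not anything from the thread, from Schneier, or from either label mentioned above): the site keeps a random per-user salt plus the output of a deliberately slow one-way function, and verifies a login by recomputing that output. The record can be overwritten (a reset on your behalf) but cannot be read back into the password. The record layout, the 200,000-iteration PBKDF2-SHA256 choice and the 16-byte salt are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not from the original thread): a
# per-user random salt and an iterated KDF so a stolen record is expensive to
# brute-force.  Production code would reach for a dedicated library (bcrypt,
# scrypt or Argon2); the storage principle is the same.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form alg$iterations$salt$digest.

    The plaintext password is never written anywhere; only the salt, the
    parameters needed to recompute, and the digest are kept."""
    if salt is None:
        # Fresh salt per record: two users with the same password get
        # different records, and a precomputed table is useless.
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare.

    hmac.compare_digest keeps the comparison time independent of how many
    leading bytes happen to match."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def reset_password(new_password: str) -> str:
    """What an operator can do 'on your behalf': replace the record.  They
    still cannot learn the old password from the old record."""
    return hash_password(new_password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong guess", rec))
```

A site that stores records like this can still be phished or keylogged, which is why the thread's advice about tiering passwords by what they protect still applies; the record format only limits the damage of a database leak.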
And all of those passwords are:
Right?
This person needs to learn more about security and a different way to go about handling their passwords.
You do realize that this is like suggesting that the Pope learn more about Catholicism, right? Bruce Schneier started as a serious academic cryptographer and branched out into more general security topics. At this point he's more of a public figure than a top tier researcher, but he's still very, very knowledgeable. The safe assumption is that he has considered and discarded whatever sort of scheme you use. Perhaps you've invented something he hasn't seen, but the odds of that are extremely slim.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Is he twins?
Infuriate left and right
Same point as Bruce, but put in terms of a threat analysis translated into everyday terms:
Why you should write down your password
No, you just bragged about your extremely clever system for memorizing passwords (that you didn't describe).
Regardless, Schneier's solution is vastly more useful in practice for, well, everyone else.
You still sound like you have no clue who this guy is.
Writing down passwords is perfectly acceptable (i.e. preferable to poor passwords) as long as you never write down the purpose of the passwords and have several of them. Padding the list with fake passwords is okay. If someone steals your password list they will have your passwords, but no idea where those passwords are supposed to be used. Assuming the thief is someone who knows where you might use those passwords they will still have to guess which password to use before you change the password or the system locks them out for too many login attempts. Adding bogus characters to the passwords makes it basically impossible for someone to use your list.
Correction: Actually, they're keeping us from seeing the long string of flag-draped coffins streaming home...
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
From the context, it appears that he used his neighbor's network without permission. Depending on where you live this is considered a felony.
http://money.cnn.com/2005/07/07/technology/personaltech/wireless_arrest/index.htm
You also might be violating terms of service with your ISP by sharing your connection.
Another person using bittorrent to download movies and music can easily swamp your wireless router with the number of connections used. It could also lead to a civil case against you by the MPAA and RIAA. Win or lose, you still pay the lawyers if a defense fund doesn't.
Criminal activity (use of stolen CCs, child porn, etc.) run through your wireless can also have you answering questions while your computer equipment is taken to verify your innocence.
This is all without letting someone sniff your traffic.
People don't let strangers plug into their LAN, why is it different with WIFI?
There are legal issues and responsibilities that really should be cleared up, so people who do want to share WIFI can.
And all of those passwords are:
Yeah, they are. All of them. Thanks for posting what I figured was obvious and unnecessary.
Bruce Schneier for President!
When on a public site, with low real risk (e.g. public web, no linked account) it's better to have a common (but hard) password,
No. The point is, it's better to have a common, and super easy to remember password that requires no difficulty at all to use and retain.
Low risk, remember? Why make it more likely you'll forget your common password after a two week trip. KISS.
This is why I despise sites of obviously low security interest, that enforce ANY kind of password limiting (like mandatory mix of numbers and letters and case).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
None of which are acceptable. This person needs to learn more about security and a different way to go about handling their passwords. Based on the techniques I use I am able to remember every single password for every single site I use with 99% of them being different (I have some legacy passwords on sites that don't require security in the first place but that's because I'm lazy).
First of all, you saying "[Bruce Schneier] needs to learn more about security" is like me saying "the Pope needs to learn more about being Catholic".
The reason Mr. Schneier suggested as he did is self-evident: He's addressing non-nerds and wanted to give an answer that balances ease with power. Even a simple two-password system beats the crap out of "password". And note that he said "pay for access" and not "can use my credit card". Thus, you have a three-tiered system: low-level passwords that while embarrassing if stolen, represent no serious loss if cracked and are not very valuable (like Slashdot); mid-level passwords that represent some target to thieves, but little actual loss if compromised (Lexis Nexis, say); and finally the top layer, like Amazon, where having your password lets one purchase things at your expense. Suggesting the write-the-passwords-down thing was smart, because most people wouldn't, and that prevents them from voluntarily having a password over 6 alphanumeric characters.
Judging by your other thoughts in the comment, I think the overall problem you have is not recognizing that Bruce Schneier is "talking down to" (in a non-condescending way) the Freakonomics readers. A Slashdot Q&A would probably be more in-depth, and would probably offer more complex advice. He's smart enough not to try to push these guys from A to Z in a day. He just wants to get them from A to B.
A really good read, and John Lott responds to many of Bruce Schneier's chapters.
He kind of annoys me by not answering any of the questions and instead links back to articles he's written before. Why bother giving an interview if you're just going to give a works cited page? I understand not wanting to repeat yourself, but when you're the Chuck Norris of infosec you have to in order to get through to the rest of us mere mortals.
Post is just using extra long URLs to obscure a shock site.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
snipped url goes to shock site.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I'm not a soldier, but I arrived at essentially the same conclusions on my own, right down to writing passwords on a card in your wallet. In fact, I used to teach people that in a local basic computer security awareness class a local library held.
:/
One important thing to note is that you have to be careful about password reuse. Oh, and email, no matter what, should NOT be considered "low security" no matter how boring your private life is because it can often be used as leverage to get more sensitive data. Look at this leak if you want to see the harm losing a simple Gmail account via password reuse can do.
As for the military issues, you have my sympathy. I sincerely wish we had leaders who would tell us "the only thing you have to fear is fear itself" and who would try to calm the public instead of using fear mongering tactics to consolidate political power. Unfortunately, from the responses we've seen over in Boston, I think that the public has been so irrationally terrified at this point that they won't listen any more. Not that I've heard many voices of reason speaking out to begin with, at least on TV.
What really sickens me is that this unrealistic threat evaluation is likely to get nice guys like you killed. I don't envy you
I strongly doubt it. Especially the part about not being related to one another. That's very difficult to do effectively, without using a strong one-way function.
"There's a form of QoS to stop people abusing and give priority to certain computers on my network."
But as a common carrier you shouldn't. Oh wait.
You, sir, are not only anonymous but also a liar (or possibly a moron, I'm sure someone can tell you which if you post some details about your password scheme).
Let's have a look.
:-).
From a code perspective you'd have something like
(0) init - maybe a start 'magic word' to make it individual?
(1) take website name
(2) strip "www" from it (so 'bare' use is identical)
(3) request password from user
(4) store user password for re-use (as normal if Firefox is set up that way)
(5) get hash (MD5 or better) of magic word + sitename + user provided password
(6) take first/last/middle 5..32 characters (not all sites allow more than 8 chars) - maybe derive this from web name as well so the length is stable per site but random between sites.
(7) submit the derived "hash"word (as opposed to "pass"word) to the site's "password" field.
There are a few gotchas there: steps 6 & 7 are limiting in the character set used (0..9 and A..F) so we may need to examine which hashing algorithm is used, and taking a defined subset of the output could weaken the output variation.
However, compared to 'ordinary' passwords it would certainly be better.
Tell you what, I'll punt Bruce Schneier an email, see what he thinks (if he answers, of course).
All in all it strikes me as quite a useful Firefox plugin, so now we need to find a plugin author.
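The seven-step scheme above, carried through as an added worked example. This is editor-supplied code, not the commenter's, not an existing Firefox plugin, and not anything Schneier wrote; it also serves the earlier remark that unrelated-looking per-site passwords are hard to get right "without using a strong one-way function". Two choices in it are assumptions made here rather than part of the comment: the single hash of step 5 is replaced with an iterated PBKDF2 so that one leaked site password is expensive to turn back into the master password, and step 7's hex output is replaced by mapping digest bytes onto a wider alphabet (with rejection sampling, so no character is favoured), which addresses the 0..9/A..F gotcha. The naive hex variant is kept alongside for comparison.

```python
import hashlib
import string
from typing import Optional
from urllib.parse import urlsplit

# Constructed parameters for this example (not from the original comment).
ITERATIONS = 100_000
MAGIC_DEFAULT = ""                       # step 0: optional personal "magic word"
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"   # 71 symbols
LIMIT = 256 - (256 % len(ALPHABET))      # bytes >= LIMIT are discarded (no modulo bias)
MIN_LEN, MAX_LEN = 12, 20                # step 6: per-site length range


def normalize_site(site: str) -> str:
    """Steps 1-2: reduce a URL or bare hostname to a lower-case name without 'www.'
    so that https://WWW.Example.com/login and example.com derive the same password."""
    host = (urlsplit(site if "://" in site else "//" + site).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def site_length(site: str) -> int:
    """Step 6 variant: a length that is stable for one site but differs between sites.
    Derived from the site name only, so it carries no information about the master."""
    first = hashlib.sha256(normalize_site(site).encode("utf-8")).digest()[0]
    return MIN_LEN + first % (MAX_LEN - MIN_LEN + 1)


def derive_password(master: str, site: str, magic: str = MAGIC_DEFAULT,
                    length: Optional[int] = None) -> str:
    """Steps 3-7: one-way function over (magic, site, master), mapped onto ALPHABET.

    The site-derived 'hashword' is what gets typed into the site's password field.
    Because the function is one-way and keyed by the full master, a site that
    leaks its copy learns nothing usable about your other sites."""
    host = normalize_site(site)
    if length is None:
        length = site_length(host)
    # Step 5: slow KDF instead of a bare MD5/SHA; magic word and site act as salt.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              (magic + "|" + host).encode("utf-8"), ITERATIONS)
    out = []
    counter = 0
    # Expand the key into as many bytes as needed, rejecting those that would
    # bias the alphabet (256 is not a multiple of 71).
    while len(out) < length:
        block = hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        for b in block:
            if b < LIMIT:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


def derive_password_hex(master: str, site: str, magic: str = MAGIC_DEFAULT,
                        length: int = 8) -> str:
    """The scheme exactly as posted (steps 5-7 with a hex digest and a prefix):
    kept only to show the gotcha -- every character is one of 0-9a-f."""
    data = (magic + normalize_site(site) + master).encode("utf-8")
    return hashlib.sha256(data).hexdigest()[:length]


if __name__ == "__main__":
    print(derive_password("my master phrase", "https://www.example.com/login", magic="m"))
    print(derive_password_hex("my master phrase", "https://www.example.com/login", magic="m"))
```

The usual trade-offs of any derived-password scheme still hold: a site that caps length or forbids symbols needs a per-site exception, rotating one site's password means changing the master or the magic word for that site, and the master phrase must be strong because every derived password is only as secret as it is.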
I'm glad you're so well-informed on this topic.
A: This is an economics blog, so you tell me: why don't the computer companies compete on boot-speed?
I know! I know! Because there's no competition?
The desktop competitors are*: 90% Microsoft, 5% Apple, 5% other. With a distribution like that, there's hardly any real competition to cause things to improve. Even if Linux is modified to boot in 3 seconds, it won't make Microsoft change anything.
* (This is just a ball park guess to make the point, not warranting for accuracy)
Bruce, you obviously don't have Comcast as your ISP. The problem with an open WiFi is that others can run you over the unstated traffic limits in your intentionally vague ToS on your "unlimited" broadband plan, and suddenly you're stuck on your neighbor's WiFi for good. A much more realistic danger than a drive-by, child-porn-sharing hacker.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It's easy to have a hard password that's easy for you to remember.
Let's say you speak a foreign language. Just take a word that doesn't exist in that language and "translate" it from your primary language into that language, and put digits or symbols somewhere in the string.
Fairly simple, but it defeats all dictionary lookups.
Do that for both the public browsing password and for the more private passwords.
A close approximation would be your browser storing passwords in the OS's key chain, and (optionally) your keychain being locked with a different passwd/key than your account's: so all we're missing is a context-sensitive menu on all "password" (masked) fields to generate a hash (or new complex password) for you.
You don't manage site passwords anymore, they're all "secure" in complexity and unique, you only remember the pass phrase to your key chain. (Is that not like encrypting a volume as opposed to files?)
--In retrospect, is there an already supported means (API?) to delegate the storage and retrieval of keys/passwords, so you could set your browser(s) to point to a (portable) encrypted and pass phrase protected keychain file (on a USB key perhaps)?
Bruce has done a great job becoming the journalistic expert on cryptography and computer security. You want to do an expert interview, ask Bruce; he is ready and waiting to answer your questions.
I found it fun that his website listed an old company I used to work for, ultimateprivacy.com. Long since defunct, it raises fun memories of loony, paranoid owners, former CIA agent employees and general start-up hoopla before the bust.
As far as Bruce's snake oil label it really did hurt us, he has and does have a lot of power in the industry.
I'm sure I saw his comments before, but they were worth a re-read. I was pleased to see that he conceded that we probably were doing a one-time pad correctly and I have to admit he is spot on in his analysis that key distribution makes it a dead end. We could get a workable system for point-to-point email to talk with your lawyer, Vinnie, or terrorist operative. But it started to get strained once you added attachments (even Word docs) and would fall over if you ever started trying to use it for pics, videos, and other binary data on a network with many users.
The reality is a widespread security protocol has to be easy and One time pads while mathematically unbreakable require never quantities of secret bits and will never be low maintenance.
Sometimes it's fun to bait the mods. I got a dumb one this time, who decided since he didn't catch the joke, it must be off topic.
Mods forever! Dumbness rules!
Thanks for that, already testing it :-)