Slashdot Mirror


Freakonomics Q&A With Bruce Schneier

Samrobb writes "In grand Slashdot tradition, the Freakonomics blog solicited reader questions for a Q&A session with Bruce Schneier. The blog host writes that Mr. Schneier's answers '...are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal.'" The interview covers pretty much the whole range of issues Schneier has written about, and he provides links to more detailed writings on many of the questions.

10 of 147 comments

  1. His comments on terror and cameras were by WillAffleckUW · Score: 5, Interesting

    I found his comments on terrorism - A. Refuse to be terrorized - and cameras to be fairly well thought out.

    We choose how we live.

    We can live in fear and magnify risks that are, in reality, very minimal, or we can realize they're minimal and stop worrying about them.

    I'd rather live free from fear.

    And the answers about passwords were fairly good. When I was a regional security officer, I came up with similar concepts, based on the real threats that actually existed. When on a public site, with low real risk (e.g. public web, no linked account) it's better to have a common (but hard) password, and save more secure passwords for sites where you have real financial risk instead.

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:His comments on terror and cameras were by WillAffleckUW · Score: 2, Interesting

      Well, as a former Army Sergeant, I have to agree with you.

      The concept of force protection arose from the objective of battle - the imposition of chaos on the enemy and the reduction of chaos on our own military and economic supply train. But there is no cost effectiveness analysis used, sadly.

      Sometimes we need to realize that overreaction, and overprotection, are the wrong responses.

      Is it truly worth the time delays and economic disincentives we impose on air travel to screen everyone? Is it worth the disruption to the system from a few networks that don't screen roaming IP wireless users properly to include them? Should we not instead choose more limited and more effective measures? For example, let's look at rogue wireless spammers. Why not just ban them until they fix their own routers - or only permit them to receive IP traffic but not send it? We could even screen the outbound IP traffic based on the origin, or insist they use IPv6 secure traffic, so that we can impose more strict restrictions on just those networks that cause 80 percent of the problem.

      But living in fear never works.

      --
      -- Tigger warning: This post may contain tiggers! --
  2. Freakonomics Q&A with Jonathan Coulton by FleaPlus · Score: 3, Interesting

    I don't think this was mentioned on Slashdot, but since this is quasi-related I thought I'd mention that a couple of weeks ago Freakonomics also had a Q&A with Jonathan Coulton, a really awesome (IMHO) singer-songwriter who releases many of his songs under a Creative Commons license and whose music often has a rather geeky tilt. He also got quite a bit of attention recently for writing the song "Still Alive", which plays at the end of Portal. Here are a few neat quotes from the interview:

    Q: Do you think having music available for free will make releasing some of it on a traditional album more difficult? Also, why aren't more of your songs available on Yahoo Music Engine or iTunes?

    A: It's always hard to figure out the actual numbers on this, but I definitely get the feeling that having a more open attitude with MP3s has contributed to my ability to actually make a living. More and more, people don't like to buy things that they haven't heard first, which makes perfect sense when you think about it. This is why they have listening stations in record stores (er, I mean, when they used to have record stores). And because I depend so heavily on word of mouth marketing, it's extremely important that it's as easy as possible to hear my stuff. Again, it comes down to the extremely low cost that comes with digital content -- it's okay if only a small percentage of listeners buy, as long as the number of listeners is very high. That can only happen if you let people listen. ...

    Q: When you wrote "Still Alive" for Portal, did you have any idea how well the synergy would be with the game? I don't think that there have ever been ending credits in any media that have matched the love that people have for the end of Portal. Have you been asked to work on any other video game music since the release of Portal?

    A: One of the reasons I agreed to do it was that I understood the character so well -- it was one of those things where I looked at what they had created and it made absolute sense to me. We didn't know all the details of how we were going to finish the game, but I really could sort of feel how it was supposed to end up. Of course I'm thrilled with the reception, and it's been much larger and more positive than I could have imagined. There's nothing else in the works at the moment, but I'm definitely open to doing more things like that if it's the right project. ...

    Q: When will Valve release a video game that is also a full musical comedy?

    A: Yes please. That would be a great deal of fun to do, whether or not it was any fun to play. I'll put you in touch with Gabe and you can insist that he make it happen.
  3. A billion times... by Spy der Mann · Score: 2, Interesting

    FTA:

    Moore's Law predicts that in fifty years, computers will be a billion times more powerful than they are today. I don't think anyone has any idea of the fantastic emergent properties you get from a billion-times increase in computing power.

    I do have an idea. For starters, Holovideo. Computers a billion times more powerful than today's will be able to calculate the interference equations required to display true color live holograms on flat screens - or glasses.

    Just think about it: put on your glasses and everything seems normal. Turn on your (wearable?) computer and you'll be able to interact (let's assume the glasses have tiny cameras on them, thanks to transparent electronics) with holographic objects - which may include virtual displays which you can move with your hand, à la Minority Report (or à la Nadesico if you're an anime fan ^^). Who says you'll need to use physical keyboards? Probably they'll be virtual, too! No more Repetitive Strain. And that's just for starters - imagine playing with Rubik's cubes or analyzing/debugging code (for programmers) in 3D.

    However, I wonder if software will be advanced enough by then to have AI agents assisting you like most sci-fi flicks. Usually software is the barrier in computing. Programmers are slow.
  4. strange answer on wireless by SEAL · Score: 3, Interesting

    Q: Is there any benefit to password protecting your home Wifi network? I have IT friends that say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?

    A: I run an open wireless network at home. There's no password, and there's no encryption. Honestly, I think it's just polite. Why should I care if someone on the block steals wireless access from me? When my wireless router broke last month, I used a neighbor's access until I replaced it.

    That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.
    1. Re:strange answer on wireless by someone300 · Score: 5, Interesting

      I personally use an open wireless network. I trust my open wireless network as much as I trust my ISP and insecure wired network, and all sensitive data that I throw around internally is securely encrypted or otherwise done through a secure tunnel. If I need to put a password I care about into an HTTP site, and I want to minimize risk, I just use my proxy, which is directly and securely* wired into the switch. Generally, if you have a large wired network, you need to make the assumption that any piece of cable not in a secure room could be spliced and packets logged.

      Of course, considering a large amount of web traffic is HTTP when it should be HTTPS, and certain operating systems expose services onto the network which they probably shouldn't, it's probably a bit irresponsible to suggest that home users leave their stuff unencrypted. Personally, the reason I run an open AP is because open APs have helped me in the past. There's a form of QoS to stop people abusing it and give priority to certain computers on my network.

      * Considering it's a house, 'secure' means it's in a locked cupboard ;)

    2. Re:strange answer on wireless by trawg · Score: 2, Interesting

      That answer is so bad it almost sounds like sarcasm. Given how easy it is to sniff sensitive data from an unencrypted wireless network, I can't imagine Bruce would allow it unless he segments his network or wires up his own PC.

      As others have already pointed out, as long as he's encrypting probably everywhere else it won't make any real difference. If you're on an open wifi network and everything you do is via an SSH tunnel or VPN or something, you're probably doing quite a bit better than using WEP anyway.

      I think the really interesting part of this answer is that it doesn't really address the legal issues of someone misusing and abusing your connection for their own evil deeds. I don't know if this has been tested in court but it seems laws about this sort of thing most likely are of the form "you are responsible for what happens with your Internet connection".

      I would love to run an open wifi AP for my neighbours and everyone else walking past, but I'm worried about them using it for nefarious deeds when the IP address associated with those deeds is traceable back to me.
  5. His Password Comment by OldSoldier · Score: 3, Interesting

    I choose the same password for all low-security applications. There are [also?] several Web sites where I pay for access, and I have the same password for all of them.

    Has there been any survey of how various systems store passwords? Schneier's policy above is very similar to mine, and I was surprised recently when my Sprint password, which I thought was "secure", was plainly visible to the customer service clerk at my local Sprint store!

    Specifically, I do not care how my low-security passwords are stored. But for my high-security passwords, I would like them all to be stored in a unix-like way, namely only ciphertext is stored and it's impossible for anyone to know what that password is. Sure, they may be able to change it on my behalf, but can they tell what it is? No!

    I've had this concern for quite a while now and I'm surprised that I haven't found a security certification label that addresses this concern. Sure, there are other labels like http://www.truste.org/ or "Verisign Secured", but where is there one that tells me my user password is stored in a "unix-like" manner?
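    The "unix-like" storage the comment asks for, as an added example that is not part of the thread or of any site it names: the server keeps only a salted, deliberately slow hash, so it can verify a login or replace the record on the user's behalf but never read the password back. The record layout "pbkdf2_sha256$iterations$salt$hash" is a convention constructed for this example, not a real crypt(3) scheme.

```python
# Added example (not from the Slashdot thread): "unix-like" password storage.
# Only a salted PBKDF2-HMAC-SHA256 hash is kept; the plaintext is never stored
# and cannot be recovered from the record, so a clerk looking at the database
# sees nothing usable. Record format is a constructed convention for this demo.
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record; the plaintext is not recoverable from it."""
    if salt is None:
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record never verifies
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def reset_password(new_password: str) -> str:
    """Support staff can replace a record on the user's behalf without ever
    learning the old password: the old record is simply discarded."""
    return hash_password(new_password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)  # salt and hash only; no plaintext appears
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong guess", rec))  # False
```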
  6. Writing down your password by Beryllium Sphere(tm) · Score: 2, Interesting

    Same point as Bruce, but put in terms of a threat analysis translated into everyday terms:
    Why you should write down your password

  7. I'll third that. by Xenographic · Score: 2, Interesting

    I'm not a soldier, but I arrived at essentially the same conclusions on my own, right down to writing passwords on a card in your wallet. In fact, I used to teach people that in a basic computer security awareness class a local library held.

    One important thing to note is that you have to be careful about password reuse. Oh, and email, no matter what, should NOT be considered "low security", no matter how boring your private life is, because it can often be used as leverage to get more sensitive data. Look at this leak if you want to see the harm losing a simple Gmail account via password reuse can do.

    As for the military issues, you have my sympathy. I sincerely wish we had leaders who would tell us "the only thing you have to fear is fear itself" and who would try to calm the public instead of using fear-mongering tactics to consolidate political power. Unfortunately, from the responses we've seen over in Boston, I think that the public has been so irrationally terrified at this point that they won't listen any more. Not that I've heard many voices of reason speaking out to begin with, at least on TV.

    What really sickens me is that this unrealistic threat evaluation is likely to get nice guys like you killed. I don't envy you :/