Slashdot Mirror


Inside The Twisted Mind of Bruce Schneier

I Don't Believe in Imaginary Property writes "Bruce Schneier has an essay on the mind of security professionals like himself, and why it's something that can't easily be taught. Many people simply don't see security threats or the potential ways in which things can be abused because they don't intend to abuse them. But security pros, even those who don't abuse what they find, have a different way of looking at things. They always try to figure out all the angles or how someone could beat the system. In one of his examples, Bruce talks about how, after buying one of Uncle Milton's Ant Farms, he was enamored with the idea that they would mail a tube of live ants to anyone you asked them to. Schneier's article was inspired by a University of Washington course in which the professor is attempting to teach the 'security mindset.' Students taking the course have been encouraged to post security reviews on a class blog."

17 of 208 comments

  1. Destructive mindset by wces423 · · Score: 5, Insightful

    This article just confirms my belief that a good security professional needs to have a destructive mindset. You need to feel the urge to abuse the system as soon as you have seen it. I was not good at it, quit security research to join development!

    1. Re:Destructive mindset by iamdrscience · · Score: 4, Funny

      You two should be careful about criticizing Bruce Schneier. His fists are tattooed with "Bob" and "Alice" and if you get on his bad side, he'll exchange keys all over your face.

    2. Re:Destructive mindset by cbart387 · · Score: 4, Funny

      Even if you're not 'Eve'?

      --
      Lack of planning on your part does not constitute an emergency on mine.
    3. Re:Destructive mindset by qbzzt · · Score: 4, Insightful

      In fact I went into security after college because of the allure, but in fact the daily things that have to be done are not that glamorous, and have little to do with his strange psychological theories.

      Implementing security procedures is not at all glamorous, and does not require more than understanding the system to which they apply. Writing security procedures in such a way that they will be difficult to abuse requires a twisted mind. Doing it correctly, so the procedures properly balance security and availability, requires a mind that is twisted and straight at the same time.

      --
      -- Support a free market in the field of government
    4. Re:Destructive mindset by Anonymous Coward · · Score: 4, Insightful

      At least he has accomplished something notable, which is a heck of a lot more than can be said for an anonymous post criticizing said noteworthiness.

    5. Re:Destructive mindset by cardpuncher · · Score: 4, Insightful

      I think it's got more to do with awareness and analysis than destructiveness.

      I remember some years ago now gently trying to persuade a colleague that it was inappropriate to have forwarded the infamous Craig Shergold chain e-mail. Despite widespread publicity, the colleague absolutely refused to believe that there could be anything amiss and insisted I was being mean and cruel to deny the child (even by then cured and in his late teens) his "dying wish" and denounced my callousness to other co-workers.

      There's an advertisement for an animal welfare organisation on British TV at present with pictures of pathetic looking dogs who have been badly beaten ("it's the worst case I've ever seen" says the voice-over) or "used as an ashtray". Finally, at the end of the advertisement the confession, "these are not real cases" - followed with a demand for money anyway, now the viewers have been "softened up".

      Being a sucker for a sob-story isn't "constructive"; knowing that it can be exploited for social engineering isn't "destructive" - unless you regard human gullibility as a positive trait - though it sure can make you unpopular!

    6. Re:Destructive mindset by mattpalmer1086 · · Score: 5, Informative

      Symmetric crypto easier than public key? Are you kidding? Public key is based on simple one-way math functions. It's easy to prove it's secure (with certain assumptions about not being able to solve hard problems, like discrete logs or factoring large numbers). If the maths is solid, you've got a good encryption algorithm. If the single hard maths problem isn't cracked, you're safe. Job done.

      I could probably invent a reasonable public key algorithm with a maths textbook to hand - but no way could I invent a good symmetric crypto algorithm. Symmetric crypto relies on scrambling things up in a way it can't be unscrambled easily. You have to know a *lot* about cryptanalysis to even begin designing one, and you can still become vulnerable to a surprise attack. There is no general way of mathematically proving that how you are doing the scrambling is secure in any way - only that it is resistant to all the known attacks so far.
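The comment above says a public-key scheme is "one hard maths problem" and little else. The block below is an added illustration, not code from the thread or from Schneier: it assembles textbook RSA from modular arithmetic alone, shows that recovering the private key is exactly the factoring problem, and then shows the caveat a practitioner would add, namely that a sound hard problem does not by itself make a scheme secure, because unpadded RSA is malleable. The primes (61, 53) and exponent (17) are the classic small textbook values, constructed for the example; real keys use random primes of at least 1024 bits each.

```python
# Added illustration (not from the thread): textbook RSA assembled from
# modular arithmetic alone, and why "the maths is solid" is not the whole story.
# The primes 61 and 53 and exponent 17 are the classic textbook values,
# constructed for this example; real keys use random primes of >= 1024 bits.

from math import gcd, isqrt


def rsa_keygen(p, q, e=17):
    """Build a key pair from two primes. The only secret is the factorisation."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e mod phi(n); Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(pub, m):
    """Textbook RSA: c = m^e mod n, with m an integer in [0, n)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def break_by_factoring(pub):
    """Recover the private key from the public one by factoring n.

    Trial division only finishes for toy moduli; for a real 2048-bit n this
    loop IS the 'single hard maths problem' the whole scheme rests on.
    """
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return rsa_keygen(p, q, e)[1]
    raise ValueError("n has no non-trivial factor; not an RSA modulus")


def is_malleable(pub, m1, m2):
    """Textbook RSA is multiplicatively homomorphic: E(m1)*E(m2) = E(m1*m2).

    An attacker who sees c1 can forge a valid ciphertext for 2*m1 (or for
    m1 times any value of their choosing) without the key. Encryption is also
    deterministic, so equal plaintexts give equal ciphertexts. Deployed RSA
    adds randomised padding (OAEP for encryption, PSS for signatures) to close
    both gaps; the underlying hard problem is untouched either way.
    """
    n, _ = pub
    c1 = rsa_encrypt(pub, m1)
    c2 = rsa_encrypt(pub, m2)
    forged = (c1 * c2) % n
    return forged == rsa_encrypt(pub, (m1 * m2) % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53)
    c = rsa_encrypt(pub, 65)
    print("pub", pub, "priv", priv, "c", c, "m", rsa_decrypt(priv, c))
    print("recovered by factoring:", break_by_factoring(pub) == priv)
    print("ciphertext malleable:", is_malleable(pub, 65, 2))
```

The point for a reviewer: the hard problem (factoring) is the same before and after padding is added; what padding fixes is the way the primitive is used. "The maths is solid" covers the first half, and the second half is where most real public-key breaks (padding oracles, low-exponent attacks, signature forgeries) actually live.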

    7. Re:Destructive mindset by Anonymous Coward · · Score: 5, Funny

      Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes.

      Hashes collide because they're swerving to avoid Bruce Schneier.

      And more:
      http://geekz.co.uk/schneierfacts/
      http://geekz.co.uk/schneierfacts/facts/top

  2. Re:Open network ? by muridae · · Score: 5, Insightful

    Okay, I'm not Bruce, but I'll explain. If I open my wireless network, I know it's open. I can secure the computers behind with the knowledge that the wireless system is wide open. This is not really any different than securing the whole internal network against internet based problems. And, on the off chance that he really does have a single AP/router combo with the other computers connected directly to it, then the computers all need to be secured. How does this differ from securing a laptop that you use while traveling, connecting to whatever unsecured wireless signal you can pick up, except that you have to do it to all the devices involved?

    So, let's say you keep your wireless system closed. What happens when someone cracks the encryption key and gets access anyways? What happens when an internet bot net gets turned on your router because someone found a vulnerability in it? Lots of people kept secured computers before home routers and NAT became a real necessity. Doing so hasn't really gotten that much tougher. Just more constant.

    My real guess, though, is that he keeps the wireless and wired networks separated. Internet->wifi AP ->wired router+NAT+firewall-> computers. Given that he's a pro, the wifi AP and wired router might not even be connected to each other at all.

  3. Is this mindset really special? by badzilla · · Score: 4, Insightful

    Anyone can do what Bruce implies only "special security people" can do. It's just that most people don't because there is no incentive to. You might as well announce that your special security mindset has noticed how easy it would be to go into restaurants and put poison in the salt shakers. Hell they are wide open! What were the salt shaker designers thinking of! But of course normal people are just not interested in doing that.

    --
    "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
  4. Re:I have to agree by Rainer · · Score: 5, Insightful

    I used to look forward to reading what he had to say - in the 1990's. Now when I see these articles about what the almighty Bruce Schneier says I cringe.

    You cringe because he keeps saying the same things over and over again.

    He keeps saying the same things over and over again because people keep making the same dumb mistakes over and over again.

  5. Re:Disappointing by call-me-kenneth · · Score: 5, Insightful

    Tell you what, when you've written a book that gives a tenth of the useful advice, interesting information and insightful analysis of a single issue of CryptoGram, come back and tell us about it. Until then, your words serve only to make you look bad.

  6. You're damn right, most people don't get it! by MikeRT · · Score: 5, Interesting

    My instincts on this are more of "how would a criminal or terrorist behave in this setting" because I grew up in a law enforcement family (both parents plus extended family). I've made a few "regular people" upset in the past by pointing out the idiocy of their evacuation plans to them in pointed detail. One example comes from high school when the school shootings were just starting to disappear from the news.

    Our school gets a bomb threat, and the teachers and administrators are freaked out. They move us all, I kid you not, to the football field where we are fenced in by chain link fence, about 1/3 of which is covered by barbed wire. So I point out to my history teacher, one of the only genuinely intelligent public school teachers I have ever met, that we had been corralled into an enclosed area, surrounded by strong sniper nests (there were many points where a shooter with a .30-06 and a few mags could have unloaded with impunity), and that ironically, if there were a bomb, and the person who planted it were clever, they'd have put it under the bleachers where about 200-300 of us were sitting.

    He nodded his head in agreement that were this a real thing, we'd probably be fucked because of our administrators' plan, but the one or two regular teachers not far away who overheard acted like I was the real danger for pointing out what should have been "the obvious" about this plan. Me? I'd have called in the buses, and shipped everyone off property to be safe right away.

    1. Re:You're damn right, most people don't get it! by remahl · · Score: 4, Insightful

      No need to call in the buses. Just tell everyone that they may go home for the day. They will disperse randomly in every direction, quicker than any school administrator can administer their movements and in ways that no terrorist can predict.

  7. Article leaves out cost benefit analysis by MyNameIsFred · · Score: 5, Insightful

    While I agree with many points of the article - specifically that a security professional must have an unusual mindset - I am troubled that the examples leave out the cost-benefit analysis. As an example, the article correctly points out the vulnerability associated with picking up "your car" from a service department. All you need is a last name, no ID. This is an obvious vulnerability. On the other hand, the service department is motivated to make the process as streamlined as possible for its customers. Demanding IDs, etc., will slow down the process. The more cumbersome the process, the more likely customers are to use a competitor. Therefore, they need to trade off the security of the cars against the cost of losing customers.

    I am reminded of the time that I test drove a new car. All the dealership wanted was a photocopy of my driver license, and they let me drive the car off the lot for an extended test drive. Since driver licenses are relatively easy to fake, I wondered how often cars are stolen. I asked, and was told they are stolen on occasion, but insurance covers it. My point, they did the cost-benefit analysis, and decided on an insecure method.

  8. Re:Disappointing by mattpalmer1086 · · Score: 5, Insightful

    I would say quite the opposite. I think it's well documented that Mr Schneier used to think that cryptography would solve all our security woes, and then he realised this was only a small part of the picture. You may have preferred him when he was all gung-ho on the deeply technical and fascinating aspects of crypto - I love that stuff too - but you are not his audience anymore.

    Things that you may think are obvious are just not to most people. He's trying to reach normal people, business leaders, politicians - people who don't get it, or still think security is just boring techy stuff that doesn't work very well. He's trying to show it's also a mindset, a way of seeing the world, that anyone can understand. I think he's doing pretty good, but again, we are not his primary audience.

  9. Re:In security by v1 · · Score: 5, Insightful

    I take the third view. I believe you need the ability to (forgive the overused phrase) "think different". 100% of what we do every day in life is based on a world of assumptions. To be a good security researcher requires distancing yourself from the assumptions, breaking out of the ruts in the road, and trying different things. The majority of security holes exist because the developers and defenders are making the same assumptions as everyone else. Buffer overflows are the classic example, and we still see them constantly even though they've been recognized for years as a major security risk.

    I did in-house beta testing for a time, and used to really piss off the developers because I had a knack for knowing what they weren't planning for. I wasn't so much looking for security holes, but rather ways to crash the app (many of which were probably exploitable). A classic I heard was a developer submitting a bug report for "program crashes when it says Press Any Key and you press letter A". The developer called her back to his cubicle: why did you press "A"??? She said her name was Alice, and it said press ANY KEY so she hit "A". "But you're not SUPPOSED to hit "A", you're SUPPOSED to hit the space bar!" At which point the other developer stood up from his cubicle and said "oh? I thought it meant RETURN?" This perfectly illustrates how persistent assumptions are in coding. Not only are they all making assumptions, but they aren't even making the same assumptions.

    That's the sort of testing I did. Deleting the last element in a list, Select all in empty lists, saving a form before completing it, entering a 200 character filename for save, taking advantage of assumptions that the user knew what they were doing and would not ask the program to do something that was certain to produce undesirable results.

    --
    I work for the Department of Redundancy Department.
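The testing approach in the comment above (a 200-character filename, select-all on an empty list, actions the developer assumed "nobody would do") can be turned into a small reusable probe. The block below is an added illustration, not code from the thread or the poster: it feeds a list of boundary inputs to a function and records what happens, then applies it to a constructed "save as" routine that silently truncates long names. The hidden assumption (users never type a name longer than the field) turns into a real defect: two distinct long names map to the same stored name, so one user's save overwrites another's. The hardened variant refuses rather than guesses. `MAX_NAME`, both save functions and the sample names are all constructed for the example.

```python
# Added illustration (not from the thread): hunting for hidden assumptions
# with boundary inputs. MAX_NAME, the two save_name functions and the sample
# filenames below are constructed for this example.

MAX_NAME = 64  # constructed field limit of a hypothetical "save as" dialog


def naive_save_name(name):
    """Assumes nobody types a long name, so it truncates without telling anyone."""
    return name[:MAX_NAME]


def safe_save_name(name):
    """Refuses to guess: anything outside the assumed shape is the caller's problem."""
    if not name:
        raise ValueError("filename must not be empty")
    if "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("filename must not contain path separators or NUL")
    if len(name) > MAX_NAME:
        raise ValueError(f"filename longer than {MAX_NAME} characters")
    return name


def probe(fn, cases):
    """Feed each labelled boundary input to fn and record the outcome.

    Returns {label: "ok" | "<ExceptionName>"}. A row of "ok" from a function
    that should have complained is as interesting as a crash: it means the
    input was silently coerced into whatever the code assumed.
    """
    results = {}
    for label, value in cases:
        try:
            fn(value)
            results[label] = "ok"
        except Exception as exc:  # every failure kind is a finding here
            results[label] = type(exc).__name__
    return results


def find_collisions(fn, names):
    """Return (earlier, later) pairs of distinct names that fn stores under one key.

    A collision means the later save silently overwrites the earlier file.
    Names fn rejects are skipped; rejecting is the safe outcome.
    """
    seen = {}
    collisions = []
    for name in names:
        try:
            key = fn(name)
        except ValueError:
            continue
        if key in seen and seen[key] != name:
            collisions.append((seen[key], name))
        else:
            seen.setdefault(key, name)
    return collisions


# Constructed sample inputs: the kind of list a tester keeps to hand.
PREFIX = "quarterly-report-for-the-board-" * 3  # 93 chars, already past MAX_NAME
LONG_A = PREFIX + "alice.txt"
LONG_B = PREFIX + "bob.txt"

BOUNDARY_CASES = [
    ("empty", ""),
    ("exactly at limit", "b" * MAX_NAME),
    ("one over limit", "b" * (MAX_NAME + 1)),
    ("200 characters", "b" * 200),
    ("path traversal", "../etc/passwd"),
    ("embedded NUL", "notes.txt\x00.exe"),
]


if __name__ == "__main__":
    for fn in (naive_save_name, safe_save_name):
        print(fn.__name__)
        for label, outcome in probe(fn, BOUNDARY_CASES).items():
            print(f"  {label:20s} {outcome}")
        print("  collisions:", find_collisions(fn, [LONG_A, LONG_B]))
```

Read the naive column as the poster would: every row says "ok", which is the tell. The code never rejected anything because it never checked anything, and the collision list shows the cost of that assumption.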