Ask Slashdot: Can Bruce Schneier Be Trusted?
An anonymous reader writes "Security guru Bruce Schneier is, among other things, a world renowned cryptography expert, author of several popular books, and a second-order internet meme. He is also an outspoken critic of the NSA, in particular the massive NSA surveillance programs disclosed over the summer by Edward Snowden. Schneier has been involved in reviewing the leaked documents and has put in effort to determine which cryptosystems should still be considered safe. I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?"
Seriously... Especially the Govt. (and clowns - clowns scare me...)
"I say we take off, nuke the site from orbit. It's the only way to be sure."
It's turtles all the way down.
I use two cyphers, just in case. In my case, I found ROT13 and XOR excellent for speed and obfuscation.
Bruce Schneier is hardly the only cryptologist in the world.
Fucking fanboys.. Christ.
Obviously we burn him at the stake. If he burns he was innocent.
and has put in effort to determine which cryptosystems should still be considered safe.
Have someone(s) double check his work.
We should be doing that anyway, even for someone who is 100% trusted.
[Fuck Beta]
o0t!
... Anonymous Coward. There are some very suspicious posts he makes. And besides, he seems to never sleep.
now we need to go OSS in diesel cars
...not trusting and simply relying upon his evaluations and pointing out that you need to think for yourself.
Not a very positive trait for the NSA irrespective of their goals.
And by the way, you're in a virtual reality machine. Everything you know is false.
Good luck!
It's fairly easy.
You can simply walk through http://www.schneierfacts.com/
He generally gives intelligent logical arguments towards any given subject and if something he said or did was believed to be wrong, the math and crypto communities would be free to point out any mistakes or errors in his words or algorithms and make their points publicly. So far, people seem to generally agree with everything he says and I guess so do I for the most part. That's just my opinion on him so far.
Can I even trust myself? I mean, how can I even conclusively prove that I'm not being used by the NSA to hide secrets from myself?
He never wears a tinfoil hat, suggesting that this is a safe practice. But we all know it isn't.
If you're talking about absolute trust, i.e. "I trust him" = "I trust him to do anything", you should probably have your head examined.
Phrase your questions better and you will get more useful answers.
If we can't trust old Bruce, we're all screwed. Though possibly we are anyway. But if he's an asset, he's pretty well disguised.
Have gnu, will travel.
I've got exactly what you need! Tinfoil hats are cheap. They are easy to make, too; it takes less than two minutes. Don't believe the MIT study that debunks the time-honored tinfoil hat, it's a government conspiracy, you know!
Don't worry, there are support groups for conspiracy theorists! Now I know that, like with any number of other conspiracy theories, those pesky facts might get in the way. However, learn from Joseph Goebbels and don't ever let logic, facts or reality get in your way. I know you look like a raving lunatic to any rational person, but not to worry, someone even crazier will soon show up to defend you, so cheer up!
I can see that Schneier is trusted as a religious entity. There you need no proofs. God cannot be proven or disproven. Sorry.
.. that is a full 2 feet shorter than the average American male.
I keed! I keed!
Problem: Paranoia
Solution: None
Bruce Schneier may be the front-line spokesperson for the security community, but that should be completely separate from his body of work in cryptography. At the bottom line, he's doing mathematics, and mathematical proofs can be reproduced and confirmed -- or debated and disproven -- by anyone else in any country with sufficient background to understand them.
He is not some guru spouting unprovable wisdom from a mountaintop, he is a member of a scientific community, and if he is able to earn and keep the respect of that community, then that's a pretty good indication that he knows what he's talking about.
It's supposed to be completely automatic, but actually you have to press this button.
That's the best way to tell
For a long time, it's been known. There is _no such thing as trust_.
Either you invent the Universe from scratch, at which point you can trust the things you create as your own god; or you _inherently_ can not trust anything in your environment ever.
http://cm.bell-labs.com/who/ken/trust.html
Let the witch hunt begin!
Just be sure to have enough matches!
Has Schneier given us bad advice? So far, so good it seems.
Has Schneier been a vocal critic of the NSA? Yes.
Has Schneier been on this file for a really long time? Yes.
Do you have any evidence that he's in cahoots with the cryptofascists? No.
So, all you have is a speculation to tear down the reputation of one of the good guys, a thought experiment, based on no evidence, but one that has real world consequences of spreading fear, uncertainty and doubt regarding someone who is fighting the good fight.
Therefore, I would humbly suggest that I could and do logically conclude that YOU are a tool of the NSA, not Schneier, and furthermore, I have more evidence than you do: Your suggestion to consider Schneier as less than reliable based on zero evidence.
Shoes for Industry. Shoes for the Dead.
Even when Bruce Schneier lies, he can roundhouse kick reality into changing to suit his statements.
He looks like Chuck Norris.
Seriously. The mere act of trusting someone will eventually lead to that person betraying said trust. Trusting someone puts them in a position of power, and power corrupts. You can't trust anyone.
Seven puppies were harmed during the making of this post.
"How do you know who your daddy is? Because your mamma told you so."
--JFK
Hi,
Read his papers and check the hints within; it's even possible for non crypto-math geeks to get a background understanding, because there are many more out there. Work out the differences in their argumentation; don't just think that because there is a citation it can be trusted, check what's behind a citation.
Wikipedia is the best entry point for you.
Check the argumentation on a logical level, and question the argumentation, especially if it fits the known problems till now; when it remains true, you have a good chance that it's really true.
It's a subjective measure, based on long experience with someone and someone's writings. It's much easier to assess trust from personal contacts, but even then you can get thoroughly disappointed - just think of some types of failed marriages as an example.
The question is why would you personally have to trust Bruce Schneier? I don't have to, in order to enjoy his books and blog posts and make up my own mind. Has he recently asked you to hand over the master password for your computer?
Regarding business with his company, overall reputation and a realistic assessment of threat scenarios is more important than personal trust. If you believe the NSA is your main adversary and you contemplate whether you should put all of your trust into Bruce Schneier as your sole savior, you might want to revise your "requirements".
Bradley Manning, Ed Snowden, and Bruce Schneier are just bots that are engaged in misdirection to keep people from seeing the *real* backdoors in computing systems. The government TLAs have many ways of getting into our systems. If they can keep us working on the least effective backdoors, then we miss the real threats.
Or not.
I guess people's paranoia with the NSA revelations have been difficult to swallow. Now everyone is slowly becoming suspicious of everyone else.
Anything is possible I suppose. To me, it was no surprise really. I do have to say that, having worked with individuals in the security community, the primary focus really is the safety of our way of life at the hands of those who would subvert it.
The problem comes when those of less character use the government apparatus for control, political or other purposes. It's the same reason police and military need to be kept separate - one enforces the rule of law, and one protects against enemies. When those lines are blurred, history has demonstrated repeatedly that individual rights suffer. The degree to which this happens is the degree of the moral compass of those at the helm of this extremely powerful surveillance apparatus.
I'm not sure how many true boy scouts are really left running the show up there, but I do know this: the more paranoid we get, the more we lose. All of this need not come to pass in this way. One of the most important things I learned in my time in this world was "trust, but verify" and it rings true today. You can still trust the message that Bruce Schneier has. We have to, for otherwise we will be consumed by our own paranoia. But to verify is probably the most important point. That's where openness and information sharing in the spirit of open source is paramount and what will lead us to the proper conclusion on this matter.
Hell no.
Personal experience; Ask Bruce to evaluate our product. His reply "The more you pay, the more I like it."
He is a crypto savvy person, who can manipulate his opinion however it needs to, to generate the most income.
Do you trust a dentist to tell you how often you need dental checkups? Or an oil change company to tell you how often to change your oil?
Oh wait, you probably do, don't you?
slashdot troll = you make a compelling argument I do not like the implications of.
Agree/disagree with what he writes/says, but why do you have to trust him? Is he dating your daughter?
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
Well, you can always just trust the computer. The computer is your friend.
Well, if you XOR with a good random one-time pad, I don't think that anyone can break your encryption ever, not even with a quantum computer.
The ROT13 is just unnecessary fluff.
--PM
This question is stupid. It would not matter if he was the most honest, intelligent, and experienced security expert in existence, he would tell you the same thing, do not trust him.
Troll is not a replacement for I disagree.
Forget Schneier. The critical question is actually "Can we trust ourselves?" I'd argue not. Many of us post all manner of information about ourselves, our family, friends and work acquaintances on Facebook, LinkedIn, Twitter, Four Square and other sites. Our GPS-equipped phones know where we are, where we've been, and can probably predict where we're going and when. Short of unplugging, there's little we can do to assure that we're trustworthy electronic citizens.
problem: surveillance.
solution: paranoia.
As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?
What's good for the goose is good for the gander.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
He's really version 2.0 of a long term general intelligence project running on a supercomputer at Fort Meade.
Version 1.0 was called Henry Spencer and was developed in Canada.
(The original graphics version now used for videos of him started out as Max Headroom. This demonstrates yet again, it's much easier to improve on the presentation than the underlying system.)
Bruce Schneier may be the front-line spokesperson for the security community, but that should be completely separate from his body of work in cryptography. At the bottom line, he's doing mathematics, and mathematical proofs can be reproduced and confirmed -- or debated and disproven -- by anyone else in any country with sufficient background to understand them.
He is not some guru spouting unprovable wisdom from a mountaintop, he is a member of a scientific community, and if he is able to earn and keep the respect of that community, then that's a pretty good indication that he knows what he's talking about.
The same argument applies to any organization, doesn't it?
This sure sounds like the start of a campaign to bash Bruce for helping Snowden and Greenwald.
There has been no evidence, direct or implied, that he might be a trojan. This post definitely smells like U.S. government shills trying to plant doubt in the community about a respected authority.
", and mathematical proofs can be reproduced and confirmed -- or debated and disproven -- by anyone else in any country with sufficient background to understand them."
Wrong, because the NSA seeds misinformation into textbooks and universities! If your background is based on disinformation taught to you in schools, then you are in trouble...
Trust.. but Verify.
There's two reasons to potentially not trust Bruce Schneier -- he's in cahoots with the NSA (and by "cahoots" I mean involved in a conspiracy to somehow impact you) or he's biased against the NSA, in which case his opinions are equally untrustworthy.
It doesn't matter why someone's opinion isn't neutral -- it's just as invalid to blindly trust it whether that opinion matches yours or not. In fact, it's probably worse to blindly trust it if it happens to match yours, because you already have a bias.
. . .all others we track.
Invite all these "experts" to create a website of "secure code segments". Things like authentication, validation of input, etc., across all languages. Essentially, cut-and-paste bullet proof code that can be dropped into projects. Then we will not need to trust any single individual.
When it comes to crypto, well, there is a lot of FUD out there. The push for using standard crypto systems is because it makes it easy to identify and hack. In a scenario where everyone is using self-created weak systems, it is much more difficult because of the time to analyse and the inability to reuse code (read: expensive). Just because it is easy to crack something, or reverse a function, does not mean the NSA knows what function they need to reverse. So, I would combine them both.
Security through obscurity therefore does have its place.
Everyone needs to focus on the practical implementation of a crack, not the theoretical aspect.
Is that "Ask Slashdot" needs to just go away permanently, and the Slashdork editors whipped.
You are not paranoid, if they really do want to get you. So, all you got to do to cure your paranoia, is give them a reason to come after you.
The BT security directorate will obviously administer the test at Martlesham/BT Labs/Adastral Park, in the time-honored Suffolk fashion, by throwing him into the lake at the labs: if he sinks we can trust him, if not he's a witch :-)
though Bruce's lack of a proper martleman beard will probably count against him.
No one will be nuts.
Now that tinfoil hats are in fashion the answer is quite simple. If he proves a weakness then the crypto system is crap. If he doesn't then regardless of his motives the system still can't be trusted.
Here is where we can even add a layer of lead to our tinfoil hats. What is to say that the NSA doesn't have working quantum computers? Thus almost any system that is susceptible to any sort of quantum math such as factoring is quite simply dead as far as the NSA is concerned.
This last is an important consideration. Because most of us have no data that the NSA could be even slightly interested in. Let's say a forum discussing shoe repair techniques. So in that case all we are concerned with would be that our cryptographic system will protect password hashes, CC encryption, and keep SSH server access secure. So most of the old systems are probably still quite nice.
But there is an edge case where the NSA couldn't give a crap but a large politically connected corporation would like to have a peek into your systems and then the NSA might give them access. So if you were say a huge conglomerate bidding on a massive infrastructure project, those who were bidding against you might be given access to your data due to "national interests". A simple reason why organizations like the NSA might want to help large corporations is that then those corporations will lobby on the NSA's behalf in times like the present. Can you imagine how many senators/congressmen are in districts where GE is a large employer? In that light it would be stupid for the NSA not to hand them interesting data.
Even here in Canada I could see our spy bunch giving stolen data from Canadian companies that weren't politically connected to those that are politically connected.
make it to the front page of Slashdot?
If the focus is on the message, the messenger is irrelevant. The message should be scrutinized (which sounds like "Trust, but verify").
eom
Why does someone who won't give a username get to the front page?
He has kind eyes.
Some settling may occur during posting.
Why not? I have his SHA256 hash, right here, on this USB stick.
But wait! Am I sure I spelled "Schneierer" correctly?!?
"Flyin' in just a sweet place,
Never been known to fail..."
There is something else. Bruce Schneier is a public figure in the cryptography area. Scientists need to fight for money, and a large part of it comes from reputation and fame. If Bruce said something that appeared wrong to security researchers, they would speak up, just to be "the one that knows better".
You can't verify everything independently. Yes it should be possible to prove a cryptographic system is secure with math, but most don't have the know how, and those that do don't have the time. So you do have to trust someone somewhere down the line.
Which leaves you with needing to make some choices about trust. First you have the transitive property: you can use the personal opinions of people you already do trust to help reach trust judgements about others.
Next you have to go with experience: has this person proven dependable before? After that you have to move to agenda analysis.
We might say that Bruce's livelihood depends on him being perceived as a reliable expert. He would at least appear to have more to lose by knowingly misleading people and eventually being exposed than he has to gain by doing otherwise. We can also say we are not aware of having been deceived by Bruce before; at least to the degree that what he is saying makes sense and the risk to me is low enough to not feel the need to go into deep analysis of the software and protocols on my own, I'll take Bruce at his word: if he says something is broken, it probably is.
Conversely, we think we have been knowingly deceived by the government intelligence agencies over and over again and have pretty solid evidence of that. With that in mind, my default position is to distrust anything they have to say. If they say something is secure, I must assume it's not unless I can get some degree of independent verification. If they say something is broken, I have to assume that may be the case, or they may be trying to steer me and others away from something that is useful. Again, it needs to be checked out independently.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Put Schneier in a ring with Bruce Wayne, Bruce Willis, and Bruce Lee. See who survives.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
Problem: Paranoia
Solution: None
That is because in the security field you do not try to solve critical job skills.
Thanks for pointing out my Diverse Double-Compiling (DDC) paper!
My page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) has more details, including detailed material so you can duplicate the experiments and re-verify the proofs. Note that you do not have to take my word for it.
You have to trust some things. But you can work to independently verify those things, to determine if they're trustworthy. I don't always agree with Bruce Schneier, but after watching what's he's done for years, I've determined that he's quite trustworthy. This is the same way we decide if we should trust anyone or any thing. In short: "trust, but verify".
- David A. Wheeler (see my Secure Programming HOWTO)
I think misinformation in mathematics can be easily detected. Not only is math universal, it's also impossible to launch satellites or go to the moon without it. We would've noticed AND corrected any deliberate diversion of the sciences.
Custom electronics and digital signage for your business: www.evcircuits.com
Simple. Encrypt twice. Use one cipher he loves and one he hates. It is unlikely both are compromised in any usable way when combined. Also be sure to encrypt lots of content from /dev/random to make sorting legitimate content from garbage difficult. Bonus: split your important content into chunks such as rar files, strip out the header so knowing the mimetype isn't possible and encode the different sections using various ciphers. They will need to have compromised all the ciphers to put it back together and without a header knowing the reassembly order will be more difficult.
I think it would be useful for people who participate in creating and vetting standards to sign some sort of a standard affidavit about their not being affiliated with NSA or similar government entities. It is a simple thing to do, but you'd think twice before jeopardizing your good name.
Why are the sheeple being told by Slashdot and others to look at the personalities, and NOT the maths? The maths behind encryption is not so hard to understand- certainly not the correlation between DEEPER (bigger) keys and better encryption.
The NSA uses FUD as its number one tactic against best security practices. These are some of the current NSA propaganda programs.
- spreading the nonsense that properly deleted data can be recovered from hard-drive platters using 'advanced technology'. This discourages people from using proper deletion protocols, and instead relying on branded software products from companies in the pocket of the NSA.
-spreading nonsense that the NSA has 'secret technology' that can break any encryption. This discourages people from using the best encryption methods, instead using the completely compromised encryption products sold by NSA partners.
-spreading the nonsense that 'security through obscurity' doesn't work. The NSA relies on people using standard methods to secure their data, and CANNOT afford to assign people to 'crack' unique solutions, except in vanishing rare cases.
-spreading the nonsense that end-point encryption is INSECURE. The worst nightmare for the NSA is end-point encryption becoming common-place on the Internet. Companies can be targeted in ways that individuals never can be. Rely on a man-in-the-middle company for your Internet security, and you have no security at all. Encrypt your data yourself, and rely on the recipient to decrypt it, and you have the best possible general security protocol.
Here's a question for you all. Why do Instant Message services NOT use peer-to-peer methods for moving your messages, once you have made contact with your communication partner? Why do IM services DEMAND that all your messages pass through their servers, which is a much more expensive solution for them? None of these companies were mining your messages for targeted ads in the early years, so THAT excuse doesn't explain anything.
The answer is that, from the beginning, IM services were designed and created for the benefit of the NSA and equivalent agencies in Israel. Unlike VOIP, end-point encryption of text messages has no downside or technology issues. But it never happened.
If your HDD fails, you have to send it back to get a replacement. Since that HDD is likely loaded with your data, and since the HDD company won't accept a HDD given the sledge-hammer treatment, you are a fool if your first act with the new drive wasn't giving it a giant Truecrypt container. Your data should NOT be viewable by a third-party without your permission, REGARDLESS of what that data is. Judgements about how innocuous it is shouldn't even come into it. You should NEVER have to think "what might be the consequences of some stranger looking at my data".
Otherwise the situation INVERTS. Bad people will ALWAYS be thinking of new ways of turning such data against you, regardless of what nature that data has. History PROVES that anything UNIQUE or COMMON about you can trigger a "burn the witch" effect, whether you are a specific target, or an amusing distraction for the mob.
Why do schools and induction training for the military attack the concept of individual privacy? Why do apologists for the worst monsters in power always spout "if you've nothing to hide, you've nothing to fear". You either have a society that puts personal space FIRST, and only seeks to punish OVERT criminality that DIRECTLY hurts others through clear intention or inexcusable negligence, or you have a society of mob-based justice, with thought-crimes, and 'burning' of 'witches' (by which we mean the 'other').
You trust math, and your knowledge of it. So maybe you don't understand it now and then use humans as proxies. Well, learn math/crypto yourself.
No secret lasts longer than 6 years, 5 years on average. Planning on it could save one from some, um, uncomfortable outcomes. If one is looking at crypto, look at those who are successful. The banking industry. Why? How many bankers have gone to jail? Damn few. Also, who's making the money in banking? That's who Crypto as superior. If one plans on being ratted out, then one can move forward with more confidence, by not creating a naive environment.
Reminds me of a scene from Andromeda when Tyr was advising a prince:
Tyr: Trust no one
Prince: Can I trust you?
Tyr (incredulous): No!
It's been awhile since Bruce really has said anything that hadn't already been thought through, discussed, and agreed on by a large part of the industry. Bruce leads from the middle of the pack these days - so who cares if the NSA has compromised him?
Why should you trust anyone at Slashdot to give a trustworthy answer about Bruce Schneier's trustworthiness?
From TFA: "The Texas legislature adjourned in June, and it will not reconvene until 2015."
Now that's my sort of holiday! Yee-haw!
Slashdot - News for Nerds, Stuff that Matters, in ISO-8859-1 Has just realised that beta makes this signature redundant
This tells us all we need to know about him: http://www.thoughtcrime.org/blog/saudi-surveillance/
His whole set of ideals and processes is about not having to trust an individual person to make you secure. What he publishes is open, as are the software and techniques he espouses. The point is that if he's not trustworthy there should be people out there that will spot it. Personally, I'm not qualified but I do have some level of trust that there are plenty of people who are and who do check. If not, we're all screwed but there's no point in going down that path.
The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln
Quite possibly, but a lot of what would have sounded like paranoia last winter no longer does.
Slashdot is not a game, Slashdot is not a game. Crap, I just lost points.
Well, you *can* trust anyone. But should you? Usually we use past behavior as a judge of whether it is likely the person is being deceptive, especially where proof is impossible or too expensive. Sadly, past behavior is no guarantee of future behavior. Anyone can be compromised. So we make a guess and balance cost of verification against cost of deception. After all, I can't prove the Africa exists. But I am choosing to trust that it does.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
They really are out to get you.
"Bruce Schneier intercepts all your internal monologues by a man-in-the-middle attack."
^Seems legit to me
Mod me down, I shall become more off-topic than you could possibly imagine.
Ask his Mother.
I don't trust Bruce since he took the shilling and went to work for BT, who are the most scummy backdoor roll-over-for-the-max-corporate-offshore-fuelled-dollar company in the UK.
I was genuinely shocked, knowing how the company works and is set up, paying the merest lip service to security and human factors and quality, and Bruce's stance.
The only explanation I have is money. That counterpane deal must have been super sweet to taint his name over.
I have competed with Bruce's companies (Counterpane, BT), met Bruce several times in professional settings. I've never worked with him personally, but I have plenty of other colleagues who have.
I trust Bruce.
-Red
This is a ridiculous post. Bruce Schneier can be trusted as much as anyone can be "trusted" until he shows otherwise. What a waste of bandwidth.
Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
Probably he is controlled opposition.
Trust cannot be built from parts or verified or logically deduced. It's a gift that you give to someone. Anyone can be trusted.
Should I trust Bruce?
That's a question more about yourself than Bruce.
Look at it this way: has He-Whose-Hashed-Password-Is-0000000000000000 asked (even implicitly) for any dogmatic trust?
It's one thing to suggest that scientist X may be lying about his experimental evidence. It's another thing to say Karl Popper might be lying about how science can be used to learn. You're either persuaded by Popper's arguments or not; there's never any question about him giving you misleading facts, though, because facts aren't what he offers. Intellectual strategy is what he offers.
Overall, Schneier's "face" is doing the same. It's just complicated a bit by the fact that he's also done some "Real Work" too. ;-)
The closest thing I can remember to ever seeing some Schneier dogma is that he came out with an opinion (I won't tell you whether it was for or against, because it doesn't matter) about Elliptic Curve Crypto. A lot of people who don't understand EC probably copied his opinion. In that respect, he could be subversive. Most of Schneier's writings aren't really like that, though.
I have great admiration for Bruce Schneier. But there is one issue he has to resolve.
In 2006 Bruce joined BT (British Telecom) as their Chief Security Technology Officer. During this time Phorm installed DPI boxes in BT exchanges. This was illegal and yet no one got prosecuted.
Bruce implies that the gamekeeper did not know poachers, in cahoots with senior management, had breached the fence and were doing something they should not have. All Bruce will say is "So I'm sorry that I can't write about Phorm"
I do hope one day he reverses his decision on that and says what really went on.
He gives explanations and evidence for the things he advises (where they are not obvious). Sure, you need to be a security expert yourself to evaluate his advice, but if it were bad, most of the world's security experts would either need to be silenced or need to be in on it. That would be rather unlikely. It makes it also extremely hard for him to do anything _for_ the NSA, in the hypothetical case that he was working for them.
Hence the correct answer is that there is no need for him to be trusted, and in fact if you are reduced to trusting him, then you are doing it wrong.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The math.
If you're into cryptography, you can do the math. You don't have to take Bruce's word for it.
I do not fail; I succeed at finding out what does not work.
"If Gandhi wasn't such a nice guy, he could have like totally messed up India. Just a thought experiment, but still...you can't just trust a guy because he's got a perfect record of being trustworthy, you know? Seriously, trust me on this."
You are welcome on my lawn.
To make the claim that Linux has never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.
Certainly - some classes of backdoor are trivially obvious 'if(sourceip==NSA)' - but others can be subtle logic errors.
You mean like this attempt in 2003?
Personally, I'm no longer all that impressed by the IOCCC. Don't get me wrong, some of the code submitted there shows utterly insane levels of skill. However, the above is an excellent example of a good submission for the Underhanded C Contest, which is an excellent teaching tool for discovering exploits as well as for learning about subtle bugs that may drive you utterly mad trying to find.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Since Bruce Schneier himself said that you can't trust US-based cryptography companies, because such companies can be compelled by law to cooperate with the CIA... doesn't it also mean that NO US Person who is under the jurisdiction of the NSA can be trusted w.r.t. crypto advice? Is there a law of some kind in the US that muzzles US crypto researchers and forces them not to disclose certain facts that could harm the NSA's ability to operate? I'm just curious.
cpghost at Cordula's Web.
I am sitting next to (or at least across from) Bruce right now. He is definitely interested (and humoured) in this conversation. As he notes, he's written a book on it. I'd say that a conversation about Bruce's trustworthiness is definitely worthwhile. One should have it about everybody. Of course, it means we should also have it about the people who are most interested in trying to attack Bruce's trustworthiness.
Did Bruce Schneier rape and murder a prostitute in 1990? I don't know, I'm just asking questions...
Don't trust me. Don't trust anybody.
-Bruce
Oh, and a Bruce Schneier connection: In 2006 Bruce wrote a summary of my ACSAC paper on diverse double-compiling (DDC). Bruce's article is simply titled Countering "Trusting Trust".
Bruce completely understood the approach. He explained it very well in his blog, and he also did a nice job explaining its larger ramifications. His conclusions are still true: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks. Here's how you can use a simpler compiler -- that you can trust more -- to act as a watchdog on the more sophisticated and more complex compiler.
- David A. Wheeler (see my Secure Programming HOWTO)
But how, exactly, are we going to use those alternative compilers? If you just use an alternative compiler executable, maybe the original executable was okay and the alternative was subverted - so now you have introduced corruption into the compiler executable you cared about. Just using a different compiler in the obvious way simply moves the problem somewhere else; it doesn't actually solve anything. In DDC, you have to subvert both compiler executables, which is significantly harder.
Ken Thompson's trusting trust paper didn't describe how to solve the problem. The only proposed approach is to rewrite everything yourself, which is impractical.
- David A. Wheeler (see my Secure Programming HOWTO)
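The DDC comparison that the two posts above describe, as an added toy model (my own example, not Wheeler's DDC tooling): a compiler is modelled as an object whose output is a hash of the source it is given, and a trojaned compiler re-inserts a constructed marker whenever it rebuilds its own source. Names such as `Binary`, `ddc_check` and `TROJAN_MARK` are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass

# Constructed toy source for the compiler under test (the sA of DDC).
COMPILER_SOURCE = "compiler: honest source of our toy compiler"

TROJAN_MARK = b"\x00trojan"  # constructed stand-in for a self-inserting payload


@dataclass(frozen=True)
class Binary:
    """A toy compiler executable: its output is a deterministic function of the source."""
    image: bytes
    trojaned: bool = False  # hidden behaviour that appears in NO source

    def compile(self, src: str) -> "Binary":
        honest = Binary(hashlib.sha256(src.encode()).digest())
        if self.trojaned and src.startswith("compiler:"):
            # Trusting trust: whenever the compiler itself is rebuilt,
            # re-insert the payload so the subversion survives recompilation.
            return Binary(honest.image + TROJAN_MARK, trojaned=True)
        return honest


def ddc_check(trusted: Binary, suspect: Binary, suspect_source: str) -> bool:
    """Diverse double-compiling: True when the suspect regenerates bit-for-bit
    what an independent (trusted) compiler produces from the same source."""
    stage1 = trusted.compile(suspect_source)      # trusted compiler builds sA
    stage2 = stage1.compile(suspect_source)       # that result rebuilds sA again
    regenerated = suspect.compile(suspect_source) # suspect rebuilds itself
    return stage2.image == regenerated.image


def honest_compiler() -> Binary:
    return Binary(hashlib.sha256(COMPILER_SOURCE.encode()).digest())


def trojaned_compiler() -> Binary:
    return Binary(honest_compiler().image + TROJAN_MARK, trojaned=True)


if __name__ == "__main__":
    t = honest_compiler()
    print("honest suspect passes  :", ddc_check(t, honest_compiler(), COMPILER_SOURCE))
    print("trojaned suspect passes:", ddc_check(t, trojaned_compiler(), COMPILER_SOURCE))
    # DDC stays silent only when BOTH compilers carry the same trojan.
    print("both trojaned passes   :", ddc_check(trojaned_compiler(), trojaned_compiler(), COMPILER_SOURCE))
```

A mismatch does not say which of the two compilers is subverted, only that they disagree; that is the point at which a human starts investigating.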
Is OP posting from Ft Meade??
I believe Schneier is honest and credible; my only beef with him is that, like too many in the IT industry in general, with superior talents and skills and intelligence, he is somewhat gullible or less than informed of the underlying agendas of they who rule. (An example: his taking seriously the TSA stuff --- when obviously it has nothing to do with keeping Americans safe, just as the American intelligence establishment has never had anything to do with national security, simply garnering financial intelligence for their super-rich founders, and command and control of the populace by various and sundry means.)
I trust Bruce Schneier, I trust Julian Assange, I trust Jacob Appelbaum, and I trust that hooker down the street who only charges me $20 for a blo.....
sgt_doom (actually a precocious 13-year-old with a monster-sized dick)
Just because you feel paranoid doesn't mean that they're not out to get you...
Clearly, the only way we can be sure is to disassemble Bruce Schneier. Glove up.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
Your request to play Devil's Advocate has been denied: the-toast.net/2013/10/02/no-more-devils-advocate/
I've tried and failed to find the blog entry where he says that he was asked to sign an NDA to review TSA/DHS guidelines, which would have granted him access to classified information. Bruce declined because it would forever bind him from releasing anything classified, something he is clearly glad that he can do now in clear conscience.
It's not paranoia if they really are out to get you. Spending billions of dollars on it, secret laws, secret courts, national security letters, and gag orders: these are the signs that you're NOT paranoid.
True, but irrelevant. His reputation on the 'net doesn't depend on his skill and experience as a cryptographer - but on his position as a columnist and pundit saying things that they (the netizens) agree with. His reputation (and ability) as a scientist have nothing to do with his ability and trustworthiness as a pundit. (Or at least they shouldn't to any thoughtful and intelligent person.)
One of the early projects that Schneier led, precipitated by the Y2K date crisis, was a security evaluation of an old COBOL system (code-named "ZEBRA") that was still being used by a certain un-named U.S. Government agency.
This mainframe software had not been maintained for some years, except by patching the binary image; no online version of the source code was available. It would be too hard to audit that way, so they decided to upload the original code (from paper), recompile, diff against the binaries, and eventually reconstruct accurate source code for the Y2K bugs and security issues.
Schneier's group decided to use OCR. The source code had been "line printed" on "greenbar" paper, where alternate lines have light green background stripes for contrast. The problem was that OCR scanners of the day were designed only for black-and-white, and would get confused by the green stripes, and sometimes mis-scan some letters and numbers, making this source code unreliable. This required them to manually read and type in corrections to about half the code!
Bruce Schneier is an outspoken critic of agencies like the DHS and the TSA, but he has been a consultant for the Government in the past. And as you can see from the above story, he was originally an early proponent of scanners, and only in more recent years has spoken out against them. So it is quite reasonable to ask if Bruce Schneier has ever changed his stripes.
Of course Bruce Schneier can't be trusted; his criticism of the NSA obviously means he's in cahoots with the albino shape-shifting lizard Illuminati ..
What I want to know, what I've always wanted to know, is whether Schneier has a govt. security clearance. If so, his clearance can be yanked (or nonrenewed) at the whim of anonymous bureaucrats, and he's completely dependent on NSA et al. for his livelihood.
Similarly, if you read that there is going to be some blue-ribbon commission "investigating" the NSA, and the people named to the commission all have clearances, hold onto your wallet.
We don't trust software, or people, or machines, or anything. We make a compromise every time we use or believe something we do not know fully.
When I use the web, email, etc. I make the basic assumption that anything on it can be, and probably is, snooped, and I just make the compromise: let it be that way this time, I don't have the time to fix this now.
Also, what good is the use of crypto if your girlfriend cannot use it? I mean, while there exist so many algorithms and all, so what? She can't understand and deploy them herself, and anyway, she is busy and that is way too much work. Same thing goes if you use crypto: then you have to know there is no keylogger, etc. etc. and you'll be using tinfoilhat linux in a faraday cage. But the receiver of your message, does he make the same great effort because of your super-secret PGP message? I don't think so.
The security must be water- and gas-tight at both ends, otherwise it's useless. And a thought about VPN: well, if you use one, you trust the VPN provider, be it your friend or a company, that their system, which outputs your connections to the web, isn't compromised. And if you do your super secret hacking, the VPN provider is on the radar, not you. Well, make the terrorism argument, and your provider is caught, and then they just look up from the logs who is the actual endpoint of this dataflow. Eh?
Perhaps somebody controls his connection to the internet. Then they post things in his name, but prevent him from reading them. Or they alter something he publishes, but he is prevented from seeing the alteration.
People are all concerned about the NSA siphoning data off of the internet. But what happens when they can put/alter any data they want. Then they have total information control. And hell on earth begins....
If I were an enemy of the Slashdot community, I'd make posts suggesting that Slashdot editors can't see obvious FUD.
That that is is that that that that is not is not.
Problem: Paranoia
Solution: Tinfoil hat
FTFY.
Also you must be new here.
No, you're still paranoid. But at least you're justified in thinking so.
Paranoia strikes twice...
The only answer is to trust but verify.
It is moderately safe to expect that Bruce is not an NSA shill. That does not eliminate the ability of a large organization to convince or coerce any individual to have a view that they would like you to have.
Businesses, developers and others should look hard at Bruce's comments on an airgap in his most recent newsletter. Legal organizations should also take a hint here.
Paranoia does strike deep, just do not be buffaloed by the quagmire out in the fields this spring.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
TSIA.
There's a difference between devil's advocate and asshole that you are not grasping.
"He who fights with monsters should look to it that he himself does not become a monster. And when you gaze long into an abyss the abyss also gazes into you." -Friedrich Nietzsche
This hypothetical post is hypothetical.
Discuss.
Kriston
... then he's made of wood...
Those Bruce Schneier facts don't bode well for you.
Troll 2.0 Fear my asocial networking!
For a number of years it was a secret that programmable digital computers existed and worked. If it happens that (proper) quantum computers exist and work then don't reckon they'll be in any hurry to tell the likes of us. Everything could be being depicted now, real time, without access to any compromised routers, without needing to get secret court orders for the disclosure of keys, all that could be nothing but a smokescreen. No, don't trust Bruce Schneier, because no one has told him there are working quantum computers either.
Paul Beardsell
Finally we have an objective unit to measure paranoia, the Bruce.
The theoretical relationship between a truth function and the belief in the truth of the truth function has never previously been established.
My hypothesis is that each truth table has a paranoia variable located on the Z axis, measured in Bruce Units, which measures the belief in the reliability of the truth table. A positive Bruce value means you are paranoid and probably an idiot; a negative Bruce value means you are not paranoid and everybody else is an idiot.
I propose that the combination of a truth table and an array of associated Bruce values be called the Bruce Cube. Other proposed names such as the Nixon Cube and the Tom/Friedman Cube lead to the incorrect belief that the paranoia vector is associated exclusively with either the left or right spin. The name “Nixon-Friedman Cube” was just too damn long to use.
I'll leave it to others to work out the details of Bruce calculus. I'm too tired.
The main thing in my opinion is upon seeing anything fishy with a person or organization, then it is time to recognize that it should never again be trusted. Governments can never be trusted. Some people have stated on SD that NIST should be trusted. However, NIST is making unnecessary mods to the new SHA3 (I think that is the one) hash that are not necessary. There have been reports of NSA types visiting NIST. NIST will never have my trust again.
Isn't this just like the Byzantine Generals problem (first proposed by Marshall Pease, Robert Shostak, and Leslie Lamport in 1980: http://dl.acm.org/citation.cfm?doid=322186.322188 ): you cannot trust a person on their declaration alone, but if you have enough sources, you can have fault tolerance, and get an answer to questions like "can this algorithm/implementation be trusted or not?".