Ask Slashdot: Can Bruce Schneier Be Trusted?
An anonymous reader writes "Security guru Bruce Schneier is, among other things, a world renowned cryptography expert, author of several popular books, and a second-order internet meme. He is also an outspoken critic of the NSA, in particular the massive NSA surveillance programs disclosed over the summer by Edward Snowden. Schneier has been involved in reviewing the leaked documents and has put in effort to determine which cryptosystems should still be considered safe. I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?"
Seriously... Especially the Govt. (and clowns - clowns scare me...)
"I say we take off, nuke the site from orbit. It's the only way to be sure."
I use two cyphers, just in case. In my case, I found ROT13 and XOR excellent for speed and obfuscation.
Obviously we burn him at the stake. If he burns he was innocent.
and has put in effort to determine which cryptosystems should still be considered safe.
Have someone(s) double check his work.
We should be doing that anyway, even for someone who is 100% trusted.
[Fuck Beta]
o0t!
... Anonymous Coward. There are some very suspicious posts he makes. And besides, he seems to never sleep.
now we need to go OSS in diesel cars
If you're talking about absolute trust, i.e. "I trust him" = "I trust him to do anything", you should probably have your head examined.
Phrase your questions better and you will get more useful answers.
If we can't trust old Bruce, we're all screwed. Though possibly we are anyway. But if he's an asset, he's pretty well disguised.
Have gnu, will travel.
Problem: Paranoia
Solution: None
Bruce Schneier may be the front-line spokesperson for the security community, but that should be completely separate from his body of work in cryptography. At the bottom line, he's doing mathematics, and mathematical proofs can be reproduced and confirmed -- or debated and disproven -- by anyone else in any country with sufficient background to understand them.
He is not some guru spouting unprovable wisdom from a mountaintop, he is a member of a scientific community, and if he is able to earn and keep the respect of that community, then that's a pretty good indication that he knows what he's talking about.
It's supposed to be completely automatic, but actually you have to press this button.
That's the best way to tell
Has Schneier given us bad advice? So far, so good it seems.
Has Schneier been a vocal critic of the NSA? Yes.
Has Schneier been on this file for a really long time? Yes.
Do you have any evidence that he's in cahoots with the cryptofascists? No.
So, all you have is a speculation to tear down the reputation of one of the good guys, a thought experiment, based on no evidence, but one that has real world consequences of spreading fear, uncertainty and doubt regarding someone who is fighting the good fight.
Therefore, I would humbly suggest that I could and do logically conclude that YOU are a tool of the NSA, not Schneier, and furthermore, I have more evidence than you do: Your suggestion to consider Schneier as less than reliable based on zero evidence.
Shoes for Industry. Shoes for the Dead.
Seriously. The mere act of trusting someone will eventually lead to that person betraying said trust. Trusting someone puts them in a position of power, and power corrupts. You can't trust anyone.
Seven puppies were harmed during the making of this post.
Hi,
Read his papers and check the hints within; it's even possible for non-crypt-math geeks to get a background understanding, because there are many more out there. Work out the differences in their argumentation; don't just think that because there is a citation it can be trusted, check what's behind a citation.
Wikipedia is the best entry point for you.
Check the argumentation on a logical level, and question the argumentation, especially if it fits the known problems till now; when it remains true, you have a good chance that it's really true.
I guess people's paranoia with the NSA revelations have been difficult to swallow. Now everyone is slowly becoming suspicious of everyone else.
Anything is possible I suppose. To me, it was no surprise really. I do have to say that, having worked with individuals in the security community, the primary focus really is the safety of our way of life at the hands of those who would subvert it.
The problem comes when those of less character use the government apparatus for control, political or other purposes. It's the same reason police and military need to be kept separate - one enforces the rule of law, and one protects against enemies. When those lines are blurred, history has demonstrated repeatedly that individual rights suffer. The degree to which this happens is the degree of the moral compass of those at the helm of this extremely powerful surveillance apparatus.
I'm not sure how many true boy scouts are really left running the show up there, but I do know this: the more paranoid we get, the more we lose. All of this need not come to pass in this way. One of the most important things I learned in my time in this world was "trust, but verify" and it rings true today. You can still trust the message that Bruce Schneier has. We have to, for otherwise we will be consumed by our own paranoia. But to verify is probably the most important point. That's where openness and information sharing in the spirit of open source is paramount and what will lead us to the proper conclusion on this matter.
Agree/disagree with what he writes/says, but why do you have to trust him? Is he dating your daughter?
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
This question is stupid. It would not matter if he was the most honest, intelligent, and experienced security expert in existence, he would tell you the same thing, do not trust him.
Troll is not a replacement for I disagree.
Forget Schneier. The critical question is actually "Can we trust ourselves?" I'd argue not. Many of us post all manner of information about ourselves, our family, friends and work acquaintances on Facebook, LinkedIn, Twitter, Four Square and other sites. Our GPS-equipped phones know where we are, where we've been, and can probably predict where we're going and when. Short of unplugging, there's little we can do to assure that we're trustworthy electronic citizens.
He's really version 2.0 of a long term general intelligence project running on a supercomputer at Fort Meade.
Version 1.0 was called Henry Spencer and was developed in Canada.
(The original graphics version now used for videos of him started out as Max Headroom. This demonstrates yet again, it's much easier to improve on the presentation than the underlying system.)
Let the whitch hunt begin!
Whitch hunt would that be?
Why not? I have his SHA256 hash, right here, on this USB stick.
But wait! Am I sure I spelled "Schneierer" correctly?!?
"Flyin' in just a sweet place,
Never been known to fail..."
Thanks for pointing out my Diverse Double-Compiling (DDC) paper!
My page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) has more details, including detailed material so you can duplicate the experiments and re-verify the proofs. Note that you do not have to take my word for it.
You have to trust some things. But you can work to independently verify those things, to determine if they're trustworthy. I don't always agree with Bruce Schneier, but after watching what's he's done for years, I've determined that he's quite trustworthy. This is the same way we decide if we should trust anyone or any thing. In short: "trust, but verify".
- David A. Wheeler (see my Secure Programming HOWTO)
I think misinformation in mathematics can be easily detected. Not only is math universal, it's also impossible to launch satellites or go to the moon without it. We would've noticed AND corrected any deliberate diversion of the sciences.
Custom electronics and digital signage for your business: www.evcircuits.com
You know he's designed several ciphers, right? Blowfish, Twofish, perhaps you've heard of them? Twofish was an AES finalist. If that doesn't give him credentials, what does?
They really are out to get you.
"Put Schneier in a ring with Bruce Wayne, Bruce Willis, and Bruce Lee. See who survives."
Obviously the answer is no one. Lee is already dead, and he will still kill all the others before they can make it over the rope.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
"Bruce Schneier intercepts all your internal monologues by a man-in-the-middle attack."
^Seems legit to me
Mod me down, I shall become more off-topic than you could possibly imagine.
He isn't licensed by the NSA to do crypto work. You wouldn't trust an unlicensed lawyer, or an unlicensed doctor, now would you (well, you might, but not for very long)? Better play it safe and keep your child porn and assassination plots securely in a DES container, potential criminal.
To make the claim that Linux has never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.
Certainly - some classes of backdoor are trivially obvious 'if(sourceip==NSA)' - but others can be subtle logic errors.
You mean like this attempt in 2003?
Personally, I'm no longer all that impressed by the IOCCC. Don't get me wrong, some of the code submitted there shows utterly insane levels of skill. However, the above is an excellent example of a good submission for the Underhanded C Contest, which is an excellent teaching tool for discovering exploits as well as for learning about subtle bugs that may drive you utterly mad trying to find.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Since Bruce Schneier himself said that you can't trust US-based cryptography companies, because such companies can be compelled by law to cooperate with the CIA... doesn't it also mean that NO US Person who is under the jurisdiction of the NSA can be trusted w.r.t. crypto advice? Is there a law of some kind in the US that muzzles US crypto researchers and forces them not to disclose certain facts that could harm the NSA's ability to operate? I'm just curious.
cpghost at Cordula's Web.
I am sitting next (or at least across) from Bruce right now. He is definitely interested (and humoured) in this conversation. As he notes, he's written a book on it. I'd say that a conversation about Bruce's trustworthiness is definitely worthwhile. One should have it about everybody. Of course, it means we should also have it about the people who are most interested in trying to attack Bruce's trustworthiness.
Oh, and a Bruce Schneier connection: In 2006 Bruce wrote a summary of my ACSAC paper on diverse double-compiling (DDC). Bruce's article is simply titled Countering "Trusting Trust".
Bruce completely understood the approach. He explained it very well in his blog, and he also did a nice job explaining its larger ramifications. His conclusions are still true: the "trusting trust" attack has actually gotten easier over time, because compilers have gotten increasingly complex, giving attackers more places to hide their attacks. Here's how you can use a simpler compiler -- that you can trust more -- to act as a watchdog on the more sophisticated and more complex compiler.
- David A. Wheeler (see my Secure Programming HOWTO)
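The watchdog idea described in the post above, modelled as an added toy example (this is not David Wheeler's code, nor material from his ACSAC paper or Bruce's blog post). A "compiler" here is a Python module whose compile_source() turns source text into an "executable" (just the encoded text); the trojan, the compiler source, the trusted compiler and all names are constructed for illustration. The tampered binary quietly re-inserts itself whenever it compiles something that looks like compiler source, which is the "trusting trust" pattern; diverse double-compiling catches it by rebuilding the compiler from source with an independent, simpler compiler and comparing the result with the binary under test.

```python
"""Toy model of Diverse Double-Compiling (DDC). Added example, constructed here."""
import hashlib
from typing import Callable

Compiler = Callable[[str], bytes]

# Constructed: source of the compiler under test ("compiler A"). It is honest.
COMPILER_A_SOURCE = '''
def compile_source(src):
    # Toy compiler: the "executable" is simply the source text, encoded.
    return src.encode("utf-8")
'''

# Constructed: the self-reinserting trojan. When the tampered binary compiles
# anything that looks like compiler source, it appends a copy of itself, so the
# defect survives a rebuild from perfectly clean source.
TROJAN_T = '''
def compile_source(src):
    if "def compile_source" in src and "TROJAN_T" not in src:
        src = src + "\\nTROJAN_T = " + repr(TROJAN_T) + "\\n" + TROJAN_T
    return src.encode("utf-8")
'''


def run(executable: bytes) -> Compiler:
    """'Run' a toy executable: exec it and return its compiler entry point."""
    namespace = {}
    exec(executable.decode("utf-8"), namespace)
    return namespace["compile_source"]


def tamper(executable: bytes) -> bytes:
    """Simulate the attacker's one-time modification of a compiler binary."""
    tail = "\nTROJAN_T = " + repr(TROJAN_T) + "\n" + TROJAN_T
    return executable + tail.encode("utf-8")


def trusted_compile(src: str) -> bytes:
    """The independent, simpler 'watchdog' compiler cT (constructed; honest)."""
    return src.encode("utf-8")


def diverse_double_compile(compiler_a_binary: bytes, compiler_a_source: str,
                           trusted_compiler: Compiler) -> dict:
    """DDC check: rebuild A from source via cT, let that build rebuild itself,
    and compare the second-stage output with the binary under test.
    Precondition: compiler_a_binary claims to be the result of compiling
    compiler_a_source with itself, and the build is deterministic."""
    stage1 = trusted_compiler(compiler_a_source)     # A built by the trusted compiler
    stage2 = run(stage1)(compiler_a_source)          # A rebuilt by that clean A
    return {
        "stage2_sha256": hashlib.sha256(stage2).hexdigest(),
        "binary_sha256": hashlib.sha256(compiler_a_binary).hexdigest(),
        "matches": stage2 == compiler_a_binary,
    }


def build_honest_binary() -> bytes:
    """Bootstrap an honest A binary by letting A compile its own source."""
    return run(COMPILER_A_SOURCE.encode("utf-8"))(COMPILER_A_SOURCE)


if __name__ == "__main__":
    honest = build_honest_binary()
    tampered = tamper(honest)
    # Ordinary programs compile identically, so testing outputs alone misses it.
    print(run(honest)("print(1)") == run(tampered)("print(1)"))
    # The tampered compiler regenerates itself from clean source.
    print(run(tampered)(COMPILER_A_SOURCE) == tampered)
    # DDC separates the two.
    print(diverse_double_compile(honest, COMPILER_A_SOURCE, trusted_compile)["matches"])
    print(diverse_double_compile(tampered, COMPILER_A_SOURCE, trusted_compile)["matches"])
```

The point of the toy is the shape of the argument, not the string tricks: the trojan survives every rebuild done by the compromised binary, yet a single rebuild by any independent compiler, followed by a self-rebuild, yields a binary that no longer matches. That comparison needs a deterministic build and a trusted compiler whose output format the compiler under test can consume, which is exactly why a simple, reviewable compiler makes a good watchdog.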
Clearly, the only way we can be sure is to disassemble Bruce Schneier. Glove up.
--- Generation X: The first generation to have SIG lines inferior to their parents... ---
One of the early projects that Schneier led, precipitated by the Y2K date crisis, was a security evaluation of an old COBOL system (code-named "ZEBRA") that was still being used by a certain un-named U.S. Government agency.
This mainframe software had not been maintained for some years, except by patching the binary image; no online version of the source code was available. It would be too hard to audit that way, so they decided to upload the original code (from paper), recompile, diff against the binaries, and eventually reconstruct accurate source code for the Y2K bugs and security issues.
Schneier's group decided to use OCR. The source code had been "line printed" on "greenbar" paper, where alternate lines have light green background stripes for contrast. The problem was that OCR scanners of the day were designed only for black-and-white, and would get confused by the green stripes, and sometimes mis-scan some letters and numbers, making this source code unreliable. This required them to manually read and type in corrections to about half the code!
Bruce Schneier is an outspoken critic of agencies like the DHS and the TSA, but he has been a consultant for the Government in the past. And as you can see from the above story, he was originally an early proponent of scanners, and only in more recent years has spoken out against them. So it is quite reasonable to ask if Bruce Schneier has ever changed his stripes.