Schneier on Security

Another clue to Bruce's identity -- he speaks Norwegian!!

Interesting, very interesting. I haven't heard your approach to fix our bad instincts via education before. Its an interesting idea, but I have my doubts to its effectiveness. If you have a true master teaching you what instincts to ignore in a particular field, then by all means lets do it. But as the world is there aren't enough masters in any domain to teach the new hires.

So you'll have some teachers that don't have a full grasp of what instincts to ignore. I think I've been in that situation before as an apprentice and a teacher. As a student the best you can do is to absorb the lessons, while probing the limit of your masters expertise. As a teacher you have to clearly define your level of expertise and resist the temptation to make up an answer, based on your gut (about which gut instincts you can ignore).

Well for all of that, I think its a noble idea, one which I'm still pursing myself.

The Infosec Mag interview is great, but I think the two in Norweigan are on Squid, yes?

you are a rockstar for IT security.

Great security stuff as always, Bruce, but the self-promotion is getting out of hand. Bragging about your number of pieces for Wired, the African Safari anecdotes, the endless accounts of where you are speaking next, now come on.

Sure, this resume fluff is needed by a start-up competing with the giants of fluff and spin, but now you are standing on the shoulders of BT giant, give it up.

What this reader likes is when you savage the bloaters and liars of security PR, but what undermines your critique are those overweaning pats on your own back. Sorry to say, but it smells like somebody is paying you to peddle high quality snakeoil, and could damage the rep of Counterpane.

Your accomplishments speak for themselves, enough of the yelling about them.

Respectfully annoyed at the rock star image,

John

"...the self-promotion is getting out of hand."

You're kidding, right? I think I do very little self-promotion, and I like to keep it that way.

I never mention my speaking engagements in the blog; just on a seperate page. I never brag about any of my publications; I just reprint them. And the South African anecdote was the first time ever I used a personal anecdote to start an essay. I admit it felt odd, but it never occured to me that anyone would consider it either bragging or self-promotion.

Sure, these are links to me in the news. Mostly they're here so I have a record of them. I try to bunch them up, and post them on Friday afternoon just before squid.

This has nothing to do with BT. This certainly isn't me patting myself on the back. Nor is it me "yelling." And I don't mean it to come across that way.

"Another clue to Bruce's identity -- he speaks Norwegian!!"

Not a word of it. I have no idea what those articles said. (When I sent the links to my webmaster to post, she responded with: "I just hope 'Slik vurderer' is a compliment.")

Amusingly the second Norwegian article starts of by noting that Bruce Schneier is the closest thing you'll come to a rock star in the field of IT-security.

"Slik vurderer" means someone who grades, rates, or evaluates (like a teacher, appraiser, etc).

"kjent ekspert innen IT-sikkerhet" means known (or even famous) expert in IT-Security.

And the rest of it my wife didn't know how to translate into English, but she is a native Norwegian so she understands it just fine, but has a hard time explaining to me what it means... Oh well, they look like interesting articles, I hope she enjoyed them :) You can try this link: http://www.translation-guide.com/free_online_translators.php?from=Norwegian&to=English but it does a HORRIBLE job at translating (because, for example, they say: "Microsofts development they lastly å clean-cut" --But it is really "Microsofts development over the past [few] years"...

Oh, and the Rock Star image isn't just for IT Security, Novell http://www.novell.com is promoting IT Rock Stars (win one for a day), so I don't think there is anything wrong with it. If Blogs were Bands, then I could say I "listen" to you every day, and in my opinion, I'm a huge fan, and I consider you a leader, innovator, and philosopher in IT Security; and if someone in Norway considers you an IT Security Rock Star, well then, that's pretty darn close to the truth to me. Maybe someday I'll "See you in concert" It's not "Self-Promotion" it's just letting your fans know what you've been up to, and I appreciate it, and I say "keep it coming".

The self-promotion is healthy. Don't worry about it. If you don't love yourself, no one else will either.

Me, me, me... Really, Bruce, you are starting to sound like Agent Smith. :-)

@John Young: "Bruce, but the self-promotion is getting out of hand."

Even if that were so, which I don't see where it is, would his promoting his books, articles, and speeches in order to promote security and in the process fulfill some crazy idea to actually make a profit through his job really constitute something worthy of criticism?

I get paid to do IT security, and to get paid some self-promotion is beneficial, but it's not just about the money but to actually obtain the credentials to make a difference for the better.

In any case, we're all better off talking about the merits of the issues and not criticizing someone for supposedly promoting their own products (as if it would be wrong anyway on a web site that bears their name to boot).

Keep up the good work, Bruce. Whatever all your motives are, you make a difference for the better, which is something we should all appreciate rather than diminish.

Best regards,
sm

He has his own boat in The Deadliest Catch.

Here is a very fast written translation of the second interview in Norwegian... It might not be 100% correct English, but you get the idea...

-Assume that the customers are idiots

Safety-guru Bruce Schneier says the things the online-banks are to afraid to.

-Give up safety if fraud is cheaper!

Bruce Schneier is the closest you come to a rock star in IT-security.

Technology chief in BT Counterpane is mostly known as a free speaking blogger, and is getting much respect for his insight in safety.
The "to-the-point formulations come close as he speaks, and recently he was
in Oslo on Ciscos safety conference to talk about the only thing he thinks
can save IT-security - pure self interest.

Dagensit.no met him just before the conference, to talk about
banking-fraud.

Norwegian online-banks has the last year been shook by a series of frauds.
It hasn't been too many cases yet, but the business fears what is to come.

- It isn't getting better, it's getting worse, thinks Schneier.

Impossible to secure the customers
The attacks in Norway have been directed against the customer’s computers.

-The hackers are going for results, and of course, they are going for the
weakest link - the user, says Schneier.

Norwegian banks invite customers to secure their computers, and some banks
are to distribute free security software to them.

- Can this solve the problems?

-No, the customers don’t have the chance to know if they are hacked, and
they can't fix it, says Schneier.

By breaking in to the customers computers the hackers can take what they need of information to pretend to be the customer. Schneier’s doesn't think this can be solved by using better security software.

-No, they have not solved the problem as long as the safety is depending of
what goes on in the user’s computer, he says.

The problem is already solved
Defenseless customers and increasing fraud does not sound good, but
Schneier is still not worried for the future of the online banking. He
compares online fraud with other, very old problems of society.
-Murder isn’t gone, but society works great, and we don’t wear bulletproof
wests. The point is for it to work and that doesn’t mean it’s perfect.

If hackers can pretend to be customers, it’s easy to visualize online
banking frauds to gallop out of control.

-Is it possible to eliminate the customer as a security problem?
-Yes, just look towards the credit card companies. They assume you’re
acting like an idiot. And they stop fraud all the time, even if nobody
verifies it’s the right person, that the signature matches or if the card
is a fake, says Schneier.

-But credit cards is being fraud every day?
-Yes, it isn’t perfect. But you have to look for a good business model,
where the fraud is low enough for the model to be profitable. That’s what
you always look for, he says.

Faceless swindlers
Schneier says it took the credit card companies some years to work out the
model, and that the only possible solution has been to exclude the customer
as a part of the security chain. They doesn’t base the security on the
users ID to be correct, but if the transaction is suspicious. He has self
experienced that it works.

-My card was copied when I had lunch. VISA stopped the fraud already at the
second attempt to use the card. I’m still impressed. The most important
part of the security is what happens in the backrooms in the banks systems,
he concludes.

Schneier’s solution
In the USA the banks try to push the responsibility of fraud over on the
customer. That can be the death of online banking, he says.
Schneiers solution to the problem is about self interest, that the
responsibility must be placed with the ones who can do things about the
matter, that is; the banks.
The tools are the same when you are to deal with other problems, like
pollution: Regulation, criminal liability and economical responsibility.

-It’s about incentives. Do that right, and then the capitalism will work.
If you can’t place them right the safety issue will never be solved
Must prove fraud
The Norwegian banks do today cover the customer’s losses of fraud. The only
unclarified question is where the boundary for negligence is, which gives
the customer the responsibility.
There are plenty of examples of people giving credit cards to others for
them to swindle the bank. It the same thing happens to online banks, the
bank can’t be responsible can it?

-No, but they have to prove that the customer is swindling them. If
opposite the banks will sit on all the information and will win all the
cases. The banks have the expertise, the possibilities to do something, and
must have the responsibility.

They accept rat droppings in food.
That the banks take the entire risk doesn’t mean that the safety bar has
to be sky high, says Schneier.

-Give up security if it is cheaper to accept fraud, he says.

It's not likely for the banks to say that?

-The maximum allowed amount of rat droppings in cereals aren’t zero
in the rules from the government. They accept fraud and live with it. They
don’t talk that way about it, but that is the way they think.

It’s nonsense to deny a break-in.
The problem with security is that it is difficult to calculate if it pays
of, because most of the break-ins are concealed by the companies hit.
-That’s why it’s hard to make the economy work, says Schneier .

The banks claims to be less secure if they talk about their security
systems, and refuses to comment if they’ve been hacked.
-Yes, and it is nonsense. The point is that is makes bad press. That
vulnerability is known is a bigger problem for them than the money they
lose to hackers. It can lead to them losing customers, thinks Schneier.

The same banks claim to have huge security systems that are hidden for the
user. Schneier doubts this.

-They’ll sayit like that and hope that the journalists write it so that the
customers and hackers believe it.

Difficult calculation
Is it possible to calculate if investments in security are profitable?

-No, not really – the ones who say so is making it up.

But if decisions shall be taken based on economic incentives, then what do
you do?

You do the best you can – it isn’t about perfection, but what is most right.