Bruce Schneier


Schneier on Security

A blog covering security and security technology.


April 29, 2011

TED Talk

This is a surprise. My TED talk made it to the website. It's a surprise because I didn't speak at TED. I spoke last year at a regional TED event, TEDxPSU. And not all talks from the regional events get on the main site, only the good ones.

EDITED TO ADD (5/13): A transcript.

EDITED TO ADD (5/14): Motley Fool article about the talk.

Posted on April 29, 2011 at 2:45 PM. 36 Comments


Comments

I watched it on TED yesterday, and I kept thinking how well this applies to the current (somewhat panic stricken) debate regarding nuclear power, which is spreading like wildfire throughout Europe. I don't know about other parts of the world, but I assume it's similar.

Thanks for sharing, it was an excellent talk!

Posted by: Fredrik at April 29, 2011 3:13 PM


I started watching, and can't wait to finish. I saw it on Facebook earlier this week. Thus far, it is a very good talk. I had the opportunity to listen to you at Boise State last year, and have been following your blog ever since.

Posted by: Kevin Rank at April 29, 2011 3:14 PM


It's been up all week. Thought you were just playing it cool.

Posted by: mcb at April 29, 2011 4:01 PM


Or those talks whose givers have made quiet remarks to the TED staff along the lines of "Wow. Nice computer system you have there. Wouldn't it be a shame if something happened to it?

Yeah. A terrible terrible shame."

*grinz* I'm sure it was an excellent one, and I'll get to it this evening!

Jon

Posted by: Jon at April 29, 2011 4:03 PM


Really good talk, very eloquent.

Posted by: fraac at April 29, 2011 4:04 PM


it's a dead link right now.

Posted by: interested at April 29, 2011 4:14 PM


I'm not a big fan of TED Talks, but so far yours and Johannes' have been the most interesting I've watched.

http://www.youtube.com/watch?v=K2Rvh8VG3o8

I liked your talk because it explains in a very plain English what's wrong with the notion of security these days. Thanks.

Posted by: Rubin110 at April 29, 2011 4:19 PM


Posted by: Rich Wilson at April 29, 2011 4:47 PM


Great talk Bruce. There are a couple of things I'd like to get your feedback on. Specifically the Tylenol and baby snatching examples caught my attention. Probabilistically the risks are low of being affected by either event. However, if it happens to you, it only takes once. It's the same with a plane crash or lottery ticket. Low probability for either, but it's nearly guaranteed to happen at some point, and someone will lose/gain everything. How should this affect our model of risk and security?

BTW, thanks for the great blog, I really enjoy it. I'd like to see a little more math.

Posted by: Andrew at April 29, 2011 4:51 PM


Bruce,

Nice. Well done and keep up the good work.

Posted by: anton at April 29, 2011 5:27 PM


Great talk Bruce! I've been following your blog silently for about a year and I love it! You've really influenced in how I think about security.

Posted by: Diego at April 29, 2011 5:42 PM


Andrew says he wants more math. More math??? Jeepers creepers. I can barely follow this thing now.

Besides, to quote my ideal woman, Barbie, "Math is hard."

It was a good talk though. Hardly any math.

Posted by: MikeF at April 29, 2011 6:19 PM


Off topic: The other shoe drops.

Hackers Claim to Have PlayStation Users’ Card Data
http://bits.blogs.nytimes.com/2011/04/28/...

Did Sony lie about the card data being encrypted? Or was it stored elsewhere unencrypted?

2.2 million cards - if I'm not mistaken, that's not the biggest CC theft. But it's pretty big. The TJ Maxx theft was something like 45 million. The Gonzalez case was 130 million over multiple breaches.

Posted by: Richard Steven Hack at April 29, 2011 6:22 PM


A little off topic,
But the PSN network has been down for 10 days now, and no comments here. You'd think a breach of this size would get a mention here.
Any chance Bruce is one of the outside experts helping Sony and can't comment due to an NDA?

Posted by: RW at April 29, 2011 6:26 PM


Just watched the talk. Well done, very clear.

As an aside, I'm not even an African tracker and if you took me to New York, I'd probably die in a day. San Francisco isn't New York! (Although I HAVE been in New York for more than one day, I wasn't wandering around and it was in the 1970's.)

OTOH, if I took you to Federal prison...that would be interesting.

Posted by: Richard Steven Hack at April 29, 2011 6:49 PM


Great quote Bruce! "News is something that almost never happens."

ROFLMAO! Thanks, I needed that!

Posted by: Spaceman Spiff at April 29, 2011 6:51 PM


RW: Bruce is often a little late with comments on major security events. I think he likes to wait until he gets a sense of the overall *meaning* of the event rather than rush to comment based on possibly inadequate information. Bruce is not a "rush to judgment" kind of guy which is why he's so valuable to the industry.

Posted by: Richard Steven Hack at April 29, 2011 6:51 PM


Bruce, I love your work and read everything you write. But you have got to peel back the arrogance and get a little down to earth humility -- such as saying things like "only the good ones". You are not the second coming. You're a smart guy who says really smart things. But don't start believing your own hype.

Posted by: alex at April 29, 2011 6:58 PM


Huge fan of TED & Bruce. Great job, wish I had been there!

Posted by: James at April 29, 2011 7:59 PM


The hospital RFID anecdote got me thinking: do long odds automatically make all mitigations "security theater", regardless of the stakes to the stakeholders?

A small measure affecting only stakeholders that reduces chances of even highly unlikely events of disproportionate severity (to those stakeholders) seems legitimate to me, not theater (pejorative.)

I purchase insurance against unlikely events of disproportionate severity -- is that theater? There are non-linearities in the economics of expected outcome that make it rational to me, not theater.

Posted by: Paul K. at April 29, 2011 8:09 PM


@ RW:

"But the PSN network has been down for 10 days now, and no comments here."

Uh, I commented on that three days ago, but received no replies nor posting by Bruce, to my slight disappointment. See

http://www.schneier.com/blog/archives/2011/04/...

and search for "Sony".


@ BRUCE: Congratulations! ... But is it possible to institute a policy of giving us links to the *text* of such things, for those of us who prefer to read, or who don't wish to allow googleapis and some other scripting?

Posted by: tommy at April 29, 2011 8:37 PM


Definitely a good one. Thank you.

Posted by: Onur at April 30, 2011 6:13 AM


Great quote with the news that never happens. It is not completely true, though, as a change in state may not happen very often, but one cares if they are affected by one state or the other. Like a declaration of war, it happens rarely, but its effect may last.

Also, you kind of presented a lot of reality about security in a talk about converging reality and feelings :)

Posted by: Siderite at April 30, 2011 7:05 AM


The TED lecture explores a divergence of intuition/feelings, reality, and model in the field of security. In other fields, such as physics, the tool that reduces the influence of intuition and feelings on the construction of model is called "the scientific method".

Perhaps, in the field of security the scientific method does not dispatch the "theater of security" because suppliers and advocates of security measures are political or business agents not scientists.

Posted by: randi at April 30, 2011 12:42 PM


I saw the Ted speech. I've never seen you speak before. I became an instant fan. I've been watching video on youtube by you for the past few days. Fascinating stuff and your delivery is very calm and intellectual. Keep up the good work.

Posted by: rich at April 30, 2011 2:13 PM


Overall very good.. broke down around 14:00 and picked back up around 18:00. Which is bad because the model discussion is needed.

Posted by: FooBarBaz at April 30, 2011 8:20 PM


Excellent, well said. Everyone needs to listen to this speech.

Posted by: Martin at April 30, 2011 11:06 PM


@Fredrik if you must bring up the nuclear debate, perhaps you can say what you think about the whole waste management aspect?

Posted by: Will at May 1, 2011 3:52 AM


"But is it possible to institute a policy of giving us links to the *text* of such things, for those of us who prefer to read, or who don't wish to allow googleapis and some other scripting?"

When I know of text links, I include them. I don't think there is a transcription of this talk anywhere.

Posted by: Bruce Schneier at May 1, 2011 7:59 AM


"There are a couple of things I'd like to get your feedback on. Specifically the Tylenol and baby snatching examples caught my attention. Probabilistically the risks are low of being affected by either event. However, if it happens to you, it only takes once. It's the same with a plane crash or lottery ticket. Low probability for either, but it's nearly guaranteed to happen at some point, and someone will lose/gain everything. How should this affect our model of risk and security?"

Dealing with low-probability high-cost events is inherently hard, because a lot of our normal intuition and math doesn't work very well.

I know I've written about it in Beyond Fear. This is the only thing I could find on my blog:

http://www.schneier.com/blog/archives/2009/02/...

Posted by: Bruce Schneier at May 1, 2011 8:02 AM


@ Bruce, tommy

This web site appears to have a transcript of the TED lecture:

http://dotsub.com/view/...

I Googled for this [text transcript Bruce Schneier: The security mirage]

:-)

Posted by: randi at May 1, 2011 8:37 AM


@ randi:

Thanks for both the link and the search tip. I d/l the transcript and will read thoroughly when time allows.

Also, will file your text-search tip for future reference. (Maybe Bruce will, too? - but I guess we can do it ourselves.)

Thanks again.

Posted by: tommy at May 1, 2011 6:02 PM


Very good talk. Thank you.
On seat belts, and other risks, John Adams is good (apologies if old news)
http://www.john-adams.co.uk/
So, do we have safety theatre as well as security theatre? I haven't heard the phrase but the answer is yes I fear.
The question I took from your talk was pure confirmation bias but improved by the talk. Who shall guard the modellers? The UK foot and mouth epidemic of a few years ago showed just how dangerous bad models can be. As models get more complex (which is what modellers do), so they become less transparent. Not a good thing.
I fear there was an element of Cartesian logic supremacy in your talk. Feelings are not there to be 'corrected'. Also, some technological imperative. Just a soupçon.
Human values do not = MEU from PxC. Charles Perrow's 'Next Catastrophe' says we should limit C regardless of cost. Recently he has written we should really reduce P as well (e.g. understanding of earthquake frequencies).

Posted by: BrianSJ at May 2, 2011 3:53 AM
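Paul K.'s insurance point above and BrianSJ's "MEU from PxC" remark are the same observation: expected loss (probability times cost) is linear, but what a person is willing to spend to avoid a rare catastrophe is not, because the utility of wealth is concave. The script below is an added worked example, not part of the original post or any commenter's text. It compares the actuarially fair premium with the maximum premium a risk-neutral (linear utility) and a risk-averse (log utility) decision-maker would pay to remove the risk, and it prices a mitigation that only halves the probability. The wealth, probability and loss figures are constructed for illustration and are not taken from the talk.

```python
import math

# Two utility functions, each paired with its inverse so we can convert an
# expected utility back into a money amount (the "certainty equivalent").
LINEAR = (lambda w: w, lambda u: u)          # risk neutral: value = expected value
LOG = (math.log, math.exp)                   # risk averse: diminishing marginal utility


def expected_loss(p, cost):
    """Actuarially fair premium: the P x C term of a maximum-expected-utility model."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return p * cost


def certainty_equivalent(wealth, p, cost, utility=LOG):
    """Guaranteed wealth level that the decision-maker values exactly as much as
    keeping `wealth` while facing a probability-p loss of `cost`."""
    u, u_inv = utility
    if cost >= wealth:
        # Log utility is undefined at zero wealth; a total wipe-out has to be
        # modelled separately (this is precisely the "it only takes once" case).
        raise ValueError("loss must be strictly smaller than wealth")
    eu = (1.0 - p) * u(wealth) + p * u(wealth - cost)
    return u_inv(eu)


def willingness_to_pay(wealth, p, cost, utility=LOG):
    """Maximum premium this decision-maker pays to remove the risk entirely."""
    return wealth - certainty_equivalent(wealth, p, cost, utility)


def value_of_mitigation(wealth, p_before, p_after, cost, utility=LOG):
    """Most one should spend on a measure that lowers the probability from
    p_before to p_after without changing the cost if the event still occurs."""
    if p_after > p_before:
        raise ValueError("a mitigation cannot raise the probability")
    return (certainty_equivalent(wealth, p_after, cost, utility)
            - certainty_equivalent(wealth, p_before, cost, utility))


if __name__ == "__main__":
    # Constructed scenario: $100k of wealth, a 1-in-10,000 chance of losing $90k.
    wealth, p, cost = 100_000.0, 1e-4, 90_000.0
    print(f"fair premium (P x C):          {expected_loss(p, cost):8.2f}")
    print(f"risk-neutral willingness:      {willingness_to_pay(wealth, p, cost, LINEAR):8.2f}")
    print(f"risk-averse (log) willingness: {willingness_to_pay(wealth, p, cost, LOG):8.2f}")
    # A control that only halves the probability is worth less than full cover.
    print(f"value of halving P (log):      {value_of_mitigation(wealth, p, p / 2, cost, LOG):8.2f}")
```

With linear utility the willingness to pay collapses to P x C, so any premium above $9 looks like theater. With log utility the same person rationally pays roughly two and a half times that, which is Paul K.'s "non-linearity in the economics of expected outcome": a measure can be worth buying even when the expected loss it removes is small. Note that the function deliberately refuses a loss equal to the whole stake, because the concave-utility model gives no finite answer there; that boundary, not the arithmetic, is where "it only takes once" lives.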


Good talk, but models can be wrong or broken. Are heavy metals a threat? In the environment? In toys? In vaccines?
Do you get fat from fat? inactivity? Carbohydrates? HFCS?
Global warming? Is the science correct? Or are the people in lab coats merely the new robed priesthood? That you can't question them without being a heretic? Or as you said, "A model that we just accept by FAITH, and that's OK"?
In WW2, cigarettes were called "coffin nails" or "cancer sticks", so there was no model change, merely the cost of pleasure and popularity. Before smoking was cool. Now smokers are pariahs.

Posted by: tz at May 2, 2011 11:54 AM


ISO/IEC 15026 Part 2 on Assurance Cases might be relevant to the model element in your talk.

Posted by: BrianSJ at May 3, 2011 3:03 AM


Hi Bruce, here's a link to my TED Talk, from TEDGlobal 2011 in Edinburgh: http://on.ted.com/Hypponen

Mikko

Posted by: Mikko Hypponen at August 15, 2011 12:52 PM

