Schneier on Security
A blog covering security and security technology.
May 12, 2005
This is an interview with me from ITConversations.
Posted on May 12, 2005 at 1:48 PM
• 11 Comments
Here is a better link:
"Bruce Schneier: I’ve always believed that security is a mindset, and you’re right, my career has been an endless series of generalizations because I think they’re all…all apiece. They are very similar. I think people who are good at security look around the world as they wander through their day and see security systems and see ways to subvert them. In a sense, they’re hackers of the truest sense. “How did this system work?” “How can I use it?” “How can I abuse it?”"
So now security people should be hackers, the same hackers Bruce defined here as convicts and criminals.
It may be no wonder that the security world is in shambles... perhaps we are chasing our own tails, and making our own footprints!
We need context.
IIRC, the quote you cited was regarding "hackers" in the popular sense: criminals who abuse computer and trust systems for their own ends. I seem to remember seeing it and blinking a few times, too.
Bruce has repeatedly used the term "hacker" in its original sense, as he did in that quote.
Nice troll, though.
Perhaps Bruce, using context, can take his quote and, rather than use it as a matter of convenience, explain in a straightforward manner what he means to say with the usage of hackers. One second they equal criminals and the next they are godsends. There is no condition of "sense"; for example, if I were really trolling I could say I am using the "future sense" of the word hacker.
I will restate my original comment here:
"Just an FYI hackers does not equal criminals (i.e. convicts)." and am curious as to what Bruce's reply will be this time around.
I interpreted Bruce to mean that when considering whether to employ a person who has made questionable ethical choices in the past, one needs to look at the context, including the age/maturity of the person at the time, and whether they have changed in their outlook such that they would not make such choices now. I also understood him to mean that he would not personally use past ethical lapses of a "hacking" variety as an automatic employment disqualifier.
The amount of ink devoted to this issue shows, I think, how ready people are to hear "it depends" when they're used to hearing "black" or "white".
That was a great interview. After listening to it in January I jumped in the car and went to the bookstore to buy the book. Good book too, although a bit repetitive in places.
I understand the context he was originally using it in regarding the SecurityFocus interview; that isn't the issue as far as I can tell. It was when I stated the response:
"Just an FYI hackers does not equal criminals (i.e. convicts)."
and he replied back to my response with:
"Unfortunately, it does."
So you see the argument isn't about the context because the context is this.
Had he not replied at all it would have been dropped a long time ago.
I consider myself a hacker, but according to Bruce by stating this I am also then a criminal. I have not been convicted of any crimes nor ever plan to and yet because of what Bruce sustains am nothing more than a criminal.
Surely someone can see the argument here.
> Surely someone can see the argument here.
indeed. bruce runs a business where him being seen as endorsing 'hackers' would be bad.
that's okay. commercialism has taken over here, that's all.
All semantic quibbling aside, I enjoyed this interview a lot the first time I heard it, and I enjoyed it again a few weeks ago when it was linked to from popular forums and blogs all around the intarwebs after Doug Kaye named it as one of his all-time faves in the ITC newsletter.
I'm just curious; what prompted you to post it here now, with no other explanation?
Bruce's IT interview is very worthwhile. While you're at it, check out their other conversations. This is a remarkable website!
"After listening to it in January I jumped in the car and went to the bookstore to buy the book"...and then I joined the Schneier fan club, put on my Schneier-beard (patent pending), and looked around to figure out how can I abuse the system(s) around me?
Alex, sorry to disappoint, but since you admit to purchasing the book you clearly haven't graduated to Schneier-security level four where you are able to abuse the system and get the book for free.
"The use of "hacker" to mean "security breaker" is a confusion on the part of the mass media. We hackers refuse to recognize that meaning, and continue using the word to mean, "Someone who loves to program and enjoys being clever about it.""
(Richard Stallman, The GNU Project)
P.S.: While I personally would add "malicious" to "security breaker" or just use "cracker" in the security context here...
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.