SecurityFocus Interview

This is an interview with me from SecurityFocus.

Posted on May 11, 2005 at 1:46 PM • 23 Comments

Comments

Israel Torres • May 11, 2005 1:52 PM

"I have no problem hiring people who used to be hackers."

Used to be? Bruce doesn't state much about hiring people who are currently hackers…

Just an FYI hackers does not equal criminals (i.e. convicts).

Israel Torres

Joe Buck • May 11, 2005 2:20 PM

It appears that we have lost the language war, and this is confirmed by the fact that even Bruce Schneier uses (or misuses) the word "hackers" in this way. We old-timers who called ourselves hackers lost the word long ago.

Erik W. • May 11, 2005 3:03 PM

I suppose it's good to put the information in front of more eyes, and he could have been asking questions from the POV of someone clueless, but he didn't seem to have done his homework; a lot of "I wrote about this here..." answers.

x • May 11, 2005 3:26 PM

Why do I always have to look at Israel Torres' comment(s), first, before seeing any others? Does he hit the F5 key every 2 seconds or something?

Israel Torres • May 11, 2005 3:40 PM

@x
"Why do I always have to look at Israel Torres' comment(s), first, before seeing any others? Does he hit the F5 key every 2 seconds or something?"

If you must know I created a tool that alerts me anytime bruce thinks something up. This puts my bruce-box machine in anticipation mode. Sometimes I have already completed my reply before he posts his blog.

Thanks for caring.

Israel Torres

r4bb1t • May 11, 2005 3:51 PM

Bruce, a few questions:

On the ECC front, what is it that you are sceptical about?
Are you going to submit your own hash, Bruce, if another AES-type "competition" raises its head? What do you think of TIGER by Ross Anderson over in the UK?...
Have you invented a hard problem as a substitute for ECC/large primes?...

Dave Collins • May 11, 2005 6:29 PM

Bruce,
In response to this question:
"Since most crypto protocols on the internet, such as SSL or SSH, use public keys to build a secure channel, wouldn't an unexpected public disclosure create chaos on the internet?"

you said:
"No. Chaos is hard to create, even on the Internet."

Two days ago you referenced the 1984 internet worm and people investigating SSH worms.

Could the failure of a cryptographic primitive used in SSH cause chaos?
Do you think that failures will be gradual (think MD5 and SHA) rather than 256 bits to 0 bits of security overnight?
Thanks
Dave

Bruce Schneier • May 11, 2005 10:59 PM

The Morris worm did not create chaos. And a worm based on the SSH vulnerability I wrote about earlier this week -- as bad as it would be -- would not create chaos. Even a failure in a major encryption algorithm, from 256 bits to 0 bits of security, would not create chaos. Honestly, chaos is very hard to create. Even the 9/11 terrorists only managed it for a short time in a small geographic area.

Bruce Schneier • May 11, 2005 11:00 PM

"Just an FYI hackers does not equal criminals (i.e. convicts)."

Unfortunately, it does. And there are more important battles to fight than this semantic one.

Dad • May 11, 2005 11:37 PM

Yes, such as feeding my baby at 3am, and being able to get out of bed to work.

Curt Sampson • May 11, 2005 11:50 PM

The language war that has been "lost" is not preserving the good meaning of "hackers." The one that has been "lost" is preventing the emergence of a second, bad meaning. But that was a stupid battle in the first place.

I really don't know why computer people have such a problem with this, though. It's not as if there aren't plenty of other words in English with more than one meaning. It's as if people who are perfectly capable of understanding which meaning of a word is implied by context suddenly go blind to context when confronted by this one word.

SpamAssassin • May 12, 2005 2:36 AM

"And I think we're doing well solving the spam problem; it's one of computer security's success stories. The current crop of anti-spam products and services are great; I hardly get any spam."

Shame on you Bruce. If you define "great" only in terms of your personal experience, then perhaps you are correct, but one look at some real numbers and you can hardly hold up anti-spam as a success story (unless the bar for success is really really low).

2003 was a watershed year and so a lot of noise was made about fighting spam. A year later, after a string of lawsuits, a gaggle of new antispam technology, and the passage of the Controlling the Assault of Non-Solicited Pornography and Marketing law (CAN-SPAM), it looked like spam was still winning. Yet, instead of conceding that things were not as effective as was originally hoped companies like Microsoft and AOL started claiming steady progress despite setbacks.

Today we see that about 80-90 percent of all mail is spam, and it is projected to continue to rise. So even when we nab 95-99 percent (during normal conditions), we still let through half a dozen messages a day (on average) and battle false positives. I am certain you know at least one person who complains about spam problems, even if you are lucky enough to keep your filters on top of the lists.

I think we should also take a hard look at the antispyware tools. Why were they so slow to evolve, and why are they being licensed separately from other anti-malware software? Speaking of malware, when worms like sober.s start to spread, they rely on spam as the infection path... I say Sober would never have reached a global medium threat level last week if antispam filters were as good as you seem to say they are. And finally, what about the blog spam that keeps popping up on your site? Really, how good can anti-spam be if even you are unable to find a way to contain the problem?

I don't want to diminish the value and evolution of anti-spam, but I question whether your personal mailbox is a fair litmus for the general public or enterprise users. I think it is premature to say we are already "solving the spam problem" since (in the Microsoft world) the technology solution still requires a somewhat complex and blended approach (host-based patching, antivirus, antispyware, and firewalls along with integrated messaging server and mail-database filters, gateway filters, etc.)

Davi Ottenheimer • May 12, 2005 2:51 AM

Ooops, was fiddling with the name field and gave myself more credit than deserved...SpamAssassin is really a great tool, but I have no affiliation, really.

But back to the point, even when the technology that filters spam is most successful it merely hides the problem from users. This can actually end up making the situation worse as it covers up the problem but does not cure the systemic issue(s). Bruce, you say your mailbox is clean, as though the problem has gone away, but many others are still suffering. Success will be when the cost of spam decreases or is avoided, but right now transmitted spam is still increasing at an alarming rate.

PeteM • May 12, 2005 6:00 AM

"Why do I always have to look at Israel Torres' comment(s), first, before seeing any others? Does he hit the F5 key every 2 seconds or something?"

RSS feed!

RvnPhnx • May 12, 2005 8:35 AM

@Curt Sampson
They can't go blind to the original context if they never knew it in the first place.
An example: In 1620 "turkey" did not mean "a large odd-looking bird native to North America", or even "a moron, or somebody who intentionally acts like one" (my definitions; consult a dictionary if you insist on "better" ones) -- at the time it meant "something rather strange or odd" (which is why it got attached to a large odd bird and just about anything which reminds people of said animal). Did you know that? I didn't until a couple of months ago.
So there, we all do it. Language evolves even if we try to keep it from doing so. After all, who would have thought that in some circles one day it would be a compliment to be called a geek?

Arta • May 12, 2005 10:18 AM

I agree, that's true: but there's a wider point. The change in meaning of 'hacker' has led to an imprecision in the language, because there's no word I can think of whose definition is '_benign_ hacker'. A new word should have been used to describe malicious hackers, and fortunately, one has: cracker.

I think the difference is meaningful enough to make it worth making the distinction.

Probitas • May 12, 2005 1:34 PM

The word cracker has been around for a long time, as well. Unfortunately, most of the speaking and reading public doesn't care. Their eyes will glaze over once you mention anything having to do with any level of computer security greater than the one password they use for all operations.

Ask any lawyer, physicist or mathematician, and they will tell you of the same problems with inaccurate use of very specific terminology by the general public.

I used to do it myself, but I have since turned around 360 degrees and don't do it anymore. I agree with Bruce, there are battles far more worth the fight, and which could be won.

Israel Torres • May 12, 2005 1:53 PM

@Probitas
" I agree with Bruce, there are battles far more worth the fight, and which could be won."

Agreed, there are other significant battles, but it sure doesn't help to publicly interview with the same ignorance as someone off the street. Geesh. No one asked him to fight anything, just don't continue to spread bad information. Speak with defeat and the ignorant have already won.

Israel Torres

Anonymous • May 12, 2005 3:25 PM

@Israel Torres
"Speak with defeat and the ignorant have already won"

The point I was trying to make is that the ignorant won that particular battle long ago, but not because of Bruce's comment of a few days or weeks ago. Bruce's comment merely demonstrates an acceptance of the reality of the dominance of the current usage.

Israel Torres • May 12, 2005 3:33 PM

@Anonymous

IF that is entirely true, explain this quote:

"Bruce Schneier: I’ve always believed that security is a mindset, and you’re right, my career has been an endless series of generalizations because I think they’re all…all apiece. They are very similar. I think people who are good at security look around the world as they wander through their day and see security systems and see ways to subvert them. In a sense, they’re hackers of the truest sense. “How did this system work?” “How can I use it?” “How can I abuse it?” "
src: http://www.itconversations.com/transcripts/119/...

Notice how there is an inconsistency in such usage? The word seems to transform into a matter of convenience more than anything. The battle has not been lost, but its users have.

Israel Torres

x • May 12, 2005 4:08 PM

OK, since my original question was worded too vaguely...

Yes, I also use RSS. What I was wondering is do you, Israel, feel that you have to respond instantly, whether you have a point to make or not?

Israel Torres • May 12, 2005 4:18 PM

@x
"OK, since my original question was worded too vaguely...

Yes, I also use RSS. What I was wondering is do you, Israel, feel that you have to respond instantly, whether you have a point to make or not?"

In all honesty I do not have a feeling of urgency in the least (à la post-envy). I get a notification that Bruce has posted a new blog entry, and since we are all pretty much familiar with most subjects in this field, we have an educated opinion in relation to the blog entry. If I did not have a point I wouldn't bother posting. I really don't post just to post; that would be a waste of my time, a waste of your time and a waste of Bruce's time and effort.

I admit that sometimes my posts appear a little poetic, but that in itself is because I am presenting it that way on purpose. I must also admit that there are those out there that will never get all of the points I am making however subtle.

I hope that clears things up and explains that it is not my intention to clog up a blog with useless information. I really do believe I am helping guide the reader to expand their minds.

I'm sure if Bruce thought my posts were a big waste of resources he would have told me a long time ago. I would certainly respect his wishes in his domain. He recently helped me in an issue regarding his blog and had plenty of bandwidth to speak up then if he so desired.

Sincerely,
Israel Torres
