Schneier on Security
A blog covering security and security technology.
« Stealing WiFi Access |
| Forged Documents in National Archives Change History »
July 13, 2005
In December, I gave a long interview to a literary magazine called Turnrow. That interview was finally published, and it's even better than I remembered.
Posted on July 13, 2005 at 6:07 PM
• 18 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Am I the only one that started reading the interview assuming it was all by Bruce? I guess the word "interview" should have told me otherwise, before I did the double-take at the words "my husband"...
@RG3 - the prologue looks like it is written by someone named Claudia Grinnell, who may well have a husband. Why would this matter anyway ?
True, the source attribution is a little dodgy. Theres no clear writer of the prologue, then the article starts out using names but cuts to initials, but theres no indication that Claudia's middle name starts with a 'K' that I could see and I'd have thought prefixing the comments by a name might be better than "BS" which is often used in these parts as an acronym meaning "less than factual" - the opposite of what we expect from Bruce ;-)
But thats all being very picky - The article was great. Thats the important thing.
This was pretty good. I never bothered taking notes when reading the book, so I took the opportunity to cut and paste the two lists into a textfile.
I agree that the prologue was a bit confusing. The interview as a whole was properly credited, but the layout didn't distinguish the prologue as such.
Bruce speaks much of the "agenda' of an agency. I'd say the real problem in America is that the current Administration has its own agenda, unrelated to any proper agenda of the national government as such.
Bluntly, the Bush II administration is led by a cabal which has been operating at least since the Nixon administration. Their agenda is simply to remove all impediments to their own power and profit. Unfortunately for the rest of us, those impediments include the Constitutional rights of the citizenry, accountability of public officials, and the rule of law in general.
As I've said before, my primary hope against these guys is that they are sufficiently out-of-touch with reality, that they may not recognize when their grip starts slipping.
It was a very good interview (and I agree, the long intro made it a bit confusing, as I was waiting to find out when we'd finally see words from Bruce!).
But there's one aspect to security that I don't really see mentioned all that much, and that's the issue of addressing the psychological side of security. Bruce mentions it in order to point out how we miscategorize risks. But many security measures that are being taken today are being taken because, psychologically speaking, if you're in charge, you can't NOT do them. If the hijackers use small knives, and you DON'T ban them after that, people will say, "What, are you crazy? Why aren't you being stricter now that we know small knives can be used?"
It's easy to accuse generals of "fighting the last war" without recognizing that they need to acknowledge THAT war while simultaneously trying to predict the NEXT one. People have (admittedly sometimes irrational) ideas of due diligence, and when you're in a position of having to provide security, you have to take that into account. Bruce describes the scenario of the high school principal taking extreme measures for low risk because he might lose his job if something bad happens, but it's not necessarily just due to his self-interest: parents may well demand that he take those measures even if HE doesn't want to. He'll be perceived as not doing enough if he DOESN'T react.
So it might make sense to emphasize more of the "psychological due diligence" factor when analyzing security options.
Whoops, in editing that last post, I lost my context points:
Actually improving American security is *not* on BushCo's agenda, so if we citizens want security, we cannot depend on government action to provide it for us. Bruce's idea of enforcing liability on companies is not "optimal" in terms of side-effects or edge conditions, but it has two big advantages over "enforcement from above":
One is that administration or no, the business community *needs* the liability system to remain functional (lest contracts become unenforcable), and so they will make sure it doesn't get too badly damaged, at least for intercorporate conflicts.
The other advantage of liability is that instead of depending on a government agency (== single point of failure ;-) ), civil suits are "prosecuted" by the aggrieved party, acting in their own interests. Remember how Microsoft managed to drag out their anti-trust case until a change in administration? (Yes, wealthy companies or persons can also abuse the civil courts, but that's where the first point came in.)
Well, I hate to stick out here among the happy congratulators but I found several odd statements in the interview that should be addressed. Here's just one example:
"Our security intuition evolved in a world where nothing ever changed. Fear of the new made a lot of sense in that kind of world. But the pace of today's technology means that things change all the time."
Really? Nothing EVER changed? I am not an expert on the development of consciousness but I am fairly certain that I have read that advanced cognitive capacities of human beings are a result of constantly changing externalities.
I mean really, have you been camping lately? Spend just a few minutes in a rural or "primitive" environment and you should quickly agree that humans face rapid change including many safety threat(s) in the "real" world.
Thus, it seems far more accurate to say technology has actually and traditionally shielded humans from the rapid pace and threats that surround us. Technology has been the means to slow-down or arrest certain conditions. What we note in security, however, is that our technology brings its own new set of challenges (threats) along with it.
So the problem is never the pace of change, but the complexity of change and our bandwidth for the information necessary to properly process. In other words, humans are extremely adept at handling change, as long as they can get sufficient information to make intelligent decisions. It has something to do with synthesis and analysis...
Oh, and just for fun, I thought I should mention that you made a good observation here:
"They either have millions of offspring and hope a few of them survive, like lobsters, or they have very few offspring and devote a lot of energy into protecting and rearing them. Human beings use the second strategy, and a general risk aversion makes sense."
So, if you look at fundamentalist behavior, your conclusion seems to tell us they have more in common with lobsters than humans. It might help if instead of saying "humans use the second strategy" that you say something like "due to certain environmental changes, many humans today use the second strategy".
Wendy, I'd say that what you're calling "psychological due diligence" amounts to reassuring the public that they're being taken care of.
I feel that a true leader deals with the problem first, and then explains to the public how it's been taken care of. In contrast, a mere politician goes for public opinion first, and deals with the problem only as a means to that end. (And a demagogue doesn't even try to deal with the problem ;-) ) A bit of security theater may well help with public confidence, but not if said public isn't already confident in the authorities!
I'm not talking about "security theater" -- I'm talking about whether, as a security leader, you can really justify not doing the blindingly obvious things because your statistics tell you they won't help very much.
Seriously, try putting yourself in the shoes of that principal and try explaining to worried parents that you don't need to implement any additional security measures because the numbers say that the risk is very low. You might be right -- but they'll call you irresponsible at best and call for your head at worst. All the charisma and theater in the world isn't going to "convince them they're being taken care of" when you're arguing against doing something that seems very obvious and reasonable to them.
The security world is full of this due diligence stuff. You can't NOT lock your door even if the window is your bigger risk. You can't NOT strengthen security around mass transit right after an attack like London's even if you have no reason to believe that it's any more of a target now than it was before 7/7. You have to understand and go after the more significant but less noticed risks, yes, but you still have to remind people not to share passwords too. You can make fun of the password reminders, and sneer that they won't help against virus attacks, but no security officer worth their salt is going to be able to say, "Oh, I don't care whether people share passwords and I'm not going to check for it."
Pretty good. I expecially liked this one:
"Fundamentally, the possibility of crime is the price of liberty. Think about it; people who are free are also free to do bad things."
Exactly. Anyone's free to plan attacks in their homes as much as they wish and for as long as they want and no one would have a clue. No one would know until they actually carried out those attacks. That's simply the price we pay for our freedoms.
Wendy challenges: "Seriously, try putting yourself in the shoes of that principal and try explaining to worried parents that you don't need to implement any additional security measures because the numbers say that the risk is very low."
Whoa there, please don't put words in my mouth. I carefully did *not* refer to the principal's actions, mostly because he was the "authority on the spot" and I don't know half enough about his situation to second-guess him. Regardless of the "provable" risk of an attack on the game, he may have determined that the potential *audience* was too scared. Or he may have had some plausible suspicion that this game would, or might be targeted. Either way, one high-school football game is not a huge sacrifice. Could he have tried some intermediate measure, such as hiring guards? Sure. Did his school have the budget for that? Damdifino.
'All the charisma and theater in the world isn't going to "convince them they're being taken care of" when you're arguing against doing something that seems very obvious and reasonable to them.'
For one thing, "they" might well be right! But remember, I said a real leader deals with the problem *first*. If nothing else, that gives him *something* to trumpet to the public. Another part of my position is that someone's reasons for doing something are going to affect how they do it... and how well.
As a simple example, I have indeed been seeing a lot of extra guys with guns running around town (NYC) since 9/11, let alone 7/7. But far too often these guys are bunched up in the main areas of stations, rather than scattered in loosely-bound pairs. Never mind the guns, the *real* security in "more cops" is their eyes and the brains behind them, which can patrol the entire station and trains far better than any number of cameras. Letting the cops bunch up like that, suggests that someone along the line forgot about "coverage", and thought "show of force" instead. (For a while, they also forgot about MetroCards for the cops. Then somebody was attacked, and the cops couldn't get through the turnstile to help them. :-( ) Of course, with the cops scattered around, they'd also be far *more* visible to the public than the little clusters up front. But instead, they've been closing token booths, and sending the *clerks* out to the platforms. Like they say, "that doesn't look too good."
"Pretty good. I expecially liked this one: 'Fundamentally, the possibility of crime is the price of liberty. Think about it; people who are free are also free to do bad things.'"
Thank you. I am pretty sure I first heard that from Dan Geer.
"Really? Nothing EVER changed? I am not an expert on the development of consciousness but I am fairly certain that I have read that advanced cognitive capacities of human beings are a result of constantly changing externalities."
Yeah, yeah. Hyperbole.
Things rarely changed. In the Middle Ages, you could go through your whole adult live and never see anything new. And if you did see something new, it was a major event. We're jaded in our post-industrial society. We see new things every other day.
"Things rarely changed. In the Middle Ages, you could go through your whole adult live and never see anything new."
Bruce, I feel like I'm being baited here. You can't be serious...
I could go on about the obvious problem with how the Middle Ages could never have ended if nothing ever changed, but instead I feel I must point out how scholars of the "Middle Ages" often highlight how Western concepts of "security" evolved during this time, let alone food, language, science and customs.
The European concepts of towns, cities, hotels, farms, universities, and even peasants and lords radically evolved during this time period.
But back to security trade-offs, let's just take for example the Carolingian Empire that fell apart in the 10th Century and significantly changed Carolingian living. Peasants went from serving in the army to being allowed to till the soil only -- forbidden from picking up arms. They lost rights to their land by the 11th Century and many lost their freedom altogether. Peasants became serfs, who owed dues and services to the local strong man (as well as a "lord of their manor", if they lived on one), and they had to refer to him as their lord.
This was the genesis of the famous system of lords, vassals, and fiefs that most of us romanticize about today. The hash fact is, however, that power struggles were messy affairs in the Middle Ages that led to radical change in offensive and defensive tactics.
Perhaps most interesting of all is the social structure that changed due to the evolution of cities around the 12th and 13th Centuries. The diverse groups of laborers who congregated in increasingly large "urban" areas sought ways to win independence from their overlords. Some cities just required a serf to be a resident to become free, while others paid money or litterally fought for freedom. The Italian city-states were an offshoot of this movement as serfs not only gained independence as communes, but they also achieved the right to govern the land around the city.
You might say this all was due to the pursuit of security, and people faced many trade-offs every day.
Anyway, I stand by my point that change is constant, and people have developed ideas of security throughout history in order to address change -- either proactively or in response. We are not unprepared to handle change as much as we are unprepared to actually find and pursue the truth during periods of change.
"Bruce, I feel like I'm being baited here. You can't be serious..."
I'm very serious, and I'm not trying to bait anyone.
Yes, everything you write is true. But those are changes on a broad scale. They're changes that took hundreds of years. They're changes that affected the gentry. For most of the population, the technology they saw in childhood was the technology they died with. There are exceptions, but they're exceptions. Today, the pace of change is very different. The technology we have now is not the technology we'll have in ten years.
(Sorry. I posted this too soon.)
Change is not constant. Or, at least, the rate of change is not constant. In a world where there is little change, our security intuition develops in childhood and still works as an adult. In a world where change happens regularly, our intuitions fail us because the world is different.
We can see this when we ask people about the security of using credit cards online. We can see this when we watch our parents trying to figure out how Internet security works. We can see this when people don't understand the security risks of giving out information. It was more secure twenty years ago; who noticed when it changed?
There is not much about plows, compases, iron, gunpowder, wells, windmills, paper and soap that would surprise us today, but would you agree that those things were developed and deployed at a "rapid" pace for the Middle Ages?
I think our intuition does not get "developed in childhood" but actually gets increasingly accurate through a reasonable amount of experience based in constructive observation and knowledge. I mean specifically that we need to gather and process information in a way that actually allows us to enhance our ability to use our "gut instincts".
What happens if a rabbit has never seen a fox before (to use your analogy)? What about animals that have never seen any threatening predators for that matter? Does the rabbit go the way of the dodo?
All that being said, I suggest that people often do not understand security risks today because they consciously chose not to use/develop their intuition, and are therefore less prepared to handle the (relatively faster) pace of change that they are eventually faced with when their limited/dated source of information fails them.
In other words, most of us do not make well-reasoned decisions about security because we find ourselves stuck relying on customs, traditions and societal influences that we accumulate over time. We are rarely well enough informed or trained to actually make logical and deductive decisions as we fill our work and daily lives with comfortable habits from our upbringing and culture. This is really why adults are usually more resistant to the information related to change. It takes a lot of time and energy to absorb enough information to achieve moments of useful intuition.
Twenty years ago?
The problem from "giving out information" seems to be more of a manifestation of the Customer Relationship Management (CRM) data-collection rush that companies engaged in just five or so years ago. Few if any of them really considered the fact that once they gathered huge databases of identity information, that it would actually have to be secured from misuse. Or they couldn't justify the cost. In a way, it is like the collection of money into banks...as assets increased, threats emerged and highlighted the vulnerabilities, which led to a reevaluation of risk (T x V x A = R).
Bruce vs. Davi:
Okay, and I thought I was prone to digression... ;-) For starters, the Middle Ages are just irrelevant, notably as per the Chinese Law of Relativity. In any case, we started with Bruce's:
"Our security intuition evolved in a world where nothing ever changed. Fear of the new made a lot of sense in that kind of world."
Bruce picked the wrong word here; he probably wanted "instinct", which evolved over millions of years. It's not so much that "nothing ever changed", as that brief changes and challenges just got folded into "long-term conditions". That is, it didn't matter if we were dealing with jackals or jaguars, the point was we wanted their food, while they wanted *us* for food. Negotiations begin with a stare....
But the business of where our decisions come from happens to be something I'm *very* interested in, so here comes my Big Picture spiel....
The human mind is a many-layered thing, from the spinal cord and medulla (physiology, reflex, pain) through the limbic system (emotion, instinct), and on through several mammalian layers (more "instinct", learning, intuition, thought, reason) to the cerebral cortex. This stack accumulated through megayears of evolution, culminating in the 1-2 megayear sprint that produced our current bodies and brains. Only the topmost layers on this stack would even *notice* a blip like the Middle Ages -- and our "fast" responses to security-type situations mostly depend on the *bottom* few layers:
Emotion and reflexive responses vary a good deal among humans ("temperament"), but for a given human, they're easier to work with than to change. In a group, however, the most suited person for a task will naturally tend to gravitate toward that task.
Instinct for humans is surprisingly flexible on a group level, because much of human instinct seems to have been converted to imprinting and prepared learning. That is, we "draw cards" from a a deck representing much of our primate and mammalian heritage. But that happens very early in life, in response to our earliest comprehensible signs of what sort of world we've been born into. (E.g.: Am I getting enough to eat? Which parents are present and attentive? Do passers-by smile at me, or are my parents hiding me from them? etc.)
Our most basic personality patterns and ideas about the world are formed in the first few years of life. This is when we develop expectations about how the world works -- first the physical world, then the social world. (Also language, but that's by the by.) If those expectations don't match what we meet when we grow up, we get cranky about it. ("When I was a boy, there weren't all these buttons and blinky lights... and girls didna wear lingerie in public!" ;-) )
True intuition is part of the next layer up, the layer that's most outraged by our current pace of change. This is where our learning abilities project upwards from "animal territory" to intertwine with language and abstract thought. It's where we learn the details of our social and physical environment (including customs and laws) and develop the appropriate habits and responses for *this* year's environment. This layer was what turned humanity from a scrawny ape into an world-shaper, but it's not really "finished", in that much of our learning still happens at sub-verbal levels. "Intuition" describes our access to this sub-verbal learning, including all the expectations and habits that we never really needed to put into words.
Of course, with or without words, we expect what we've learned to stay useful, and get upset when it doesn't: ("I took typing in school, but what's with all these extra keys?" "Grr, this new program has the commands in all the wrong places!" "Permission *denied*? Dangit, this is *my* computer!" etc...) We *can* learn new things even as adults, but for most humans, this is an anxious and uncomfortable business. The problem with "modern" life is, that's happening too often. Every time we think we've mastered our current environment, it changes (again), keeping us in that anxious "figure it out" condition longer than is really healthy for us.
Of course, "we techies" are individual specialists in new stuff, defined by prolonged curiosity, better abstraction ability, etc. This subtype is useful enough to human groups, that it's a secure part of our instinct/temperament "library". We can help explain things to normal folks, and sort out new situations for them. But the thing is, Joe Sixpack is never going to *like* learning new things as much as we neophiles do. He wants us to deal with the tech problem *for* him, just as the priestly sorts deal with gods and spirits, the warriors deal with predators and enemies, etc.
These days, we just can't do that, largely because there are too many new developments for the proportion of neophiles available. Normal people rarely get a chance to learn enough about new technology to have useful "intuition" about it.
So, Joe gets an ulcer from his inability to control his own environment, much less deal with the global demimonde known as the Internet.
Okay, end of spiel. (For now :-) ) I'll be happy to discuss things further by E-mail, but I suspect this comment thread is soon to be left behind by a continuing stream of new topics....
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.