Schneier Interview in Telecom Asia

I was interviewed for Telecom Asia.

Posted on September 19, 2008 at 1:55 PM • 6 Comments

Comments

aikimarkSeptember 19, 2008 3:13 PM

What gives?!? You are interviewed by Asian publication and not asked a single squid-related question.

How disppointing ;-)

Davi OttenheimerSeptember 19, 2008 3:51 PM

"Now Counterpane belongs to BT..."

Scary. Imagine being told you belong to BT. Is that why people in England are signing all those anti-BT petitions?

"The reason Microsoft gets away with selling crap is you can't do anything if they do."

Yeah, no surprise Gates was the son of a powerful lawyer. Their legacy is a contract for crap that you pay for but never actually own.

http://en.wikipedia.org/wiki/...

"With identity theft, there are two ways to solve the problem[...]. Making it harder to steal is a waste of time, so make it harder to use."

It is not a waste of time. How can you be both pro-regulation (e.g. enforcing a standard to make it harder to steal) and also dismiss making it harder to steal? Perhaps you meant to say making it hard to steal only gets you so far, before regulators have to make it harder to use.

Bruce SchneierSeptember 19, 2008 4:22 PM

"It is not a waste of time. How can you be both pro-regulation (e.g. enforcing a standard to make it harder to steal) and also dismiss making it harder to steal? Perhaps you meant to say making it hard to steal only gets you so far, before regulators have to make it harder to use."

I'm not sure what you mean by "pro-regulation"? I don't think I'm either pro- or anti-regulation. I am pro-regulation when a regulation makes sense, and anti-regulation when a regulation doesn't make sense.

I am certainly pro privacy. The two ways to make companies take my privacy seriously are 1) regulation, and 2) liabilities. Liabilities are inherently problamatic because, when my privacy is breached, it's hard for me to know which company was lax with my information. Regulation makes sense here as a solution.

In any case, I don't think that the solution to identity theft is to make information harder to steal; there's just too much information out there and too many ways to steal it. Smart solutions center on making it harder to use.

PaulSeptember 19, 2008 5:32 PM

@Bruce

Wouldn't regulation in this case go hand in hand with making information harder to steal? e.g. something like the UK Data Protection act, limiting who can gather information, what purposes it can be used for, etc. A similar regulation would reduce the attack surface available to identity thieves. It is also something where the brunt of the effort would be upon governments and corporations, who could be browbeaten into complying with laws.

Contrast to trying to make it harder to use identity information: in this case, if it is harder for a thief to use information it is harder for legitimate users to do so as well. When your average person has to deal with security features, they choose the path of least resistance and don't think about it too much. Think of it as the meatspace equivalent of UAC. When confronted with a safety feature that makes someone take more care than they had to previously, their first and foremost concern is "how do I turn it off?". People will get used to credential challenges and learn to reply by rote. In turn, it will become easier to mount attacks under false pretense to get people to turn over whatever information is being used to "make it harder to use" their identity information.

Do you have any specific ideas on how to make it harder to use someone else's identity information that doesn't rely on the weak link (i.e. John Q. Citizen) to play a fundamental role? As far as I can see, businesses can be forced to comply with privacy legislation (albeit only if the government is serious about it, with random audits and very significant penalties for noncompliance)...but you can't browbeat the average person to care about their security. And even if they care, and are constantly scared of identity theft, the average person just isn't paranoid enough to question whatever "authority" might ring them up and ask to verify their mother's maiden name.

ripSeptember 20, 2008 9:47 AM

Security is never absolute, its subjective. what is the threat and how many of them are there.
Will the future be in a world where fascist databases control every move you make, or will there always be a smart monkey who resisted the brainwashing and became an indivudual.
In the end, freedom comes from resisting the imposed authority of king george.Tea party?

Davi OttenheimerSeptember 22, 2008 7:04 PM

"I'm not sure what you mean by "pro-regulation"? [...] I am pro-regulation when a regulation makes sense..."

I'm not sure what you mean by "makes sense". Those opposed to regulation generally say there is no need whatsoever and only support regulation when convenient (e.g. as a platform to win presidential elections so they can then try to deregulate everything after winning)

"I don't think that the solution to identity theft is to make information harder to steal; there's just too much information out there and too many ways to steal it. Smart solutions center on making it harder to use."

Smart solutions sound good but a bit too slick and vague. What makes it smart? ROI? :)

The problem reminds me of methanol and ammonium nitrate regulations. Should the government try to spend resources on making these harder to use, given increasing risks to a gigantic market, or make them harder to steal? Seems like a combination is best.

I could never disagree with a "smart solution" or a "regulation that makes sense", but I can speak from experience that creating a control that tries to anticipate good/bad usage is non-trivial, and relying on that single control should be avoided if not required.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..