Schneier on Security
A blog covering security and security technology.
April 29, 2011
This is a surprise. My TED talk made it to the website. It's a surprise because I didn't speak at TED. I spoke last year at a regional TED event, TEDxPSU. And not all talks from the regional events get on the main site, only the good ones.
EDITED TO ADD (5/13): A transcript.
EDITED TO ADD (5/14): Motley Fool article about the talk.
Posted on April 29, 2011 at 2:45 PM
I watched it on TED yesterday, and I kept thinking how well this applies to the current (somewhat panic-stricken) debate regarding nuclear power, which is spreading like wildfire throughout Europe. I don't know about other parts of the world, but I assume it's similar.
Thanks for sharing, it was an excellent talk!
I started watching, and can't wait to finish. I saw it on Facebook earlier this week. Thus far, it is a very good talk. I had the opportunity to listen to you at Boise State last year, and have been following your blog ever since.
It's been up all week. Thought you were just playing it cool.
Or those talks whose givers have made quiet remarks to the TED staff along the lines of "Wow. Nice computer system you have there. Wouldn't it be a shame if something happened to it? Yeah. A terrible terrible shame."
*grinz* I'm sure it was an excellent one, and I'll get to it this evening!
Really good talk, very eloquent.
It's a dead link right now.
I'm not a big fan of TED Talks, but so far yours and Johannes' have been the most interesting I've watched.
I liked your talk because it explains in a very plain English what's wrong with the notion of security these days. Thanks.
Great talk Bruce. There are a couple of things I'd like to get your feedback on. Specifically the Tylenol and baby snatching examples caught my attention. Probabilistically the risks are low of being affected by either event. However, if it happens to you, it only takes once. It's the same with a plane crash or lottery ticket. Low probability for either, but it's nearly guaranteed to happen at some point, and someone will lose/gain everything. How should this affect our model of risk and security?
BTW, thanks for the great blog, I really enjoy it. I'd like to see a little more math.
Nice. Well done and keep up the good work.
Great talk Bruce! I've been following your blog silently for about a year and I love it! You've really influenced how I think about security.
Andrew says he wants more math. More math??? Jeepers creepers. I can barely follow this thing now.
Besides, to quote my ideal woman, Barbie, "Math is hard."
It was a good talk though. Hardly any math.
Off topic: The other shoe drops.
Hackers Claim to Have PlayStation Users’ Card Data
Did Sony lie about the card data being encrypted? Or was it stored elsewhere unencrypted?
2.2 million cards - if I'm not mistaken, that's not the biggest CC theft. But it's pretty big. The TJ Maxx theft was something like 45 million. The Gonzalez case was 130 million over multiple breaches.
A little off topic, but the PSN network has been down for 10 days now, and no comments here. You'd think a breach of this size would get a mention here.
Any chance Bruce is one of the outside experts helping Sony and can't comment due to an NDA?
Just watched the talk. Well done, very clear.
As an aside, I'm not even an African tracker and if you took me to New York, I'd probably die in a day. San Francisco isn't New York! (Although I HAVE been in New York for more than one day, I wasn't wandering around and it was in the 1970's.)
OTOH, if I took you to Federal prison...that would be interesting.
Great quote Bruce! "News is something that almost never happens."
ROFLMAO! Thanks, I needed that!
RW: Bruce is often a little late with comments on major security events. I think he likes to wait until he gets a sense of the overall *meaning* of the event rather than rush to comment based on possibly inadequate information. Bruce is not a "rush to judgment" kind of guy which is why he's so valuable to the industry.
Bruce, I love your work and read everything you write. But you have got to peel back the arrogance and get a little down to earth humility -- such as saying things like "only the good ones". You are not the second coming. You're a smart guy who says really smart things. But don't start believing your own hype.
Huge fan of TED & Bruce. Great job, wish I had been there!
The hospital RFID anecdote got me thinking: do long odds automatically make all mitigations "security theater", regardless of the stakes to the stakeholders?
A small measure affecting only stakeholders that reduces chances of even highly unlikely events of disproportionate severity (to those stakeholders) seems legitimate to me, not theater (pejorative).
I purchase insurance against unlikely events of disproportionate severity -- is that theater? There are non-linearities in the economics of expected outcome that make it rational to me, not theater.
"But the PSN network has been down for 10 days now, and no comments here."
Uh, I commented on that three days ago, but received no replies nor posting by Bruce, to my slight disappointment. See
and search for "Sony".
@ BRUCE: Congratulations! ... But is it possible to institute a policy of giving us links to the *text* of such things, for those of us who prefer to read, or who don't wish to allow googleapis and some other scripting?
Definitely a good one. Thank you.
Great quote with the news that never happens. It is not completely true, though, as a change in state may not happen very often, but one cares if they are affected by one state or the other. Like a declaration of war, it happens rarely, but its effect may last.
Also, you kind of presented a lot of reality about security in a talk about converging reality and feelings :)
The TED lecture explores a divergence of intuition/feelings, reality, and model in the field of security. In other fields, such as physics, the tool that reduces the influence of intuition and feelings on the construction of model is called "the scientific method".
Perhaps, in the field of security the scientific method does not dispatch the "theater of security" because suppliers and advocates of security measures are political or business agents not scientists.
I saw the TED talk. I've never seen you speak before. I became an instant fan. I've been watching videos on YouTube by you for the past few days. Fascinating stuff and your delivery is very calm and intellectual. Keep up the good work.
Overall very good. It broke down around 14:00 and picked back up around 18:00, which is bad because the model discussion is needed.
Excellent, well said. Everyone needs to listen to this speech.
@Fredrik if you must bring up the nuclear debate, perhaps you can say what you think about the whole waste management aspect?
"But is it possible to institute a policy of giving us links to the *text* of such things, for those of us who prefer to read, or who don't wish to allow googleapis and some other scripting?"
When I know of text links, I include them. I don't think there is a transcription of this talk anywhere.
"There are a couple of things I'd like to get your feedback on. Specifically the Tylenol and baby snatching examples caught my attention. Probabilistically the risks are low of being affected by either event. However, if it happens to you, it only takes once. It's the same with a plane crash or lottery ticket. Low probability for either, but it's nearly guaranteed to happen at some point, and someone will lose/gain everything. How should this affect our model of risk and security?"
Dealing with low-probability high-cost events is inherently hard, because a lot of our normal intuition and math doesn't work very well.
I know I've written about it in Beyond Fear. This is the only thing I could find on my blog:
@ Bruce, tommy
This web site appears to have a transcript of the TED lecture:
I Googled for this [text transcript Bruce Schneier: The security mirage]
Thanks for both the link and the search tip. I d/l the transcript and will read thoroughly when time allows.
Also, will file your text-search tip for future reference. (Maybe Bruce will, too? - but I guess we can do it ourselves.)
Very good talk. Thank you.
On seat belts, and other risks, John Adams is good (apologies if old news)
So, do we have safety theatre as well as security theatre? I haven't heard the phrase but the answer is yes I fear.
The question I took from your talk was pure confirmation bias but improved by the talk. Who shall guard the modellers? The UK foot and mouth epidemic of a few years ago showed just how dangerous bad models can be. As models get more complex (which is what modellers do), so they become less transparent. Not a good thing.
I fear there was an element of Cartesian logic supremacy in your talk. Feelings are not there to be 'corrected'. Also, some technological imperative. Just a soupçon.
Human values do not = MEU from PxC. Charles Perrow's 'Next Catastrophe' says we should limit C regardless of cost. Recently he has written we should really reduce P as well (e.g. understanding of earthquake frequencies).
Good talk, but models can be wrong or broken. Are heavy metals a threat? In the environment? In toys? In vaccines?
Do you get fat from fat? inactivity? Carbohydrates? HFCS?
Global warming? Is the science correct? Or are the people in lab coats merely the new robed priesthood? That you can't question them without being a heretic? Or as you said, "A model that we just accept by FAITH, and that's OK"?
In WW2, cigarettes were called "coffin nails" or "cancer sticks", so there was no model change, merely the cost of pleasure and popularity. Before smoking was cool. Now smokers are pariahs.
ISO/IEC 15026 Part 2 on Assurance Cases might be relevant to the model element in your talk.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.