Interview with Me About the Sony Hack

These are what I get for giving interviews when I'm in a bad mood. For the record, I think Sony did a terrible job with its customers' security. I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better. And that most of us are pretty secure, despite that.

One of my biggest complaints with these stories is how little actual information we have. We often don't know if any data was actually stolen, only that hackers had access to it. We rarely know how the data was accessed: what sort of vulnerability was used by the hackers. We rarely know the motivations of the hackers: were they criminals, spies, kids, or someone else? We rarely know if the data is actually used for any nefarious purposes; it's generally impossible to connect a data breach with a corresponding fraud incident. Given all of that, it's impossible to say anything useful or definitive about the attack. But the press always wants definitive statements.

Posted on May 13, 2011 at 11:29 AM • 55 Comments

Comments

CSTARMay 13, 2011 11:54 AM

Le "chuck Norris" de cybersecurité? ça alors! Qui est Chuck Norris? Le Bruce Schneier de la bagarre. Ils auraient pu choisir quelqu'un d'autre non? Obelix peut être ...

Merde, ils posent toujours les même questions idiotes "Dans 20 ans, des avancées pourront-elles offrir des systèmes inviolables?" COmme quoi "encryptage quantique"?

Timm MurrayMay 13, 2011 12:00 PM

Most of the story here isn't so much about the breach in itself, but rather the continuation of Sony's famously inept public relations department.

Jim HarperMay 13, 2011 12:04 PM

"[I]t's generally impossible to connect a data breach with a corresponding fraud incident."

If correspondence can't be shown, how do you know that there is a connection to be made?

Michael S CollinsMay 13, 2011 12:20 PM

"If correspondence can't be shown, how do you know that there is a connection to be made?"

That's the whole point - we don't know *if* there is a connection or not. That's a mighty big "if" hanging out there. It could be nothing, or it could be *tens of millions* of persons' stolen CC information. I think Bruce is rightly making the point that lack of information is frustrating for everyone involved. The only people with the useful information have no financial incentive to be forthcoming.

-MSC

JimMay 13, 2011 12:21 PM

"And that most of us are pretty secure, despite that." That's what a lot of companies think - "we haven't been attacked, so therefore we must be secure."

Nick PMay 13, 2011 12:24 PM

Dude, you were snappy on that guy from Kotaku. If you that pissed next time, you might want to reschedule for another 30 minutes so you can do some deep breathing exercises or something,

PascalMay 13, 2011 12:24 PM

@CSTAR

Chuck Norris is himself an internet meme. Everytime people want to highlight how strong you are they compare you to Chuck Norris. This choice was not random, or arbitrary

They could not have used Obelix because Obelix is both unknown to most English readers in the world, and is not an internet meme.

HJohnMay 13, 2011 12:41 PM

Funny, I couldn't get to the Kotaku interview because it was flagged as game playing. *shrug*

Cue the chorus that no one with power seems to pay attention to: As important as it is to protect sensitive information, incidents wouldn't be a serious if the information was not so simple to use.

stvsMay 13, 2011 12:41 PM

And: Bruce Schneier's Twofish algorithm has 16 rounds, but he always gets a knockout in the first.

HJohnMay 13, 2011 12:41 PM

The first of the two posts had a typo. This isn't the first time my fail to proof read properly has embarassed me :) TGIF

LiamMay 13, 2011 12:46 PM

I honestly thought the Kotaku interview was heavily edited or fabricated. I emailed Bruce for clarification.

Trichinosis USAMay 13, 2011 1:01 PM

@Marsh Ray, I agree. Bruce doesn't have chest hair, he has a one-time pad of hair follicles.

Jim HarperMay 13, 2011 1:07 PM

@MSC Oops - My earlier query was utterly incomplete. I was thinking of the correspondence problem in the context of the earlier statement: "I also think that most companies do a terrible job with customers' security, simply because there isn't a financial incentive to do better."

If we don't know cause and effect, how can one say that companies are doing a terrible job? Maybe they're doing a fine job, and frauds don't arise from these breaches in quantity significant enough to worry about. If most of us are pretty secure anyway, why would we want companies to do better (in particular, to spend more) on security?

I'm thinking as a contrarian about something that I'm sure is counterintuitive to many here: There's a background level of insecurity that is tolerable, and if we're pretty secure now, I'm wondering why we need more security. I wouldn't want there to be incentives that cause our society to spend, say, $4bn more on security to get $3.5bn worth of protection.

We're all agreed that it's frustrating not to know. It's worth considering that we don't know enough even to say how well or badly companies are doing on security.

Bruce SchneierMay 13, 2011 2:10 PM

"Dude, you were snappy on that guy from Kotaku. If you that pissed next time, you might want to reschedule for another 30 minutes so you can do some deep breathing exercises or something"

Agreed.

Captain ObviousMay 13, 2011 2:20 PM

@HJohn

We're all human. The only reason to be embarrassed by a typo is if it occurs while correcting someone else (which in an informal online environment should only be done upon request if the intended meaning is already clear), or maybe if you post a correction to the typo, as well as an explanation for the correction, while missing the second typo entirely ;)

SomeGuyMay 13, 2011 3:00 PM

Yes, "how little actual information we have" has become a pet peeve of mine. Ten different articles will either all be AP wire stories or say the same thing phrased slightly differently. This new White House security proposal (sorry, "cyber proposal") is exactly the same - totally content-free. I haven't found an article yet that has any substantive information.

JohnsMay 13, 2011 3:15 PM

Bruce, clearly you have anger issues. The first step is recognizing the problem. You apparently have done so. The next step is to identify and openly discuss the issues causing said difficulties.

We are your friends here. You may begin.

Paul RenaultMay 13, 2011 3:52 PM

Put me down in the "I don't see what the problem is" camp.

Bruce, your comments were reasonable, if pointed. But they were fair.

Nick PMay 13, 2011 4:56 PM

@ paul renault

The problem wasnt in the content but the presentation of it. A security pundit's reputation and ability to score press can suffer if he acts arrogant, dismissive, careless, etc. during interviews. If this is unclear, see Theo de Raadt. Great developer + wrong attitude in public = most people dont care to listen to him.

Bruce apparently realized the problem with his presentation style and publicly admitted the mistake, preserving his professional image. It's something that people in the media spotlight have to watch out for. Thats my take.

mooMay 13, 2011 4:59 PM

While a little more fatalistic than usual, I didn't see anything to gripe about in Bruce's comments in the kotaku interview.

The only downside I can see is that to someone not very familiar with Bruce's writings, he might come off as a Sony apologist in that interview. Kotaku is a video-game-nerd site, populated by hardcore game enthusiasts. Almost all of Kotaku's readers will own a PS3 and/or Xbox360, and almost all of them will have strongly polarized opinions about the PSN breach, Sony's PR handling of the incident, etc. Most of them will not be experts (even armchair experts) when it comes to security. So they might not realize or care that Sony's response to the breach was actually about the best that any reasonable company could hope for. Except that Sony isn't so great at reaching out to and communicating with their customers, but thats nothing new for Sony and the kotaku crowd are already painfully aware of that.

Richard Steven HackMay 13, 2011 6:23 PM

Bruce:

"What does that even mean? Is there such a thing as a secure house?"

No networks, Schneier added, are really secure and people have to come to grips with that.

"Everyone is probably equally sucky," he said of network security in general. "Some may be better than others."

Bruce, I am suing you for misappropriating my intellectual property, namely the following:

"There is no security."
"You can haz better security and you can haz worse security, but you cannot haz security."
"Suck it up".

Clearly you have illegally copied, or made clearly derivative works from, all of my remarks, which I will be copyrighting, trade marking and filing patents on in the next ten minutes.

You have been served! :-)

BF SkinnerMay 13, 2011 6:50 PM

Still...Kotaku says you're famous! Cynical Validation - we'll send your updated Cynacism Union membership card in the mail.

"Fan boy" ?? - what a yutz.

Nick PMay 14, 2011 12:26 AM

@ Richard Steven Hack

"Clearly you have illegally copied, or made clearly derivative works from, all of my remarks, which I will be copyrighting, trade marking and filing patents on in the next ten minutes. You have been served! :-)"

Epic win.

fbmMay 14, 2011 3:37 AM

Hahaha, that Kotaku interview was great! I wish there were more experts who gave those kinds of answers. It's refreshing and genuine. Although the fore-mentioned breathing exercises might be good, if only to get some more oxygen in the blood.

As for Sony being compromised - I'm sure it had something to do with the PS3 hacks, as was pointed out in the comments after the article. Bad business decisions are now becoming more dangerous than ever when considering the break-in probably came from their "customers."

But the reasoning (if that's the case) is flawed. It's like buying a pair of shoes you wear every day from a store you know and then 6 months later finding out you can't trade out the laces. So in retaliation you throw a brick through the store manager's car window.

Paul RenaultMay 14, 2011 7:52 AM

Nick P, it's possible, even likely, that I'm blind to the affect. I'll never be a media personality, so I'm lucky that I don't have to constantly edit myself.

However, let me ask: how else should/can you deal with someone or some organization which desperately needs to have the snot choked out of them? Other than by being blunt - especially when this someone or something is causing and perpetuating substantial harm?

Can you imagine a physician being more concerned about the blood spatter on his tie (he has to appear 'professional', no?) or avoiding using a loud, harsh tone of voice when asking someone to dial 911 (again, that professionalism), than about saving a life? Give me Matt Taibbi or Robert Fisk over, um, Mary Hart any day.

How much better might this world be if we realized that everyone, even famous people, use toilets, pick their teeth, burp, and, gasp, have opinions, well-supported opinions based on long experience. It shows they care as much about other people as their image.

So, Bruce, if you're ever at my place for eats and drinks, and you think I'm doing something bone-headed (or even better: if someone else is doing something bone-headed), tell me. I might hand you some more lobster or calamari or another glass of whiskey, as thanks.

Bruce SchneierMay 14, 2011 11:50 AM

"Most of the story here isn't so much about the breach in itself, but rather the continuation of Sony's famously inept public relations department."

Agreed.

Kevin WallMay 14, 2011 12:36 PM

I noticed that www.schneierfacts.com was missing a key achievement of Bruce, so I submitted it so he can get all the credit he rightfully deserves.

Bruce Schneier is also an accomplished children's author. He wrote that famous childhood crypto book, "One Fish, Twofish, Red Fish, Blowfish".

Nick PMay 14, 2011 1:10 PM

@ Paul Renault

The analogies are nice in their context but they don't apply here. The reason is that you've picked emergencies, where rules are often discarded, and a situation where one must defer to an authority figure to be safe. The context of Bruce's interview was a routine interview. It wasn't an emergency, it wasn't totally necessary, and it was voluntary on both sides. He might have been able to drop all the rules of presentation if he was hastily interviewed about how to protect a building he was in from an attack taking place in a few hours.

And if he was at my house, I'd tell him to say what he really thinks as well. That's a non-public place. I make the rules there. Authenticity/honesty is one of them. ;)

Clive RobinsonMay 14, 2011 3:53 PM

"Obelix is ... unknown to most English readers"

Realy? it didn't used to be, Aterix the Gaul was quite popular.

I know I'm going to regret saying it but when I was younger Obelix used to be my nick name.

echowitMay 14, 2011 4:21 PM

Since when is using a rhetorical question (or two), especially to answer a rather confused question, being dismissive? It seems an effective way to maybe get the questioner to rethink what they just asked.

Richard Steven HackMay 14, 2011 6:11 PM

Put me down with those who think Bruce gave VERY useful and definitive statements about security in response to questions about a specific attack.

He's exactly right on all counts and these are precisely the points security experts should be making, to bring some reality to the issue.

At the risk of granting him a free license to steal my intellectual property - :-) - here are those points again:

"There is no security."
"You can haz better security and you can haz worse security, but you cannot haz security."
"Suck it up".

Oh, and I'm indebted to Bruce for another useful point: "Admit it publicly when your security sucks and you've been caught in the BOHICA position." If you can't be secure, at least be a useful example as a warning to everyone else.

OTOH, that could be considered part of the general principle of "suck it up." "CYA" is no part of "suck it up."

Macneil ShonleMay 14, 2011 8:17 PM

".. it's impossible to say anything useful or definitive about the attack"

In general, can't organizations seed their databases with fake accounts? The moment any of those credit cards are hit (or their soc. used in a credit check) the alert will let them know definitively what was accessed.

vectorizerMay 14, 2011 8:41 PM

@fbm "It's like buying a pair of shoes you wear every day from a store you know and then 6 months later finding out you can't trade out the laces. So in retaliation you throw a brick through the store manager's car window."

Well, the reasoning is more like the shoe store manager coming into your home and taking back the laces you bought with the shoes 6 months ago. (Not that that justifies the brick.)

More on topic: It's tough to have to give one-liners that can so easily be misunderstood. I remember a decade or so ago, Bruce made a statement to the effect that SSL isn't important. Of course *we* all know he was making the point that SSL is much less important than many other web app security features, but I had to fight with a manager who took Bruce's remark to mean SSL isn't necessary. So maybe quote-quantity is important -- one-liners for the public are dangerous without having a larger context.

Tony S.May 15, 2011 5:07 AM

Dear Mr. Schneier:
quote:
These are what I get for giving interviews when I'm in a bad mood.
comment:
So you had a 'bad mood.' What a surprise. For me, who regard you
as a 'hero and expert.'
1.)it's an occupational hazard. An analogy is that many police officers
are cynics; having seen so much of a 'skewed' view of humanity.
2.)correlation of 'poor results' may NOT be correlated with 'bad mood.'
3.)'poor results' may have to do with 'lack of control' and 'communication
problems' which appears to be coorelated STRONGLY with 'the press.'
4.)statistically, 'the press' background is English Major. English Major
is ridiculed in NPR Radio's Prarie Home Companion. They
don't know the difference between Accuracy and Precision.

suggestion:
The mindeset of the enemy... er.. that's frenemy.... make that
friend who is THE PRESS is:
1.)Look good rather than look right. Who needs fact checking?
2.)Choose Precision NOT Accuracy.
3.)address the messenger, NOT the message. It's who you know,
not what you know.
4.)shorten the interview. Cover too much, too complex.
quotation:
Like a skirt, long enough to cover the subject and short enough
to be interesting.
Like a skirt, long enough to give an impression of 'fast control'
about 'cool gamers' and short enough to encourage 'fighting words',
controversy and 'speed debating - no holds barred.'

PS. Unofficial General Manager of the FAN CLUB for Mr. S!
http://www.schneier.com/blog/archives/2011/05/...

GreenSquirrelMay 15, 2011 4:30 PM

If Obelix is unknown to most people then it really is a sad day for childrens books across the world.

Long Live Asterix...

(Maybe Bruce is Getafix)

Dirk PraetMay 15, 2011 5:44 PM

For what it's worth, I think all Bruce's comments were right on the money. And we all have a bad day from time to time. We just live in a world where style too often is more important than substance.

The real story however is that there seem to be people out there that have never heared of Asterix and Obelix. Non licet omnibus adire Corinthum, I suppose.

BF SkinnerMay 16, 2011 6:20 AM

@fbm "Bad business decisions are now becoming more dangerous "

Leave aside where you stand on this particular issue (Sony thought it was a good decision to protect their IP and market, protect their control) for the moment.

We had a recent speaker who was talking about denial of service attacks. He summed it up "Do you have people who want to gather in front of your offices, wave signs and protest your operations? Then you'll have someone with enough motivation to launch a DoS."

It's more a case now where _ANY_ decison a company makes may provoke a backlash in an attack on thier IS. But what executives are skilled and trained enough in assessing the risk and their networks ability to sustain under the assualt? Even major corporations do not (they'll say cannot) give sufficient resources to security.

I'm putting this Sony story in my casebook under "See what can happen?" Either Forbes or WSJ opined that this event cost them over a billion. Even a company Sony's size cannot sustain this kind of cost.

jacobMay 16, 2011 8:28 AM

@skinner. So far Sony has done it for years and absorbed the cost. They have a long history of coming out with something and then screwing up with DRM, monopolistic plays, or bad faith business deals.

I have more respect for apple or microsoft. And that's saying something.
At least they pretend to care about customers.

If there is a serious way to screw it up, they will. I used to think it was unintentional. Now I think it is intentional. It's never the crime it's the coverup. Or doing one thing illegal will get you in some trouble. Doing two or more at the same time is where jail time is involved. DUI, bad. DUI, doing donuts, and flipping the cop off as you do them. That's serious.

ChrisMay 16, 2011 8:59 AM

Personally I found Mr. Schneier's commentary a refreshing change from the typical pablum served up to Joe Sixpack when dealing with security measures.

Harsh, brutal, and above all honest. Certainly wouldn't cause him to lose standing among any of my peers.

And the four-letter invective there was an excellent example of the Precision F Strike.

jacobMay 16, 2011 12:51 PM

@Bruce. I'm seeing reports that amazon cloud may have had something to do with sony psn problem, as well as other cloud problems (microsoft, google). The cloud apps have been discussed for years and companies want us to move to the "cloud". I have been leary due to security (want encryption) or control. What are your thoughts on cloud computing?

HappySpaceInvaderMay 17, 2011 6:31 AM

@Pascal

"They could not have used Obelix because Obelix is both unknown to most English readers in the world, and is not an internet meme."

I dispute the first statement - the TV series was dubbed into American English, so someone must have seen it. For what it's worth, both the comics and the TV series were popular in England during the 70's and 80's, and I was 14 years old before I realised that it was originally French.

HappySpaceInvaderMay 17, 2011 6:39 AM

@Pascal;

"They could not have used Obelix because [it] is not an internet meme."

... and this should be addressed as soon as possible.

fbmMay 18, 2011 4:41 AM

@BFSkinner - "Leave aside where you stand on this particular issue (Sony thought it was a good decision to protect their IP and market, protect their control) for the moment."

Agreed. I should have put it in that context vice making it seem like I disagreed with what they did, because I can't say I do disagree with them.
I imagine both sides feel justified with what they've done and they both have a right to.

lbnugMay 19, 2011 5:42 AM

@Green squirrel (Maybe Bruce is Getafix) lol. I can see him in the role :-)

Clive RobinsonMay 19, 2011 6:47 AM

@ Green squirrel, ibnug,

"Maybe Bruce is Getafix"

Not yet. his beard and hair are two short and even in the latest photos still not white enough, at current rates Bruce needs about three years ;)

CacofonixMay 19, 2011 8:47 AM

If Bruce is Getafix, then I guess that makes Clive Robinson Asterix?

SahsnotMay 20, 2011 3:45 AM

Concerning the Sony hack:

The size of the potential loot defines the effort which can be spend for the breach and the effort for security measures. I mean, ~100 million data sets !!!
It's the well known rat race and Sony was slow.

I like the idea of seeding fake accounts. But I fear someone is stupid enough to seed them alltogether before the public launch date ...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..