Schneier on Security
A blog covering security and security technology.
June 28, 2013
My Talk at Google
Last week, I gave a talk at Google. It's another talk about power and security, my continually evolving topic-of-the-moment that could very well become my next book. This installment is different than the previous talks and interviews, but not different enough that you should feel the need to watch it if you've seen the others.
There are things I got wrong. There are contradictions. There are questions I couldn't answer. But that's my process, and I'm okay with doing it semi-publicly. As always, I appreciate comments, criticisms, reading suggestions, and so on.
EDITED TO ADD (6/30): Two commentaries on the talk.
EDITED TO ADD (8/1): To date, 14,000 people have watched the talk.
Posted on June 28, 2013 at 2:42 PM
I've been coming to like the idea that security is primarily an economic problem. Finding bugs and vulnerabilities (software, hardware, and social) is expensive. Companies and groups of individuals make software, but spending the time/money to find all the security bugs is very, very expensive. Look at the state of OpenBSD (highly secure, not very functional, huge developer effort into security) vs Linux (much less secure, much more functional, moderate developer effort into security). Governments can devote vast resources to finding vulnerabilities, while companies don't have the resources to do so. Governments can also rely on others to create much of the software/hardware/social norms, and thus don't have to pay directly for these things. There's an inherent asymmetry in what each side needs to spend to get power (find a vulnerability) and the Government side can spend less of its total budget and has greater resources to spend.
The paranoid in me suspects the only reason that Google hosted Bruce was to dissuade him from speaking critically of them. I know Bruce is a consummate professional; I hope he manages to maintain his impartiality and dutifully criticizes Google if and when it is appropriate.
Adam G: I'm a Googler, and was at the talk at Google (I quite enjoyed it). I thought that Mr. Schneier made several points that were at least indirectly critical of Google, and in general of large organizations that store massive amounts of private information. I think it was great that he talked about the recent issues surrounding privacy (which is just an extension of security), and I know that many other Googlers feel the same way. Believe it or not, the vast majority of people inside Google care deeply about this stuff, and want to do the right things. And embracing open criticism is absolutely necessary to do that.
(in response to adam)
I'm not the biggest fan of Google, but I would like to just point out that Google hosts thousands of talks, many by non-techies like Christopher Hitchens and Anderson Cooper. http://www.youtube.com/user/AtGoogleTalks
The fact they would think to include one from about the most popular security expert in the world seems kind of inevitable to me.
Re: Evan M
Reciprocity is a strong conditioning. There were a few critical indirect references to Google. But he did emphasize how Google is an exception in the vendor lock-in case, which made me chuckle.
> Believe it or not, the vast majority of people inside Google care deeply about this stuff, and want to do the right things.
I suppose that's the case. Sadly though, it seems to be the minority that calls the shots.
At any rate, I really liked the talk. Wonder whose idea at Google it was. Given how Google is on the PRISM list, it does resemble more of a marketing stunt.
Adam G, Evan M:
There were multiple times during the talk that I thought, "Oh, the Googlers in the room *must* be squirming with discomfort, knowing he's talking about Google even when he doesn't say it." He may have the tact not to attack Google by name on their own campus, but he also has the integrity not to shy away from the issues just because he's hosted by a company involved.
It was nice to see you again, and I'm glad to see you taking on the important work of EFF. One thing worth thinking about is whether EFF should have a more international role. Freedom is not just an American value, and Americans should be held to a higher standard regarding freedom for others. Knock 'em dead, Bruce!
Thanks for your excellent blog, which I am reading much more after the PRISM scandal.
> power and security, my continually evolving topic-of-the-moment that could very well become my next book.
The book I (and I suspect many others) badly need at this point is an analysis in straightforward terms of what we can do to be fairly safe in these days when on-line.
Example: I am fairly computer-literate but I write numerical analysis code and know next to nothing about security. I make my living consulting so I must take care of my clients' data better than they take care of it themselves. What does this imply for my online habits?
I always use a VPN these days, but I do not know how much that helps. I still have a Gmail account. Is it foolish to have client email there? Is there a way to use services like Dropbox without being irresponsible with secrets which my clients' businesses depend on?
Is there a book which addresses these things available today?
Just listened to your talk at Google. Whilst your basic thesis of our technological neofeudalism is correct, I was surprised that you appeared unaware of the large body of work on the corporate/state power nexus produced over many years by the left libertarian community.
Most tech world libertarianism is distinctly right leaning (or even of the Objectivist variety), a feature the documentary film maker Adam Curtis explored to some extent in the first part of his BBC series All Watched Over By Machines of Loving Grace.
The big problem with right libertarianism is that it doesn't (or, at least, only rarely) acknowledge the existence of coercive power structures outside of the state itself (and when it does acknowledge them, is dismissive of their importance). In contrast, left libertarianism recognises that entities other than the state - or bodies acting in concert with the state - can exert coercive forces upon the population.
If you haven't already, I would urge you to explore some of the left libertarian literature. Here, you will find analysis both of historical feudalism (and related issues such as enclosure programs, which are equally relevant to today's tech world), and a critical appraisal of the corporate/state soft/hard power structure which you seem to be working towards articulating.
Whilst there are many great sources out there, and as you are interested in historical parallels, I can't recommend the work of Kevin Carson highly enough. I think that you will find the second part of his book Studies in Mutualist Political Economy particularly useful. The book is available online. Carson, and other mutualists/left libertarians run a website which might also provide some useful input into your thinking.
Great talk, much appreciated. In response to the last questioner who pointed out that the US is a democracy I sensed ambivalence.
In clarifying the real versus apparent choices offered between the two parties in our current democratic system I would have been inclined to mention the corrosive influence of the Citizens United decision in the 'co-mingling' of the interests of corporations and the state and perhaps referenced the Patriot Act as an example of a recent, significant policy where both parties have, surprising to discover, little or no daylight between them.
The other thing about that final question (the 'democracy' one) is that he was talking about meatspace, not cyberspace. Regardless of how rigged you think national elections are, no one gets to vote for anything that's meaningful in cyberspace, with the partial exception of 'voting' by not using or not doing something. But that's becoming less and less viable as a 'vote' (see Bruce's example of a college student choosing not to use Facebook).
I listened to the long talk and it was worth it. Naturally, there was a rehash of things discussed on this blog but good to see it repeated in one longer thought stream.
Bruce or anyone else, what were the things that Bruce got wrong? I heard one thing about the inability to flush cookies on the iPhone. I think that is possible on demand, although I assumed Bruce meant the inability to block third party cookies.
After watching the talk, I caught Bruce's Defcon talk in 2012. That was a lot more fun to watch. http://www.youtube.com/watch?v=dJh0mIJn6kE
The Edward Snowden / NSA affair is the best demonstration of that - perhaps ultimate? - democratic paradigm that "people shouldn't be afraid of their government, government should be afraid of their people."
Wouldn't it be so much better if we could get computer security solved in the general case? Then nobody would need to bow to any new lords and masters.
I strongly believe that capability based security can accomplish this, and free us all.
"The paranoid in me suspects the only reason that Google hosted Bruce was to dissuade him from speaking critically of them. I know Bruce is a consummate professional; I hope he manages to maintain his impartiality and dutifully criticizes Google if and when it is appropriate."
Don't worry; the free lunch wasn't enough to bribe me.
"I was surprised that you appeared unaware of the large body of work on the corporate/state power nexus produced over many years by the left libertarian community."
That's because I was unaware of such a body of work. Thank you for the recommendations.
Eudora? Mozilla recommends upgrading to Thunderbird for security reasons.