Reddit AMA

I did a Reddit AMA on Thursday, September 6.

Posted on September 7, 2018 at 2:22 PM • 22 Comments

Comments

bobSeptember 7, 2018 3:36 PM

"What is your point of view of blockchain/cryptocurrency long term?"

"I am working on a longer essay about this, one that I hope to publish in the coming weeks."

No no no... please don't. Don't get me wrong, you have the right to speak your mind, but so have I and in mind is hope for a day when people stop asking cryptographers about cryptocurrencies. People reacted bad when they heard Snowden talk about zcash and monero. Because he is famous and people listen to him, he is very knowledgable in his field, but his field is not cryptocurrency. And I admire Snowden as I admire you Bruce, but every time you comment on bitcoin or whatever it seems clear to me that you do not have a firm grasp on it. Biologists and physicists will tend to know about chemistry, but if you want to know chemistry you ask a chemist. Same goes with the mainstream media interviewing people in economics, finance, etc. if you want to know cryptocurrency you ask the developers, the traders, the journalists in the field (even a youtuber will know more), the cryptocurrency experts.

HmmSeptember 7, 2018 3:59 PM

"I use Windows whatever-is-current. Why? Inertia, mostly. I don't want to learn new muscle movements and switch to Mac. Linux feels like too much learning. And a well-hardened Windows install is pretty secure these days."

You forgot the /sarc tag! :p

Your friend has his work cut out. EMET? Bolt-on ASLR? AV package? How many services disabled?
What do you run for intrusion detection? Are you basing that bill of health on lack of symptoms?

Exactly how do you afford your rock and roll windows lifestyle and call it "pretty secure"?

(That is, if you feel like sharing details with this inquisition/intervention/gathering outraged mob...)


HmmSeptember 7, 2018 4:04 PM

@bob

The way you phrased it, no cryptographers understand cryptocurrencies? That's unlikely.

Do you have any specifics of Bruce not "properly understanding" cryptocurrencies?
Can you share some? I agree there's a lot of room to specialize in that stuff,
but I don't think it's some kind of secret magic that CS types can't grasp.
Some examples would help make your case, maybe you're right?

bobSeptember 7, 2018 4:54 PM

@Hmm

Yeah, the windows part was a hard pill to swallow for me too, but he has said it before so I think it's not sarcasm. I don't know, maybe using windows is more penitence than sin, so I won't go full inquisition on Bruce.

No cryptographers understand cryptocurrencies? That's unlikely, as you say. Not what I wanted to say, I wanted to say most cryptographers don't know as much about them as experts and it is a good rule to ask experts instead of cryptographers, but most people do the opposite (and cryptographers like Bruce can and should refuse to participate in it). It's not some kind of secret magic, but crypto is hard (bruce says it all the time), even for CS types, and so is economics. If you want to understand their offspring you have to be either a genious or dedicated (meaning, you have to specialize).

Do I have any specifics? Bruce has not written many specifics. Most of the time he says who or what he agrees with, period. I can argue against the opinions he has linked or general ideas he has written, but I imagine you are aware this discussion can get long as long can be. I don't think Bruce would like it (I wouldn't if it were my blog). But I don't think it's right to hit and run either, if in the end anyone reads and thinks I'm evading the question, say it and I will write a wall of text or two. For now, I will insist on the fact that too many walls of text have been written already elsewhere, and they are not hard to find.

HmmSeptember 7, 2018 5:32 PM

I believe Bruce doesn't fancy himself among the premier currency experts, probably not, but he does get called up to speak before Congress on security - being integral to cryptocurrency, one of the major concerns generally - and a lot of lessons cross apply. Not all, that's true.

It maybe comes across as a glove slap as you don't have a glaring specific disagreement to point to of the cuff, so it's difficult for anyone reading to follow what you're referring to or why you feel that way - and maybe agree or disagree on the merits.

I guess I'm back to asking if there's anything specific Bruce omitted that you think need be said?
Let's hear it! This is the forum for exactly that purpose. I think he'd be curious too now.

bobSeptember 7, 2018 8:41 PM

@Hmm

Yes, I believe Bruce doesn't fancy himself among the premier currency experts, but probably knows most people fancy him expert enough. If he knows it, Bruce should stop himself from giving his opinion or, at least, include a disclaimer (like he probably would if giving his opinion on chemistry) underlining his probable ignorance and referring to cryptocurrency experts (not cryptography/security experts).

So, I want to say first, I think my argument is backed if cryptocurrency is accepted as a field distinct enough that it demands specialization and cryptographers are not cryptocurrency specialists. If it is, my point is made, no specifics needed. If it is not... here it goes.

I looked for the cryptocurrency tag and took the first three results.

https://www.schneier.com/blog/archives/2018/03/breaking_the_an.html

https://www.schneier.com/blog/archives/2018/06/regulating_bitc.html

https://www.schneier.com/blog/archives/2018/07/nicholas_weaver_2.html

I have already commented on the first two, please read me there. The first, specially, had me scratching my head. I didn't comment on the third because, as I read the paper, I found something to object to in every sentence or so. It tested my patience, I really hoped something informative would come out of it, I'll test my patience again as I write my thoughts on it.

The first page is a technical introduction to bitcoin, then he fixes on the outrageous power consumption of the bitcoin network (failing to compare it to the outrageous power consumption of other networks, for example, networks around banking and payments). It concludes "The only way Bitcoin could reduce its power consumption is through a massive collapse in price.". But there are many ways bitcoin could reduce its power consumption, the most obvious is maybe a progressive reduction in its mining reward, programmed at the core of bitcoin since the beginning. He goes on to transaction limits and concludes "These global volume limits make Bitcoin clearly unsuitable as a public ledger.", failing to mention segwit, the lightning network, and all the debates and forks that hang from the fact that the problem of scalability is central to the community and a lot of people are dedicated to solving it.

This marks the first underling problem in the whole analysis, the paper talks about the state of cryptocurrencies now, but damns the idea as if investing in it could not lead to a desirable future state. 10 years or whatever, blockchain is still young. You can judge ideals and laws now, but to judge the technology you have to wait. And "ideals and laws" is the second underlying problem, it is hard to talk cryptocurrency without politics, and he doesn't even try. The next paragraphs (titled "cryptocurrencies for Payments") demonstrates it, and you don't need to do a lot of reading between the lines.

But I will not talk politics now, to concentrate on things more objective. "irreversibility combined with the volatile price means Bitcoin is significantly inferior to alternatives such as credit cards or PayPal." Again, he is taking into account the volatility it has now (or back then, as now it doesn't have nearly a price as volatile), not the volatile price it would have in the future (especially if it was used by as many as those who use credit cards or paypal). And he later explains why irreversibility is a defect not a feature as intended, in a way that delineates why the defect is in the de facto payment system that bitcoin wants to correct.

Then comes murica-centrism, "Most sensible recipients of a Bitcoin payment immediately convert their payment into dollars". In most countries of the world, converting into dollars is either expensive or illegal, and bitcoin could be a better deposit of value than an unbelievably inflationary local currency. Finally, and ironically, he makes fun of the idea of a deflationary currency because it disincentivizes consumption in favor of savings. I think the effect he proposes is exaggerated but, if it's not, an economy based on consumption is a highly criticized concept anyway. And I would remind him, economics is not his area of expertise.

I could talk about the next section (individual technical risks), but that IS his area of expertise after all. And I could continue with the rest of the paper, but by now you get the idea, I hope.

echoSeptember 7, 2018 10:55 PM

I do have criticisms. I just don't want them to come over in the wrong way. Possibly the easiest general position I feel is to say that people are very good at narrow technical experience and on the social aspects of security which didn't get a mention typically very closed in by experiences too. I noticed these failures in policy discussion and lower levels and within the media too.

In the UK the state sector has a much larger say in the economy than the US and also more social democratic countries within the EU which don't have the left-right religious war over mixed economies that the UK does. In the UK too many regulators and NGOs are captured by the system. Some are positively appalling and so weak as to be simply a rubber stamp and a way for the otherwise talentless to obtain an honour for time served. Because of this and a culture of make it up as you go along and secrecy it's very very rare for a technical analysis to be published which is accessible to the mainstream.

"Feminist security studies" is actually a thing. As useful and informative as it is I don't believe it solves the crux of the problem. The basic issue is that sexurity (or any other field) is always taken over by subjective context which detracts from policy development and analysis and technical tools.

On wikipedia "Security Studies" has one whole page with a bazillion links. The page for "Feminist security studies" is one line!

HmmSeptember 8, 2018 12:44 AM

@Bob

So maybe I'm misunderstanding what I thought I was asking you, but those 3 links you pasted are examples of Bruce directly reporting a blog or news article or topic by virtue of someone else writing about it. Those aren't Bruce's opinions. He's basically journaling those here for our discussion. I don't think they sum up his entire perspective on the respective topics, it would be strange if they did.

"Then comes murica-centrism, "Most sensible recipients of a Bitcoin payment immediately convert their payment into dollars". In most countries of the world, converting into dollars is either expensive or illegal, and bitcoin could be a better deposit of value than an unbelievably inflationary local currency."

That's Krugman?

So you're jumping on "dollars" as opposed to "currency", dollars being a prolific form of that?
Sure, it's centric. US T-notes are centric. The system is centric. His word choice was centric.
He could have said Yuan or Baht or Lira.

So Bruce isn't an expert because he reposted those articles for our consumption?
Is that the logical posit here? I get what you're saying, just not who you attribute it to...


bobSeptember 8, 2018 1:56 AM

@Hmm

Maybe I misunderstood what you asked, but I said what I could answer to, beforehand. I said "Do I have any specifics? Bruce has not written many specifics. Most of the time he says who or what he agrees with, period. I can argue against the opinions he has linked or general ideas he has written".

I don't think they sum up his entire perspective either, but he has said to agree, at least, with Weaver's skepticism (I will add that "skepticism" sounds too good for a paper whose first and last sentences are "Cryptocurrencies, although a seemingly good idea, are not fit for purpose." and "The only winning move is not to play." respectively, "pessimism" fits much better). Bruce has also said that cryptocurrency "is a stupid name" and "cryptocurrencies aren't crypto", more reason to believe a cryptographer has no business talking cryptocurrency. But yes, Bruce is not just a cryptographer, he's also a security expert, among other things. He is not, however, a crytpocurrency expert.

And here comes my point again, I don't need his entire perspective because I'm not arguing against Bruce's opinion, I'm arguing against the presupposition that cryptocurrency is within the field of expertise of cryptographers, security experts, economist, financiers, etc. I'm arguing against listening to their opinion on the matter instead of that of the experts, and against them not referring to the experts when they give their opinion.

What you quote is not Krugman, is me quoting Weaver and adding my opinion. And no, I'm not jumping on dollars as opposed to currency, he could have said yuan or whatever but what I said would apply anyway. I said "bitcoin could be a better deposit of value than an unbelievably inflationary local currency". Murica-centrism in this case comes when he implies that because bitcoin is not as useful in america (or the developed world, for that matter) it's benefits to the rest of the world (most of the world) are unimportant.

"So Bruce isn't an expert because he reposted those articles for our consumption?" No, that's only part of the reason. Saying he agrees with them is another part, but most importantly, Bruce is not an expert because he hasn't developed any cryptocurrency, or written any books on them, or articles for a crytocurrency newsletter, or lived as a trader, etc.

HmmSeptember 8, 2018 2:53 AM

@Bob


"Cryptocurrencies, although a seemingly good idea, are not fit for purpose."

-Which means to my eyes "they have some problems, so going all in is premature now as they exist"

"The only winning move is not to play." = You are gambling, it's unpredictable to invest in.
They're positing you could lose all your money overnight for xyz reasons out of any control.

It's not so out of school. Notice, all Bruce said was he shares the skepticism. Not any particular rhetorical specifics, just shared skepticism. It's not exactly searing.

The skepticism seems to be not uncommon, and though you perhaps could say people doubting CC's are not experts, several CC experts are skeptical of individual implementations also. There are new fundamental issues to consider with CC IN ADDITION to the new code, the implemented wallets themselves, the trading platforms, the governing % bodies, all of it is an attack surface that a year ago didn't exist - and is different in each.

The surety of investments is borne out over time. The security of platforms, ditto. So you may be proven correct that the early hecklers and naysayers are fools, that may come to pass. (I don't think Bruce is one of those.) But notice there are a lot of Orville Wrights out there who are eating a lot of tarmac, too. CC "flight" is not yet a fully achieved and documented thing. You see constant growth after you demonstrate it, and confidence questions don't come back around until a rhetorical crash. This week I think it was a 15% sell off? Maybe it will recover 150% next week. It might be a great investment - but the value is not predictable outside of a ~5 minute window. There are a lack of insurances and a whole new regulatory environment to consider also. These are not trivial nitpicking differences from traditional currencies, this is rubber meeting road.

As value in each platform grows, interest by criminal organizations in attacking that codebase/implementation grows. New issues are discovered, "zombie" wallets and headless transactions. Will each implementation survive and grow like a nominal investment? Probably close to it, %-wise, if you bear in mind how many investments fail overall.

But again, none of this is stuff Bruce said really. Judging him a non-expert based on
"I agree with the skepticism" is maybe kind of rash, don't you think?

Peter S. ShenkinSeptember 8, 2018 10:19 AM

Thanks for this. Thanks also to your interlocutors for asking such great questions.

bobSeptember 8, 2018 5:24 PM

@Hmm

I think you are misinterpreting Weaver, Bruce and me. But I don't wanna be an asshole to you, you have dedicated a good amount of time to this so I don't think it's fair to leave you in silence yet.

I don't see how Weaver's initial and final sentences could be interpreted as you have, even by themselves but specially given the rest of the paper. That Bruce shares Weaver's skepticism is not all that Bruce said, I quoted him in more instances than that of Weaver's skepticism and even if you only take that instance, there's more implied in the words "Weaver's skepticism" than what you said.

And most of my last post was repeating myself because you miss the point, ignore it when I point at it again, even put words in my mouth. "and though you perhaps could say people doubting CC's are not experts, several CC experts are skeptical of individual implementations" No, I could not say people doubting CC's are not experts, I said who are experts and who are not and it has no relation to doubt. And as you say, several CC experts are skeptical, but not only of individual implementations, even of the whole idea! And that's ok! I also agree with what you said in the following paragraphs, but it has little to no relation with what I'm talking about. I'll state what I'm talking about one more time, this time from my last post.

"And here comes my point again, I don't need his entire perspective because I'm not arguing against Bruce's opinion, I'm arguing against the presupposition that cryptocurrency is within the field of expertise of cryptographers, security experts, economist, financiers, etc. I'm arguing against listening to their opinion on the matter instead of that of the experts, and against them not referring to the experts when they give their opinion."

"Judging him a non-expert based on "I agree with the skepticism" is maybe kind of rash" I didn't, i said "most importantly, Bruce is not an expert because he hasn't developed any cryptocurrency, or written any books on them, or articles for a crytocurrency newsletter, or lived as a trader, etc."

SolSeptember 9, 2018 10:35 AM

Dang, I missed the AMA. I wanted to ask Bruce if he still thought that there'll be some sort of meaningful post-Snowden reform against mass surveillance.

HmmSeptember 9, 2018 1:28 PM

"there's more implied in the words "Weaver's skepticism" than what you said."

That's true, but Bruce hasn't fleshed out his agreement with it beyond skepticism.

If you don't want to hear his opinion on CC, don't read it, that's fine, it's your call.
I just find the reasons to be strangely limiting, sort of prejudging in lieu.

Experts are wrong all the time. People deeply embedded in something might be partial.
Go one further, some "experts" have serious financial entanglements involved in it.
There's plenty of meat on the topic for everyone to have a bite.

"Bruce is not an expert because he hasn't developed any cryptocurrency, or written any books on them, or articles for a crytocurrency newsletter, or lived as a trader, etc."

Sure, but does that mean he can't have insights into that landscape? He needs to publish a book on it?

Maybe you're right, you should seek the utmost authority in the field instead...
I just find that rationale limiting and kind of tautological. We agree to disagree.

But I do doubt you'll dissuade him from discussing it on his own blog, anyhow.
At least I hope you don't. I think even non-expert ideas have merit, all the time.

WaelSeptember 9, 2018 7:33 PM

I did a Reddit AMA on Thursday, September 6

Why did you ask about the book "Decoded, by Mai Jia"! Am I getting warmer? Come-on, @Bruce! I can't sleep, Chief!!! At least give us a hint.

bobSeptember 10, 2018 5:31 PM

@Hmm

In the end, as I suspected in the beginning, it appears Bruce does not approve of this discussion. My last response was blocked (and the previous one was filterred for some time) so I won't write another lengthy text. But as closure I want to say, we really can't agree to disagree. I don't say it to put an aggressive stance, but to point again to what I think the problem is. You ignore what I say and argue against a strawman. I don't think you can disagree with something you don't see or point to.

Pascal CretainSeptember 13, 2018 12:17 PM

Shame that I missed the AMA.

My colleagues (security engineers, pen testers, compliance consultants) and I started a chaotic and interesting discussion today, the topic being "Is the internet safer today compared to 10 years ago"? I realize that this is a very broad question, but if you have any off-the-top of your head Boolean-type answer, I would be grateful to hear it.

HmmSeptember 13, 2018 2:05 PM

"Is the internet safer today compared to 10 years ago"

Well, define the use case, define "safer" and define for whom it would be more or less safe?

All users are not equal, all systems are not equal, and the internet is a big place.
If you tried to aggregate all of it you get a "beige" result of little comparative value.

*(IMO)

Clive RobinsonSeptember 14, 2018 12:53 AM

@ Pascal Cretain,

You also want to work out some way of making the comparison.

That is by number of people in the world / country / by connecting / by connected hour / by data sent&received / etc. But do you want that for the attackers or attacked or total...

Then the method used by the attacker of which there are many some of which just need the connection to a vulnerable computer or as in phishing attacks require a vulnerable user...

Then if it's by attack attempt tried / detected / connected / repeled / successfull / etc.

Then by target type ie hardware / OS / app / etc.

Depending on any combination of these will wildly vary your results.

After all there was a time where advise was "use a Mac not a PC" which did not reflect the safty of Apple -v- Microsoft -v- Linux but just who was writting the attacks for script kiddies to use. That is the attackers were concentrating on MS because it had the greatest number of machines on the network and MAC and Linux boxes were seen as not worth bothering with by attackers.

Like any "crime statistic" the figures can be massaged to show what you want.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.