Essays: 2008 Archives

How to Prevent Digital Snooping

  • Bruce Schneier
  • The Wall Street Journal
  • December 9, 2008

As the first digital president, Barack Obama is learning the hard way how difficult it can be to maintain privacy in the information age. Earlier this year, his passport file was snooped by contract workers in the State Department. In October, someone at Immigration and Customs Enforcement leaked information about his aunt's immigration status. And in November, Verizon employees peeked at his cellphone records.

When You Lose a Piece of Kit, the Real Loss Is The Data It Contains

  • Bruce Schneier
  • The Guardian
  • December 4, 2008

These days, losing electronic devices is less about the hardware and more about the data. Hardly a week goes by without another newsworthy data loss. People leave thumb drives, memory sticks, mobile phones and even computers everywhere. And some of that data isn't easily replaceable.

Why Obama Should Keep His BlackBerry -- But Won't

  • Bruce Schneier
  • The Wall Street Journal
  • November 21, 2008

When he becomes president, Barack Obama will have to give up his BlackBerry. Aides are concerned that his unofficial conversations would become part of the presidential record, subject to subpoena and eventually made public as part of the country's historical record.

This reality of the information age might be particularly stark for the president, but it's no less true for all of us. Conversation used to be ephemeral.

America's Next Top Hash Function Begins

  • Bruce Schneier
  • Wired
  • November 19, 2008

You might not have realized it, but the next great battle of cryptography began this month. It's not a political battle over export laws or key escrow or NSA eavesdropping, but an academic battle over who gets to be the creator of the next hash standard.

Hash functions are the most commonly used cryptographic primitive, and the most poorly understood. You can think of them as fingerprint functions: They take an arbitrary long data stream and return a fixed length, and effectively unique, string.

Passwords Are Not Broken, but How We Choose them Sure Is

  • Bruce Schneier
  • The Guardian
  • November 13, 2008

This essay also appeared in The Hindu.

I've been reading a lot about how passwords are no longer good security. The reality is more complicated. Passwords are still secure enough for many applications, but you have to choose a good one.

CRB Checking

  • Bruce Schneier
  • November 8, 2008

Since the UK's Criminal Records Bureau (CRB) was established in 2002, an ever-increasing number of people are required to undergo a "CRB check" before they can interact with children. It's not only teachers and daycare providers, but football coaches, scoutmasters and Guiders, church volunteers, bus drivers, and school janitors -- 3.4 million checks in 2007, 15 million since 2002. In 2009, it will include anyone who works or volunteers in a position where he or she comes into contact with children: 11.3 million people, or a quarter of the adult population.

This might make sense if it worked, but it doesn't.

Time to Show Bottle and Tackle the Real Issues

  • Bruce Schneier
  • The Guardian
  • October 23, 2008

This essay also appeared in the Taipei Times.

Airport security found a bottle of saline in my luggage at Heathrow Airport last month. It was a 4 oz bottle, slightly above the 100 ml limit. Airport security in the United States lets me through with it all the time, but UK security was stricter.

Quantum Cryptography: As Awesome As It Is Pointless

  • Bruce Schneier
  • Wired
  • October 16, 2008

Quantum cryptography is back in the news, and the basic idea is still unbelievably cool, in theory, and nearly useless in real life.

The idea behind quantum crypto is that two people communicating using a quantum channel can be absolutely sure no one is eavesdropping. Heisenberg's uncertainty principle requires anyone measuring a quantum system to disturb it, and that disturbance alerts legitimate users as to the eavesdropper's presence. No disturbance, no eavesdropper — period.

Why Society Should Pay the True Costs of Security

  • Bruce Schneier
  • The Guardian
  • October 2, 2008

It's not true that no one worries about terrorists attacking chemical plants. It's just that our politics seem to leave us unable to deal with the threat. Toxins such as ammonia, chlorine, propane and flammable mixtures are being produced or stored as a result of legitimate industrial processes. Chlorine gas is particularly toxic; in addition to bombing a plant, someone could hijack a chlorine truck or blow up a railcar.

The Seven Habits of Highly Ineffective Terrorists

  • Bruce Schneier
  • Wired
  • October 1, 2008

Most counterterrorism policies fail, not because of tactical problems, but because of a fundamental misunderstanding of what motivates terrorists in the first place. If we're ever going to defeat terrorism, we need to understand what drives people to become terrorists in the first place.

Conventional wisdom holds that terrorism is inherently political, and that people become terrorists for political reasons. This is the "strategic" model of terrorism, and it's basically an economic model.

Does Risk Management Make Sense?

  • Bruce Schneier
  • Information Security
  • October 2008

This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.

We engage in risk management all the time, but it only makes sense if we do it right.

"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure.

Airport Pasta-Sauce Interdiction Considered Harmful

  • Bruce Schneier
  • Wired
  • September 18, 2008

Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.

There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane.

A Fetishistic Approach to Security Is a Perverse Way to Keep Us Safe

  • Bruce Schneier
  • The Guardian
  • September 4, 2008

We spend far more effort defending our countries against specific movie-plot threats, rather than the real, broad threats. In the US during the months after the 9/11 attacks, we feared terrorists with scuba gear, terrorists with crop dusters and terrorists contaminating our milk supply. Both the UK and the US fear terrorists with small bottles of liquid. Our imaginations run wild with vivid specific threats.

How to Create the Perfect Fake Identity

  • Bruce Schneier
  • Wired
  • September 4, 2008

Let me start off by saying that I'm making this whole thing up.

Imagine you're in charge of infiltrating sleeper agents into the United States. The year is 1983, and the proliferation of identity databases is making it increasingly difficult to create fake credentials. Ten years ago, someone could have just shown up in the country and gotten a driver's license, Social Security card and bank account -- possibly using the identity of someone roughly the same age who died as a young child -- but it's getting harder.

Security ROI: Fact or Fiction?

Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.

  • Bruce Schneier
  • CSO Magazine
  • September 2, 2008

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It's become a big deal in IT security, too.

Here Comes Here Comes Everybody

Book Review of Here Comes Everybody: The Power of Organizing Without Organizations
By Clay Shirky
Penguin Press: 2008. 336 pp. $25.95, ISBN: 978-159420153-0

  • Bruce Schneier
  • IEEE Spectrum
  • September 2008

In 1937, Ronald Coase answered one of the most perplexing questions in economics: if markets are so great, why do organizations exist? Why don't people just buy and sell their own services in a market instead?

The TSA's Useless Photo ID Rules

No-fly lists and photo IDs are supposed to help protect the flying public from terrorists. Except that they don't work.

  • Bruce Schneier
  • Los Angeles Times
  • August 28, 2008

The TSA is tightening its photo ID rules at airport security. Previously, people with expired IDs or who claimed to have lost their IDs were subjected to secondary screening. Then the Transportation Security Administration realized that meant someone on the government's no-fly list -- the list that is supposed to keep our planes safe from terrorists -- could just fly with no ID.

Boston Court's Meddling With "Full Disclosure" Is Unwelcome

  • Bruce Schneier
  • Wired
  • August 21, 2008

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The Problem Is Information Insecurity

  • Bruce Schneier
  • Security Watch
  • August 10, 2008

Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses.

Memo to Next President: How to Get Cybersecurity Right

  • Bruce Schneier
  • Wired
  • August 7, 2008

Obama has a cybersecurity plan.

It's basically what you would expect: Appoint a national cybersecurity adviser, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security, the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is.

Why Being Open about Security Makes Us All Safer in the Long Run

  • Bruce Schneier
  • The Guardian
  • August 7, 2008

German translation

London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Lesson From the DNS Bug: Patching Isn't Enough

  • Bruce Schneier
  • Wired
  • July 23, 2008

Despite the best efforts of the security community, the details of a critical internet vulnerability discovered by Dan Kaminsky about six months ago have leaked. Hackers are racing to produce exploit code, and network operators who haven't already patched the hole are scrambling to catch up. The whole mess is a good illustration of the problems with researching and disclosing flaws like this.

The details of the vulnerability aren't important, but basically it's a form of DNS cache poisoning.

Software Makers Should Take Responsibility

  • Bruce Schneier
  • The Guardian
  • July 17, 2008

A recent study of Internet browsers worldwide discovered that over half – 52% – of Internet Explorer users weren't using the current version of the software. For other browsers the numbers were better, but not much: 17% of Firefox users, 35% of Safari users, and 44% of Opera users were using an old version.

This is particularly important because browsers are an increasingly common vector for internet attacks, and old versions of browsers don't have all their security patches up to date. They're open to attack through vulnerabilities the vendors have already fixed.

How a Classic Man-in-the-Middle Attack Saved Colombian Hostages

  • Bruce Schneier
  • Wired
  • July 10, 2008

Last week's dramatic rescue of 15 hostages held by the guerrilla organization FARC was the result of months of intricate deception on the part of the Colombian government. At the center was a classic man-in-the-middle attack.

In a man-in-the-middle attack, the attacker inserts himself between two communicating parties. Both believe they're talking to each other, and the attacker can delete or modify the communications at will.

How the Human Brain Buys Security

  • Bruce Schneier
  • IEEE Security & Privacy
  • July/August 2008

People tend to be risk-averse when it comes to gains, and risk-seeking when it comes to losses. If you give people a choice between a $500 sure gain and a coin-flip chance of a $1,000 gain, about 75 percent will pick the sure gain. But give people a choice between a $500 sure loss and a coin-flip chance of a $1,000 loss, about 75 percent will pick the coin flip.

People don't have a standard mathematical model of risk in their heads.

Chinese Cyberattacks: Myth or Menace?

  • Bruce Schneier
  • Information Security
  • July 2008

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

The popular media narrative is that there is a coordinated attempt by the Chinese government to hack into U.S. computers--military, government, corporate--and steal secrets. The truth is a lot more complicated.

CCTV Doesn't Keep Us Safe, Yet the Cameras Are Everywhere

  • Bruce Schneier
  • The Guardian
  • June 26, 2008

Pervasive security cameras don't substantially reduce crime. There are exceptions, of course, and that's what gets the press. Most famously, CCTV cameras helped catch James Bulger's murderers in 1993. And earlier this year, they helped convict Steve Wright of murdering five women in the Ipswich area.

I've Seen the Future, and It Has a Kill Switch

  • Bruce Schneier
  • Wired
  • June 26, 2008

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear.

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed.

The Truth About Chinese Hackers

  • Bruce Schneier
  • Discovery Technology
  • June 19, 2008

The scoop: Last week, Rep. Frank Wolf, a Virginia Republican, said four of his government computers had been hacked by sources working out of China. Bruce Schneier, an internationally renowned security technologist, gives us his take on what went down.

The popular media concept is that there is a coordinated attempt by the Chinese government to hack into U.S. computers -- military, government, corporate -- and steal secrets. The truth is a lot more complicated.

The Pros and Cons of LifeLock

  • Bruce Schneier
  • Wired
  • June 12, 2008

LifeLock, one of the companies that offers identity-theft protection in the United States, has been taking quite a beating recently. They're being sued by credit bureaus, competitors and lawyers in several states that are launching class action lawsuits. And the stories in the media ... it's like a piranha feeding frenzy.

Are Photographers Really a Threat?

  • Bruce Schneier
  • The Guardian
  • June 4, 2008

What is it with photographers these days? Are they really all terrorists, or does everyone just think they are?

Since 9/11, there has been an increasing war on photography. Photographers have been harassed, questioned, detained, arrested or worse, and declared to be unwelcome.

Why Do We Accept Signatures by Fax?

  • Bruce Schneier
  • Wired
  • May 29, 2008

Russian translation

Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them.

Yet people do, all the time.

How to Sell Security

  • Bruce Schneier
  • CIO
  • May 26, 2008

It's a truism in sales that it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not that they don't ever buy these things, but it's an uphill struggle.

The reason is psychological.

Our Data, Ourselves

  • Bruce Schneier
  • Wired
  • May 15, 2008

Dutch version by Jeroen van der Ham

In the information age, we all have a data shadow.

We leave data everywhere we go. It's not just our bank accounts and stock portfolios, or our itemized bills, listing every credit card purchase and telephone call we make. It's automatic road-toll collection systems, supermarket affinity cards, ATMs and so on.

Crossing Borders with Laptops and PDAs

  • Bruce Schneier
  • The Guardian
  • May 15, 2008

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you're entering the country. They can take your computer and download its entire contents, or keep it for several days. Customs and Border Patrol has not published any rules regarding this practice, and I and others have written a letter to Congress urging it to investigate and regulate this practice.

But the US is not alone.

America's Dilemma: Close Security Holes, or Exploit Them Ourselves

  • Bruce Schneier
  • Wired
  • May 1, 2008

On April 27, 2007, Estonia was attacked in cyberspace. Following a diplomatic incident with Russia about the relocation of a Soviet World War II memorial, the networks of many Estonian organizations, including the Estonian parliament, banks, ministries, newspapers and broadcasters, were attacked and -- in many cases -- shut down. Estonia was quick to blame Russia, which was equally quick to deny any involvement.

It was hyped as the first cyberwar: Russia attacking Estonia in cyberspace.

The Ethics of Vulnerability Research

  • Bruce Schneier
  • Information Security
  • May 2008

Vietnamese translation

The standard way to take control of someone else's computer is by exploiting a vulnerability in a software program on it. This was true in the 1960s when buffer overflows were first exploited to attack computers. It was true in 1988 when the Morris worm exploited a Unix vulnerability to attack computers on the Internet, and it's still how most modern malware works.

Vulnerabilities are software mistakes--mistakes in specification and design, but mostly mistakes in programming.

Prediction: RSA Conference Will Shrink Like a Punctured Balloon

  • Bruce Schneier
  • Wired
  • April 17, 2008

Last week was the RSA Conference, easily the largest information security conference in the world. More than 17,000 people descended on San Francisco's Moscone Center to hear some of the more than 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares.

Secret Questions Blow a Hole in Security

  • Bruce Schneier
  • ComputerWeekly
  • April 4, 2008

It's a mystery to me why websites think "secret questions" are a good idea. We sign up for an online service, choose a hard-to-guess (and equally hard-to-remember) password, and are then presented with a "secret question" to answer.

Twenty years ago, there was just one secret question: what's your mother's maiden name? Today, there are several: what street did you grow up on?

The Difference Between Feeling and Reality in Security

  • Bruce Schneier
  • Wired
  • April 3, 2008

Security is both a feeling and a reality, and they're different. You can feel secure even though you're not, and you can be secure even though you don't feel it. There are two different concepts mapped onto the same word -- the English language isn't working very well for us here -- and it can be hard to know which one we're talking about when we use the word.

There is considerable value in separating out the two concepts: in explaining how the two are different, and understanding when we're referring to one and when the other.

Inside the Twisted Mind of the Security Professional

  • Bruce Schneier
  • Wired
  • March 20, 2008

Uncle Milton Industries has been selling ant farms to children since 1956. Some years ago, I remember opening one up with a friend. There were no actual ants included in the box. Instead, there was a card that you filled in with your address, and the company would mail you some ants.

Census of Cyberspace Censoring

Book Review of Access Denied
Edited by Ronald Deibert, John Palfrey, Rafal Rohozinski and Jonathan Zittrain
MIT Press: 2008. 320 pp. $20.00, £12.95

  • Bruce Schneier
  • Nature
  • March 13, 2008

China restricts Internet access by keyword.

In 1993, Internet pioneer John Gilmore said "the net interprets censorship as damage and routes around it", and we believed him.

The Myth of the "Transparent Society"

  • Bruce Schneier
  • Wired
  • March 6, 2008

Danish translation

When I write and speak about privacy, I am regularly confronted with the mutual disclosure argument. Explained in books like David Brin's The Transparent Society, the argument goes something like this: In a world of ubiquitous surveillance, you'll know all about me, but I will also know all about you. The government will be watching us, but we'll also be watching the government. This is different than before, but it's not automatically worse.

Consolidation: Plague or Progress

  • Bruce Schneier
  • Information Security
  • March 2008

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution.

Bruce Schneier: Security at What Cost?

National ID System Is Not Worth The $23 Billion Price Tag

  • Bruce Schneier
  • Minneapolis Star Tribune
  • February 23, 2008

The argument was so obvious it hardly needed repeating: We would all be safer if we had a better ID card. A good, hard-to-forge national ID is a no-brainer (or so the argument goes), and it's ridiculous that a modern country such as the United States doesn't have one. One result of this line of thinking is the planned Real ID Act, which forces all states to conform to common and more stringent rules for issuing driver's licenses.

But security is always a tradeoff; it must be balanced with the cost.

When the Internet Is My Hard Drive, Should I Trust Third Parties?

  • Bruce Schneier
  • Wired
  • February 21, 2008

Wine Therapy is a web bulletin board for serious wine geeks. It's been active since 2000, and its database of back posts and comments is a wealth of information: tasting notes, restaurant recommendations, stories and so on. Late last year someone hacked the board software, got administrative privileges and deleted the database. There was no backup.

Driver's Licenses for Immigrants: Denying Licenses Makes Us Less Safe

  • Bruce Schneier
  • Detroit Free Press
  • February 7, 2008

Many people say that allowing illegal aliens to obtain state driver's licenses helps them and encourages them to remain illegally in this country. Michigan Attorney General Mike Cox late last year issued an opinion that licenses could be issued only to legal state residents, calling it "one more tool in our initiative to bolster Michigan's border and document security."

In reality, we are a much more secure nation if we do issue driver's licenses and/or state IDs to every resident who applies, regardless of immigration status. Issuing them doesn't make us any less secure, and refusing puts us at risk.

The state driver's license databases are the only comprehensive databases of U.S.

With iPhone, 'Security' Is Code for 'Control'

  • Bruce Schneier
  • Wired
  • February 7, 2008

Buying an iPhone isn't the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can't do with it. You can't install unapproved third-party applications on it. You can't unlock it and use it with the cellphone carrier of your choice.

What Our Top Spy Doesn't Get: Security and Privacy Aren't Opposites

  • Bruce Schneier
  • Wired
  • January 24, 2008

Danish translation

If there's a debate that sums up post-9/11 politics, it's security versus privacy. Which is more important? How much privacy are you willing to give up for security? Can we even afford privacy in this age of insecurity?

The Psychology of Security (Part 2)

  • Bruce Schneier
  • January 18, 2008

The Availability Heuristic

The "availability heuristic" is very broad, and goes a long way toward explaining how people deal with risk and trade-offs. Basically, the availability heuristic means that people "assess the frequency of a class or the probability of an event by the ease with which instances or occurrences can be brought to mind."[28] In other words, in any decision-making process, easily remembered (available) data are given greater weight than hard-to-remember data.

In general, the availability heuristic is a good mental shortcut. All things being equal, common events are easier to remember than uncommon ones.

The Psychology of Security (Part 1)

  • Bruce Schneier
  • January 18, 2008

Introduction

Security is both a feeling and a reality. And they're not the same.

The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits.

Steal This Wi-Fi

  • Bruce Schneier
  • Wired
  • January 10, 2008

Whenever I talk or write about my own security setup, the one thing that surprises people -- and attracts the most criticism -- is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.