Essays: 2011 Archives

Detecting Cheaters

  • Bruce Schneier
  • IEEE Security & Privacy
  • March/April 2011

Our brains are specially designed to deal with cheating in social exchanges. The evolutionary psychology explanation is that we evolved brain heuristics for the social problems that our prehistoric ancestors had to deal with. Once humans became good at cheating, they then had to become good at detecting cheating -- otherwise, the social group would fall apart.

Perhaps the most vivid demonstration of this can be seen with variations on what's known as the Wason selection task, named after the psychologist who first studied it.


Why Terror Alert Codes Never Made Sense

  • Bruce Schneier
  • CNN
  • January 28, 2011

The Department of Homeland Security is getting rid of the color-coded threat level system. It was introduced after 9/11, and was supposed to tell you how likely a terrorist attack might be. Except that it never did.

Attacks happened more often when the level was yellow ("significant risk") than when it was orange ("high risk").


Schneier-Ranum Face-Off on Whitelisting and Blacklisting

  • Bruce Schneier
  • Information Security
  • January 2011

This essay appeared as the second half of a point/counterpoint with Marcus Ranum.

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn't -- but because it's a security system that can be implemented automatically, without people.

To find blacklists in the real world, you have to start looking at environments where almost everyone is allowed.
