Essays in the Category “Business of Security”

The Future of Incident Response

  • Bruce Schneier
  • IEEE Security & Privacy
  • September/October 2014

Security is a combination of protection, detection, and response. It’s taken the industry a long time to get to this point, though. The 1990s was the era of protection. Our industry was full of products that would protect your computers and network.

A Fraying of the Public/Private Surveillance Partnership

  • Bruce Schneier
  • The Atlantic
  • November 8, 2013

The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users' and customers' data.

Pre-Snowden, there was no downside to cooperating with the NSA.

How Companies Can Protect Against Leakers

  • Bruce Schneier
  • Bloomberg.com
  • August 21, 2013

Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization.

The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people are trustworthy.

The NSA Is Commandeering the Internet

Technology companies have to fight for their users, or they'll eventually lose them.

  • Bruce Schneier
  • The Atlantic
  • August 12, 2013

Danish translation

It turns out that the NSA's domestic and world-wide surveillance apparatus is even more extensive than we thought. Bluntly: The government has commandeered the Internet. Most of the largest Internet companies provide information to the NSA, betraying their users. Some, as we've learned, fight and lose.

You Have No Control Over Security on the Feudal Internet

  • Bruce Schneier
  • Harvard Business Review
  • June 6, 2013

Facebook regularly abuses the privacy of its users. Google has stopped supporting its popular RSS feeder. Apple prohibits all iPhone apps that are political or sexual. Microsoft might be cooperating with some governments to spy on Skype calls, but we don't know which ones.

Take Stop-and-Scan with a Grain of Salt

Security Has Become a For-Profit Business

  • Bruce Schneier
  • New York Daily News
  • March 3, 2013

This is an edited version of a longer essay.

It's a new day for the New York Police Department, with technology increasingly informing the way cops do their jobs. With innovation come new possibilities, but also new concerns.

For one, the NYPD is testing a security apparatus that uses terahertz radiation to detect guns under clothing from a distance. As Police Commissioner Ray Kelly explained back in January, "If something is obstructing the flow of that radiation, for example a weapon, the device will highlight that object."

Ignore, for a moment, the glaring constitutional concerns, which make the stop-and-frisk debate pale in comparison: virtual strip-searching, evasion of probable cause, potential profiling.

Reputation is Everything in IT Security

  • Bruce Schneier
  • The Guardian
  • November 11, 2009

In the past, our relationship with our computers was technical. We cared what CPU they had and what software they ran. We understood our networks and how they worked. We were experts, or we depended on someone else for expertise.

Is Perfect Access Control Possible?

  • Bruce Schneier
  • Information Security
  • September 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant.

Be Careful When You Come to Put Your Trust in the Clouds

Cloud computing may represent the future of computing but users still need to be careful about who is looking after their data

  • Bruce Schneier
  • The Guardian
  • June 4, 2009

This year's overhyped IT concept is cloud computing. Also called software as a service (SaaS), cloud computing is when you run software over the internet and access it via a browser. The salesforce.com customer management software is an example of this. So is Google Docs. If you believe the hype, cloud computing is the future.

How the Great Conficker Panic Hacked into Human Credulity

  • Bruce Schneier
  • The Guardian
  • April 23, 2009

This essay also appeared in the Gulf Times.

Conficker's April Fool's joke -- the huge, menacing build-up and then nothing -- is a good case study on how we think about risks, one whose lessons are applicable far outside computer security. Generally, our brains aren't very good at probability and risk analysis. We tend to use cognitive shortcuts instead of thoughtful analysis.

Blaming The User Is Easy -- But It's Better to Bypass Them Altogether

  • Bruce Schneier
  • The Guardian
  • March 12, 2009

Blaming the victim is common in IT: users are to blame because they don't patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.

People regularly don't do things they are supposed to: changing the oil in their cars, going to the dentist, replacing the batteries in their smoke detectors. Why?

Thwarting an Internal Hacker

  • Bruce Schneier
  • The Wall Street Journal
  • February 16, 2009

Rajendrasinh Makwana was a UNIX contractor for Fannie Mae. On October 24, he was fired. Before he left, he slipped a logic bomb into the organization's network. The bomb would have "detonated" on January 31. It was programmed to disable access to the server on which it was running, block any network monitoring software, systematically and irretrievably erase everything -- and then replicate itself on all 4,000 Fannie Mae servers.

State Data Breach Notification Laws: Have They Helped?

  • Bruce Schneier
  • Information Security
  • January 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law -- "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" -- is just wrong.

Does Risk Management Make Sense?

  • Bruce Schneier
  • Information Security
  • October 2008

This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.

We engage in risk management all the time, but it only makes sense if we do it right.

"Risk management" is just a fancy term for the cost-benefit tradeoff associated with any security decision. It's what we do when we react to fear, or try to make ourselves feel secure.

Security ROI: Fact or Fiction?

Bruce Schneier says ROI is a big deal in business, but it's a misnomer in security. Make sure your financial calculations are based on good data and sound methodologies.

  • Bruce Schneier
  • CSO Magazine
  • September 2, 2008

Return on investment, or ROI, is a big deal in business. Any business venture needs to demonstrate a positive return on investment, and a good one at that, in order to be viable.

It's become a big deal in IT security, too.

Boston Court's Meddling With "Full Disclosure" Is Unwelcome

  • Bruce Schneier
  • Wired
  • August 21, 2008

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.

The Problem Is Information Insecurity

  • Bruce Schneier
  • Security Watch
  • August 10, 2008

Information insecurity is costing us billions. We pay for it in theft: information theft, financial theft. We pay for it in productivity loss, both when networks stop working and in the dozens of minor security inconveniences we all have to endure. We pay for it when we have to buy security products and services to reduce those other two losses.

Why Being Open about Security Makes Us All Safer in the Long Run

  • Bruce Schneier
  • The Guardian
  • August 7, 2008

German translation

London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing. People might be able to use this information to ride for free, but the sky won't be falling. And the publication of this serious vulnerability actually makes us all safer in the long run.

Software Makers Should Take Responsibility

  • Bruce Schneier
  • The Guardian
  • July 17, 2008

A recent study of Internet browsers worldwide discovered that over half – 52% – of Internet Explorer users weren't using the current version of the software. For other browsers the numbers were better, but not much: 17% of Firefox users, 35% of Safari users, and 44% of Opera users were using an old version.

This is particularly important because browsers are an increasingly common vector for internet attacks, and old versions of browsers don't have all their security patches up to date. They're open to attack through vulnerabilities the vendors have already fixed.

I've Seen the Future, and It Has a Kill Switch

  • Bruce Schneier
  • Wired
  • June 26, 2008

It used to be that just the entertainment industries wanted to control your computers -- and televisions and iPods and everything else -- to ensure that you didn't violate any copyright rules. But now everyone else wants to get their hooks into your gear.

OnStar will soon include the ability for the police to shut off your engine remotely. Buses are getting the same capability, in case terrorists want to re-enact the movie Speed.

The Pros and Cons of LifeLock

  • Bruce Schneier
  • Wired
  • June 12, 2008

LifeLock, one of the companies that offers identity-theft protection in the United States, has been taking quite a beating recently. They're being sued by credit bureaus, competitors and lawyers in several states that are launching class action lawsuits. And the stories in the media ... it's like a piranha feeding frenzy.

Why Do We Accept Signatures by Fax?

  • Bruce Schneier
  • Wired
  • May 29, 2008

Russian translation

Aren't fax signatures the weirdest thing? It's trivial to cut and paste -- with real scissors and glue -- anyone's signature onto a document so that it'll look real when faxed. There is so little security in fax signatures that it's mind-boggling that anyone accepts them.

Yet people do, all the time.

How to Sell Security

  • Bruce Schneier
  • CIO
  • May 26, 2008

It's a truism in sales that it's easier to sell someone something he wants than a defense against something he wants to avoid. People are reluctant to buy insurance, or home security devices, or computer security anything. It's not they don't ever buy these things, but it's an uphill struggle.

The reason is psychological.

Prediction: RSA Conference Will Shrink Like a Punctured Balloon

  • Bruce Schneier
  • Wired
  • April 17, 2008

Last week was the RSA Conference, easily the largest information security conference in the world. More than 17,000 people descended on San Francisco's Moscone Center to hear some of the more than 250 talks, attend I-didn't-try-to-count parties, and try to evade over 350 exhibitors vying to sell them stuff.

Talk to the exhibitors, though, and the most common complaint is that the attendees aren't buying.

It's not the quality of the wares.

Consolidation: Plague or Progress

  • Bruce Schneier
  • Information Security
  • March 2008

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution.

With iPhone, 'Security' Is Code for 'Control'

  • Bruce Schneier
  • Wired
  • February 7, 2008

Buying an iPhone isn't the same as buying a car or a toaster. Your iPhone comes with a complicated list of rules about what you can and can't do with it. You can't install unapproved third-party applications on it. You can't unlock it and use it with the cellphone carrier of your choice.

The Death of the Security Industry

  • Bruce Schneier
  • IEEE Security & Privacy
  • November/December 2007

The hardest thing about working in IT security is convincing users to buy our technologies. An enormous amount of energy has been focused on this problem—risk analyses, ROI models, audits—yet critical technologies still remain uninstalled and important networks remain insecure. I’m constantly asked how to solve this by frustrated security vendors and—sadly—I have no good answer. But I know the problem is temporary: in the long run, the information security industry as we know it will disappear.

Paying the Cost of Insecure Software

Having a liability clause is one good way to make sure that software vendors fix the security glitches in their products.

  • Bruce Schneier
  • OutlookBusiness
  • October 5, 2007

Information insecurity is costing us billions. We pay for it—year after year—when we buy security products and services. But all the money we spend isn't fixing the problem, which is insecure software. Typically, such software is badly designed and inadequately tested, comprising poorly implemented features and security vulnerabilities.

Do We Really Need a Security Industry?

  • Bruce Schneier
  • Wired
  • May 3, 2007

Last week I attended the Infosecurity Europe conference in London. Like at the RSA Conference in February, the show floor was chockablock full of network, computer and information security companies. As I often do, I mused about what it means for the IT industry that there are thousands of dedicated security products on the market: some good, more lousy, many difficult even to describe. Why aren't IT products and services naturally secure, and what would it mean for the industry if they were?

Bruce Schneier: Privatizing the Police Puts Us at Greater Risk

Abuses of power and brutality are likelier among private security guards

  • Bruce Schneier
  • Minneapolis Star Tribune
  • February 27, 2007

In Raleigh, N.C., employees of Capitol Special Police patrol apartment buildings, a bowling alley and nightclubs, stopping suspicious people, searching their cars and making arrests.

Sounds like a good thing, but Capitol Special Police isn't a police force at all -- it's a for-profit security company hired by private property owners.

This isn't unique. Private security guards outnumber real police more than 5-1, and increasingly act like them.

Information Security and Externalities

  • Bruce Schneier
  • ENISA (European Network and Information Security Agency) Quarterly
  • January 2007

This essay is an update of "Information security: How liable should vendors be?", Computerworld, October 28, 2004.

Information insecurity is costing us billions. There are many different ways in which we pay for information insecurity. We pay for it in theft, such as information theft, financial theft and theft of service. We pay for it in productivity loss, both when networks stop functioning and in the dozens of minor security inconveniences we all have to endure on a daily basis.

My Data, Your Machine

  • Bruce Schneier
  • Wired
  • November 30, 2006

Consider two different security problems. In the first, you store your valuables in a safe in your basement. The threat is burglars, of course. But the safe is yours, and the house is yours, too.

Do Federal Security Regulations Help?

  • Bruce Schneier
  • Information Security
  • November 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum.

Regulation is all about economics. Here's the theory. In a capitalist system, companies make decisions based on their own self-interest. This isn't a bad thing; it's actually a very good thing.

Quickest Patch Ever

  • Bruce Schneier
  • Wired
  • September 7, 2006

If you really want to see Microsoft scramble to patch a hole in its software, don't look to vulnerabilities that impact countless Internet Explorer users or give intruders control of thousands of Windows machines. Just crack Redmond's DRM.

Security patches used to be rare. Software vendors were happy to pretend that vulnerabilities in their products were illusory -- and then quietly fix the problem in the next software release.

Are Security Certifications Valuable?

  • Bruce Schneier
  • Information Security
  • July 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum.

I've long been hostile to certifications -- I've met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I've come to believe that, while certifications aren't perfect, they're a decent way for a security professional to learn some of the things he's going to know, and a potential employer to assess whether a job candidate has the security expertise he's going to need to know.

What's changed? Both the job requirements and the certification programs.

Everyone Wants to 'Own' Your PC

  • Bruce Schneier
  • Wired
  • May 4, 2006

Danish translation

When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer.

The Anti-ID-Theft Bill That Isn't

  • Bruce Schneier
  • Wired
  • April 20, 2006

California was the first state to pass a law requiring companies that keep personal data to disclose when that data is lost or stolen. Since then, many states have followed suit. Now Congress is debating federal legislation that would do the same thing nationwide.

Except that it won't do the same thing: The federal bill has become so watered down that it won't be very effective.

Fighting Fat-Wallet Syndrome

  • Bruce Schneier
  • Wired
  • February 9, 2006

I don't know about your wallet, but mine contains a driver's license, three credit cards, two bank ATM cards, frequent-flier cards for three airlines and frequent-guest cards for three hotel chains, membership cards to two airline clubs, a library card, a AAA card, a Costco membership, and a bunch of other ID-type cards.

Any technologist who looks at the pile would reasonably ask: why all those cards? Most of them are not intended to be hard-to-forge identification cards; they're simply ways of carrying around unique numbers that are pointers into a database. Why does Visa bother issuing credit cards in the first place?

Real Story of the Rogue Rootkit

  • Bruce Schneier
  • Wired
  • November 17, 2005

Spanish translation

It's a David and Goliath story of the tech blogs defeating a mega-corporation.

On Oct. 31, Mark Russinovich broke the story in his blog: Sony BMG Music Entertainment distributed a copy-protection scheme with music CDs that secretly installed a rootkit on computers. This software tool is run without your knowledge or consent -- if it's loaded on your computer with a CD, a hacker can gain and maintain access to your system and you wouldn't know it.

The Sony code modifies Windows so you can't tell it's there, a process called "cloaking" in the hacker world.

Make Businesses Pay in Credit Card Scam

  • Bruce Schneier
  • New York Daily News
  • June 23, 2005

The epidemic of personal data thefts and losses - most recently 40 million individuals by Visa and MasterCard - should concern us for two reasons: personal privacy and identity theft.

Real reform is required to solve these problems. We need to reduce the amount of personal information collected, limit how it can be used and resold, and require companies that mishandle our data to be liable for that mishandling. And, most importantly, we need to make financial institutions liable for fraudulent transactions.

Two-Factor Authentication: Too Little, Too Late

  • Bruce Schneier
  • Communications of the ACM
  • April 2005

Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions.

Authentication and Expiration

  • Bruce Schneier
  • IEEE Security & Privacy
  • January/February 2005

There's a security problem with many Internet authentication systems that's never talked about: there's no way to terminate the authentication.

A couple of months ago, I bought something from an e-commerce site. At the checkout page, I wasn't able to just type in my credit-card number and make my purchase. Instead, I had to choose a username and password.

Hacking the Business Climate for Network Security

  • Bruce Schneier
  • IEEE Computer
  • April 2004

Computer security is at a crossroads. It's failing, regularly, and with increasingly serious results. CEOs are starting to notice. When they finally get fed up, they'll demand improvements.

Con: Trust, but verify, Microsoft's pledge

  • Bruce Schneier
  • CNET News.com
  • January 18, 2002

Microsoft Chairman Bill Gates should be given credit for making security and privacy a top priority for his legions of engineers, but we'll have to wait to see if his call represents a real change or just another marketing maneuver.

Microsoft has made so many empty claims about its security processes--and the security of its processes--that when I hear another one, I can't help believing it's more of the same flim-flam.

Anyone remember last November when Microsoft's Jim Allchin, group vice president, said in a published interview that all buffer overflows were eliminated in Windows XP? Or that the new operating system installed in a minimalist way, with features turned off by default?

The Case for Outsourcing Security

  • Bruce Schneier
  • IEEE Computer
  • 2002

Deciding to outsource network security is difficult. The stakes are high, so it's no wonder that paralysis is a common reaction when contemplating whether to outsource or not:

  • The promised benefits of outsourced security are so attractive. The potential to significantly increase network security without hiring half a dozen people or spending a fortune is impossible to ignore.
  • The potential risks of outsourcing are considerable. Stories of managed security companies going out of business, and bad experiences with outsourcing other areas of IT, show that selecting the wrong outsourcer can be a costly mistake.

If deciding whether to outsource security is difficult, deciding what to outsource and to whom seems impossible.

Insurance and the Computer Industry

  • Bruce Schneier
  • Communications of the ACM
  • March 2001

In the future, the computer security industry will be run by the insurance industry. I don't mean insurance companies will start selling firewalls, but rather the kind of firewall you use--along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use--will be strongly influenced by the constraints of insurance.

Consider security and safety in the real world. Businesses don't install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates.

The Insurance Takeover

  • Bruce Schneier
  • Information Security
  • February 2001

Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use--along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use--will be strongly influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don't install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates.

Risks of PKI: Electronic Commerce

  • Carl Ellison and Bruce Schneier
  • Communications of the ACM
  • February 2000

Open any popular article on public-key infrastructure (PKI) and you're likely to read that a PKI is desperately needed for E-commerce to flourish. Don't believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order if you don't have a certificate and even if you don't use a secure connection.

A Plea for Simplicity

You can't secure what you don't understand.

  • Bruce Schneier
  • Information Security
  • November 19, 1999

Ask any 21 experts to predict the future, and they're likely to point in 21 different directions. But whatever the future holds--IP everywhere, smart cards everywhere, video everywhere, Internet commerce everywhere, wireless everywhere, agents everywhere, AI everywhere, everything everywhere--the one thing you can be sure of is that it will be complex. For consumers, this is great. For security professionals, this is terrifying.

Web-Based Encrypted E-Mail

  • Bruce Schneier
  • ZDNet
  • August 1999

A version of this essay appeared on ZDNet.com.

The idea is enticing. Just as you can log onto Hotmail with your browser to send and receive e-mail, there are Web sites you can log on to to send and receive encrypted e-mail. HushMail, ZipLip, YNN-mail, ZixMail. No software to download and install...it just works.

But how well?

Intel's Processor ID

  • Bruce Schneier
  • ZDNet News
  • January 26, 1999

Last month Intel Corp. announced that its new processor chips would come equipped with ID numbers, a unique serial number burned into the chip during manufacture. Intel said that this ID number will help facilitate e-commerce, prevent fraud and promote digital content protection.

Unfortunately, it doesn't do any of these things.

To see the problem, consider this analogy: Imagine that every person was issued a unique identification number on a national ID card.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.