Essays Tagged "Information Security"

Do Federal Security Regulations Help?

  • Bruce Schneier
  • Information Security
  • November 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum.

Regulation is all about economics. Here’s the theory. In a capitalist system, companies make decisions based on their own self-interest. This isn’t a bad thing; it’s actually a very good thing. We don’t want companies to act as public charities; we want them to act as for-profit entities. But there are often effects of company decisions that are not borne by the companies; these are known as “externalities” to the decision. Companies aren’t going to take externalities into account, because, well, because they’re someone else’s problem. If we as a society want externalities to factor into company decisions, then we have to make those externalities internal. Once we do that, the natural engine of capitalism will take over…

Is There Strategic Software?

  • Bruce Schneier
  • Information Security
  • September 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.

If you define “critical infrastructure” as “things essential for the functioning of a society and economy,” then software is critical infrastructure. For many companies and individuals, if their computers stop working then they stop working.

It’s a situation that sneaked up on us. Everyone knew that the software that flies 747s or targets cruise missiles is critical, but who thought of the airlines’ weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where? These sorts of systems are more vulnerable around the edges than they are head-on. And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today, we find ourselves in a position where a well-positioned flaw in Windows or Cisco routers or Apache could seriously affect the economy. (Some researchers have suggested that well-designed worms could overwhelm the Internet in fifteen minutes.)…

Are Security Certifications Valuable?

  • Bruce Schneier
  • Information Security
  • July 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum.

I’ve long been hostile to certifications—I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I’ve come to believe that, while certifications aren’t perfect, they’re a decent way for a security professional to learn some of the things he’s going to know, and a potential employer to assess whether a job candidate has the security expertise he’s going to need to know.

What’s changed? Both the job requirements and the certification programs…

Is User Education Working?

  • Bruce Schneier
  • Information Security
  • April 2006

This essay appeared as part of a point-counterpoint with Marcus Ranum. Marcus’s side can be found on his website.

Marcus, you ignorant slut.

Okay; that’s unfair. You’re not ignorant. You understand technology and security. You’ve spent years steeping in the stuff. You’re fluent in computers – and most importantly – in computer security.

The average users are not. They might be fluent in spreadsheets, or eBay, or sending stupid jokes over e-mail; but they’re not technologists, let alone security people. So of course they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile…

The Insurance Takeover

  • Bruce Schneier
  • Information Security
  • February 2001

Eventually, the insurance industry will subsume the computer security industry. Not that insurance companies will start marketing security products, but rather that the kind of firewall you use—along with the kind of authentication scheme you use, the kind of operating system you use and the kind of network monitoring scheme you use—will be strongly influenced by the constraints of insurance.

Consider security, and safety, in the real world. Businesses don’t install building alarms because it makes them feel safer; they do it to get a reduction in their insurance rates. Building owners don’t install sprinkler systems out of affection for their tenants, but because building codes and insurance policies demand it. Deciding what kind of theft and fire prevention equipment to install are risk management decisions, and the risk taker of last resort is the insurance industry…

The Fallacy of Trusted Client Software

  • Bruce Schneier
  • Information Security
  • August 2000

Controlling what a user can do with a piece of data assumes a trust paradigm that doesn’t exist in the real world. Software copy protection, intellectual property theft, digital watermarking—different companies claim to solve different parts of this growing problem. Some companies market e-mail security solutions in which the e-mail cannot be read after a certain date, effectively “deleting” it. Other companies sell rights-management software: audio and video files that can’t be copied or redistributed, data that can be read but not printed and software that can’t be copied. Still other companies have software copy-protection technologies…

The Process of Security

  • Bruce Schneier
  • Information Security
  • April 2000

I’ve been writing the CryptoRhythms column for this magazine for a little over a year now. When the editor and I sat down a couple months ago to talk about topics for 2000, I told him I wanted to expand the focus a bit from crypto-specific topics to broader information security subjects. So even though the column still falls under the CryptoRhythms banner, you can expect some (but not all) of this year’s columns to address broader security issues that in some way incorporate cryptography. This month’s article does just that, focusing on the process of security…

The 1999 Crypto Year-in-Review

  • Bruce Schneier
  • Information Security
  • December 19, 1999

In 1999, the major developments in cryptography were more political than scientific. Of course, there were scientific conferences and scientific announcements, some of which were significant. But, by far, the most important events happened in the areas of law, court cases and regulation. As we move into the new millennium, these political and regulatory shifts could have resounding effects on the implementation of cryptography, especially in how it relates to balancing privacy concerns with the needs of government and law enforcement.

U.S. Export Control…

A Plea for Simplicity

You can't secure what you don't understand.

  • Bruce Schneier
  • Information Security
  • November 19, 1999

Ask any 21 experts to predict the future, and they’re likely to point in 21 different directions. But whatever the future holds—IP everywhere, smart cards everywhere, video everywhere, Internet commerce everywhere, wireless everywhere, agents everywhere, AI everywhere, everything everywhere—the one thing you can be sure of is that it will be complex. For consumers, this is great. For security professionals, this is terrifying. The worst enemy of security is complexity. This has been true since the beginning of computers, and it’s likely to be true for the foreseeable future…

International Cryptography

  • Bruce Schneier
  • Information Security
  • September 1999

Revised version.

One of the stranger justifications of U.S. export controls is that they prevent the spread of cryptographic expertise. Years ago, the Administration argued that there were no cryptographic products available outside the U.S. When several studies proved that there were hundreds of products designed, built, and marketed outside the U.S., the Administration changed its story. These products were all no good, they argued. Export controls prevent superior American products from getting into foreign hands, forcing them to use inferior non-U.S. products…