Schneier on Schneier
By Kelly Jackson Higgins
He's eaten guinea pig in Peru, whale in Japan, and tried insects in Australia. But security guru -- and part-time restaurant critic -- Bruce Schneier mostly steers clear of chain restaurants, which he finds oppressively uniform.
When he's not sampling exotic cuisine, Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and as the bestselling author of Applied Cryptography, which has been called the bible for hackers. He's written other books that examine security and society, and he is a renowned security speaker, blogger, and columnist, as well as a popular media talking head who offers unique views on everything from encryption to post-9/11 security overkill.
Schneier says he writes restaurant reviews as an escape from his work in security, but he does see some symmetry in security and food: "Food is more about how a culture uses what it has to make an interesting meal. That's the same thinking as security," he says. "I look at it from a systemic point of view -- what is going on here in the bigger picture that creates this traditional dish. Tibetan food is moderately spicy, because spices don't grow that high [in elevation]," for example, says Schneier, founder and CTO of BT Counterpane, now part of British Telecom.
Security is a system, he says, and you have to look at security technologies in that broader context, from cryptography to airline security. "A lot of technologists focus on the details of the technology, such as biometrics or explosive-detection machines. I look at the big picture," he says. "The lessons in my writings are not about specific technologies, but about the world and human nature."
That's really what it's all about for Schneier, 43, who had a big year last year. His managed security services company, Counterpane, was purchased by British Telecom in October. Schneier admits he was initially worried the BT deal would stifle his work and public persona he has built, but BT made it clear it was hiring him not as a pitch man, but as an independent voice. "That's important to me," he says. "BT is giving me a bigger platform to do the things I do for Counterpane."
And his security research options will expand, given BT's global presence. Schneier travels to London next week to meet with BT's research group and discuss its work, which ranges from biometrics, quantum cryptography, and identity management -- things outside of what Counterpane has done, he says. Schneier's not sure what his level of involvement will be in BT research just yet, but he hopes to be an adviser to marketing and research.
He doesn't expect any of this to detract from the Bruce Schneier brand, however, which feeds off Schneier's candid and sometimes controversial commentary on all things security.
"BT recognizes the more general I am, the more value I give BT. They get that," he says. "Everything feeds into everything else, the writing the speaking. I can't just go inside BT and disappear doing BT work, because everything [I do is related to] BT work."
Schneier won't shy away from the hot-button topics in IT security or physical security. Last week, for example, he told a reporter at a Tacoma, Wash.-based radio station after the school shooting there, that metal detectors would be a waste of money. "The goal isn't to stop shootings in schools. It's to stop shootings," he says, by investing in ways to ensure a kid doesn't resort to violence at all. "If a kid shoots another kid in the playground because there's a metal detector in the building," then the physical security was ineffective, he adds.
"That's a tough message for people to hear."
Meanwhile, Schneier says today's hackers/researchers are doing some good work poking holes in software, but there is some of what he calls "ethical sloppiness" out there. "People who don't pay attention to the ramifications of what they are doing." As for the vulnerability disclosure debate, Schneier is all for it, as long as it's for legitimate purposes and not "self-aggrandizing," he says.
"It's polite to give vendors advanced notice. But companies shouldn’t expect advanced notice, because the bad guys won't give it to them," he says. "A lot of this debate obscures the fact that these bugs are mistakes. We focus on the person who disclosed it, but it's a programming error...a mistake someone made."
His latest work is on brain heuristics and perceptions of security, and he'll be doing a presentation on that topic at the RSA Conference next month. "I'm looking at the differences between the feeling and reality of security," he says. "I want to talk about why our perceptions of risk don't match reality, and there's a lot of brain science that can help explain this."
And as for now, Schneier's title remains CTO of Counterpane, but he and BT are cooking up an updated title for him. Nothing is firm yet, but don't expect it to have "evangelist" in it: "I hate the word 'evangelist,'" he says. "It's not a bad term, but I don't like the implications... It's almost like a cheerleader."
He may not be shy about speaking his mind on hot-potato security topics, but Schneier makes it a policy not to write bad reviews on indie or mom-and-pop restaurants. "I try not to write bad restaurant reviews," he says. "If a restaurant is bad, I'd prefer to simply ignore them. A bad review only hurts them."
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.