Bruce Almighty: Schneier preaches security to Linux faithful

Schneier is one of three keynote speakers at Linux.conf.au 2008 and speaks with Dahna McConnachie about his presentation, books and thoughts.

By Dahna McConnachie
Computerworld
December 27, 2007

Internationally renowned security guru, Bruce Schneier, will be encouraging technologists at linux.conf.au to take a lesson from Luke Skywalker, and "feel the force" a little more when it comes to security.

Schneier, who is CTO of BT Counterpane, is one of the three keynote speakers at the 2008 Linux.conf.au. He joins Python release manager, Anthony Baxter and founding member of HP's Linux division, Stormy Peters.

Dahna McConnachie speaks with Schneier about his talk, "Reconceptualising Security" and how technologists need to remember the importance of the human element. He also discusses cyber-war, what Linux has done for security, and the likelihood of another edition of Applied Cryptography.

What do you spend most of your spare time working on these days?

Much of my work these days involves the human motivations around security: the economics of security, the psychology of security, and so on. Again and again I see good technology failing because these aspects of the security system haven't been well thought out, and these social science communities have a lot to teach us in computer security.

(Read some of Bruce's recent thoughts on the psychology of security here)

What will your keynote talk "Reconceptualising Security" be about?

Security is both a feeling and a reality, and they're different. You can feel secure, even if you're not. And you can be secure, even if you don't feel it. Really, there are two different concepts sharing the same word. My talk is about the feeling and reality of security: when they are different, why they diverge, and how they can be made to converge. As technologists we tend to focus on the reality of security and ignore the feeling. I will argue that both are important.

Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems?

Sometimes? I think they forget almost all the time.

One of the messages you preach is that organisations need more than secure algorithms to be secure. Can you synthesise this argument, in terms of what it means, particularly in today's Web 2.0 environment?

Security is fundamentally a people problem. It doesn't matter how many bits your encryption algorithm has if your employees go home and blog about your company's secrets.

Analysing the security stories that make the news is one of your pastimes. Is there a disparity between what gets covered and what matters the most?

I think the media covers security stories more or less at random: they cover stories that aren't important, and they miss ones that are important. Largely, this is because the stories can be complicated and technical, and reporters don't have the expertise to separate what's important from what isn't.

You have said that we have not yet seen true cyber war, but that it is not a myth. Does this mean that real cyber war is inevitable?

War is inevitable; we as a species don't know how to resolve large nation-state conflict without it. And any war encompasses all theatres: land, sea, air, and now cyberspace. Any future war will include a cyber component, so by that reasoning cyber war is inevitable. But don't think of it as a separate thing. Cyber war is part of war, and not a substitute for or a precursor to war.

Have most countries developed cyber-war tactics?

Of course not. There are 245 countries on the planet, and most of them aren't doing anything with respect to cyber-war. The large countries with large military budgets are. All of them. They'd be foolish not to.

Where do you think the tension between government's increased desire for information (in the form of data mining and surveillance for example) and public freedom and privacy will lead?

Martin Luther King Jr once said that the arc of history is long, but it bends towards justice. There will always be a tension between a government's desire to control its population and the peoples' desire for liberty. And while governments are winning today, mostly because of the scary bugaboo of terrorism, there's no reason to believe that this will continue. It may take a generation, but the balance will shift and liberty will again be important.

What are some examples of where too much trust has been placed in security products?

We trusted airport security before 9/11, with disastrous results. We trust firewalls, IDSs, encryption, and almost every computer security product, and are continually surprised when they're broken. No security system is perfect; defense in depth is the only reasonable strategy.

What are some of the most significant ways that Linux, open source software, and the free and open software philosophy have contributed to the security landscape?

The most important thing Linux has done to improve security is to be competition for Windows. Monopolies are complacent, and by being an alternative, Linux forces Microsoft to improve its own operating system.

What will be the biggest security issues in the future?

Crime. Crime, crime, crime. Everything else pales in comparison.

What will be the largest cyber-threats to freedom and privacy in the future?

Government. And criminals. Both are large threats, in different ways. The latter is more tactical; the former is more serious and more long term.

At the time that you released Blowfish, most other designs were proprietary, patented and/or kept confidentially by governments. Why did you decide to release Blowfish into the public domain?

If I kept blowfish proprietary, or patented it, it would have died a quiet and lonely death. With few exceptions, proprietary and patented algorithms don't get used by anybody.

A rough count from the list on your Web site indicates that there are well over 150 software products (including the mainline Linux kernel, from v2.5.47) that use Blowfish. Has it exceeded or met your expectations?

I don't know if I had any expectations. There weren't enough alternatives to DES out there. I wrote Blowfish as such an alternative, but I didn't even know if it would survive a year of cryptanalysis. Writing encryption algorithms is hard, and it's always amazing if one you write actually turns out to be secure. At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead.

You recently launched a stinging attack on the elliptic curve-based Dual_EC_DRBG, one of four techniques RNG designs approved by the US National Institute of Standards and Technology (NIST) in March of this year. The controversy surrounds numbers used to define the algorithm's elliptic curve from which RNGs are created, which appear to be derived from a second set of hidden numbers - the so called 'backdoor'. What significance does this have on the outside world?

Minimal. I don't think anyone would use the algorithm anyway, since it's about 1000 times slower than the alternatives for absolutely no relative benefit. But it is in the standard, so felt I needed to warn people against using it.

How widely do you think the design is used?

I have no idea. My guess is that someone, somewhere, is already using it and NIST didn't want to piss them off -- that's why the algorithm is in the standard.

Do random number generators have much security value?

Yes. They're vitally important to most security protocols. If they're broken, the whole thing is broken.

Many people have asked for a third edition of Applied Cryptography. Is this likely to happen, and if so, any time soon?

At this point I have no plans to write a third edition of Applied Cryptography. There are several reasons. The field of cryptography has exploded since I wrote the second edition. There are dozens of new algorithms, protocols, and systems. I would have to cover all of the Internet protocols, all of the new MACs and signature schemes, all of the new analysis techniques. Because Applied Cryptography is designed to be comprehensive, there would be no way for me to edit things down...only include the three most important algorithms, for example. So, I would have no choice but to include everything. This would make the book too large for one binding. And publishers hate multiple volumes. And in any case, I just don't have the time to do all the necessary work.

However, in a way there is now a sequel. Practical Cryptography, by Neils Ferguson and myself, was published this year. It's about cryptography as it is used in real-world systems, about cryptography as an engineering discipline rather than cryptography as a mathematical science.

This is the book we wish we'd had more than a decade ago when we started our cryptographic careers. It collects our combined experiences on how to design cryptographic systems the right way. In some ways, this book is a sequel to Applied Cryptography, but it focuses on very practical problems and on how to build a secure system rather than just design a cryptographic protocol.

earlier story: Bruce Schneier Blazes Through Your Questions
later story: Bruce Schneier Reflects on a Decade of Security Trends
back to News and Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..