Bruce Schneier: Channeling Common Sense
This mastermind's teachings and advice lead back to a singular goal: a common-sense approach to security
By Roger A. Grimes
May 26, 2006
Bruce Schneier, CTO of Counterpane, is one of the world's foremost experts on computer security. From a hard-core technical aspect (his first book, Applied Cryptography, is a long-time best seller for people wishing to understand cryptography in detail) as well as a philosophical viewpoint (his other books, such as Secrets and Lies or Beyond Fear, and his monthly Crypto-Gram newsletter), he continues to promote innovative commonsense security.
Bruce will come at an issue with what seems like an unpopular viewpoint, and turn your initial, gut reaction on its head. Say black, and Bruce is likely to say white. Say we need better security at large sports arenas and Bruce will argue the opposite. Say we need to create national ID cards to separate the terrorists from the law-abiding citizens and Bruce will say "baloney!" Want to spend billions making our skies safe from bomb-toting madmen? Forget about it!
What's amazing is that he is usually right, flying in the face of overwhelming popular odds in the opposite direction.
Often, you'll want to fight his initial response, but Bruce will win you over by convincing you that what you believed before was based upon false assumptions, popular myths, and illogical thinking. He'll argue against himself, both pro and con, so that by the time he gets to his conclusion, he's already out-argued what you could have thrown up against him. In this way, he reminds me of one of my other heroes, Albert Einstein.
I don't agree with everything Bruce says. Nobody is right about everything. But day in and day out, Bruce Schneier is fighting the good fight, and is usually years ahead of everyone else.
Bruce has written tirelessly for more than two decades; search the Internet and you'll find a quote from him on just about everything. Search his Web site for a good compendium of his articles and information.
Bruce is especially good at crafting one-sentence responses to make you realize how wrong you are about an entire spectrum. For example, when the world was talking about a particular network security protocol with a newly found vulnerability, Bruce said, “If this is your company's biggest threat, then you're doing better than most other companies.” It was his way of reminding us that all our security risks have to be ranked by criticality and that the biggest threat to most environments are our end-users, not some obscure, hard-to-manipulate security protocol.
Bruce is quick to reiterate that open source code review doesn't mean open source software will be more secure than closed source software. He rallies to remind us that the number of bugs a particular program has says nothing about its trustworthiness.
He tells us that today's seemingly harmless invention (RFID tags for instance) can easily become tomorrow's security risk. When the “experts” tell us that we're safe because RFID tags can only be read when held incredibly close to the appropriate reader, he reminds us that Bluetooth wireless devices (which were initially said to have only a 10-foot range) can now be read from more than half a mile away, by guys toting Bluetooth “rifles”: “The readable distance always becomes greater over time, not less,” he points out.
Bruce predicts that computer security will get much worse in the future, not better, if we don't change the status quo. He pushes us to ignore the hot technical issue of the moment and instead focus on why it was allowed to be that way. He forces us to look at the real problem, not just the symptom.
When I was interviewing Bruce for my recent series of articles on SSL Trojans, I found interacting with him tough. Giving me just a few minutes before he flew off to Turkey, I felt like he was interviewing me more than the other way around. I was asking him about how banks could protect themselves against the new threat of SSL-evading Trojans; for every question I threw at him, he threw one back.
He seemed irritated by my neophyte questions. I found myself becoming more than a little irritated back -- maybe even becoming angry. But within a few minutes, he led me on my own exploration to a solution that would work. It was then that I realized he was teaching me, and because I “taught myself” through our conversation, I would understand better and faster.
Bruce publishes his thoughts on various security issues every week, and he is almost universally ignored initially. How frustrating it must be for him to keep telling the world the same things over and over, just to be ignored, or to listen to other pontificators, like myself, say the same thing years later, and think it's news?
It's rare that we recognize greatness in a person who is still alive. I believe that any computer security person in this field for the long term should read at least one of Bruce's recent books and subscribe to his Crypto-Gram newsletter. If you don't, you'll miss out on one of our world's best creative thinkers.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..