Neowin Interview: Bruce Schneier

Neowin
August 30, 2004

Described by The Economist as a "security guru", Bruce Schneier is a well-known security analyst who has gained notoriety from his popular security mailing list, Cryptogram, and his 3 books on various security subjects. Bruce was kind enough to take the time to have a chat with Neowin, and talk about himself, security, Microsoft, and much more.

Bruce, thanks for taking the time to talk to Neowin; could you start by giving us a brief history of yourself, what you've done, and what you're doing at the moment?

My security career seems to have been a continuing process of becoming more generalized. First cryptography, then computer security, and now general security. You can see the progression in my books. Applied Cryptography was my attempt to explain cryptography to programmers. Secrets and Lies was my attempt to explain computer security to IT people. And my latest book, Beyond Fear, explains security and security technology to anyone interested; in today's world, that should be everyone.

The common theme is an attempt to understand how security really works. My latest book has a lot of that. By drawing on examples from personal security, national security, history, biology, economics--from everywhere--I explain how security works, how and why it fails, and why we're stuck with so much lousy security. It's that last bit that's the most interesting to me right now, and what my current research is mostly focused on.

Counterpane is the global leader in Managed Security Services. I know that sounds hokey, but we actually are. In 1999 I invented something called Managed Security Monitoring. It's an outsourced security monitoring service. The philosophy behind Counterpane is that "prevention" can only get you so far in security; you also need "detection and response." Corporate networks have all sorts of security and non-security products--firewalls, IDSs, servers, routers, and lots of other devices--that all produce audit information. If a company really wants to be secure, they need to monitor those audit logs, in real time, and respond to intrusions. Companies just don't have the manpower or expertise to do that 24x7, and that's where Counterpane comes in. We have trained security analysts supported by $40 million in advanced, patented and proven technology and processes. And today we monitor over 400 networks across 28 carriers in 32 countries. No other provider offers this level of visibility or breadth of experience.

We have also built an entire suite of services around monitoring. Counterpane offers firewall and IDS device management, vulnerability scanning, a response service, and consulting. I'm really proud of Counterpane and the security we provide our customers.

There's lots more information about Counterpane here: Counterpane Homepage

Let's move on to Crypto-Gram; can you give us a little of the history of that? Did you ever think it would become as successful and notorious (in a good way) as it now is?

Crypto-Gram is my monthly e-mail newsletter. It's available for free by e-mail, RSS feed, and on the web. It's my vehicle for talking about whatever is interesting in security: general security, computer security, cryptography. Recently I've written a lot about airline security and counter-terrorism, but I've also written about new developments in the cryptanalysis of hash functions and defences for identity theft. Much of what I do is to explain the news; when there's some news story where security is central, I explain how the security aspect works and why it is important. I think it's a slant on the news that you can't find anywhere else.

When I started Crypto-Gram in 1998, I never imagined that it would eventually have over 100,000 readers. I was looking for a vehicle for my essays on security topics, and figured that an e-mail newsletter would be a good idea. I originally thought of charging for it, but I'm very glad I didn't follow through on that idea.

What do you think about Microsoft and its security situation? How well do you rate the improvements in Service Pack 2?

While I'm happy to see SP2, and think it will help, it's just a small part of the solution. SP2 has some good security features--things the company should have done years ago--but I don't expect it to substantially change the security level of the operating system. Deep down, Microsoft still treats security problems as public relations problems. They are still not able to make the hard trade-offs of security and functionality. They still see features as their primary goal, and security secondary.

To be fair, I don't think this is unreasonable on the part of Microsoft. The company is not a charity, and it doesn't make sense for them to make their products more secure than the marketplace demands. And right now the marketplace doesn't demand security.

Having such a high market share, Microsoft and their products are obviously a prime target for virus writers. However, do you think that Linux would fare as badly, or would it perform better, if it had a similar level of exposure? If we were to go "full circle", how would you rate Apple and its Mac OSX in the mix?

I don't know. And moreover, no one knows. The amount of money and effort it would take to perform that kind of comparative analysis is huge, and no one's done it. Microsoft is certainly attacked because it's 1) a popular product, and 2) an arrogant company. They repeatedly make design decisions that are anathema to security, sacrificing security to gain features. My guess is that Linux and Mac OSX are both more secure pieces of software, simply because both of those operating systems are designed better.

Do you think security will be Microsoft's downfall (ultimately), or will it be an acceptable problem with using Microsoft problems? Do other operating systems offer a viable alternative?

I think Microsoft is too big to be felled by security. Right now many customers are happy to be less secure with Microsoft products. Some aren't. Macintosh users are much more secure, as are Linux users. Regardless of whether the software is innately more secure, people using those operating systems are at a much reduced risk of attack across the Internet. My wife uses a Macintosh, and she laughs at all the worms and Windows vulnerabilities and attack tools--she doesn't have to worry about any of that.

Microsoft is a smart company, and as soon as it becomes financially beneficial for them to produce a secure operating system, they will.

In terms of security, do you buy into the argument that an open source model is better than a closed source model, when related to the Internet, and Operating Systems?

It's more complicated than that. Secure software is software that's been analyzed, again and again by lots of smart people. That kind of analysis is possible in the closed source model--experts can be hired--and it's possible in the open source model. For large pieces of very popular open source software, like Linux, many people have analyzed the code for security vulnerabilities. The result is some very well-written code. But there are lots of open source programs that are obscure, and that no one has ever looked at. Making your code open source allows for it to be analyzed for security, but does not magically make it secure. I've written more here.

More specifically, in terms of browser security, which browser do you feel boasts the most security features to ensure safe online browsing experiences for surfers?

These days, it's anything but Internet Explorer. It's less a matter of security features, and more the lack of insecurity features. Personally, I use Opera. I like the fact that it seems to be designed with the best interests of the user in mind, and not the best interests of large corporate websites.

What do you see as the biggest threat in the IT age?

People. Since the beginning of time, people have always been the biggest security threat. That hasn't changed because of computers. People are why firewalls are invariably misconfigured. They're why social engineering works. They're why good security products are rarely deployed properly. Securing the computer and network is hard, but it's much easier than securing the person sitting on the chair in front of the monitor.

If you were to look at 3 areas - The Software Designer, The Systems Administrator, The User - who would you say should bear the burden of responsibility for security? Or do you perceive it to be a shared responsibility?

Right now, no one is responsible; that's part of the problem. In the abstract, everyone is responsible...but that's not a fair answer. In the end, we all pay. The question really is: what's the most efficient way to assign responsibility? Or: what allocation of responsibility results in the most cost-effective security solutions?

We can't survive with a solution that makes the user responsible, because users don't have the knowledge and expertise to be responsible. The sysadmins have more knowledge and expertise, but they too are overwhelmed by the sheer amount of security nonsense they have to deal with. The only way to solve the security problem is to get to the root of it, and the roots are in the software packages themselves. Right now, software vendors bear no liability for the software vulnerabilities in their products. Changing that would put enormous economic pressure on software vendors, and improve computer security faster and cheaper than anything else we can do. I've written about this here.

Do you have any practical advice for our readers, in terms of staying secure, and safe?

Backup. Backup, backup, backup. You're going to get whacked sooner or later, and the best thing you can do for yourself is to make regular backups.

Staying safe in the Internet is actually pretty simple. If users bought a personal firewall and configured it never to accept incoming connections, and were smart about email attachments and websites, they'd be a lot safer. Also, the fewer Microsoft products the better. There's lots more here.

Thanks again, Bruce, for some great advice and interesting information. We wish you the best of luck in the future.
