Schneier: Microsoft still has work to do

By Bill Brenner, News Writer
SearchSecurity.com

Part 1, October 4, 2004

Bruce Schneier is founder and chief technology officer of Mountain View, Calif.-based MSSP Counterpane Internet Security Inc. and author of Applied Cryptography, Secrets and Lies and Beyond Fear. He also publishes Crypto-Gram, a free monthly newsletter, and writes op-ed pieces for various publications. Schneier spoke to SearchSecurity.com about the latest threats, Microsoft's ongoing security struggles and other topics in a two-part interview that took place by e-mail and phone last month. In this installment, he talks about the "hype" of SP2 and explains why it's "foolish" to use Internet Explorer.

What's the biggest threat to information security at the moment?

Schneier: Crime. Criminals have discovered IT in a big way. We're seeing a huge increase in identity theft and associated financial theft. We're seeing a rise in credit card fraud. We're seeing a rise in blackmail. Years ago, the people breaking into computers were mostly kids participating in the information-age equivalent of spray painting. Today there's a profit motive, as those same hacked computers become launching pads for spam, phishing attacks and Trojans that steal passwords. Right now we're seeing a crime wave against Internet consumers that has the potential to radically change the way people use their computers. When enough average users complain about having money stolen, the government is going to step in and do something. The results are unlikely to be pretty.

Which threats are overly hyped?

Schneier: Cyberterrorism. It's not much of a threat. These attacks are very difficult to execute. The software systems controlling our nation's infrastructure are filled with vulnerabilities, but they're generally not the kinds of vulnerabilities that cause catastrophic disruptions. The systems are designed to limit the damage that occurs from errors and accidents. They have manual overrides. These systems have been proven to work; they've experienced disruptions caused by accident and natural disaster. We've been through blackouts, telephone switch failures and disruptions of air traffic control computers. The results might be annoying, and engineers might spend days or weeks scrambling, but it doesn't spread terror. The effect on the general population has been minimal.

Microsoft has made much of the added security muscle in SP2. Has it measured up to the hype?

Schneier: SP2 is much more hype than substance. It's got some cool things, but I was unimpressed overall. It's a pity, though. They had an opportunity to do more, and I think they could have done more. But even so, this stuff is hard. I think the fact that SP2 was largely superficial speaks to how the poor security choices Microsoft made years ago are deeply embedded inside the operating system.

Is Microsoft taking security more seriously?

Schneier: Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they're still not taking security seriously enough for me. They've made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem. To me, the problem is economic. Microsoft -- or any other software company -- is not a charity, and we should not expect them to do something that hurts their bottom line. As long as we all are willing to buy insecure software, software companies don't have much incentive to make their products secure. For years I have been advocating software liability as a way of changing that balance. If software companies could get sued for defective products, just as automobile manufacturers are, then they would spend much more money making their products secure.

After the Download.ject attack in June, voices advocating alternatives to Internet Explorer grew louder. Which browser do you use?

Schneier: I think it's foolish to use Internet Explorer. It's filled with security holes, and it's too hard to configure it to have decent security. Basically, it seems to be written in the best interests of Microsoft and not in the best interests of the customer. I have used the Opera browser for years, and I am very happy with it. It's much better designed, and I never have to worry about Explorer-based attacks.

Part 2, October 5, 2004

Schneier spoke to SearchSecurity.com about the latest threats, Microsoft's ongoing security struggles and other topics in a two-part interview that took place by e-mail and phone last week. In this installment, he talks about the safety of open source vs. closed source, the future of security management and the spread of blogs.

Are open source products more secure than closed source?

Schneier: It's more complicated than that. To analyze the security of a software product you need to have software security experts analyze the code. You can do that in the closed-source model by hiring them, or you can do that in the open-source model by making the code public and hoping that they do so for free. Both work, but obviously the latter is cheaper. It's also not guaranteed. There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee.

A recent Yankee Group report said that enterprises will outsource 90% of their security management by 2010, and that more businesses have made security a priority to meet growing threats and comply with laws like HIPAA and Sarbanes-Oxley. Do you agree?

Schneier: I think that network security will largely be outsourced by 2010 regardless of compliance issues. It's infrastructure, and infrastructure is always outsourced eventually. I say eventually because it often takes years for companies to come to terms with it. But Internet security is no different than tax preparation, legal services, food services, cleaning services or phone service. It will be outsourced. I do believe that the various compliance issues, like the laws you mention, are causing companies to increase their security budgets. It's the same economic driver that I talked about in your question about Microsoft. By increasing the penalties to companies if they don't have adequate security, the laws induce companies to spend more on security. That's good for everyone.

How is Crypto-Gram doing?

Schneier: Crypto-Gram currently has about 100,000 readers; 75,000 get it in e-mail every month and another 25,000 read it on the Web. When I started it in 1998, I had no idea it would get this big. I actually thought about charging for it, which would have been a colossal mistake. I think the key to Crypto-Gram's success is that it's both interesting and honest. Security is an amazingly rich topic, and there are always things in the news to talk about. Last month I talked about airline security, the Olympics and cellphones. This month I'm going to talk about academic freedom, the security of elections, and RFID chips in passports.

Some people compare Crypto-Gram to a blog. Is that a reasonable comparison?

Schneier: It's reasonable in the sense that it's one person writing on topics that interest him. But the form factor is different. Blogs are Web-based journals, updated regularly. Crypto-Gram is a monthly e-mail newsletter. Sometimes I wish I had the immediacy of a blog, but I like the discipline of a regular publishing schedule. And I think I have more readers because I push the content to my readers' e-mail boxes.

Do you think blogs have become more useful than traditional media as a way to get the latest security news to IT managers?

Schneier: Blogs are faster, but they're unfiltered. They're definitely the fastest way to get the latest news -- on security or any other topic -- as long as you're not too concerned about accuracy. Traditional news sources are slower, but there's higher quality. So they're both useful, as long as you understand their relative strengths and weaknesses.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.