Bruce Schneier: Questions & Answers
IsacaRoma: Who are you? Your biography says you are an author, technologist and a "security guru." What is your cultural background? How did you arrive at cryptography and security as a profession?
Bruce Schneier: Security is a mindset, and the best security experts come by the profession naturally. They constantly go about the world looking at how to get around security: how to vote twice, how to shoplift, how to sneak in and out. They probably won't do any of these things, but they're always thinking about them.
My background is physics and computer science, and I started working in cryptography first for the U.S. government and then as a consultant. The interesting thing about being a consultant is that you get to work on a wide variety of different problems. Many of these problems suggested avenues of research, which further broadened my interests.
IR: is it possible to learn cryptography without academic background? Have you any recommendations to improve cryptography knowledge for non-specialized people?
BS: Cryptography is a branch of mathematics, and to do it effectively you need to understand mathematics at a graduate level. While it is not essential to learn the mathematics of cryptography at a university, that is by far the easiest way.
Of course it is not necessary to understand cryptography at this level merely to use it properly. There are many good books about implementing cryptography. I recommend my latest book, written with Niels Ferguson: "Practical Cryptography".
Unfortunately, it is easy for someone without a strong mathematical background to think he understands cryptography, and to invent systems he believes to be secure. We call that kind of thing "snake oil" and it's a big problem in security. Everyone should remember that people should not design encryption algorithms until they have several published academic papers breaking existing algorithms.
IR: Your first bestseller, Applied Cryptography, is for a specialized audience. The most recent book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security. Is there an evolution in your security vision?
BS: My career has been a continuing series of generalizations. My roots are in the mathematics of cryptography. That's what my first book, ""Applied Cryptography", was written about, and that's what most of my academic papers are about. Over the years, I began to realize that cryptography is only a tool, and it is rarely the weakest link in the security chain. More and more of my consulting assignments were about computer security, not cryptography. I wrote "Secrets and Lies" about computer and network security, and formed Counterpane Internet Security, Inc., to provide security services to large corporations.
The concepts of security are the same whether you're talking about computers or the real world. My latest book, "Beyond Fear", takes the systemic way of thinking that comes naturally in computer security and applies it to other areas of security: airline security, national security, personal security, etc.
Lately I have been interested in how people view security, and how they make security decisions. My current research is largely about behavioral economics, law and security, and the psychology of decision making.
IR: You are the founder and CTO of Counterpane Internet Security, Inc. Is it a security consulting firm?
BS: Counterpane Internet Security, Inc., is a managed security services company. In other words, we provide outsourced security services for a variety of organizations. Our service offerings center around real-time expert monitoring, but we also offer security management, e-mail scanning, log retention, vulnerability testing, and security consulting. The company has been in business for six years, and we currently monitor over 500 networks worldwide. Counterpane is far larger than myself, although I am the most public employee of the company.
IR: You recently wrote about Italy requiring passports to use Internet cafes. What is your opinion about this matter?
BS: Anonymity is one of the cornerstones of democracy and liberty. A government should protect anonymity on the Internet, not try to destroy it.
IR: what is Crypto-Gram?
BS: Crypto-Gram is my free monthly e-mail newsletter on security topics. It's entirely written by me, and consists of analysis and opinion of security stories that are making the news. It's not all computer security: I talk about terrorism, personal security, and corporate security too. You can read back issues, and subscribe on the web . It’s also available in blog form.
IR: What’s about the Italian version of your newsletter on the websiteof an Italian Security Service Provider. Is it an official translation? Is Communication Valley a sort of Italian partner of Counterpane?
BS: Crypto-Gram is translated into several languages, and they are all done by people interested in seeing the newsletter more widely distributed. None of the translations are official, and neither I nor Counterpane have any business relationship with any of the translators. I'm just glad that an Italian version of Crypto-Gram exists.
Communication Valley is a value-added resellers (VARs) offering Counterpane's Managed Security Monitoring (MSM) service as you can read in: http://www.counterpane.com/pr-emeavars.html
IR: What is your opinion about regulations to improve security in ICT products and software?
BS: As I’ve repeatedly written, regulations and liabilitities are the only way we’re going to see substantive improvements in computer and network security.