Talking security with Bruce Almighty
When the good folk at Linux Australia sat down with the organisers of the Australian national Linux conference and decided that Bruce Schneier would be the keynote speaker on the opening day of the main conference, they couldn't have made a more correct decision.
Schneier is a man whose security credentials are impeccable, who's probably the world's top security technologist. At the same time, he can talk about security concepts to a teenager - and the kid will understand exactly what he's saying.
When you realise that this same man is an inventor of the Blowfish, Twofish and Yarrow algorithms, then you begin to understand what the word intellectual means.
In his mid-forties, Schneier is a much less phsyically imposing presence than I thought he would be. But once he starts talking, he just grabs your attention.
He spoke to iTWire soon after he had delivered his keynote, "Reconceptualising Security", on day one of the LCA.
iTWire: Let's begin with a bit of geography and history. Which part of the US are you from? Where were you born, where did you study?
Bruce Schneier: I'm from New York, which you can probably tell by my style. I live in Minneapolis. My undergraduate degree is in physics, from the University of Rochester, New York. And my post-graduate degree is in Computer Science from American University in Washington DC. So that's sort of my academic resume. I started working at the US department of defence in security cryptography and security deployment. Then I worked for a start-up in the Chicago area and then for AT&T Bell Labs, and then in 1991 I set out on my own with Counterpane Consulting which became Counterpane Internet Security in 1999, and was purchased by BT in 2006.
What were you like as a little boy, in primary school?
I don't even know how to answer that question. I was regular, we were the smart kids. I mean, when you grow up in New York City, there are always programmes for smart kids. So they'll put them all in one class or two classes. I always had the benefit of being able to be put in classes for smart kids all through high school.
How did you come to take up physics?
That was in college, and I think I took it because it was what I liked, because it was math, but had real world applications. And that's what I got my degree in. But I always enjoyed it. In security, it was like more of a mindset than anything else. And back then there were hardly any computer science departments. So it was still very, very new.
So there's no single incident, person, group of people or group of incidents that focused your mind on this type of career?
Not really. I mean, security is something you're born with. I think as a kid, you walk around thinking, "how could I shoplift here" or you walk into the nursery with your mother and ask, "how could I cheat here?". It's something you just think about as you walk around. It's a way of looking at the world. It's always easier to teach the domain expertise, whether it's cryptography or computer security or crime to someone who has the mindset of a security guy. It's just a way of looking at the world. And I always had it.
You think anybody can be directed towards that kind of career?
I think so. I mean, if they have that mindset, then yes. If they don't, it'll always be a struggle. You have to think like an attacker. You have to think like a security person.
There are a large number of security experts in the US - all learned, all well-known, but nobody is able to relate to the public the way you have. Why?
I think I'm just good at it. Even at college and in my part-time jobs, a lot of what I would do would be communicating between tech and non-tech. And I think it's a matter of being able to understand technology and being able to communicate that. They're skills, completely different skills; if you have one, you often don't have the other. I just think I'm lucky that I'm able to do both, that I'm able to understand the technology and the non-technology. So I can talk between the two worlds.
Would you put this down to a basic gift of yours, or would you say you have cultivated it?
I think it's a bit of both. I have a bit of trouble knowing the difference between something you work on and something you're born with. It's certainly something I've worked on - certainly my later books are better than my earlier books; my later writings are better than my earlier writings. I think I've always liked to do it, it's something I thought was important. It's something I've always been good at but as you do anything you get better at it, so I think it's a combination.
In your talk at the conference you focused on the fact that information is going to be the major way to make people genuinely more secure - as long as they understand the information they're getting. Let's take the Linux conference - people don't make much of an effort to make it known to the public that there's even a conference going on. So would you say there's some level of information dissemination which needs to start right here?
I think we all do. Especially those who of us understand security, we need to talk about it. We need to talk about it rationally. There's so much fear, there's so much politics. There's so much irrational thinking, that I think all of us that understand the issues need to talk about them. Now whether I drag people to a Linux conference depends on the programming and there are certainly conferences for technical people only.
But the more people that talk about this differently, the better we are. I always feel that I should give people language, to go out into the real world and talk about things. I do this in my writings about privacy and security and terrorism. I'm speaking to the converted; I'm not convincing anybody with my writing. What I'm doing is giving my readers language, so that they can go talk to other people. That way, what I say multiplies. There's a real value. And the best compliment I get from one of my writings is, "you change the way I think".
The ability you have to make very complex concepts simple without trivialising them is very rare.
I think we need it everywhere. Because debates in society are hard - when they're about healthcare, which is huge in my country or different aspects of infrastructure or welfare or politics or social networking. These are all complicated issues. I mean, we need to make them accessible.
Take an issue like the national identity card. It is being driven by various special interest groups. Politicians love it because it gives people this apparent feeling of being secure. How exactly do you figh against something like that?
You know, you might not be able to. I combat it with information. I write essays and op-eds explaining why it doesn't make things more secure. I testified for the US senate, for a committee of the US Senate about national ID cards, why they wouldn't help. So you know, my solution is information - and, yeah, it's not perfect, I might not win - but I think that's my only option, to help people understand, by explaining it in a way that they can understand it and explain it to somebody else.
You talk about airline security. Now, in Israel, it has been a fact of life there are Mossad people, Shin Bet people on board the El Al planes. Nobody has known about it for years and years and years, but they've been there, I think, after a hijacking in 1968. So can you really say that the presence of marshals is not of any use?
I don't say it's of no use. In fact, what I say, and I wrote it in a Wired article just last week was that approximately two things have made it safer. The first one is reinforcing the cockpit door and the second is convincing passengers they need to fight back. And the third one, which might or might not be affected, is sky marshals. I don't say they're not effective. i think the jury is out, we don't know for sure.
But it's interesting that it's not sky marshals per se; it's the idea of sky marshals that's effective. Because once I tell you I have them, I actually don't really need them anymore. So that's what I'm not sure about. That's what I've always hedged about, because again we just don't have the data to know really whether it helps or not. But it might, and that's one of the things that I'm on the fence about.
During your career, you've debunked and exposed a large number of snake-oil salesmen. How do you handle it when they attack you back?
A lot of it I ignore. If it gets really bad I'll just publish what they write and that usually makes them go away. Every year or so someone tries to sue me for something I've said and usually it's just a matter of publishing the complaints because it's always entertaining to read. When other people read it and if they get enough negative PR from it they go away.
It's hard, but occasionally people have a legitimate complaint so you have to read everything. So you get attacked, but you know, I'm not perfect, I'll make mistakes. So you can't let it bother you. I tend not to do product reviews. When I put something in the dog house, it's something pretty egregious and it's based on ridiculous marketing claims - not based on source code analyses. I'm doing that, usually doing that as a consultant and that's a different sort of animal. So you live with it, so you deal with it.
So there's never been physical threats or anything like that?
I've never got physical threats, no. I believe I'm perceived as someone with integrity. Even if you disagree with what I say, I'd like to think it's obvious that I don't have an agenda, that I'm not trying to wreck somebody personally, that I'm just saying what I think because I think it's important to say it. And I think that helps.
It's remarkable that inspite of all this, you have come to be known as someone of absolute integrity.
A couple of things - there's value in my doing that. When Counterpane became a company, I made it very clear that having me shill for the company would not be in its best interests. But the value of me being associated with Counterpane is because I'm me, and if I lose that Bruce-ness, that integrity, then I lose that value. And when BT bought Counterpane it's the same thing. You don't want me becoming the BT security spokesman.
British Telecom. They bought us in October of '06. And I said, 'look, if you expect that, this won't work. As soon as you say, you can't write this, you can't say this, I want you to say that, we need to be on the phone when you're talking to a reporter, I'm going to leave'.
But there is value, enormous value for BT in having me as an independent security spokesman. And as long as BT recognises that value, that will be great. And BT's been great. They've never said, 'I want to be around when you talk to a reporter'. They've never said, 'I want to approve what you write. I want to read what you say before you've said it.' They'd never say, 'This is our campaign, and these are your talking points for the month.' BT's been a good company to work for. They do great research which I'm involved in. I do some of their company events. But they don't want me shilling for the company. They want me being me. So it's working out great. I do try to walk that fine line, and I've been lucky to find employers that recognise the value. That's the way it works.
One more thing I find amazing about you is you have an excellent open, dialogue with the media, whoever it is. And you're not a person who says, 'no, I can't speak to so-and-so'. This has served you remarkably well in your career.
You know, I like to think I'm a media slut, basically. I used to say I'm a media whore, but then I realised I didn't get paid. But I think my job, such as it is, is to communicate security to as wide an audience as possible. So it's important, I mean, the press is how the public get their security information.
But you've always written good stuff. There's a lot of press that's lousy out there. And anything I can do to help that, to fix that, I try very hard. Whether it's a big publication, local, national or international, it's all valuable. And especially in the world of internet and blogging and email and forwarding you never know what it is that you write and say that will influence people. So you can't just say, 'I speak to the American press. I speak to the national press. I'm not going to talk to the IT press anymore'. Especially in something like an interview, because that's easy.
In speaking, it's harder. I get three or four speaking invites a week. I have to say no to most of them, because I just can't do it all. And there I have to pick and choose. But for talking to the media, I don't yet have to pick and choose. Someday I might. I may have to say I can only do four interviews today, so you three I'm going to have say no. If that day comes I'll have to do a triage. But until then I can talk to everybody. I think it's important to do so.
You've been talking to all kinds of people. Which do you think is the most effective forum?
I have trouble measuring effectiveness. And it varies so widely. Sometimes it's the right 10 people in the audience. I tend to like large forums where people haven't heard me before. I mean, coming to Linux Australia is good because it's far away and a lot of people have not heard me before because they may not have come to events in the US or Europe, or because it's a good crowd that will appreciate what I have to say and I have a message and I think I can teach them something.
I also like speaking at general business events. I wouldn't give the same talk; I would do a very different talk. But talking to non-security people, talking to a general audience, talking to a civil liberties audience, I think is important. It's hard to say which is more effective, and I think everything is effective in its own way.
But your books have been among the more effective.
A book is an incredible piece of leverage because you write once. Books and writings - I have 150,000 people who read Cryptogram. That's an enormous amount of leverage. Here at Linux Australia there's about 600 to 700 people in the audience. You know, that's a little bit of leverage. But if I write an essay - let's say an op-ed in the Washington Post or the Washington Journal, or even in the Sydney Morning Herald, I'm reaching a lot more people who might not hear what I have to say otherwise. That's why I like it when The Age or the Sydney Morning Herald grabs something that I write. I like it when that happens because here's something that I write and then it goes out to people who might not read me otherwise. I think that's important. I love it when you say I want to republish this. It's fantastic.
Your commercial success hasn't, in any way, been affected due to your attitude, right?
It hasn't, but maybe it has, you know. Maybe I'd be wealthier. Maybe I'd be more successful in business if I focused on business. But life is a trade-off, security is a trade-off. You do what you want, and you do what you have to do. And I'm lucky enough to be in a position where I get a good salary and I can say what I want. And maybe I could get a better salary if I stayed quiet and told a corporate lie and become the vice-president of something, but you know, I'm okay with not doing that.
Looking ahead, what are the things you think you'll be writing about?
More and more of my writing is about the social aspects of security. About psychology, about economics and I think that's where interesting problems are and I think that's what I like looking at. I like looking at political systems as a way to solve security problems. How people subvert systems, looking at capitalism and communism, or any different types of social ideologies, from the lens of a security problem. I think there's a lot of insight to be gained there. So I'm going to be writing more about that. And a lot about this psychology.
Do you think politicians will accept your ideas?
You know, it's just another lens to look through. I think there's politicians who will agree with you, and there will be those who don't. So, the answer will be all over the map.
Why do you think other people don't make an effort to do this kind of thing?
I think this is something I"m good at. It's sort of my no-bullshit, this-is-the-way-it-is attitude, and the way I talk. I think that's just the way I talk and write and it turns out to be very valuable.
Do you think you could do people a service by educating them to do just what you do? Technically qualified, good people...
I'm not sure I can educate people how to do that. I never really think in that methodology. I'm too busy thinking about my topic, to think about my process. So I don't know if I could educate that. There is certainly value in teaching communications - to teach people how to talk to a common audience, how to talk to an uneducated audience, how to talk to an audience educated not in your area of expertise, how to generalise, how to look at things from a meta point of view, how to use examples - all these things I'm sure people teach them. I couldn't teach it. I think I'd do it but I'm not sure how I do it.
You've never had people who've come to you and been attached as understudies or interns?
You know, I have had employees when Counterpane was just a consulting company who would learn from me. At BT Counterpane there are people who learn from how I do things, just from my actions. People who learn how to do what I do. Lots of people are involved with that ethic, at the Electronic Frontier Foundation, the American Civil Liberties Union. I spend time but not in that way. A lot of what I do is one-to-many and I'm a lot less one-to-one. I think my value is in talking about many issues and talking to a broad audience. Influencing a lot of people a little is better math for me than influence a few a lot.
Quite often you have said that companies should provide warranties that their software is safe. Can you really justify that?
I think that's going to be the future whether you justify it or not. You provide it by having an insurance model behind it. It doesn't mean it's true. It just means that if it's wrong, we're going to compensate you. There are warranties all over and products are not very good, but that's not the point. The point is that there is some kind of financial backing in case there is a mistake.
Do you have any examples of this?
Automobiles, any consumer product.
But if you compare a car to software people always laugh. They say a car is a pretty simple thing compared to a computer program.
Sure. But none of this is easy, and a car is actually pretty darn complex. There's lots of parts and lots of different manufacturers. When there's an accident you have the driver, the other driver, the car, the road conditions, maybe things on the road. You have, maybe, a part that might have failed. You have all of these aspects that contribute to negligence. And the courts figure it out and there are complexities there. I don't think software is inherently worse. And certainly cars have computers and software as well.
What would push software companies towards this? Is it only government regulation?
Government regulation. No software company wants this regime. The only thing that will push companies is regulation. Possibly largescale buyers in the world where software is all being sold through re-sellers - they can start demanding insurance models. But government regulation must come first.
You have no examples of governments who are pushing companies towards this?
Not yet, there are some moves towards it. There were complaints from the industry, complaints that it would kill the software industry. But that will change eventually. It has to.