Schneier: Lots of Security Software is "Snake Oil"
Bruce Schneier is one of the foremost experts on cryptography and is a well-known security author and commentator. He is the founder of the managed security services company Counterpane, which was acquired in October 2006 by BT. Schneier sat down with IDG News Service at the Infosec security show in London to talk about the effectiveness of security products and the psychology of security.
Are antivirus products just making money by giving people a “feeling” of security rather than true security?
Schneier: Antivirus is easy. Antivirus products actually work. They have for years. A lot of the software on this show floor is just snake oil, but antivirus does work. You should have an antivirus program. You should have it updated regularly. It doesn’t make you secure, but it gets that bottom layer of the trivial stuff. That’s why. It’s not sufficient but it’s certainly necessary.
People are tricked into downloading malicious software through social engineering. Have people become too conditioned—mainly through watching television—to also believe whatever appears on their monitor?
Yes, but it’s not television. People know the Internet is not television. People believe what they see on the Net not because of television but because of the trappings of reality. So when you got to BT.com, you see the BT logo, the BT font, the PR material, and you’ll think, yeah, it’s BT, like when you go to your bank, you see the logo, the tellers. That’s real, that’s expensive stuff.
On the Web, it could be a fake BT.com site and you don’t notice because it’s trivially easy to copy. So people do believe what they see on the Internet, not because of television, but because the Internet has the trappings of the real world. So all of those social cues you get to know to trust something—it looks professional, nothing’s misspelled, you see those things and you believe it’s real. So yes, people are conditioned to accept it but it’s from a whole variety of social conditioning.
Do you think people will ever gain a greater suspicion of the Internet?
Younger people have better bullshit detectors and they’ll pick it up. But certainly you can always fool people unless there is some external validation of [Web sites]. Microsoft tried to do that. Unless you can do that, there’s no guarantee you’re not going to be fooled.
How do we train our brains to be more perceptive?
Experience. Understanding the threats.
So what do you think is the biggest threat right now?
So how do you fix it? It’s expensive to investigate, it’s cross-jurisdictional.
It might not be fixable. A lot of [the solution] is going to be making the things that criminals are going after harder to get. You’re not going to stop the criminals. But in the United States, it’s really easy to get a credit card in someone else’s name. The credit card companies like it that way. So a lot of it is looking at how the criminals are attacking things and making it harder to attack them. The brokerage companies want it to be easy for you to log on and make trades. Make it harder, and the businesses don’t like that.
They’re afraid they’re going to drive away customers?
Of course. If I strip search you before you go into the bank, you might change branches. In the US, the government doesn’t have the balls to require stuff like [stronger authentication]. You’ve got to make the banks responsible for losses. The brokerage company has to [reimburse] me if I didn’t make the trade. Period. End of sentence. That’s how you fix it. Because then, my brokerage is going to start buying security, otherwise they won’t. The basic rule of security: You make the entity in the best position to mitigate the risk, responsible for the risk. Make them responsible. They’ll figure it out. That’s how capitalism works.