Security Is a State of Mind
Checking in with expert Bruce Schneier about the state of security.
DDJ: A decade ago, you said that computer security, with all of its advances, would likely get worse in the future. Is this the way things turned out? If so, why? And what does this tell us about the next 10 years?
BS: It has gotten worse. In all of computer science, security is unique in that it has completely failed almost all the time. There are a lot of reasons for this, but the most important is complexity. Complexity is the worst enemy of security: as systems get more complex, they get less secure. So even though there have been, and continue to be, a constant stream of improvements in security—new ideas, new research, new techniques, new products, and services—things continue to get worse. Systems are getting more complex faster than security is improving, so we lose ground even as we get better.
I don't see this changing in the next 10 years. We all like complexity, and the things that complexity brings us. We like peer-to-peer networking, 802.11, and Blackberries. We like Web 2.0 sites, smart phones, and VoIP. But all of these complexities bring with them insecurities—and that's not going to change any time soon.
DDJ: What's been the biggest step forward in security recently: algorithms, protocols, or common sense?
BS: I wish I could say common sense; it's where we need some serious improvement. There's not a lot of work that needs to be done in algorithms or protocols. Of course, there are open research problems and a lot of fun applications to work on, but for the most part, the simpler things we developed in the 1990s work just fine. Where we need work is in the human aspects of security: Installation and configuration, user interface, education, even economic and psychological motivations and limitations. The biggest step forward in recent years is the increasing recognition that these issues are central to security and not marginal concerns.
DDJ: The Data Encryption Standard (DES) was around for a lot of years, then replaced by the Advanced Encryption Standard (AES), also known as Rijndael. Is AES holding up? Will it be around as long as DES?
BS: AES was approved as a standard in 2002 after a five-year competition process run by NIST. The algorithm has held up very well since then. Of course, there have been new academic cryptanalysis results—and of course there will be more in the future—but there's nothing that even remotely affects its security in practice. Even at its weakest, AES has a 128-bit key. It is going to take some pretty serious breakthroughs in cryptography to bring an attack against AES into the range of human possibility.
That said, another lesson of the past decade is that the encryption algorithm is not particularly relevant to security. Security is a chain, and the weakest link breaks it. Even when the algorithms are lousy, there are invariably weaker links. Brute-force decryption programs now do things like employ smart dictionaries and guess more common keys first, or scan users' hard drives for any printable string and try those as keys. These techniques are remarkably effective in practice, and they are completely independent of key length or algorithm. And exploiting software and network vulnerabilities are an even easier way to bypass encryption. It doesn't matter what kind of encryption you're using if someone can stick a key logger on your machine.
DDJ: In terms of software, what best gets the job done: security built into the operating system, security by design, secure coding, none of the above, all of the above?
BS: They're all different aspects of the same thing—doing security right at the beginning rather than trying to bolt it on after the fact. And they're all important. The era of throwing products together and letting the users deal with security are ending—and that's a good thing.
DDJ: You've written articles related to security for Dr. Dobb's since the early 1990s. Have your thoughts regarding security changed over that time?
BS: My career has been an endless series of generalizations. My initial writings on cryptography in Dr. Dobb's Journal led to my first book, Applied Cryptography, in 1994. In 2000, I wrote Secrets and Lies, about computer and network security. Beyond Fear, published in 2003, took the analysis techniques and ways of thinking developed in information security and applied it to general security. Since then, I have been primarily focused on the human aspects of security: the economics of security and—most recently—the psychology of security. I have a new book coming out this fall: Schneier on Security. It's a collection of essays and newspaper op eds from 2003 to 2008. More than anything else, that book charts my changing thinking about security from a technology focus to a human focus.