Security Expert Bruce Schneier On Passwords, Privacy and Trust

In today's interconnected world, all it takes is one security mistake to make your whole world come crashing down. Who better to turn to for advice than security expert Bruce Schneier?

If you have even a passing interest in security matters, then you've surely come across the writings of Bruce Schneier, a world-renowned security guru who has served on numerous government committees, testified before Congress, and is the author of 12 books on security issues so far, as well as countless essays and academic papers.

After hearing about Schneier's newest book, Carry On: Sound Advice from Schneier on Security, we decided that it was about time to reach out to Bruce to get some sound advice concerning some of our own pressing privacy and security concerns.

Bruce Schneier—Sound Advice

In a global world filled with international digital espionage, malware and virus threats, and anonymous hackers around every corner—it can be a very scary place for anyone to navigate.

Have no fear—for we asked Bruce to provide us with some guidance about some of the most pressing security issues today.  After reading this interview, you'll at least walk away with a greater awareness of what the threats really are, and what you can really do to protect yourself.

Understanding Security Theater

MUO:  As a consumer, how can I distinguish "security theater" from a genuinely secure app or service? (The term "security theater" was chosen from the term you coined in your past writings about how apps and services claim security as a selling point.)

Bruce: You can't. In our specialized and technological society, you can't tell good from bad products and services in a lot of areas. You can't tell a structurally sound aircraft from an unsafe one. You can't tell a good engineer from a charlatan. You can't tell a good pharmaceutical product from snake oil. That's okay, though. In our society, we trust others to make those determinations for us. We trust government licensing and certification programs. We trust reviewing organizations like Consumers Union. We trust the recommendations of our friends and colleagues. We trust experts.

Security is no different. Because we can't tell a secure app or IT service from an insecure one, we have to rely on other signals. Of course, IT security is so complicated and fast-moving that those signals routinely fail us. But that's theory. We decide who we trust, and then we accept the consequences of that trust.

The trick is to create good mechanisms of trust.

DIY Security Audits?

MUO:  What is a "code audit" or a "security audit" and how does it work?  Crypto.cat was open-source, which made some people feel it was secure, but it turned out nobody audited it. How can I find these audits? Are there ways I could audit my own day-to-day use of tools, to make sure I am using stuff that really protects me?

Bruce: An audit means what you think it means: someone else looked at it, and pronounced it good. (Or, at least, found the bad parts and told someone to fix them.)

The next questions are also obvious: who audited it, how extensive was the audit, and why should you trust them? If you've ever had a home inspection when you bought a house, you understand the issues. In software, good security audits are comprehensive and expensive and—in the end—no guarantee that the software is secure.

Audits can only find problems; they can never prove the absence of problems. You can definitely audit your own software tools, assuming you have the requisite knowledge and experience, access to the software code, and the time. It's just like being your own doctor or attorney. But I don't recommend it.

Just Fly Under the Radar?

MUO: There is also this idea that if you use such highly secure services or precautions, you're somehow acting suspicious. If that idea has merit, should we focus less on more secure services, and instead try to fly under the radar? How would we do that? What kind of behavior is considered suspicious, i.e. what gets you a minority report? What's the best tactic to "lay low"?

Bruce: The problem with the notion of flying under the radar, or lying low, is that it's based on pre-computer notions of the difficulty in noticing someone. When people were the ones doing the watching, it made sense not to attract their attention.

But computers are different. They aren't limited by human notions of attention; they can watch everyone at the same time. So while it may be true that using encryption is something the NSA takes special note of, not using it doesn't mean you'll be noticed less. The best defense is to use secure services, even if it might be a red flag. Think of it this way: you're providing cover for those who need encryption to stay alive.

Privacy and Cryptography

MUO: Vint Cerf said that privacy is a modern anomaly, and that we don't have a reasonable expectation for privacy in the future. Do you agree with this? Is privacy a modern illusion/anomaly?

Bruce: Of course not. Privacy is a fundamental human need, and something that's very real. We will have a need for privacy in our societies as long as they're made up of people.

MUO: Would you say that we as a society have become complacent concerning data cryptography?

Bruce: Certainly we as designers and builders of IT services have become complacent about cryptography, and data security in general. We have built an Internet that is vulnerable to mass surveillance, not just by the NSA but by every other national intelligence organization on the planet, large corporations, and cybercriminals. We have done this for a variety of reasons, ranging from "it's easier that way" to "we like getting things for free on the Internet." But we're starting to realize that the price we're paying is actually pretty high, so hopefully we'll make an effort to change things.

Improving Your Security and Privacy

MUO: What form/combination of passwords/authorization do you consider the most secure? What "best practices" would you recommend for creating an alphanumeric password?

Bruce: I wrote about this recently. The details are worth reading.

Author's Note: The linked article eventually describes the "Schneier Scheme" that works for choosing secure passwords, actually quoted from his own 2008 article on the subject.

My advice is to take a sentence and turn it into a password. Something like "This little piggy went to market" might become "tlpWENT2m." That nine-character password won't be in anyone's dictionary. Of course, don't use this one, because I've written about it. Choose your own sentence—something personal.

MUO: How can the average user best deal/cope with the news that their account with a world-famous website, bank or multinational company has been compromised (I'm talking about data breaches of the Adobe/LinkedIn type here, rather than a single bank account breached through card fraud)? Should they move their business? What do you think it will take to underline to IT/data security departments that immediate, full disclosure is the best PR?

Bruce: This brings us back to the first question. There's not a lot we as customers can do about the security of our data when it's in other organizations' hands. We simply have to trust that they're going to secure our data. And when they don't—when there's a large security breach—our only possible response is to move our data somewhere else.

But 1) we don't know who is more secure, and 2) we have no guarantee that our data will be erased when we move. The only real solution here is regulation. Like so many areas where we don't have the expertise to evaluate, and are required to trust, we expect the government to step in and provide a trustworthy process that we can rely on.

In IT, it will take legislation to ensure that companies secure our data adequately and inform us when there are security breaches.

Conclusion

It goes without saying that it was an honor to sit out and (virtually) discuss these issues with Bruce Schneier. If you're looking for even more insight from Bruce, by all means make sure to check out his latest book, Carry On, which promises Bruce's take on important security issues today like the Boston Marathon bombing, NSA surveillance and Chinese cyber-attacks. You can also get regular doses of Bruce's insight at his blog.

As you can tell from the answers above, staying secure in an insecure world isn't exactly easy, but using the right tools, carefully choosing what businesses and services you decide to "trust," and using common sense with your passwords is a very good start.

Categories: Text, Written Interviews

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.