News in the Category “Text”
Schneier is a security guru. And in his new book, subtitled Security and Survival in a Hyper-Connected World, he explains the real risks in a world where everything is becoming a computer, and networked in a way that he calls "internet plus."
From hacked cars to vulnerable power grids, Schneier paints a detailed picture of just how IT-dependent our modern world is. And how fragile it has become, in the context of what he calls "internet plus."
Nora Young: People often use this term 'Internet of Things'.
FIX THE INTERNET BEFORE IT FIXES US — Technologist Bruce Schneier is out with his latest book and his most alarming title yet: "Click Here to Kill Everybody." In fact, it's one of the most ominous in the entire cybersecurity canon. Even in his introduction, Schneier admits to hyperbole, yet writes the title isn't without merit since "we're already living in a world where computer attacks can crash cars and disable power plants — both actions that can easily result in catastrophic deaths if done at scale."
So, OK, it's scary. In this outing, published last week, Schneier digs into the dangers posed by the rapid spread of internet connectivity into all our things. But since he doesn't think the marketing term "internet of things" is encompassing enough, he coined his own term: Internet+.
That’s the view of security expert Bruce Schneier, who fears lives will be lost in a cyber disaster unless governments act swiftly.
Smart gadgets are everywhere. The chances are you have them in your workplace, in your home, and perhaps on your wrist. According to an estimate from research firm Gartner, there will be over 11 billion internet-connected devices (excluding smartphones and computers) in circulation worldwide this year, almost double the number just a couple of years ago.
Many billions more will come online soon.
The great and memorable title of Bruce Schneier's latest book, Click Here to Kill Everybody, certainly caught the eye of those in my household—my children kept trying to touch the button on the front cover to 'kill everybody'! (Indeed, the book's attention-grabbing title may make me a little wary about reading it openly on the Tube or while going through airport security.)
Of course, the book is not really about how to kill everybody, but rather how, from an ethical standpoint on the part of tech, and a moral standpoint on the part of government, we appear to be sleep-walking into a scenario where something, whether by accident or design, could possibly 'click here' and kill everyone.
My advance reading copy wasn't quite ready for publishing, but as it stood the book was divided into three approximately equal sections:
- The first section describes the issues of computing, IOT, and an Internet of the future.
- The second section describes the things technologists and policy makers should consider in order to bring about the changes needed for the Internet of the future.
- Finally, as with Schneier's previous book, the third section contains copious notes.
In the introduction ('Everything is a Computer'), Bruce describes three situations: hacking a car; hacking the power supply; and hacking printers (conventional, 3D and bioprinters). For each of these he expands on the potential issues: death of multiple passengers; wide-scale human and economic damage; etc.
If I were still doing radio shows, I would happily welcome Bruce Schneier back as a guest. He's a security expert who I first spoke with when he revealed the uselessness of the TSA's screening procedures at airports, which he labelled "security theater." Since then, he's made multiple appearances with me.
Bruce has just published a new book, Click Here To Kill Everybody: Security and Survival in a Hyper-connected World, and asked me to review it.
As in his previous works, Bruce sees the holes that exist in the digital world and explains the risks of having so many more things connected as part of the Internet of Things, from thermostats to refrigerators to manufacturing equipment to your kid's dolls.
Pervasive connected devices mean we REALLY can't afford shitty internet policy
Bruce Schneier (previously) has spent literal decades as part of the vanguard of the movement to get policy makers to take internet security seriously: to actually try to make devices and services secure, and to resist the temptation to blow holes in their security in order to spy on "bad guys." In Click Here to Kill Everybody: Security and Survival in a Hyper-connected World, Schneier makes a desperate, impassioned plea for sensible action, painting a picture of a world balanced on the point of no return.
Click Here... describes a world where all the bad policy decisions of PCs and laptops and phones are starting to redound onto embedded systems in voting machines and pacemakers and cars and nuclear reactors. He calls this internet-plus-IoT system the "Internet+" and the case he makes for its importance is by turns inspiring and devastating.
That's because Schneier, more than the average policymaker or marketing blowhard, has a pretty good idea of what the actual benefits of these systems can be.
Bruce Schneier’s new book, Click Here to Kill Everybody, explains the security risks of a new world of household devices connected to the Internet. I asked him what the risks are, why they are so serious and what their consequences are for politics.
HF: Technology has created a hyper-connected world. How does this lead to vulnerabilities?
BS: As we connect more things to the Internet, they can affect each other.
Big Brother is watching and scheming and up to no good—and, writes security technologist Schneier (Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, 2015), it looks like he's winning.
By way of an opening gambit, the author posits three scenarios in which hackers take over machines and computer systems, from printers to power plants, both to demonstrate their ability to do so and to show how the interdependence of the web can easily be put to work against us. In one of those scenarios, real-world to the core, Russian hackers came into a Ukrainian power plant through a malware backdoor, "then remotely took control of the center's computers and turned the power off." That's not just a threat to life, but it also erodes trust in social and economic systems, the basis for civil society. In another scenario, which gives the book its title, a "bio-printer" is hacked to "print a killer virus"—and does.
Click Here to Kill Everybody: Security and Survival in a Hyper-connected World Bruce Schneier W. W. Norton (2018)
Hardly a day now passes without reports of a massive breach of computer security and the theft or compromise of confidential data. That digital nightmare is about to get much worse, asserts security technologist Bruce Schneier in Click Here to Kill Everybody, his critique of government inertia on Internet security.
The burgeoning threat, writes Schneier, arises from the rapid expansion of online connectivity to billions of unsecured nodes.
The early architects of the internet did not want it to kill anybody. In cyber security expert Bruce Schneier's new book, David Clark, a professor at the Massachusetts Institute of Technology, recalls their philosophy: "It is not that we didn't think about security. We knew that there were untrustworthy people out there, and we thought we could exclude them".
Schneier describes how the internet, developed as a gated community, is now a battleground where these untrustworthy people cause great harm: harnessing computers to kill by crashing cars, disabling power plants and perhaps, soon enough, using bioprinters to cause epidemics.
Bruce Schneier is a computer security expert who, for decades, has been a leading voice for cryptography and all things security. In this question-and-answer formatted interview, Schneier describes the disjunction of today's abundance of encryption tools and a dearth of personal security. Schneier also touches on some of the dangers associated with "middle ground" compromises in encryption to placate law enforcement.
TP: What does the term "going dark" mean to you and is there a middle ground where law enforcement and cryptographers can meet?
Bruce: "Going dark" is a marketing term for an FBI narrative that encryption makes it impossible for the FBI to solve crimes.
With today's rapid technological advancement, almost every activity such as communication, work, and business can be done easily and efficiently through the many available devices and applications. Although it seems that we have so many benefits of the rapid development of technologies, many unseen threats also await. One of the most serious issues in this digital era is concerning our privacy and data protection. Today, in this big data era, governments and private companies can easily obtain our data from various media—such as devices and applications developed by the governments and private companies—and use these data to "surveil" us.
Bruce Schneier had harsh words at RSA Conference 2018 for U.S. lawmakers on the topic of cyber regulations.
Schneier, security expert and CTO of IBM Resilient, spoke twice this week at RSAC about the coming wave of cyber regulations and the dangers those laws and policies will bring if the lack of input from technologists continues. Speaking at a panel discussion Wednesday titled "Identity Insecurity—Another Data Hurricane Without 'Building Codes'," he discussed how new regulations are inevitable in light of recent privacy and data misuse episodes and renewed his call for more technology and security professionals to get involved in the policy-making process.
In a keynote at the SecTor security conference, Bruce Schneier makes a case for more regulatory oversight for software and the Internet of Things
The time has come for the U.S. government and other governments around the world to start regulating Internet of Things (IoT) security, according to Bruce Schneier, CTO of IBM's Resilient Systems.
Schneier delivered his message during a keynote address at the SecTor security conference here. He noted that today everything is basically a computer, whether it's a car, a watch, a phone or a television.
Bruce Schneier is a world-renowned cryptographer and security technologist whom the Economist has dubbed an "internet-security guru." Schneier has authored a dozen books since 1993, with his next book—Click Here to Kill Everybody: Peril and Promise in a Hyper-Connected World—due for release in September 2018, and set to tackle the burgeoning trends of cybercrime, corporate surveillance, and how to mitigate the catastrophic risks from unsecured devices.
Earlier this year, Schneier wrote a chilling article in New York Magazine detailing the pressing dangers of unsecured IoT devices and, more recently, consulted on bipartisan legislation that will ensure devices purchased by the U.S. government meet specific security standards.
On top of all that, Schneier frequently blogs on internet and security matters and runs a monthly newsletter, "Crypto-gram," that has amassed a following exceeding 250,000—so we thought he'd be perfect for an ExpressVPN cybersecurity Q+A.
"Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World" is a book meant to scare you, and it does a good job. The book is designed to get our attention and serve as a wake-up call on a number of issues that beg for more robust public discussion. Chief among these issues are mass surveillance from governments and the commercial world, and how this is affecting personal privacy and even public security. More importantly, I believe Bruce Schneier offers some excellent recommendations as to what we should all be talking about and doing when it comes to bringing these critical issues out of the shadows and into the light.
‘Surveillance Is the Business Model of the Internet,’ Berkman and Belfer Fellow Says
In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.
In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers' browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.
To assess the internet landscape, the Gazette interviewed cybersecurity expert Bruce Schneier, a fellow with the Berkman Klein Center for Internet & Society and the Belfer Center for Science and International Affairs at Harvard Kennedy School.
US Senators just introduced new legislation to regulate the purchase of Internet of Things (IoT) devices. Why did they do it, and what chance is there of success?
The Internet of Things Cybersecurity Improvement Act would set minimum security requirements for federal procurements of connected devices. These include the ability to patch code, a lack of hard-coded passwords, and freedom from known security vulnerabilities.
Under surveillance capitalism, we’ve lost control of our devices and our data – but there is a way back. Interview with Bruce Schneier by Agne Pix.
Agne Pix (AP): Does technology protect our privacy on the internet or is it a threat?
Bruce Schneier (BS): There are a lot of technologies that help preserve privacy and keep us and our data secure, like for example encryption. Technology can also remove privacy: you may think of cameras or listening devices and insecure internet connections. We are living in a world where we often interact with computers. They produce data about these interactions, which is data about ourselves and that is collected by corporations.
Dubbed a 'security guru' by The Economist, Bruce Schneier has authored several books, including NYT bestseller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, as well as hundreds of articles and academic papers. In 2013, the American security technologist was invited to brief a US Congress group about the documents revealed by whistleblower Edward Snowden, and to explain 'what the NSA (National Security Agency) was doing'. In an email interview to Kim Arora, he spoke about the recent Wannacry ransomware attack, cybersecurity, and threats to privacy. Excerpts:
With the Wannacry ransomware attack, we saw how neglecting to install a security update in time led to massive losses worldwide.
In today’s episode, together with Bruce Schneier, we are talking about how to start and skyrocket your career in cybersecurity.
Paula: I’m here with Bruce Schneier. The most prominent person in security. Thank you so much for being with me.
Security expert Bruce Schneier says we're creating an Internet that senses, thinks, and acts, which is the classic definition of a robot. "I contend that we're building a world-sized robot without even realizing it," he said recently at the Open Source Leadership Summit (OSLS).
In his talk, Schneier explained this idea of a world-sized robot, created out of the Internet, that has no single consciousness, no single goal, and no single creator. You can think of it, he says, as an Internet that affects the world in a direct physical manner.
WikiLeaks may have exposed the CIA's ability to hack into phones, televisions, cars—pretty much everything, but according to internationally renowned security technologist and author Bruce Schneier, it isn't the intelligence agencies you should be worried about. He's more concerned that these technologies have been around for decades. Bruce is sharing three things to be concerned about with Kristina Guerrero.
Does latest data dump mean people should throw out their smartphones?
Metro spoke to cybersecurity expert Bruce Schneier about the latest revelations from Wikileaks about U.S. government spying and what they mean to regular people. The leaked documents, which appear to be from the Central Intelligence Agency, describes software tools that the agency uses to hack into cellphones, computers and internet-connected televisions.
Metro: Do these revelations from Wikileaks surprise you at all?
We couldn’t put together a list of cyber security blogs and not include Schneier on Security. The author, Bruce Schneier, is an internationally renowned security technologist, and his blog reaches over 250,000 people.
His research, analysis, and comment on all things security make the site worth regular visits for anyone looking to learn and stay on top of the latest goings on within the industry.
Security expert Schneier is realistic about the dangers posed by putting software in all types of appliances
Schneier, present at the RSA Conference, said that until now everyone had this "special right" to code the world as they saw fit. "My guess is we're going to lose that right because it's too dangerous to give it to a bunch of techies," he added, according to The Register.
His words came after accepting an observation made by Marc Andreessen six years ago that software was eating the world. "As everything turns into a computer, computer security becomes everything security," Schneier said, to give his previous statement some context.
A connected world is great but dangerous
As he likened the Internet to a giant robot, one capable of affecting the physical world just as it affects the virtual one, the threat becomes much more real.
Bruce Schneier on Tuesday called on technologists to get involved with policy, insisting that as the Internet of things continues to unfold, the knowledge security experts have will become more applicable.
Schneier, CTO of IBM Resilient, stressed in a talk here at the RSA Conference that the need has become more pressing in the wake of Mirai; the threats associated with IoT insecurity are more palpable than ever.
"It's one thing for Reddit to be DDoSed, its another thing for your home thermostat to be DDoSed in the winter," Schneier said.
Schneier posted a list of guidelines that have been written for securing the internet of things last week on his blog.
Open source has won, but victory may be fleeting
The Open Source Leadership Summit began on Tuesday amid roads closed by a landslide: held in The Resort at Squaw Creek near Lake Tahoe, California, it was not easily accessible to attendees traveling Highway 80 from the San Francisco Bay Area.
During his opening keynote, Jim Zemlin, executive director of the Linux Foundation, made light of the mudslides that brought traffic to a crawl near Donner Pass on Monday evening. The trip at least was less arduous than it was last year, he said.
Zemlin's remarks amounted to an open-source victory lap.
According to the IT security expert Bruce Schneier, the consequences of unrestricted connectivity in the Internet of Things could be devastating. In the interview, he calls for greater security for the Internet of Things (IoT).
"The era of fun and games is over," said Bruce Schneier at the Telekom Security Congress in Frankfurt in November 2016. The American expert for IoT security and cryptography is Chief Technology Officer (CTO) of IBM Resilient.
As if I haven't said it a million times, IoT security is critical.
But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.
At a November 16 hearing held by the Congress Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, which makes it easier for everyone to understand the criticality of the issue.
After watching it at least three times, I decided to share the main concepts with the readers of TechTalks.
During a House Committee hearing today, Bruce Schneier also asks for the establishment of a new government agency devoted to cybersecurity.
Security experts asked lawmakers for more action, today, during a Congressional hearing on IoT security. On their wishlist: consequences to manufacturers for delivering insecure products, a federally funded independent lab for pre-market cybersecurity testing, and an entirely new federal agency devoted to cybersecurity.
The hearing, "Understanding the Role of Connected Devices in Recent Attacks," was held by the US House Committee on Energy and Commerce, with expert witnesses Dale Drew, senior vice president and chief security officer of Level 3 Communications; Dr. Kevin Fu, CEO of Virta Labs and associate professor of electrical engineering and computer science at the University of Michigan; and Bruce Schneier, fellow of the Berkman Klein Center at Harvard University.
"We are in this sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers," said Dr. Fu. He later added "also there's no benefit if they deploy something with good security."
"The market can't fix this," said Schneier, because "the buyer and seller don't care ...
Computer security experts on Wednesday pressed for comprehensive federal regulations mandating strong security protocols for the Internet of Things, saying it's not a matter of if but when rules are issued for connected devices.
"The Internet of Things affects the world in a directly physical manner—cars, appliances, thermostat, airplanes," said Bruce Schneier, a computer security expert at Harvard University, during testimony at a hearing held by two House Energy and Commerce subcommittees. "There's real risk to life and property. There's real, catastrophic risks."
With the increasing ubiquity and fundamental vulnerability of IoT technology, Schneier said it's a moot point to argue over whether the federal government will eventually regulate the industry.
The hacking of Democratic Party organizations has made internet security germane to the 2016 presidential election campaign. America's intelligence community has accused high-level Russian officials of backing these cyberattacks in an attempt to influence the election result. Such allegations have helped thrust relations between Washington and Moscow to their lowest point in decades.
Meanwhile, the integrity of America's internet infrastructure was tested on Oct. 21, 2016 with a distributed denial of service (DDoS) attack.
One of the most striking paradoxes of our time resides in our smartphones. Our everyday use of these iconic and progressively factotum apparatuses records at various levels every activity we do in space and time, with the unbelievable outcome that, on a mass scale, we're happy about that and willfully give up our intimate privacy to be allowed to continue using them. It's nothing new, but we're still turning our head to what is behind. There are battles going on to conquer the most strategic parts of the big data we produce, in the huge business called "DaaS" (data as a service).
For the writer and cybersecurity and cryptography expert Bruce Schneier, "someone is learning how to take down the Internet," as he titles his latest blog post. The current chief technology officer of Resilient, an IBM company, says that distinctive attacks have been targeting major web players for two years now.
Bruce Schneier is a leading authority on computer security. The author of the legendary book "Applied Cryptography" has run a widely read blog since 2004, on which, this Tuesday, September 13, he published a post with an evocative title: "Someone Is Learning How to Take Down the Internet." As he states, for the past year or two, certain major web companies have been subjected to distinctive, precise, and calibrated attacks whose aim is to test their defenses and work out the best ways to bring them down.
"I can't think of any other issue that moved people so quickly." By security expert Bruce Schneier's estimation, more than 700 million people worldwide changed their behavior on the Internet as a direct result of what Edward Snowden's NSA leak revealed about government surveillance. Even more amazing: they all did it within one year.
What motivated so many private citizens to take action? "They did that because of secrets.
Some people may think the upcoming US presidential election is a Kobayashi Maru, a lose-lose scenario no matter who wins, but which candidate would best deal with a cyberattack that caused people to die?
In an article about how hacking the Internet of Things will result in real world disasters, security guru Bruce Schneier—who is not known for spreading FUD (fear, uncertainty, doubt)—was not talking about hacks against banks or the smart grid that would cause general chaos; oh no, he was describing hacks against devices connected to the internet which would actually result in people dying.
Writing on Motherboard, Schneier suggested:
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
IoT and cyber-physical systems, according to Schneier, have "given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."
Indeed, there are plenty of scary possibilities which range from targeting one person to targeting hundreds of people at the same instant; hacking cars while they are driving down the highway; remotely assassinating a person by hacking their medical device, hacking a plane full of passengers, remotely taking control of weapon systems such as Patriot missile batteries, hacking a water treatment plant and tweaking the chemical mix; the nightmare scenario list of hacks that we all hope never happen goes on and on.
This year's Infosecurity Europe conference had so many great places to be and things to do that it was often hard to choose how best to spend one's limited time and harder still for many to identify a single highlight. For myself personally, however, it had to be the opportunity to hear one of my favourite writers for many years speaking on the keynote stage.
Whilst terms like "security guru" or even "thought leader" are often bandied around and diluted to the point of being meaningless, few of us mere security mortals can reasonably dispute the influence, credibility and respect that Bruce Schneier holds as a writer, technologist, cryptographer and entrepreneur. You know that when he speaks at an event like this, it is not an opportunity you're going to get every day.
Governments have a crucial role to play in tackling what he sees as the next big security challenge, he told Infosecurity Europe 2016 in London.
One of the biggest challenges, according to Schneier, is that there is no good regulatory structure for IoT which connects finance, health, energy and transport information.
"We don't know how to do this, so we are going to need government solutions that are holistic that will deal with IoT devices no matter what they are doing," he said.
Systems "too critical to allow programmers to do as they want"
Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier.
"Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something," Schneier said during a keynote speech at the Infosecurity Europe trade show in London.
The choice is between smart (well-informed) or stupid government regulations with the possibility of non-interference getting taken off the table.
"The Internet of Things (IoT) is our next big security challenge and I think it's the way we are going to be colliding with the real world in interesting ways."
Speaking at Infosecurity Europe 2016 Bruce Schneier said that securing the IoT is a lot about what we already know, and some of what we don't know.
"It's one big inter-connected system of systems with threats, attackers, effects; the IoT is everything we've seen now, just turned up to 11 and in a way we can't turn it off."
As the IoT becomes more connected it also becomes more physical, invading our lives on an unprecedented scale with more real-world consequences when a breach occurs, and it's something that we can't afford to fail to secure, Schneier explained.
"I think this is going to hit a tipping point. We're getting into the world of catastrophic risks as our computers become more physical.
Schneier also sees more government meddling in IoT security as ‘inevitable’
Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will go at odds against attackers who are continually improving their attack methods, with "catastrophic" consequences.
"As we move to the Internet of Things, where things are less patchable and less high-end, we're going to have problems," said Schneier, addressing a keynote audience at InfoSec 2016 in London.
"Right now, how you patch your home router is to throw it away and buy a new one.
But government involvement in IoT policies is inevitable, says security expert
Governments lack the expertise to define security policy when it comes to the rapidly growing Internet of Things (IoT), according to Bruce Schneier, security technologist and a member of the Infosecurity Europe Hall of Fame.
Schneier explained that governments approach topics such as the IoT and cyber security without the technical knowledge to understand the challenges.
"It's surprising how stark the lack of expertise in tech is in these debates," he said at Infosecurity Europe in London.
"Expertise in large correlation data bases, algorithmic decision making, IoT, cloud storage and computing, robotics, autonomous agents; these are all things that the government is going to run headlong into and needs to make decisions about.
Security expert Bruce Schneier discusses security from the perspectives of both the National Security Agency and the National Institution of Standards and Technology.
Since the 1930s at Bletchley Park, there has been a continuous arms race to both improve and break cryptography. The files leaked by National Security Agency (NSA) contractor Edward Snowden made it clear that governments regularly gather data on average citizens, which makes us wonder if privacy is even possible. Do our carefully designed cryptographic systems protect our information as we expect them to, or are they just thin veils that can easily be pierced by the government? I posed these questions to leading security expert Bruce Schneier.
An IT security expert has some dire warnings about our brave new world
Either we start to disconnect our increasingly networked world or we risk daunting social, safety, security and privacy consequences, a leading computer security expert and author has warned.
In an expansive talk directly challenging widely held assumptions about the benefits of computing, networks and the internet, Bruce Schneier told a large audience at this year's RSA Security Conference in San Francisco that we were moving towards a networked world so complex that we would be unable to safely manage it or adequately grapple with inevitable disasters.
Schneier, who is always one of the most popular speakers at the event, which drew nearly 40,000 people this year, pinpoints what he calls vast "socio-technical systems" as the critical issue. He describes these as complex, interconnected social and technical systems.
It's going to get worse before it gets better
Security guru Bruce Schneier is a regular at shows like RSA and his talks are usually standing-room-only affairs.
Schneier has written some of the definitive texts for modern cryptography teaching and his current book, Data and Goliath, examines the perils and solutions to government and corporate surveillance of internet users. The Register sat down with him to talk over the news of the day, and to get an idea of where the security industry is going.
Q: First things first—you're the CTO of Resilient Systems, which IBM is in the process of buying.
Coders and tech bros playing chance with the future
Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference—get smart or face a whole world of trouble.
The level of interconnectedness of the world's technology is increasing daily, he said, and is becoming a world-sized web—which he acknowledged was a horrible term—made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.
"The world-sized web will change everything," he said.
Bruce Schneier chats with SearchSecurity during lunch at RSAC about IBM's plans to acquire Resilient Systems to complete their security offering.
RSA Conference is a place to meet and greet anyone involved in security these days, proved by a chance encounter with Bruce Schneier during lunch on Tuesday in the press room. And few individuals had news as big as Schneier, with the announcement yesterday that IBM would acquire Resilient Systems, the company where he serves as CTO.
"For the company, it's fantastic; they have this whole big security strategy and you can see a big hole where we belong, and they see that," Schneier told SearchSecurity while we waited for lunch to be rolled out.
A new report shows that anti-crypto laws wouldn't change a thing, as criminals would simply look globally
In response to attempts to put restrictions on encryption technology, a new report surveys 546 encryption products in 54 countries outside the United States, out of 865 hardware and software products total.
The report demonstrates that encryption technology is very international in nature and that it is impossible for local regulations to have any effect on it, said Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard University,
"The cat is out of the bag," he said. "It is an international world. All the research is international and has been for decades.
Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.
If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.
Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.
"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society.
In recent months, the FBI has been pushing for stronger US restrictions on encryption — but a new report from Harvard's Berkman Center suggests such laws reach only a small portion of the relevant products. Taking a census of 865 different encryption products from around the world, the report finds that roughly two-thirds are produced and distributed overseas, outside the jurisdiction of US law. Germany was the biggest source of non-US crypto, with 112 separate products either for sale or available free. Just over a third of the foreign products make their code available as open source.
Just today, security technologist and author Bruce Schneier, along with Kathleen Seidel and Saranya Vijayakumar, unveiled a new international survey of encryption products compiled as part of his fellowship at the Berkman Center for Internet and Society at Harvard University. The survey found a total of 865 hardware or software products incorporating encryption from 55 different countries, 546 (around two-thirds) of which were from outside the US. The products included voice encryption, file encryption, email encryption, and text message encryption products, as well as 61 VPNs.
The worldwide survey shows that encryption products are widely available internationally, indicating that any US restrictions on unbreakable crypto are far less likely to thwart terrorists and criminals (who can switch to more secure foreign alternatives) as much as they will negatively impact US companies' bottom line and the safety and security of everyday internet users who typically don't spend a lot of time worrying about encryption.
Like playing a frustrating game of whack-a-mole
In 1999, when a fierce crypto war was raging between governments and developers, researchers undertook a global survey of available encryption products.
Now security guru Bruce Schneier and other experts have repeated the exercise, and it spells bad news for those demanding backdoors in today's cryptography.
The latest study analyzed 865 hardware and software products incorporating encryption from 55 countries, with a third of them coming from the US. That's up from 805 in 35 countries in 1999.
If the US government tries to strong-arm American companies into ending the sale of products or applications with unbreakable encryption, the technology won't disappear, a group of researchers conclude in a new report. It would still be widely available elsewhere.
Some US law enforcement officials argue that unbreakable encryption is interfering with legal surveillance of suspected criminals and terrorists. And some members of Congress are pushing for a nationwide requirement that encryption allow for law-enforcement access.
An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.
The report, prepared by researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials.
Findings point to negative impact on US Companies and Internet users
A newly completed international survey of encryption products found 546 different products from 54 different countries outside the US. This survey was headed by Bruce Schneier, as part of his Fellowship at the Berkman Center for Internet and Society at Harvard University.
The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access.
Networked technology increasingly touches all aspects of our lives. When essential systems are connected to a networked environment, it becomes important to make sure that they're protected from attack. We continue improving the mathematics and algorithms used to secure these systems, but attackers tend to exploit weaknesses in how the mathematics and technologies are used.
As effective security becomes more vital, many computer science students are becoming interested in making security part of their education.
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World: Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama, his administration, and the NSA for their wholesale spying on innocent Americans and violations of myriad laws and the Constitution. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers.
A major cyberattack next year will target a U.S. election, security expert Bruce Schneier predicts.
The attack won't hit the voting system and may not involve the presidential election, but the temptation for hackers is too great, even in state and local races, said Schneier, a computer security pioneer and longtime commentator.
"There are going to be hacks that affect politics in the United States," Schneier said.
Bruce Schneier was honored as the Business Leader in Cybersecurity by the Boston Global Forum, for dedicating his career to the betterment of technology security and privacy.
Mr. Schneier attended and sent his acceptance speech remotely via online conference.
Data and Goliath
by Bruce Schneier
W. W. Norton & Company
From the moment you wake up, you start generating data. Your phone tracks your movements. Your purchases signal whether you’re sick or pregnant or going on vacation.
Bruce Schneier is a man worth listening to. In 1993, just as the Internet was gaining speed, he wrote one of the earliest books on applying cryptography to network communications, and has since become a well-known security specialist and author of about a dozen books on Internet security and related matters. So when someone like Schneier says we're in big trouble and we need to do something fast to keep it from getting worse, we should at least pay attention.
The trouble is mass surveillance.
For some odd reason, data privacy maven Bruce Schneier is an optimist. It's odd because, according to Schneier, there's practically no such thing as data privacy. Just about everything we do these days is under some form of electronic surveillance, with governments and corporations eager to record and analyze our every action.
But when Schneier holds forth on Friday at Harvard University, as part of the ongoing HUBweek festivities, he'll reassure his listeners that the cause is not lost, that our online privacy will someday be ensured.
If the subject is security, chances are Bruce Schneier has an opinion on it, and that opinion has been published somewhere—on his blog, in the New York Times, on the BBC, in the Guardian, in Wired, in one of his 13 books. You get the point. On security, Schneier is among the most well-known and most prolific authorities in the world. Since coming to prominence in the mid-90s through his writings on cryptography, he has testified on the floor of Congress, served on several government committees, coined the term 'security theater' in the wake of 9/11, and hooked a global following of some quarter-million readers through his website and newsletter alone.
Data and Goliath is a fascinating exploration of this post-Snowden world we live in. It shows how the back-doors that technology companies were forced to implement for the NSA, have actually become weapons for other agencies and hackers to use. We're taken through the murky world of international espionage, and shown how we have all become collateral damage in this digital arms race. Schneier also explains that even when we try to protect ourselves by leaving Facebook or Gmail, the fact that our friends and relatives still use them means we're caught up in this global informational dragnet.
The attack on Sony Pictures over the film The Interview was perpetrated by North Korea, according to security expert Bruce Schneier.
The former chief technology officer of BT Managed Security Solutions, now CTO at Resilient Systems, had expressed scepticism at the time of the attack that the secretive dictatorship had been behind the attack, motivated by the theme of the film: two hapless American agents who were supposed to assassinate the country's leader, Kim Jong-un.
But in a video keynote speech at LinuxCon 2015, Schneier claimed that he had changed his mind. "Many of us, including myself, were skeptical for several months.
Security expert says we're in a cyberwar arms race, and with the Sony attack, North Korea has already taken the first shot at the United States.
LinuxCon is about Linux, cloud, and containers, but it's also about security. In the past year, programmers have been reminded that merely being "open-source" doesn't mean that your code is safe. Assuming you're secure is a mistake. Because, as security maven Bruce Schneier explained to the LinuxCon audience via Google Hangouts, we're in a cyber-arms race.
Security guru Bruce Schneier says there's a kind of cold war now being waged in cyberspace, only the trouble is we don't always know who we're waging it against.
Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security landscape is becoming increasingly complex and dangerous.
"We know, on the internet today, that attackers have the advantage," Schneier said. "A sufficiently funded, skilled, motivated adversary will get in.
In Data and Goliath, Bruce Schneier, a security technologist and fellow at Harvard Law School, explores what it means to have entered the age of mass surveillance. Our data are collected in the first instance by private corporations, but are increasingly exploited, as Edward Snowden has shown, by government intelligence agencies. The NSA didn't have to build from scratch a vast database on billions of innocent citizens the world over, Schneier explains, because private corporations had already done so. All the NSA needed was access.
"I like to measure the performance of the team," said Bruce Schneier (@schneierblog), CTO of Resilient Systems, Inc., in our conversation at the 2015 Black Hat Conference in Las Vegas. "I like to see metrics about people, about process, about technology. There isn't one metric that works since it's such a complicated and moving target... Right now companies have to use the data that they have to figure out if their teams are effective."
Schneier feels that certain metrics, such as blocked attacks, don't really provide a gauge of how secure you are.
The American security guru fears that the diffusion of the software could be used by criminal groups
This interview also appeared in Italian.
You wrote in your blog: "I don't think the company is going to survive". However, at least in Italy and in the US Hacking Team has powerful sponsors... Will they survive?
«It remains to be seen. We know from the leaked documents that they have sold their products to the most repressive governments in the world...and overcharged them whenever possible.
Cyberattacks are getting more frequent, sophisticated and successful. Can organizations adapt security choices to cope better?
Nobody would disagree that IT security is necessary.
At minimum, it's needed to satisfy relevant government and industry compliance regulations, along with your insurance company, investors, suppliers, customers and other business partners. At most, it also protects your data and systems from much-dreaded cyberattacks.
The hard part lies in the details.
Bruce Schneier has been writing about security issues on his blog, Schneier on Security, since 2004, and in a monthly newsletter since 1998. He writes books, articles, and academic papers. Currently, he is the Chief Technology Officer of Resilient Systems, a fellow at Harvard's Berkman Center, and a board member of the Electronic Frontier Foundation.
What do you see as the greatest cyber risks today?
I don't like ranking risks, and I worry that concentrating on the 'greatest' risk obscures all of the other risks. Basically, the big cyber risks are what everyone is talking about.
iPhone and mobile banking can feel like setting foot in the jungle: You don't know what's in there, but you suspect a lot of it's not good. We hear a lot of terms thrown around when it comes to iPhone banking security: 128 bit encryption, two factor authentication, security dongles—and a lot of scary anecdotes about millions of credit card account numbers being stolen from this or that company. Getting to the bottom of whether iPhone banking is safe can be confusing at best. So is iPhone banking safe?
Corporate and government IT teams have been rushing to prevent the kind of large-scale cyberattack experienced recently by Sony Pictures, Blue Cross, Anthem, Target, Home Depot and the U.S. Department of the Interior, among others. In each of these cases, hackers from locations around the globe were able to gain access to computer networks housing sensitive information, accounts, and personal data, such as the social security and credit card numbers of consumers and employees. The consequences of such security breaches can be devastating.
A highly respected cryptographer and security expert is warning that David Cameron's proposed ban on strong encryption threatens to "destroy the internet."
Last week, the British Prime Minister told Parliament that he wants to "ensure that terrorists do not have a safe space in which to communicate."
Strong encryption refers to the act of scrambling data in such a way that it cannot be understood by anyone without the correct key or password — even law enforcement with a warrant, or the software manufacturer itself. It's used in some of the most popular tech products in the world, including the iPhone, WhatsApp messenger, and Facebook.
But amid heightened terror fears, Cameron says "we must look at all the new media being produced and ensure that, in every case, we are able, in extremis and on the signature of a warrant, to get to the bottom of what is going on."
The Prime Minister first indicated that he would try and clamp down on secure communications that could not be decrypted by law enforcement even with a warrant back in January, in the aftermath of the Charlie Hebdo shootings in Paris. His comments sparked an immediate flurry of condemnation from privacy and security activists, but his recent statements show he's not backing down.
Bruce Schneier has been called a "security guru" by the Economist. He has written 13 books and hundreds of articles, and his influential newsletter Crypto-Gram and his blog Schneier on Security have over 250,000 readers. He has testified before the U.S. Congress, is a frequent guest on television and radio, and has served on several U.S.
I'm interested how we choose the books we read. Here is my request to you. Please keep track of, and share with our IHE community, how you select your books.
For one of the recent books that I read I can definitely share my book selection process.
This interview originally appeared in French on VICE France.
Today's terrorist attack in the Rhône-Alpes region of France, involving the decapitation of a man, has been met with widespread horror and condemnation. So have those in Tunisia, killing 28, and another in Kuwait killing 25. These horrific events are sure to fuel discussion about how to stop this kind of atrocity happening again.
Following January's Charlie Hebdo attacks in Paris, the French government decided to expedite a new surveillance law.
Imagine this: It's the morning of Election Day, 2020. Americans across the country cast secure, encrypted votes from their smartphones and laptops, electronically choosing their president for the first time in history. Turnout reaches record highs. Live results online show that it's a close race between the two leading candidates.
Schneier, a fellow at Harvard’s Berkman Center for Internet and Society, has written an exceptionally readable yet thoroughly chilling book about the dangers of the ubiquitous mass surveillance we face thanks to modern life. While the author focuses on the United States, the rest of the world is largely capable of nearly the same levels of surveillance thanks to the openness of the Internet and the availability of cell phones. Schneier describes the types of data being collected about us, stemming from our interactions, activities, purchases, and where we go. As he competently explains, this “metadata” provides those collecting it with the entire framework of our existence: who we converse with and the duration of the conversation, the things we read (especially electronically), and what we buy.
With so much going on in the enterprise security space, it can be hard to keep up with the flow of information and to know where to turn for actionable advice. This list of security experts, selected by eSecurityPlanet, is a good place to start.
All are active bloggers and even more active as Twitter users. These thought leaders have a variety of backgrounds, numerous years of experience and unique viewpoints.
Bruce Schneier is an internationally renowned security technologist and the author of 13 books—including 'Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World'—as well as hundreds of articles, essays, and academic papers. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Chief Technology Officer at Resilient Systems, Inc. You can follow him on Twitter @schneierblog
Christy Quinn: As of Tuesday, President Obama has just signed the USA Freedom Act into law, banning the NSA's bulk collection of telephony metadata. Do you think this marks the acceptance amongst security officials and policymakers in the US that there need to be limits to metadata collection?
Bruce Schneier: It's certainly a watershed moment, because it's the first time the US government has placed limitations on the NSA's metadata collection. The limitations are minimal, and won't have much actual effect on the surveillance of Americans by the NSA.
Schneier: Sony hack "high skill, high focused"
We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday.
Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran's attack on Saudi Aramco, China's apparent role in hacking GitHub, and the North Korean assault on Sony Pictures last year are all examples of the phenomenon.
"These nations are building up for cyber war and now we're all in the blast radius," he warned, while speaking in London.
Most of these attacks — including Stuxnet and the assault on GitHub — inflict collateral damage, Schneier told El Reg, adding that cyber attacks are likely to become a mainstream aspect of many conflicts.
Countries are not attacking each other but striking at the IT infrastructure of enterprises in rival states, says security pundit Bruce Schneier
Cyber attacks—such as that on Sony Pictures in 2014—suggest the world is in the early stages of a cyber war arms race.
So said Bruce Schneier, chief technology officer of Resilient Systems: "We are in the early years of a cyber war arms race.
"There is a lot of nation state rhetoric, and we are seeing a lot of nation state attacks against non nation states," he told Infosecurity Europe 2015 in London.
Schneier cited North Korea's attack on Sony Pictures, China's attack on GitHub and Iran's attack on Saudi Aramco as examples.
Over the past two decades, few voices have shouted louder from the rooftops about global cybersecurity and digital privacy concerns than Bruce Schneier. He's the CTO of Resilient Systems, a board member of the Electronic Frontier Foundation (EFF) and has authored 14 books—his latest, Data and Goliath, was published in March.
As Facebook and Google have infiltrated our every waking moment, Schneier warns that these data giants, if left unchecked, could compromise the very principles of a democratic society. Web companies collect metrics like age, gender and social interests (to serve up better advertisements), while cellular networks track everyone's geolocation with homing devices we call smartphones.
Paul Bernal clicks with a maverick thinker who shows how business and governments are building a global surveillance network and how we can fight back
Investigating surveillance—whether corporate or governmental—can be a demoralising process. Those performing that surveillance, from the US' National Security Agency and the UK's Government Communications Headquarters (GCHQ) to Google and Facebook, are giants so overwhelmingly powerful that it seems too daunting to even contemplate taking them on. Their agendas may be even more terrifying: as Bruce Schneier observes, "The endgame of this isn't pretty: it's a global surveillance network where all countries collude to surveil everyone on the entire planet." What's more, he adds, the governments and the corporations are both in the same game: "It's a powerful feedback loop: the business model supports the government effort, and the government effort justifies the business model."
And yet, as the title of this book suggests, these giants are not invincible. Goliath was brought down to size—and here, Schneier attempts to set out how the new Goliaths might suffer a similar fate.
This book has been difficult to review. It has proved tricky not because I didn't enjoy the book or because it was boring or badly written, but because it was so pertinent. Every time I went to write about it, a news story would emerge referencing the subject and I would find that my opinions of the news were influenced by the book and my opinions of the book were influenced by the news. This is an important topic and everyone should make up their own minds based on a decent knowledge and understanding of the issues.
Privacy is becoming an antiquated concept. In “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World” (ISBN: 9780393244816), security expert Bruce Schneier leads you through a labyrinth of surveillance that should scare the hell out of you.
Welcome to the NSA! We want to thank you for helping us with our collection of data about your work and personal habits. By using the computer, phone, public transportation, private vehicle, credit cards, library, banking systems, online shopping, or retail shopping, you are contributing to our data files.
DATA AND GOLIATH. By Bruce Schneier. Norton. 365 pages. $27.95.
Think of some of the ways the Enlightenment helped advance the human individual. The ability to shape your identity. The ability to own and control your stuff. Economic autonomy.
Cybersecurity is becoming increasingly challenging as identifying attackers by their weaponry is difficult due to their invisible nature, wherein attacks can be launched by a group of hacktivists or sponsored by a nation, according to an expert.
Bruce Schneier, a leading voice on cybersecurity, said a majority of organisations and individuals use the same run-of-the-mill 'warlike weaponry' at a time when the attackers are largely unknown, cybercrime is becoming more difficult to combat.
While the IT security industry knows how to deal with high volume, low-focus attacks, security professionals must be resilient and ensure better management of incident responses in order for organisations to thrive even in the face of a cyberattack, he said.
During his keynote presentation at the third Gulf Information Security Expo and Conference (Gisec) held in Dubai recently, Schneier explained that organisations must create crisis management strategies that would allow them to respond quickly and effectively, while those responsible for the attacks are still being identified.
I finally got around to finishing Bruce Schneier's latest bestseller: Data and Goliath. I've read a few of Bruce's books over the years (and own most of the rest, waiting patiently to be read). I've watched Bruce on many TV news segments, lectures, interviews, and web videos. I follow his blog and Twitter posts.
"As a business or as an individual you have to make a choice. Should I do this thing—whatever it is—on my computer and on my network or on a cloud computer on a cloud network," asked Bruce Schneier (@schneierblog), CTO of Resilient Systems, Inc., in our conversation at the 2015 RSA Conference in San Francisco.
Whatever you choose, you're going to be making a trade-off. Schneier recommends you first look at who your adversaries are.
Catastrophic issues in security can occur, but there are ways to recover.
Speaking at RSA Conference in San Francisco, Bruce Schneier, CTO of Resilient Systems, highlighted the Sony Pictures attack as being an interesting case as it brings catastrophic risk uses to the fore, and not catastrophic as in a life ending sense, but in company terms.
He highlighted seven ways in which a catastrophic incident could be dealt with. Firstly, he recommended keeping it internal to "encapsulate the catastrophic risk", secondly consider that attackers on two axes of skills and focus and with someone who is low skilled but has a high focus would use a basic APT, but in the case of Sony this was low skills and low targets.
After spending a lot of time thinking about the massive breach of Sony, security luminary Bruce Schneier came to a scary – but not really surprising – conclusion.
"The lesson is that we are all vulnerable. North Korea could have done it to anyone," said Schneier during a packed session at the RSA conference in San Francisco.
While the IT security industry knows how to deal with high volume, low-focus attacks, Schneier said, security professionals have trouble handling highly skilled and focused attackers, commonly referred to as advanced persistent threats (APTs).
Who are you, and what do you do?
Security expert Bruce Schneier has looked at and written about difficulties the Internet of Things presents - such as the fact that the "things" are by and large insecure and enable unwanted surveillance—and concludes that it's a problem that's going to get worse before it gets better.
After a recent briefing with him at Resilient Systems headquarters in Cambridge, Mass., where he is CTO, he answered a few questions about the IoT and what corporate security executives ought to be doing about it right now. Here's a transcript of the exchange.
What should enterprises worry about when it comes to the Internet of things?
The Internet birthed unprecedented freedom of communication, interconnecting individuals from every corner of the globe and every walk of life. This free flow of information has the potential to establish a world of truly free and equal citizens, yet many politicians want to turn this technology inside out and use the Internet as a universal surveillance mechanism. This path would roll back centuries of civil rights and revive feudalism on a global scale. Sadly, this rush to oppression isn't restricted to some backwater dictator massaging his own ego.
Bruce Schneier is a world-renowned cryptographer, computer security and privacy specialist, and author of numerous books on security. So when he speaks, TechMan tends to listen.
In his latest book, “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World,” his point is well worth taking note of: Surveillance and data collections are a trade-off between individual value and group value. You give Google personal information in return for free search, free email, free maps and all the other free things Google provides.
"Over the past twenty years," complained Newsweek, the United States has become "one of the snoopiest and most data-conscious nations in the history of the world." Part of the problem is that "the average American trails data behind him like spoor through the length of his life." Another part of the problem is that the government and private firms "have been chasing down, storing, and putting to use every scrap of information they can find." These "vast reservoirs of personal information" are "poured into huge computers" and "swapped with mountains of other data from other sources" with "miraculous speed and capacity." As a result of these forces, "Americans have begun to surrender both the sense and the reality of their own right to privacy—and their reaction to their loss has been slow and piecemeal."
The Newsweek article—published in 1970, and entitled The Assault on Privacy—nicely captures the thesis of Bruce Schneier's new book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. That doesn't mean that Schneier's book isn't valuable—it is. It just means that there is something to be learned about Schneier's argument from the fact that it was made 45 years ago. (Disclosure: I gave Schneier comments on a draft of his book and he and I are teaching a class together on Internet power and governance.)
Data and Goliath is an informed, well-written, accessible, and opinionated critique of "ubiquitous mass surveillance" by governments and corporations—how it happens, its costs, and what to do about it.
A computer-security expert weighs up the costs and benefits of collecting masses of personal data
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. By Bruce Schneier. W.W. Norton; 383 pages; $27.95 and £17.99.
SOCIETY has more digital information than ever and can do new things with it. Google can identify flu outbreaks using search queries; America's National Security Agency (NSA) aspires to do the same to find terrorists.
Mass surveillance by governments and corporations is comparable to child labor or environmental pollution. That is the largely persuasive claim of security expert Bruce Schneier in his new book "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World." Resistance is not futile, Schneier thinks, although it will be tricky to fight overreaching securocrats and snooping online advertisers without giving up at least some of the genuine advantages of Big Data.
Much of the problem lies in excessive expectations about what mass surveillance can achieve, writes Schneier, who is chief technology officer at security firm Resilient Systems and a fellow at Harvard Law School's Berkman Center for Internet and Society. It might seem that the combination of huge amounts of collected data and sophisticated data-mining could have prevented the 9/11 attacks or the Boston Marathon bombing.
A couple of weeks ago, I mentioned that I was reading Bruce Schneier's new book, Data and Goliath, just published by Norton. The subtitle (which, as is the custom these days, is more or less an elevator pitch for the book) provides a hint of what's inside: The Hidden Battles to Collect Your Data and Control Your World. What's missing from this descriptive subtitle is the best part: And Here's How We Can Fix It. Because unlike a lot of books that focus on big scary issues, this one has lots of concrete recommendations and encouragement to think that we can actually make change happen.
This is, above all, a refreshingly rational book. The subject matter is frightening, but Schneier doesn't use our anxiety to dramatize the importance of his subject or to threaten us with doom if we fail to take his advice.
Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. By Bruce Schneier. Norton; 384 pages; ISBN 978-0-393-24481-6; $27.95
We did not exactly know the trade-offs we would be making in 2015 when we first began using email or got our first mobile phones. If anyone had asked 15 years ago whether we wanted a device that enabled governments and corporations to monitor our whereabouts and access the details of our personal, business, and social lives at all times, it's pretty clear that almost everyone would have said 'no'.
Similarly, few of us would have argued for developing technology to give governments the ability to spy on all aspects of the lives of billions of people. That we have arrived here is a matter of billions of individual choices, made one by one in the interests of convenience and functionality.
From spyware designed to catch students misbehaving to police tracking rioters by phone, we are spied on as never before, reveals a book by Bruce Schneier
"DEAR subscriber, you have been registered as a participant in a mass disturbance." This text was sent by the Ukrainian government last year to everyone with a cellphone known to have been near a protest in the capital, Kiev.
Just what you'd expect from an ex-Soviet country? Not so fast. In the US and Europe, police are also seeking information on phones linked to specific places and times—and always without a warrant.
As author of a dozen books plus hundreds of shorter works on security and privacy, security technologist Bruce Schneier, Chief Technology Officer of Resilient Systems, is one of the better known—and frequently quoted—experts in these areas. His "Schneier on Security" blog and Crypto-Gram monthly newsletter are read by an estimated quarter-million people. You can follow him on Twitter @schneierblog.
Schneier's most recent book—a New York Times bestseller—is "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World", which, Schneier said in his blog, "is a book about surveillance, both government and corporate.
If you'd asked me a year ago, 'do you worry about government surveillance?', I would have said no. But today, my answer would be an emphatic YES.
The scary part is that, like most Canadians, I hadn't worried about that kind of surveillance until the current debate around C-51. (If you don't know what that is, check it out here.) This terrifying bill would, among many other things, make it illegal to talk positively of terrorism on the internet.
Bruce Schneier has built a career explaining the principles of security in plain English, helping the uninitiated to think clearly and critically about managing risk, and exposing the nonsense peddled by government spokesmen and high-tech hucksters. He is at once a great popularizer and a great debunker.
Schneier's new book, Data and Goliath, examines the prevalence, mechanisms, uses, and dangers of mass surveillance.
This book scared the hell out of me.
"The surveillance society snuck up on us," says Bruce Schneier in Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World. It's a thought-provoking, absorbing, and comprehensive guide to our new big data world. Most important, it's a call for a serious discussion and urgent action to stop the harms caused by the mass collection and mining of data by governments and corporations. To paraphrase Schneier's position on anonymity—we either need to develop more robust techniques for preserving our freedom, or give up on the idea entirely.
During the Cold War, communist East Germany was perhaps the most spied-upon nation on earth, with one secret police informant for every 66 citizens.
Those were the good old days. In 21st-century America, we've got more informants than citizens, all of them digital. Our phones and computers incessantly rat us out, broadcasting our interests, friendships, and locations to governments and corporations alike, according to renowned cryptographer and Internet privacy advocate Bruce Schneier in his new book, "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."
Nobody planned it this way; hyper-surveillance just happened.
Your cellphone emits a signal that tags your location every minute of every day. Your Google search log records your private anxieties and interests. Your text messages and social media accounts capture every detail of your social life. Your store purchases produce records of your spending habits.
The more things change the more they stay the same, goes an old saying. That certainly seems to be true in IT security.
Despite decades of experience, almost every day there's another story about a data breach, software vulnerability or new malware discovered.
So perhaps it's no surprise that the 15th anniversary edition of veteran security expert Bruce Schneier's book Secrets and Lies: Digital Security in a Networked World begins with a foreword that admits how little things have changed since the book first came out in 2000.
Cybersecurity guru Bruce Schneier to reveal lessons learned from the Sony hack scandal at the Gulf Information Security Expo and Conference (GISEC)
Cybercriminal attacks around the world will continue to rise as long as personal data provides the ability to commit fraud, and intellectual property is worth stealing, leaving both individuals and organisations vulnerable to harmful computer and network intrusions.
According to cybersecurity guru Bruce Schneier, one of the keynote speakers at Gulf Information Security Expo and Conference (GISEC), a cyberattack is much easier to implement than it is to install impenetrable cyberdefences.
The 3rd edition of GISEC, the region's leading I.T. security platform, will take place from 26-28 April 2015 at Dubai World Trade Centre.
"Even the East Germans couldn't follow everybody all the time," Bruce Schneier writes. "Now it's easy."
This may sound hyperbolic, but Schneier's lucid and compelling Data and Goliath is free of the hysteria that often accompanies discussions about surveillance. Yes, our current location, purchases, reading history, driving speed and Internet use are being tracked and recorded. But Schneier's book, which focuses mainly on the United States, is not a rant against the usual bad guys such as the U.S.
Are privacy and security really opposites? Bruce Schneier is one of the best-known experts on encryption. He calls for the NSA intelligence agency to be broken up.
To make Bruce Schneier forget his calm manner for a brief moment, it is enough to argue like the head of the FBI, the US federal police force that has turned into a domestic intelligence service. Something like this: Are law enforcement agencies right when they warn that they will soon be groping in the dark because criminals are increasingly retreating into the digital realm?
MARK COLVIN: The ALP has agreed to support an amended version of the Government's bill to force Internet Service Providers to keep their customers' data for two years.
It'll let government agencies see what we've all been doing on the phone or online.
Bipartisan support means the bill is likely to pass.
The bodies expected to get access range from various police and customs agencies to the Competition watchdog, the ACCC.
In Data and Goliath, one of the world's foremost security experts piles on the evidence that privacy is dead -- and proposes a detailed plan to restore it
You can't help but get a little depressed as you read Bruce Schneier's latest book, "Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World." It confirms over and over how all our supposed guaranteed personal privacy, digital or otherwise, is nothing but a façade. Here are some examples from the book:
- It doesn't take much metadata to specifically identify and track anyone.
- "We kill people based on metadata."—General Michael Hayden, former director of the NSA and the CIA
- The U.S. Post Office photographs (and keeps) the exterior back and front of every piece of mail sent in the United States, and this data is available to other agencies.
- "... man who complained to a Target store that had sent baby-related coupons to his teenage daughter, only to find out later that Target was correct."
- In 2011, a man forced Facebook to turn over all data it had on him.
A mature democracy needs to carefully balance individual privacy, national security and business efficiency.
New technologies are always a mixed blessing, their potential for good carrying with it the risk of evil. The deep challenge for a democracy is to develop legal rules, social practices and institutional arrangements that, at some reasonable cost, separate good from bad behavior. The exponential improvement in computation and communication technologies over the past few decades has posed this challenge in an acute form. Both large bureaucracies and determined individuals can now collect and organize huge amounts of information—and all of it, in one sense or another, is about all of us.
Book Review of Data and Goliath by Bruce Schneier
There is a certain predictability to media and technology finance. Any company looking for money is inevitably characterized as similar to whatever has recently garnered the highest valuations.
For instance, when all of the software as a service (referred to in tech jargon as SaaS) companies traded in the public markets at 10 times revenue, other businesses looked desperately for something in their operations that could be tied, however tenuously, to SaaS.
The trouble with this approach is that bubbles tend to burst, as the SaaS one did last year.
Part 2 of our discussion with Bruce Schneier about the golden age of surveillance and his new book, "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World."
AMY GOODMAN: This is Democracy Now!, democracynow.org, The War and Peace Report. I'm Amy Goodman, with Juan González. Our guest is Bruce Schneier. He is a leading security technologist.
Leading security and privacy researcher Bruce Schneier talks about the golden age of surveillance and his new book, "Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World." The book chronicles how governments and corporations have built an unprecedented surveillance state. While the leaks of Edward Snowden have shed light on the National Security Agency's surveillance practices, less attention has been paid to other forms of everyday surveillance—license plate readers, facial recognition software, GPS tracking, cellphone metadata and data mining.
JUAN GONZÁLEZ: We turn now to look at what our next guest calls the "golden age of surveillance." The leading security and privacy researcher Bruce Schneier is out with a new book, Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. The book chronicles how governments and corporations have built an unprecedented surveillance state.
Bruce Schneier did a one-hour open question and answer session on Gizmodo.
Within a remarkably short period of time—less than two decades—all of us have become immersed in a sea of electronic data collection. Our purchases, communications, Internet searches, and even our movements all generate collectible traces that can be recorded, packaged, and sold or exploited.
Before we have had a chance to collectively think about what this phenomenal growth in data production and collection means, and to decide what to do about it, it threatens to become an irreversible feature of our lives.
In his new book Data and Goliath: The Hidden Battles to Capture Your Data and Control Your World (Norton, 2015), author and security technologist Bruce Schneier aims to forestall that outcome, and to help recover the possibility of personal privacy before it is lost or forgotten.
EMMA ALBERICI, PRESENTER: One of the world's leading experts in online security is Bruce Schneier. He's a fellow at Harvard University's Berkman Center for Internet and Society. His latest book, 'Data and Goliath', is about how governments and corporations are using and controlling our data.
I spoke to Bruce Schneier from Minneapolis.
In Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, author Bruce Schneier could have justifiably written an angry diatribe full of vitriol against President Obama, his administration, and the NSA for their wholesale spying on innocent Americans and violations of myriad laws and the Constitution. Instead, he has written a thoroughly convincing and brilliant book about big data, mass surveillance and the ensuing privacy dangers facing everyone.
A comment like what's the big deal? often indicates a naiveté about a serious significant underlying issue. The idea that if you have nothing to hide you have nothing to fear is a dangerously narrow concept on the value of privacy.
A Way Forward: Bruce Schneier’s Data and Goliath Explains Where Our Privacy is Now, and How We Fix It
EFF is honored to have renowned security technologist Bruce Schneier as a member of our board and a collaborator for nearly 20 years. But even if we'd never met him, we'd still be incredibly excited about the release of his new book, Data and Goliath.
Schneier has been providing detailed analyses of cryptography, big data, NSA leaks, security flaws, and more for decades (when he's not terrifying NSA Director Mike Rogers with deceptively simple questions about security). What's exceptional about his writing and his is that he manages to be well-researched, in-depth, and accurate while remaining accessible to non-technical readers.
Bruce Schneier's 'Data and Goliath' a lucid overview of how corporate and governmental surveillance works
On a recent trip overseas, I brushed up against these overlapping systems of control. In the international airport in Ho Chi Minh City, Vietnam, I saw devices set up that automatically took temperature readings of arriving passengers (the Ebola scare was ongoing). When I returned from my trip and entered customs at John F. Kennedy International Airport, security officers divided us into lines based on national background. I swiped my passport at a kiosk, received some sort of receipt, and was made to wait again.
Bruce has just published Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World, a book that will interest many Lawfare readers. Data and Goliath is a deeply informed and accessibly written analysis of mass surveillance by firms and the government. Part One is a terrific tutorial on big data and data mining, in the public and private sectors (and the two sectors in conjunction). Part Two explains the many reasons Bruce thinks we should worry about big data and data mining.
Stop feeling guilty about skimming the Terms of Service. Get mad instead.
Reading this right now?
Congratulations. You're winning.
Yes, all of the usual corporate and government entities know you're here.
Bruce Schneier's Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Book Review)
No one explains security, privacy, crypto and safety better than Bruce Schneier, and while he's been talking about this subject for decades, it's never been more relevant, as his new guide to the post-Snowden world Data and Goliath demonstrates.
It's been nearly two years since the Snowden revelations, and we're nowhere near figuring out what to make of his revelations, but now there's a book that collects all the most significant facts, implications and insights from the debates and packages them in a way that is accessible, smart, and important.
Since the first Snowden leaks, we've been buffeted by new revelations that made it hard -- even impossible -- to understand exactly what kind of spying was taking place, under whose oversight, and what effect it was having. Schneier starts with the nature of data and surveillance in the Internet age, the way that data use and abuse can empower us or harm us (both individually or as a society), patiently steps through a condensed (but still representative) account of the leaks, and then combines all this in a powerful argument that out-of-control, unaccountable, mass-scale surveillance has harmed us, and presents an existential threat to a good, safe and just society.
The world is not becoming less computerized, after all.
A new book by security expert Bruce Schneier is raising serious questions about the state of privacy in the big data age, and whether giving corporations and government access to the most intimate details of our lives in exchange for convenience and security is a tradeoff we should be making.
Since 9/11, Schneier has been an outspoken critic of the government's sometimes ham-handed approach to security. Take the airport security checkpoints, for example. Is the economic loss from asking everybody to wait in line and take off their belts and shoes (more than $10 billion per year in 2004 dollars) or the added deaths from people deciding to drive instead of fly (500 per year) worth the marginal increase in security we get from the checkpoints?
In my Open Forum article, “Privacy and Social Media,” February 2015, I mentioned Bruce Schneier's new book, Data and Goliath (W.W.Norton & Company). For those concerned with the arrival of the surveillance state, this is a must-read book, and one of the best assessments of our current state of affairs. Schneier delves into all of the areas that I find most disconcerting, including our general loss of privacy and anonymity and the omnipresence of corporate and government Big Brother in nearly all facets of our lives. Are we really surprised that most social media, online search engines, and other corporations are selling our data, while others are aggregating that data (think big data and analytics), disabling our ability to remain anonymous?
Security technologist, commentator, and popular author Schneier was one of the first to analyze the documentation of NSA surveillance practices leaked by Edward Snowden. What he discovered fueled his mission to zap our complacency regarding “ubiquitous mass surveillance.” In this mind-blowing exposé, backed by 130 pages of revelatory notes, Schneier reveals exactly how all the information generated by our smartphones and computers regarding our exact location, communications, financial and medical transactions, everything we read in digital form, and every Google search is captured, stored, and traded. He elucidates the difference between data and metadata (an email’s content is data; all records pertaining to the sender, recipient, and routing are metadata), and explains how metadata is used to track our activities, interests, and concerns. With meticulously researched details and high-velocity prose, he outs the federal government’s intrusive “data mining,” the immensely profitable big-data industry, and the hidden collusion between them.
In the field of cryptography, a secretly planted "backdoor" that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn't mean cryptographers don't appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others—in stealth, deniability, and even in protecting the victims' privacy from spies other than the backdoor's creator.
In a paper titled "Surreptitiously Weakening Cryptographic Systems," well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy's view to the problem of crypto design: What kind of built-in backdoor surveillance works best?
Neither Borgman nor Lohr truly grapples with the immensity of the big-data story. At its core, big data is not primarily a business or research revolution, but a social one. In the past decade, we have allowed machines to act as intermediaries in almost every aspect of our existence. When we communicate with friends, entertain ourselves, drive, exercise, go to the doctor, read a book—a computer transmitting data is there.
A jeremiad suggesting our addiction to data may have made privacy obsolete.
Prolific technological writer Schneier (Fellow/Berkman Center for Internet and Society, Harvard Law School; Carry On: Sound Advice from Schneier on Security, 2013, etc.) clearly examines how technology has transformed every interaction, noting how our intimate communications are now "saved in ways we have no control over." He suggests that most Americans remain unconcerned about the relationship between data and surveillance, due to the attraction of "free" products like Gmail. He focuses on the social costs of surveillance, which "puts us at risk of abuses by those in power—exacerbated by the fact that we are generating so much data and storing it indefinitely." He also argues that this "pervasive mass surveillance" will inevitably chill progressive movements—e.g., gay rights and cannabis decriminalization. The problem is more sprawling than most realize: Edward Snowden's revelations clarified "how much the NSA relies on US corporations to eavesdrop on the Internet," and corporations are using such technologies for their own ends.
In December of 2011, Tripwire published a list of security's top 25 influencers. More than three years later, we are pleased to announce a new list for 2015—The Infosec Avengers!
For each influencer whom we have selected, we include their Twitter handle, blog URL and reasoning for selecting them. We also include their answer for what infosec-related superpower they would choose to have.
After the online breach of JPMorgan Chase, cybersecurity awareness is growing in the financial world. But what exactly is cybersecurity (and cybervulnerability)? What can or cannot be done to make sensitive information more secure?
A leading computer security and privacy expert, Bruce Schneier is one of the world's most recognizable voices on cybersecurity, author of the popular security blog Schneier on Security, board member of the Electronic Frontier Foundation, and CTO of Co3 Systems.
Schneier on Security by Bruce Schneier
One of those security blogs you cannot afford to avoid, it focuses on a wide range of subjects, and one of the most common topics in 2014 was the NSA and Edward Snowden affair. I like this blog because Bruce doesn't publish only his articles: he also comments on various other security news and publications, so you can use it as a kind of a portal to a wider picture of the security world.
One of his most popular posts was on the Heartbleed bug—almost 300 comments there.
The Sony hack is "every CEO's worst nightmare" and the leaked data is probably going to send someone to jail, security expert Bruce Schneier says. That, not any threat of violence, is the real power of this hack.
The "Guardians of Peace," as the group behind the attack has called itself, posted a new dump of emails today, this time from CEO Michael Lynton. The hackers also issued a warning implying that any theater screening the political comedy The Interview, which is about the assassination of North Korean leader Kim Jong-un, could be the target of a physical attack as well.
Sony Hackers: It's Not the North Korean Government, nor an Insider, Suggests Security Expert Bruce Schneier
Cryptographer and security expert Bruce Schneier has suggested that the devastating hack and leak of internal data from Sony Pictures is the work of neither the North Korean government nor insiders.
"At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either). That we live in the world where we aren't sure if any given cyber attack is the work of a foreign government or a couple of guys should be scary to us all," he wrote in a blog post.
According to Bruce Schneier, his career in IT security has been an endeavor he naturally "flowed into." Schneier, a prominent cryptologist who developed numerous encryption algorithms, including Blowfish and Twofish, has continued to contribute to the industry through his musings and insight on his esteemed blog "Schneier on Security," and newsletter "Crypto-Gram," which have garnered a major following in the community. Having gotten his start in cryptography, Schneier says he eventually moved into computer security, network security and security technology as a focus. In his attempt to "understand context" as it pertains to the threat landscape, Schneier also turned to examining the economics, psychology and sociology of security and now he primarily studies and shares his views on the political science of security, he tells SC Magazine. Schneier is currently working on a book called Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (due late February), and at Co3 Systems, he focuses on building coordination software for incident response, "a long-neglected aspect of IT security," as he puts it.
BetaBoston partnered with Silicon Valley Bank, Hack/Reduce, and Terrible Labs on Thursday to host the Cyber Security Symposium. Security experts from Credit Suisse, Threat Stack, Bit9 and others convened for a day-long event, the second niche-focused conference put together by SVB, Atlas Venture's Cort Johnson and Terrible Labs' Smith Anderson after the Quantified Self Conference in March.
The event was capped off with a talk by security expert Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard, and the chief technology officer at Co3 Systems.
Schneier noted three trends he's currently tracking.
Democrats didn't need this: Another cyberattack on an unclassified White House computer network (and unconfirmed reports of Russian involvement) in the closing days of a midterm election in which voter frustration toward President Barack Obama, government dysfunction and national security fears already are hurting their chances of hanging onto control of the Senate.
Chinese hackers reportedly targeted White House staffers' Gmail accounts in 2011. The next year, Chinese hackers reportedly used spear phishing to break into an unclassified network of the White House Military Office. But the problem didn't start with Obama—attempted cyberattacks on the White House date at least to 2008, during George W. Bush's administration.
Just how much of your life is watched? Security expert Bruce Schneier points out that it is more than most people think, says Chris Baraniuk.
Do you have secrets? Security expert Bruce Schneier has little patience for those who say they don't.
When asked about government and corporate surveillance, there are some who shrug their shoulders and say they have nothing to fear because they have nothing to hide. Schneier's response?
It's how you respond that's key, says securo guru
Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.
Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.
"A sufficiently motivated, funded and skilled hacker will always get in," Schneier told delegates during a keynote at the IP Expo conference in London.
The US National Security Agency (NSA) has turned the internet into a "giant surveillance platform," a leading security specialist has said.
Bruce Schneier, who has written extensively on digital security and privacy, told an audience in Dublin tonight that the revelations by whistleblower Edward Snowden of large-scale surveillance by the NSA showed that we were living in a "golden age of surveillance."
In a lecture for the human rights group Front Line Defenders, Mr. Schneier said the NSA's role changed completely after the 9/11 attacks, when US intelligence agencies were given "an impossible mission: never again." "The only way to ensure something doesn't happen is to know everything that is happening," he said.
This desire to "collect everything" coincided with changes in technology, notably the spread of smartphones, the rise of cloud storage and the fact that it became cheaper for individuals to store data and thereby leave deeper digital footprints for the state to pursue. "The NSA has turned the internet into a giant surveillance platform," he said.
In my continuing series of keynote recaps, I will be covering Bruce Schneier’s keynote at Black Hat USA 2014—yes, it can be called a keynote even though it is more of a briefing. By the way, Black Hat: Next time, please give him appropriate space; people were lining up outside the room waiting to get in because of the lack of space.
I will be sharing what I learned from his speech in my own words with selected graphics. Schneier’s “The State of Incident Response” talk is available online, but if you don’t have an hour to watch that, read this as a recap.
Almost a year and a half after the Snowden revelations, it’s business as usual for America’s giant global eavesdropping and spying organisation: the NSA, the National Security Agency.
As revelations continue to unfold, legislative attempts to rein in the NSA's powers appear to be stalling. But, Harvard University security analyst Bruce Schneier says the situation is unacceptable.
In the future, argues Schneier, people will look back at the way we ignore privacy today and ask "how could we be that immoral?" He’s put forward his own plan for breaking up the NSA, and in so doing, bringing its activities under greater civilian control.
Network breaches are inevitable. It's what happens next that really matters, said renowned cryptographic expert Bruce Schneier during the Black Hat security conference.
If there is something the organization has the attacker wants, the attacker will figure out a way to get in. Regardless of how much the organization invests in its defenses, attackers need to find that one weak spot to succeed.
Bruce Schneier on Expanding the Use of Automated Tools
When the organizers of the just-concluded Black Hat USA conference wanted to explore incident response, they turned to Bruce Schneier, the cryptographer, author, blogger and cybersecurity expert, to make a presentation. Until recently, however, Schneier's name wouldn't be on most people's list of incident response experts.
Schneier's reputation, after all, was built on his keen observations of the influence of IT security on society and vice versa, as well as bringing to light the previously unknown, such as the National Security Agency's tampering with cryptography guidance from the National Institute of Standards and Technology (see NIST to Drop Crypto Algorithm from Guidance).
But since the beginning of the year, Schneier has been serving as chief technology officer of 4-year-old Co3 Systems, which provides automated incident response systems.
In his Black Hat 2014 session entitled "The State of Incident Response," security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters.
Placing a great deal of emphasis on automated systems and technology being used to support the people needed for incident response, Schneier proposed a four-step approach: observe, context, decide, and act.
Observe means knowing what is happening on networks in real-time, which can be done using log monitoring, log analysis tools, network management tools and the like, Schneier said.
Context is tantamount to gathering data and intelligence, as in knowing the latest malware and vulnerabilities.
Cyber defenders are currently fighting a losing battle against hackers and government agencies, according to security expert Bruce Schneier.
Speaking in London on Thursday, the security guru said that with cyber criminals' attacks increasing in sophistication all the time, incidents like the Target credit card theft will only become more common.
"Security is a battle of attack versus defence and right now on the internet attack is much easier than defence," he said at the Good Exchange event, attended by V3.
Schneier pointed to advanced persistent threats (APT) as an area where organisations are woefully ill-prepared to prevent attacks.
Security technologist Bruce Schneier tells DW why he finds it curious that the German BND is getting a free pass on surveillance and why Europe should take the lead on protecting privacy in the digital age.
DW: One year ago the Guardian published the first article on the NSA's surveillance activities based on the disclosures of Edward Snowden. Many other revelations have followed since and triggered a robust international debate about surveillance and privacy. Now one year later what is the most significant consequence of Snowden's disclosures?
Bruce Schneier: Right now the most significant consequence has been the knowledge that has fueled the debate. A lot of what we have read from these NSA documents isn't surprising, but the details make them real in a way that speculation doesn't.
A short password, or one using a name or a word in a dictionary, can be easily cracked by computers. And simply adding "@" for the letter "a" isn't going to fool the bad guys.
Here's cryptographer and computer security expert Bruce Schneier's advice on using and managing your passwords.
1. Use a "passphrase": a sentence you can remember. Then replace each word of the phrase with its initial, a similar digit or symbol, or, at random, use a whole word.
"Information is power," has been true for so long that it has become a cliché.
But the Internet has increased the power to collect, store and analyze information by such an order of magnitude that we are now in what Bruce Schneier called "the golden age of surveillance," in his keynote address Wednesday morning at SOURCE Boston.
That would be golden for those doing the surveillance, not the subjects of it.
Schneier, author, security guru, blogger and CTO of Co3 Systems, said the expectation that the Internet would mainly empower the powerless—grassroots groups, hackers, minorities and other relatively fringe groups—did come true for a number of years.
BOSTON—History is not entirely kind to those responsible for the Industrial Age in the 19th century. How, for example, were the consequences of industrial innovation such as pollution largely ignored?
Flash forward to today's digital age and ask the same question: How are those responsible for building our infrastructure callously disregarding privacy and security in favor of rapid online innovation?
"I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet," said Bruce Schneier today during his Source Boston keynote.
Data is a natural consequence of computing, and as search tools get better, it shifts the balance of power towards mass collection and surveillance, renowned security expert Bruce Schneier said at the SOURCE Boston conference on Wednesday.
"Surveillance is the business model of the Internet," Schneier told attendees. "We build systems that spy on people in exchange for services. Corporations call it marketing."
The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech.
In today's interconnected world, all it takes is one security mistake to make your whole world come crashing down. Who better to turn to for advice than security expert Bruce Schneier?
If you have even a passing interest in security matters, then you've surely come across the writings of Bruce Schneier, a world-renowned security guru who has served on numerous government committees, testified before Congress, and is the author of 12 books on security issues so far, as well as countless essays and academic papers.
After hearing about Schneier's newest book, Carry On: Sound Advice from Schneier on Security, we decided that it was about time to reach out to Bruce to get some sound advice concerning some of our own pressing privacy and security concerns.
Bruce Schneier says the key to good security is accepting that perfect security doesn’t exist.
Last fall, not long after Bruce Schneier quietly revealed himself as the cryptographer who had helped journalist Glenn Greenwald review Edward Snowden's NSA documents, he found himself on CNN International, talking about allegations that the United States had spied on the chancellor of Germany.
An exasperated host beamed Schneier in from Minneapolis, where he lives, and asked him to "help us," as she put it, "decipher this enigma." Schneier is a legendary encryption specialist who has written or edited 13 books on the subject, and worked for the Department of Defense, telecommunications companies, banks and governments. Most recently, he's been a vocal advocate of the idea that the best security systems accept a reasonable amount of risk; a blind focus on protecting against every threat, he says, usually comes with unexpected costs.
Outside of the cryptography community, however, this view is not widely held, and the simplicity and directness with which Schneier expresses it tends to take people by surprise.
We are entering a new era of Internet connectivity — the Internet of Things. Suddenly our devices are much more than just the computers we can hold in our laps.
These new devices collect information and make decisions on their own. What does this mean for us?
Bruce Schneier, an author and security technologist who has written several articles about the darker side of the Internet of Things, describes the new situation this way:
"The Internet of yesterday was the Internet of the things we typed into it. It was Facebook.
Reuters Technology reporter Joseph Menn interviewed security expert Bruce Schneier in front of last week's TrustyCon audience in San Francisco, where the security expert provided his analysis of the government surveillance controversy.
Bruce Schneier has been a vocal critic of the mass surveillance being conducted by the NSA and GCHQ. The security expert recently left his post at BT and joined the board of digital rights firm Electronic Frontier Foundation (EFF), one of TrustyCon's organizers. Although several of TrustyCon's speakers were part of the group who withdrew from their speaking commitments at last week's RSA Conference, Schneier was featured on the agenda at both events.
Schneier said that the NSA's surveillance capabilities are far and away the most advanced in the world, but not necessarily the most skilled.
Bruce Schneier is the man who literally wrote the book on modern encryption, publishing Applied Cryptography in 1994, and for the past 20 years has been an important and sometimes outspoken voice in the security industry.
He founded the firm Counterpane Internet Security (later sold to BT), and is also a board member of the Electronic Frontier Foundation and an Advisory Board Member of the Electronic Privacy Information Center.
More recently he's been working on documents released by Edward Snowden on NSA activities and presented his findings at this year's RSA conference in San Francisco. The Register took the opportunity of sitting down with Schneier at the event and chewing through the current state of security, privacy and government intrusion online.
When Bruce Schneier went on to a different stage at the RSA Conference, resplendent in a purple floral shirt, he gave a very different presentation than an earlier panel from Washington intelligence insiders. Schneier, the CTO of Co3 Systems and author, gave the security-geek view. He also gave his answer to the question everyone has been asking: how do we keep from being spied on?
Collect Everything
Schneier laid out the situation as he sees it today: that the NSA has turned the Internet into a giant surveillance platform that is both technically and legally robust.
Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and full of smart people but "they are not made of magic".
A cryptographer by training and a security thinker by trade, Schneier has spent many hours reading the Snowden documents and thinking about what they mean, both in terms of the NSA's actual capabilities and their effect on data security and privacy. Much of the news, clearly, is not good on that front.
The good news? Strong crypto still works
RSA 2014: If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier.
"The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an audience at the RSA 2014 conference in San Francisco.
"These techniques for exfiltrating data aren't magical, they are just expensive. Everything we know about technology is that it gets cheaper.
Two recently-discovered flaws in Apple iOS and Mac OS X have security experts openly asking whether the software vulnerabilities represent backdoors inserted for purposes of cyber-espionage. There's no clear answer so far, but it just shows that anxiety about state-sponsored surveillance is running high.
'One line of code—was it an accident or enemy action? I don't know, but it's the kind of bug I'd put in,' remarked Bruce Schneier, chief technology officer at Co3 Systems, about the flaw in Apple OS X SSL encryption that was revealed last week.
Cryptography expert Bruce Schneier, now CTO of Co3 Systems, continued his criticism of the National Security Agency's surveillance during his well-attended talk at the RSA Conference in San Francisco today.
Schneier has been a fierce critic of the National Security Agency (NSA) ever since the details of this surveillance were first revealed by former CIA contractor Edward Snowden last summer. And following on from an interview with CNN this week where he argued for the NSA to be split up, he took the opportunity to champion for stronger encryption in front of a packed audience at the RSA Conference.
Schneier, who left BT—also reportedly offering back doors in products—to join Co3 Systems in December, mused from the beginning that the talk was going to be a prickly and hotly-contested subject. "This will be a fun topic."
His talk was entitled "NSA Surveillance: What we know and what to do about it" and he first ran into the attack techniques—sometimes obscured by odd code names—being used by the NSA and GCHQ to carry out mass surveillance.
Don't feel futile, the Internet can be saved, according to cryptography luminary
There are ways for people to win back their privacy from global intelligence agencies, largely by making bulk collection of data economically unviable, encryption luminary Bruce Schneier told delegates at the RSA 2014 conference today.
This would be doable by placing secure encryption in places where it currently does not reside, from vulnerable mobile applications to people's hard drives.
"Encryption frustrates the NSA at scale," he said. "Our goal should be to leverage economics, physics and maths to make the Internet secure, to make surveillance more expensive.
When incident response software maker Co3 announced earlier this month that Bruce Schneier was joining the company as its first CTO, some observers might have wondered: Huh?
Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom like BT to serve as CTO of a much smaller software company? Well, the answer is pretty basic. He sees the company offering a product the security and privacy communities desperately need.
A computer cryptography expert revealed that he met Thursday with members of Congress to explain Edward Snowden's revelations about the National Security Agency because "the NSA wasn't forthcoming."
In a brief post on his blog, Bruce Schneier said that he had held a roundtable discussion with six House members, organized by Rep. Zoe Lofgren (D-Calif.), to discuss the NSA's activities.
Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School, co-authored a Guardian article with reporter Glenn Greenwald on the NSA's attempts to hack an anonymizing web service and has taken a peek at many of the documents that Snowden leaked.
"Lofgren asked me to brief her and a few Representatives on the NSA," Schneier wrote. "She said that the NSA wasn't forthcoming about their activities, and they wanted me—as someone with access to the Snowden documents—to explain to them what the NSA was doing.
Cryptographer, essayist, book author, free thinker, privacy advocate and cybersecurity thought leader Bruce Schneier announced a few days ago that he's joining Co3 Systems as its new CTO. The Cambridge, Mass.-based start-up helps companies comply with data privacy and data loss disclosure regulations. Schneier shared what's top of his mind with CyberTruth.
CT: You started in encryption, and had a great run as a globe trotting cybersecurity guru.
Schneier says new gig at incident response management vendor a natural progression for him
Other articles about Bruce Schneier's new position with Co3 Systems appeared in InfoSecurity Magazine, SearchSecurity, TechWeekEurope, The Inquirer, ZDNet, Help Net Security, Security Week, The Register, SecurityCurrent, Boston Business Journal, Network World, and Threatpost.
Famed security expert Bruce Schneier has left BT and is now CTO of incident response (IR) management startup Co3 Systems.
Schneier, who previously had served on Co3 Systems' advisory board and has helped shape the look and feel of the software-as-a-service firm's architecture, says the time had come for him to make a change and leave BT. He had been the security futurologist for BT since it purchased his network monitoring services firm Counterpane Internet Security in October 2006.
Word that Schneier was leaving BT leaked publicly last month, and speculation arose that it had to do with his outspoken criticism of surveillance by the NSA and Britain's GCHQ.
Becoming a fellow isn't your first interaction with the Berkman Center—you spoke here in April about "IT, Security, and Power" with Jonathan Zittrain. In light of that talk and the research you intend to conduct exploring the intersection of security, technology, and people, can you tell us more about the direction your research is going in, any challenges you currently face, and what you will be focusing on as a Berkman fellow?
I've been thinking about several things, all centered around power in the information age. I summarized them here before my Spring Berkman visit, and perhaps it's better to send readers there than to rewrite what I wrote then. Since then, of course, I have been thinking and writing about the Snowden documents and ubiquitous Internet surveillance.
There needs to be wider debate on the value of privacy on the internet — and in society as a whole, a leading computer security and privacy specialist said at the Summit on the Global Agenda in Abu Dhabi. Cryptographer Bruce Schneier says classified documents leaked by former US National Security Agency contractor Edward Snowden could ultimately make all internet users more secure.
The documents leaked by the American whistleblower show how easy it is for parties to indiscriminately capture the personal data on a global scale, said Schneier, who is participating in the summit as a member of the Global Agenda Council on the Future of the Internet. The future of surveillance has been identified as an urgent emerging issue by Global Agenda Council Members in the World Economic Forum's 2014 Outlook report.
More than 150 years after Bull Run—the long, bloody battle that foretold of a long, bloody Civil War—a new Bull Run is the symbol of a very different, bloodless fight.
"Bull Run" is code for a National Security Agency program that asks U.S. Internet security providers to poke holes in their systems (also known as "back doors")—and to keep those requests—and weaknesses—a secret. "The conceit here is that only the NSA can exploit this vulnerability," and gain access to encrypted Internet traffic, explained computer security and privacy specialist Bruce Schneier at a recent NSA surveillance briefing convened by the Open Technology Institute on Capitol Hill.
And techies can only fix it if government stays out of the way.
WASHINGTON, DC—To say that there are a lot of people who are angry with the National Security Agency (NSA) right now would be an understatement. But the things that are getting the most political attention right now—such as the invasion of the privacy of American citizens and spying on the leaders of American allies—are just a fraction of the problem, according to cryptographer and Harvard University Berkman Center for Internet and Society Fellow Bruce Schneier.
At a presentation in a conference room inside the US Capitol on Friday, Schneier—who has been helping The Guardian review the trove of documents provided by Snowden—said that in its haste to "weaponize" the Internet, the NSA has broken its mechanisms of security. And those breaks—including the backdoors that the NSA convinced or coerced software developers to put into the implementations of their encryption and other security products, are so severe that it is now just a matter of time before others with less-noble causes than fighting terrorism will be able to exploit the holes the NSA has created.
"The NSA has turned the internet into a giant surveillance platform." Security guru Bruce Schneier did not pull his punches when he addressed the 1,200 engineers gathered for the meeting of Internet Engineering Task Force (IETF) in Vancouver last week. But when it came to the question of what should be done about it, he and the other participants in a panel discussion had less to offer.
Mr Schneier, a fellow at Harvard's Berkman Centre on Internet and Society, is one of the few people who had seen most if not all the NSA documents downloaded by Edward Snowden. Only a few have been made public so far, with the most recent revelation being the stealth tapping of Google's internal networks.
The ongoing revelations of governmental electronic spying point to a problem larger than National Security Agency malfeasance, or even of security weaknesses. Rather the controversy arising from Edward Snowden's leaked documents suggests we face unresolved issues around data ownership, argued security expert Bruce Schneier.
"Fundamentally, this is a debate about data sharing, about surveillance as a business model, about the dichotomy of the societal benefits of big data versus the individual risks of personal data," Schneier told attendees of the Usenix LISA (Large Installation System Administration Conference), being held in Washington this week.
"We might not buy [it], but the basic NSA argument is 'You must give us your data because it is keeping you safe.'"
Schneier has been an outspoken critic of the NSA since Snowden, a former NSA contractor, first leaked documents showing the many ways in which the intelligence agency had tapped into the Internet and data centers to collect data en masse about people's activities.
Lessons from NSA revelations hit at heart of the "fundamental issue of the information age," says Bruce Schneier
As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet's infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.
"There are a lot of technical things we can do. The goal is to make eavesdropping expensive," Schneier said.
Over the years, at times, I've seen people criticize Bruce Schneier for perhaps getting more publicity than other security researchers, but it's rare to see people question his knowledge. The complaints often appear to stem more out of jealousy than anything else. But, I've never seen anything quite as ridiculous as this "CNN iReport" by Richard Marshall and Andre Brisson, which appears to be a blatant hatchet job attack on Schneier that is at times incomprehensible, at times factually incorrect and bizarre throughout. Marshall is a former NSA and DHS "cybersecurity" expert, but he's now the CEO of "Whitenoise Labs," (something not mentioned in the article).
National Security Agency Director Gen. Keith Alexander this week defended the private sector's cooperation with the agency's electronic surveillance programs, telling Congress the companies involved are being punished in the media for meeting legal obligations under U.S. law and helping to save lives.
'We have compelled industry to help us…by court order,' said Alexander, during testimony Oct. 29 before the House Permanent Select Committee on Intelligence. 'And what they're doing is saving lives' in the U.S.
During a podcast on Occupy Radio, the host and a renowned security expert Bruce Schneier get to discuss the NSA practices in terms of treating citizen privacy and other related issues.
- Bruce Schneier is an internationally recognized expert on cryptography and data security. He was dubbed a 'Security Guru' by the Economist magazine. His most recent book is 'Liars and Outliers: Enabling the Trust that Society Needs to Thrive'. Bruce's newsletter, Cryptogram, and his blog Schneier on Security are read by over a quarter of a million people.
The security researcher Bruce Schneier, who is now helping the Guardian newspaper review Snowden documents, suggests that more revelations are on the way.
Bruce Schneier, a cryptographer and author on security topics, last month took on a side gig: helping the Guardian newspaper pore through documents purloined from the U.S. National Security Agency by contractor Edward Snowden, lately of Moscow.
In recent months that newspaper and other media have issued a steady stream of revelations, including the vast scale at which the NSA accesses major cloud platforms, taps calls and text messages of wireless carriers, and tries to subvert encryption.
This year Schneier is also a fellow at Harvard's Berkman Center for Internet and Society.
Five More Questions: Privacy Expert Bruce Schneier Sees Outdated Data Laws Benefiting Feds, Businesses
Editor's note: Five More Questions is an occasional series by Brian Lambert that follows up on people who recently made news.
Bruce Schneier has carved out an interesting niche for himself.
The southwest Minneapolis resident has become one, if not the best-known, of credible voices on the topics of privacy and security, personal and otherwise. His thinking on matters from Edward Snowden and the NSA to the nexus of government and corporate data-mining has made him a regular presence on The Atlantic, Forbes, Foreign Policy, Bloomberg and Guardian websites.
It also earned him a nod in the current issue of Wired magazine as one of the 101 essential "signals" (as opposed to "noise") to follow on the Internet.
Ars asks a tech and legal all-star team how to fix America's security state.
For the last two months, we've all watched the news about the National Security Agency and its friends over at the Foreign Intelligence Surveillance Court (FISC), which approves secret orders on behalf of the NSA and other spy agencies. But more often than not, a lot of these articles take the same basic structure: documents provided by NSA leaker Edward Snowden show X, and then privacy advocates and civil libertarians decry X for Y reason.
That now raises the question, what would these privacy advocates do if they were put in charge of the NSA and the FISC? Or more specifically, what changes would they immediately enact at those two opaque institutions?
Technology expert Bruce Schneier has been blogging about security since 2004. If the subject was ever a niche, those days are long gone. His work touches on vital issues of safety and privacy at home, out in the world and, of course, on computers and other gadgets. Many of his posts simply point you towards items elsewhere — and he’s so important a figure in his field that the mere fact that Bruce Schneier found an article to be worthwhile is a significant endorsement.
As Edward Snowden is linked to one country after the next, the media has its eye fixed on where he will next request asylum. (Today, it's Russia.) Meanwhile, back at US headquarters, as NSA officials speak in a House Judiciary Committee hearing, the agency is still doing what it's doing. To get more information on exactly what that means, the TED Blog wrote to two security experts, Bruce Schneier (watch his talk) and Mikko Hypponen (see his talk), to ask them about what it is we should be worried about. Turns out, pretty much everything.
The Berkman Center for Internet & Society at Harvard University today announced the fellows, faculty associates, and affiliates who will join the community in the 2013-2014 academic year, continuing a tradition of providing a home for some of the most incisive minds in law, technology, and social science, alongside path-breaking entrepreneurs and activists.
"Our incoming community is brimming with vision, talent, and a commitment to understand and drive change across the world, both online and off," Urs Gasser, Berkman's Executive Director, said. "With curiosity, rigor, and friendship, this network will explore and transform our collective knowledge, use, and governance of the Internet and digital technologies. We are privileged to bring these incredible people together at Berkman in the coming year."
The diverse class of fellows will work primarily in Cambridge, MA alongside Berkman Directors and staff, and will serve as key instigators within the vibrant research community.
If you're looking for more evidence that politicians don't get technology, look no further than the FBI's proposal to make Internet communications easier to wiretap. Specifically, the FBI wants to force companies to design their email, IM, VoIP, and other Internet-based communication products such that law-enforcement agents can eavesdrop on conversations—naturally, in the name of collecting evidence against evil-doers.
Although the plan reportedly has support from the Obama Administration, it doesn't have the backing of a guy who knows a thing or two about security: Bruce Schneier. By the renowned security pro's reckoning—clearly laid out at Foreign Policy—requiring companies to make their products "eavesdroppable" would render them vulnerable to anyone with a little tech savvy.
From online companies tracking users' digital footprints to the trend for more and more data to be stored on cloud servers, Internet privacy seems like a thing of the past -- if it ever existed at all. RFE/RL correspondent Deana Kjuka recently spoke about these issues with online security analyst Bruce Schneier, author of the book "Liars and Outliers: Enabling the Trust Society Needs to Survive."
RFE/RL: It is no secret that online companies like Google, Facebook, and Twitter are tracking users' digital footprints. How accurate are these online profiles? What are they used for, other than advertising?
Bruce Schneier: We don't know how accurate it is.
Bruce Schneier is one of the world's leading cryptographers and theorists of security. Jonathan Zittrain is a celebrated law professor, theorist of digital technology and wonderfully performative lecturer. The two share a stage at Harvard Law School's Langdell Hall. JZ introduces Bruce as the inventor of the phrase 'security theatre', author of a leading textbook on cryptography and subject of a wonderful internet meme.
The last time the two met on stage, they were arguing different sides of an issue -- threats of cyberwar are grossly exaggerated -- in an Oxford-style debate.
We live today in a "feudal security world", says internationally renowned security technologist Bruce Schneier.
We pledge our allegiance to the service providers -- the likes of Google, Facebook -- and expect them to provide us with security in return -- akin to serfs and peasants paying tribute to their lords in the form of personal data, says Schneier, the author of Liars and Outliers: Enabling the Trust Society Needs to Survive, and chief security technology officer at BT.
"What I am seeing is a shift in power on the internet, that we generally have less control over our IT infrastructure, our products, our user devices, our services. We basically have to trust our vendors," he says. "We just don't have the ability to control security or configuration the way we did when we owned and controlled the platforms.
Type 'security expert' into Google and the third result is Schneier on Security, a blog written by Bruce Schneier, the author of several books and chief security technology officer at BT.
The blog is also the top Google result for 'security blogger' and No. 7 for 'computer security expert,' despite the fact that Schneier doesn't describe himself as an expert. (Qualifier: Google customizes results to the user, so your mileage may vary.)
It gets more interesting when you look at references to Bruce Schneier in media outlets: 175 mentions in The New York Times, 146 in The Wall Street Journal and almost 400 each in Computerworld and InformationWeek. All this in a market that is one of the most information-saturated in the technology sphere.
Schneier estimates that his blog and newsletter reach a combined audience of 250,000 people each month.
In the days of feudalism, serfs and minor lords pledged allegiance to the king and received protection in return. As long as the king held up his end of the bargain, the system worked. If he didn't, the system would crumble, as it eventually did in Europe around the 15th century.
Bruce Schneier, CTO of BT Managed Security Solutions, sees the feudalism dynamic happening today on the Web, where users of social networking and other online services must blindly trust that the companies providing those services are paying enough attention to security.
Burger King and Jeep both saw their Twitter accounts get hacked this week.
How and why does this happen?
Bruce Schneier is a revered computer security expert, prominent for his thoughts on the intersection of technology, security, and trust.
He was kind enough to fill us in on the details surrounding how hacks like these are possible.
A couple weeks ago we asked Bruce Schneier if he would be kind enough to respond to a few questions about security related to critical infrastructures such as the power grid. We are delighted and honored that Mr. Schneier would take the time from his busy schedule to answer our request! Below is a perspective that we are certain you will find interesting and useful in your quests to build and support practical security solutions at your organization.
Q1: There seems to be a great deal of fear and hyperbole about potentially catastrophic cyberattacks against critical infrastructure such as the power grid. How do we clear away the hype and determine what threats realistically exist and what should the industry consider doing about them?
Bruce: With expertise.
Coverage of this interview also appeared in International Business Times.
As well as being a renowned cryptographer, influential security expert and outspoken conference favourite, Bruce Schneier has had his share of coverage in recent months as the Prism story unfolded. He chose to leave his position as BT's security futurologist at the end of last month and has now turned his hand to incident response.
Schneier recently left BT, who acquired his company Counterpane in 2006, to join Co3 Systems as chief technology officer this month. I began by asking him what attracted him to a relatively unknown company.
9. Bruce Schneier, BT Managed Security Solutions
"Bruce Schneier instantly knows the amount of Jelly Beans in a jar" — this is one of many "facts" about the security technologist and author from the website schneierfacts.com, an Internet meme dedicated to him.
And there's a reason his fans attach his face to the body of Chuck Norris: He is killing it in the world of online security.
He founded the company that became BT Managed Security Solutions, of which he remains chief security technology officer.
Bruce Schneier is a bestselling author, TED speaker, and the founder and chief technology officer of BT Managed Security Solutions. ReadWrite got the chance to speak with the candid technologist, widely considered one of the foremost voices in the world of security and privacy, about digital feudalism, government regulations and the reality of cyber warfare.
Online Lord & Vassal
ReadWrite: I read your blog post the other day about Facebook having a "feudal lord" relationship with its users. Tell me what feudal security is.
Computerworld Hong Kong (CWHK): Are we actually any more secure today than we were five years ago?
Bruce Schneier (BS): In short, no. It's interesting that every year we have new technologies, new products, new ideas, companies and research, yet people continue to ask why things are so bad with security? And the answer is that fundamentally the problem is complexity.
Trying to predict the next security problem is the wrong way to go about things, said Bruce Schneier, chief security technology officer at BT, who was speaking at an event in Singapore.
"The more we try to predict, the more the bad guys react around us," Schneier said. Contrary to popular IT security ideology, what was more important was the ability to react as well as mitigate and recover.
This attempt to predict where the next attack will come from is creating a gap between security and attackers, where cyber criminals will be constantly evolving to develop and exploit new attack vectors, with IT departments constantly playing catch-up.
SINGAPORE--Companies looking to predict cyberthreats to fend off attacks will not improve their IT systems' security robustness as the criminals responsible will evolve and develop their technologies accordingly.
Speaking at a seminar here Monday, Bruce Schneier, chief security technology officer at BT, said technology has affected the balance of society and social mechanisms such as law and punishment, which help keep people in check so they will not commit crimes, online or otherwise.
For instance, the Internet has given rise to anonymity and made it easier for cybercriminals to perpetrate their attacks without getting caught, Schneier observed.
In response to these online threats, IT security professionals and law enforcement agents often try to predict what kind of cyberattack will hit them to better ensure their network security is robust and catch the online intruders, the executive added.
Bruce Schneier, a legend among hackers and security experts, is having trouble convincing the world that the threat of cyberwar is overstated. In 2010, the year after the US launched a Cyber Command division of its military, he lost a public debate on the subject. And in October, US Secretary of Defense Leon Panetta said that the US should gird itself for a cyber Pearl Harbor. Yet Schneier is undeterred.
As we all buy smartphones and use the cloud, we are doing something that's never been done before: trusting a few big IT companies with our lives. That's not necessarily in our best interest, but we have no choice.
So says world-famous security expert Bruce Schneier.
Schneier's latest book, "Liars and Outliers," looks at the psychology needed to keep humans safe.
I have just put down Bruce Schneier's "Liars and Outliers", and it will not be easy to do it justice in a book review.
This time he has written a book about security that is not about computers and in fact is only halfway about security.
The book is, at bottom, an analysis of how people deal with one another, no more and no less, but that is not a particularly helpful summary, because it covers everything from waste management through tax legislation to computer security.
Crypto guru urges creative thinking from security pros
Cryptography guru Bruce Schneier called for more creative thinking and a broader perspective as a means to tackle security problems.
For example, the music industry, faced with an explosion in online file-sharing, hired security pros to develop anti-piracy measures, such as digital rights management technology. But these inconvenienced punters while doing little or nothing to stem copyright infringement. A better approach was making songs affordable and easy to buy, a model that has since lined Apple's deep pockets.
A famed computer security expert believes governments are trying to seize control of the internet, but will fail in the long term to reach that goal.
Bruce Schneier, BT's chief technology officer and author of several important books on security, said that governments that didn't understand the internet were trying to take control of it. He looked at US proposals of creating an 'internet kill-switch', claiming that policy makers were crazy to even think of a single mechanism to shut-off all internet traffic.
He said: "You see these types of government proposals, and they come from law enforcement, lobbyists or the military, and we're going to see more of those.
The world's governments are destined to fail in their attempts to control the internet, according to BT security expert Bruce Schneier.
Schneier claimed that the internet is currently going through a dark period, with legislators creating ill-conceived cyber policies that are damaging rather than helping online developments.
"Governments are starting to use it [the internet] for power," said Schneier at a press conference in London.
"We're hitting a period in internet history where governments are seizing more control; one where governments that don't understand the internet are trying to interfere with it."
Schneier touted the recent US proposal to create a "killswitch" for the internet as a prime example of policymakers' lack of understanding.
Security guru Bruce Schneier calls for societal pressure to convince would-be hackers that their actions are not in their own interests
Cyber crime will not be resolved with technology alone, security guru Bruce Schneier warned at the RSA conference in London today. Societal pressure is also needed to discourage people from becoming cyber criminals, he argued.
Security experts will always be catching up with criminals when it comes to technological exploits, argued Schneier, who is BT's chief security technology officer. "Attackers have a natural advantage because they can make use of innovations faster and have no procurement pressure or institutional inertia," he said.
Bruce Schneier, the well-known American cryptographer and security specialist, gives an interview to Radio New Zealand's Bryan Crump during his visit to the country, discussing real-world security issues and whether anti-terror measures done by the authorities worldwide are as effective as expected.
(Bryan Crump): -- Bruce Schneier is a security specialist who seems to be trying to talk himself out of a job. His point is a lot of what we do to protect ourselves against terrorism is pointless. The best weapons against terror are, in his opinion, good intelligence and refusing to be terrorized. Bruce is based in the United States of America, was in New Zealand for a conference on identity and identity theft.
Bruce Schneier ordered a Coke, no ice, at the Rio casino on a Saturday afternoon. I ordered Diet Coke, also no ice, and handed the bartender an American Express card. He said he needed to see proof of identity. Credit cards are often stolen around here, and eight casino workers had recently been fired for not demanding ID, he quietly explained.
Bruce Schneier knows a thing or two about security. The author of multiple books on cryptography, Schneier is widely considered to be an expert on the subject of encryption as well as the broader topic of information security. So we jumped at the opportunity to sit down with him for an in-depth interview at the Black Hat 2012 conference in late July. Here are some of the highlights of what he had to say.
The State of Encryption: "Not that great, and getting worse"
Asked to share his view of the state of encryption in this new age of cloud computing, Schneier says: "It's not that great, and it's getting worse."
Here's why: "As you move stuff to the cloud you lose control of the data," Schneier says.
This year, more than $22 billion in enterprise security products and services is expected to be sold worldwide. But according to Bruce Schneier, well-known cryptology expert and security luminary, technology alone isn't the answer to better security.
In an in-depth interview with eSecurity Planet at the Black Hat 2012 conference in Las Vegas last week, Schneier argued that looking at security solely from a technology perspective is to take a too narrow view of the problem.
"If you look at broader society, there is a lot of security that happens at a much more personal level," Schneier said.
"Liars & Outliers: Enabling the Trust that Society Needs to Thrive," by Bruce Schneier
Internationally renowned security expert Bruce Schneier delves into the world of trust, bringing together "ideas from across the social and biological sciences to explain how society induces trust ... how trust works and fails in social settings, communities, organizations, countries and the world."
Stuxnet Cyberattack by US a "Destabilizing and Dangerous" Course of Action, Security Expert Bruce Schneier Says
Revelations by The New York Times that President Barack Obama in his role as commander in chief ordered the Stuxnet cyberattack against Iran's uranium-enrichment facility two years ago in cahoots with Israel is generating controversy, with Washington in an uproar over national-security leaks. But the important question is whether this covert action of sabotage against Iran, the first known major cyberattack authorized by a U.S. president, is the right course for the country to take. Are secret cyberattacks helping the U.S.
Tomas Gilså has read "Liars & Outliers", an excellent basic course in human behaviour from a security perspective.
Bruce Schneier, the IT security industry's household god, has raised his gaze once again. After starting with "Applied Cryptography" in 1994 and continuing with books on general IT security, information security and practical security, he has now arrived at his thirteenth book, "Liars & Outliers". With it he takes the step up to the societal level.
"Liars & Outliers" explains security as a function of trust, its benefits and shortcomings.
One of the best books I've read this year is by a security technologist, Bruce Schneier. In Liars and Outliers, he sets out to investigate how trust works in society and in business, how it is betrayed and the degree to which technology changes all of that, for the better or the worse.
Schneier absolutely understands how profoundly trust oils the wheels of business and of daily life. "The more customers trust merchants, the more business gets done.
Software liability laws are needed to hold software companies accountable for making faulty products, argued Bruce Schneier, chief technology security officer with BT during a pro-con debate held Wednesday at the RSA Conference.
Schneier said that liability laws would transfer the economic cost for faulty software from the user to the developer and provide an incentive for the developer to fix the problem.
He compared the situation of the software market to the early days of the automobile industry, when Congress passed laws that held auto manufacturers responsible for faulty vehicles that caused accidents. This prompted the auto industry to begin fixing the problems, for example by no longer using wooden wheels that would fall apart at high speeds.
"The only way to convince vendors to actually fix the problem is to make it in their financial interest to do so.
In his session at the RSA Conference in San Francisco, February 28th 2012, Bruce Schneier listed what he perceives to be the three biggest risks to information security right now: The rise of big data; ill-conceived law enforcement regulations; and the cyberwar arms race.
The rise of big data
The rise of big data, Schneier declared, is inevitable due to the cost of saving data being so cheap. "It's easy and cheaper to search than sort," he said. "The collection of data is being aggravated – mainly so the companies doing it can make more money… Companies like Apple, Amazon and Google are all competing to be the company that monetises your data."
Schneier spoke of the lack of control that users have over their smartphones and portable devices. "I can't do things as a security professional on my iPhone.
RSA 2012: Schneier on Why Anonymous Is Not a Group and Why They're Certainly Not As Good As You Think They Are
At the RSA Conference 2012 in San Francisco, February 29, Bruce Schneier and Davi Ottenheimer discuss Schneier's latest book and how to enable the trust that society needs to thrive.
Following on from Schneier's talk yesterday on the three biggest risks to information security in 2012, this discussion focussed purely on the topic of Schneier's latest book, Liars and Outliers.
Here are some of the session highlights:
- Security depends on people. "I started in cryptography because I didn't like people. I wanted to study numbers. Anyone in security needs to understand that people act in unpredictable ways."
- The ID theft concern is great. "We worry that ID theft will become such a danger that people would stop shopping and doing stuff online.
RSA 2012 Usually the bête noire of the annual RSA conference is the criminal hacking community, but security guru Bruce Schneier asserts that government, business, and the military may well pose a bigger threat to security professionals.
"The current risks to internet freedom, openness, and innovation don't come from the bad guys -- they are political and technical. I suppose I should call this talk 'Layer eight and nine threats'," he told his audience on Tuesday at RSA 2012.
Attempts at ill-conceived legislation are a major concern, he said.
Cybercriminals are not the greatest threat to Internet security. It's the many forces trying to bend the world's computer network to fit their interests.
That's according to Bruce Schneier, a renowned security technologist and author of several books, including "Applied Cryptography." Schneier told attendees Tuesday at the RSA Conference that the three greatest dangers are Big Data companies, poorly thought out government regulations, and the cyberwar arms race.
These threats foster instability through those lobbying for changes that further their self-interests, instead of what's better universally, Schneier said.
Modern society depends on trust more than we realise, and the basis for that trust is security. The trick, says the security guru, is preserving the forces that allow us to trust one another, while also knowing who not to trust
You're best known as a security expert but our theme today is "trust". How would you describe the connection between the two?
Security exists to facilitate trust. Trust is the goal, and security is how we enable it. Think of it this way: As members of modern society, we need to trust all sorts of people, institutions and systems.
As Bruce Schneier spent the past decade watching the growing rash of phishers, malware attacks, and identity theft, a new Internet threat has emerged that poses even greater risks, the security expert said.
Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They're also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don't recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.
Security Myth No. 1: "More Security is Always Better."
Bruce Schneier, security expert and author of several books, including his most recent, Liars and Outliers, explains why this security concept of "you can't get enough" that's often bandied about is off the mark to him. Schneier explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut.
Society runs on trust and would collapse without it. The interconnectedness of the modern world creates new and dangerous risks to trust.
Bruce Schneier's recent book Liars and Outliers is a philosophical exploration of the role of trust in society, and is likely to appeal more to policy makers and academics than to information security practitioners. He describes how theories regarding trust (and perhaps trust itself) have evolved over time and sets this within the context of today's global interconnected society.
Schneier has done a very careful literature review, citing theories and experiments across multiple disciplines such as sociology, anthropology, and psychology.
Liars and Outliers, Bruce Schneier's most recent security-related text, is an interesting and wide-ranging review of trust in commerce and broader society. And I do mean wide-ranging -- he covers everything from the implications of early mankind's organization into groups of around 150 individuals (the "Dunbar number") to reputation systems such as eBay and Yelp reviews. Liars and Outliers doesn't hang together quite as well as his previous books, but it's still a terrific primer for readers who want more insights into the complex world of security and trust.
I had the opportunity to speak with Dr. Schneier about his book.
Bruce Schneier’s new book explores the relationships of trust on which civilization depends
Bruce Schneier is a security icon, the cryptological equivalent of action-movie superstar Chuck Norris, able to straighten elliptic curves with his bare hands. Liars & Outliers isn’t the book you’d expect from someone whose portrait adorns posters—nor from the coauthor of several important encryption algorithms (one of them a finalist for the next generation of national encryption standards).
On his blog, Schneier reminds us almost daily that protecting our secrets with a 4096-bit key doesn’t do much good if we have to tape the new pass phrase to our monitors, and that an unforgeable ID card can be a very bad idea if someone can get one by slipping 20 bucks to a file clerk. In Liars & Outliers, however, he takes an almost Aristotelian step back from those frontline concerns to discuss the first causes of security: the kinds of trust that security measures help to enable; why we secure things in the first place, even when—indeed, especially when—we know that security will never be perfect; and why we probably shouldn’t even want security to be perfect.
Since the days when Plato and Aristotle walked this Earth, philosophers have debated what constitutes the ideal state and, more specifically, what holds societies together. Why doesn't society just fall apart? How does society function when you know you can't possibly trust everyone in it? And why aren't we living in what Thomas Hobbes memorably referred to as a state of constant "war of all against all"?
From Bruce Schneier to Moxie Marlinspike, these folks are the ones to listen to for security insight
Bruce Schneier, chief technology officer of BT managed security solutions
With his skill in cryptography and security acumen, Schneier would be welcome on any All-Stars Security team. But it's his ability to write candidly about social and political forces, as well as the psychological aspects of security, that increasingly make him a philosopher in a world of technicians. His next book? He says it's about "trust" and how a society does or does not foster it.
In compiling our ranking of the Most Powerful Voices ("MPV") in security, we took advantage of concepts similar to Google PageRank for people, working with researchers and thought leaders such as Mark Fidelman (see "The Most Powerful Voices in Open Source").
The metrics needed to measure both broadcast power and profundity were identified through a number of studies performed across several industry categories. Although there have been many advancements in the area of social marketing, the work presented here still requires techniques not yet offered by any single social graph tool available today.
The MPV formula is based on "reach" by examining the number of followers and buzz an individual has on sites like Google and Twitter.
Homeland Security NewsWire: In your opinion, what is the cause behind the recent increase of sophisticated cyber attacks against major corporations and government entities by hacktivist groups like Anonymous, AntiSec, and LulzSec?
Bruce Schneier: I'm not sure there has been any recent increase of sophisticated cyberattacks. There has certainly been a recent increase in the press reporting incidences of sophisticated cyber attacks. I think this is because several groups have attached them to political causes -- for example the torture of Bradley Manning by the United States -- and because media attention begets more media attention.
BT's Bruce Schneier has made a reputation for himself by exploring the unconventional sides of security. Drew Amorosi sat down with this industry luminary to gain a greater understanding of the man and, briefly, dive into the mind and life that is Bruce S
Bruce Schneier is, without question, a superstar of the security industry. Often labeled as a security "expert" or "guru," there is perhaps nobody in the field that is more often quoted or respected. His name is as synonymous with security as Michael Jordan's is with basketball, or the Beatles are with rock and roll. But, as he told me when I sat down with him in London this spring, "Bruce Schneier the security celebrity" was spawned from rather accidental beginnings.
Bruce Schneier, an author who writes about how we perceive danger, gave a great talk at TED recently, outlining five cognitive biases people fall victim to when making decisions about risk.
None of the five were intended to relate to investing, but all of them can teach investors something about the rampant biases we make with our money.
1. We tend to exaggerate spectacular and rare risks and downplay common risks.
Schneier used the example of flying vs.
The hack attack that forced Sony to take the Playstation Network and Sony Online Entertainment offline and resulted in the theft of personal information from tens of millions of people around the world wasn't really Sony's fault, it was an inevitability, a security expert tells Kotaku.
Bruce Schneier, internationally renowned security technologist and author of Applied Cryptography, Secrets and Lies and Schneier on Security, said that the only thing unusual about the break-in to Sony's dual networks is that they are used for gaming, something titillating to the mainstream media.
"It's another network break-in, it happens all of the time," he said. "This stuff happens a lot."
For every incident like the infamous Heartland Payment data breach in 2008, which impacted millions, there are dozens of smaller breaches, some underreported or not reported at all.
As Russia reels in the aftermath of a brutal terror attack yielding an estimated 35 casualties at Domodedovo Airport -- Moscow's busiest -- much of the awe and reaction toward this specific incident is focused on the location: not just an airport, but a restaurant at an airport, outside of the baggage claim, before anyone reaches a security checkpoint. Especially as the terrorists in question are initially being reported as Arab, governments (and specifically: ours) beginning to react on their own turfs outside of Russia is a given. Yet, while responses by Western Governments to terror attacks anywhere are subject to variables generally extending to who's been attacked, who has done the attacking, and whether continuity within the attack is a possibility, they all typically have a common link: the intensifying of security at corresponding locations. Is that going to happen here?
Security expert Bruce Schneier has called for governments to establish 'hotlines' between their cyber commands, much like those between nuclear commands, to help them battle against cyber attacks.
Cyber security is high on the national agenda, and is regarded as a top threat to the UK's security. It is also a top concern for other nations around the world. Last month, the EU announced plans for a cybercrime centre by 2013, and it agreed with the US to set up a working group on cybersecurity.
Since 9/11, cryptology expert and security consultant Bruce Schneier has been one of the most pointed critics of the government's anti-terrorism security programs. In his 2003 book "Beyond Fear," he coined the phrase "security theater" to refer to measures which are undertaken not because they will be effective at thwarting attacks, but because the agencies carrying them out need to appear to be doing something useful. We spoke to Schneier about the recent controversy involving the Transport Security Agency's use of invasive scanners and full-body pat-downs.
Q: What is really being seen by these machines?
A security guru has debunked cyber war and cyber terrorism myths.
The threats of cyber war and cyber terrorism have been grossly exaggerated and are hindering a real understanding of risks on the internet, one of the world's leading information security experts has said. Bruce Schneier, the author and security technologist who is also chief security technology officer with BT, was speaking in Dublin yesterday at an event held by the Irish Institute for European Affairs (IIEA).
Schneier referred to the denial of service attack in Latvia in 2007, which brought down several government services for a time, and said it was most likely the first such cyber war attack against a state.
His talk on security was not, as you might imagine, about HTTPS and secure sockets, but rather a much more philosophical talk on the psychology of security. The point Mr. Schneier was making was that there is a difference between actually being secure and the feeling of being secure.
You can be secure when you don't feel as if you are.
As an author of books on security, the influential Crypto-Gram newsletter and the blog Schneier on Security (www.schneier.com), as well as a frequent guest on TV and radio, Bruce Schneier has become something of a celebrity in the world of security: He may be the only CSO whose likeness is used to sell T-shirts. Still, the most rewarding aspect of his career, as he conveyed in this interview conducted by e-mail, is that he believes he is having an impact on people's thinking about security.
CSO: What are three fail-proof principles of security leadership?
Bruce Schneier: One, tell the truth as you see it. Two, don't be afraid to change your mind.
During a panel discussion at the recent Worldwide Cybersecurity Summit in Dallas that otherwise was as dry as a highway in the Sahara, security guru Bruce Schneier made a provocative argument.
He contended that just as pollution was the unfortunate byproduct of the Industrial Revolution, data is the waste product of the digital revolution.
And just like pollution, all the data we generate during our lives never degrades.
He noted that almost every transaction and interaction now generates data.
In the wake of Shahzad's arrest, the dangers of disposable phones are likely to be scrutinized once again -- and there are sure to be renewed calls for their closer regulation. We called Bruce Schneier, security technologist, chief security technology officer at British Telecom, and author of "Beyond Fear: Thinking Sensibly About Security in an Uncertain World," to find out how dangerous they really are.
How dangerous are these disposable cellphones from a national security perspective?
I think it's a trivial danger. There are a lot of people who will say these anonymous cellphones are bad, that we're all going to die.
6. Bruce Schneier
Shaun Nichols: While he's not so known in the larger industry, Bruce Schneier is one of the most respected and revered people in the computer security business. At conferences such as RSA he always seems to be booked for the main stage and we always try to book a few minutes for an interview.
This is because Schneier is not only a respected authority on the antivirus, network security and encryption fields, but he also has a knack for breaking things down in common language.
1. Summary of the review
Bruce Schneier's Beyond Fear is a book about security in general. In contrast to many other books, Schneier explains how security works in the most general case, starting from protecting your diary from your sister to protecting the nation from global terrorism. Schneier's book does not focus on cryptography or network security; instead it uses examples of systems everyone is expected to be familiar with.
Schneier on security, SSL and squid
V3.co.uk managed to get five minutes with security legend Bruce Schneier at RSA 2010 in San Francisco to get his views on the current threat landscape.
Yesterday we saw a presentation saying that anti-virus systems are failing 10-30 per cent of the time. What's your take on that?
I don't believe that, otherwise I'd be infected with lots of malware. If it is, I'm not paying attention.
"Security affects every aspect of people's lives," says world-renowned security expert and critic Bruce Schneier, CAS/MS '88. "It helps people make better personal, corporate, and national decisions."
A regular columnist for the Wall Street Journal and the Guardian newspaper in the UK, Schneier calls himself "an explainer." Through his best-selling books, Applied Cryptography, Secrets and Lies, and Beyond Fear, and countless mainstream and security media articles and speaking engagements, he explains difficult topic matter to regular folks. His reputation as a leading cryptographer even got him mentioned in Dan Brown's mega-bestseller, The Da Vinci Code.
Schneier's 2008 book, Schneier on Security, offers insight into everything from the shortfalls of airport security and the dangers of identity theft to the long-term security threat of unlimited presidential power and the amazingly easy way to tamper-proof elections.
Schneier is the official rock star of the security industry with deep knowledge of cryptography and privacy. He is the author of Applied Cryptography; Beyond Fear: Thinking Sensibly About Security in an Uncertain World; and Secrets and Lies: Digital Security in a Networked World. Schneier is also a frequent speaker at security events as well as the author of the Blowfish and Twofish algorithms.
If one were to close one's eyes and imagine a BT Executive, one would never conjure up Bruce Schneier. He is one of the greatest experts in cryptography, and a well-known mathematician. He even got a brief mention in the book The Da Vinci Code. He also remains an outspoken and articulate critic of the way that security is actually implemented in applications, as Richard Morris found out when we dispatched him to interview him.
Once a sleepy IT backwater, Identity Management has been thrust into the spotlight over the past few years.
The IT security expert on eavesdropping with no practical value, necessary trust, and data as the pollution of the information age
Lufthansa Exclusive: Mr. Schneier, you are a specialist in IT security and cryptography. Nevertheless, first a question that belongs more to the field of psychology. I send some e-mails encrypted, my computer's built-in microphone is normally deactivated, and there is an encrypted partition on my hard drive. And if I wanted to have a truly confidential face-to-face conversation, I would remove the battery from my smartphone.
Could you please tell us how you got involved in security?
Cryptography has always been a hobby of mine. My first job after college was with the Department of Defense. Years later, I was laid off from AT&T Bell Labs; I started writing about cryptography for computer magazines, and then my first book: Applied Cryptography. I also started doing cryptography consulting, forming a company Counterpane.
Bruce Schneier, my security guru, thinks that the President should confront the American people with the hard truth: Onerous new security regimes in our civilian aviation system won't protect us. What will protect us is our own resilience. I had an e-mail exchange with Bruce yesterday, and here is an edited transcript:
Jeffrey Goldberg: Do you think that we are moving toward the Israelification of American airport security?
Bruce Schneier: I don't think it's possible.
BT Group PLC Chief Security Technology Officer Bruce Schneier logs long hours trudging through airports to attend conferences and speaking engagements on a wide range of security issues. By his own count, he will take 170 flights this year.
Mr. Schneier relishes pointing out flaws in institutions' security plans--sometimes testing the boundaries himself--and has been a critic of post-9/11 security measures like those at airports. He recently spoke to The Wall Street Journal about "airport-land" rules, skipping to the head of the security line and getting your sandwich taken by the U.S.
Leading security expert Bruce Schneier was in London this week on a whirlwind lecture tour. ZDNet UK caught up with the ex-NSA man, who is now BT's chief security technology officer, at lectures in parliament and at University College London.
Schneier talked to ZDNet UK about his views on behavioural advertising, the efforts of various governments to tackle unlawful file-sharing, cyber-warfare and vendor lock-in.
Q: The UK government is currently trying to pass the Digital Economy Bill, which includes provisions to penalise unlawful file-sharing. Is this technically feasible?
A: The problem with a lot of these measures is that they only affect the average user.
Cybercrime is just like any other type of crime only with different tactics, Bruce Schneier tells Infosecurity.
"In information security there are very real threats, and the main threat is crime," Schneier said, although he also pointed out that many information security threats are due to 'accidents' rather than malice.
Another trend going forward is the interaction between IT and physical systems such as ID cards, ATM machines, Oyster cards, etc. "When the physical hits the IT world.
Managing security effectively is critical when sharing data over the internet
Dubai: Online security, server crashes, disaster recovery, data theft, cyber crime... these are just some of the challenges faced by businesses worldwide.
How does one handle them? The solution lies with the information technology departments and their heads — usually chief technology officers.
World-renowned IT security expert Bruce Schneier gave a talk on the future of the industry, which remains quite new.
As well as being Chief Security Technology Officer at BT, Bruce Schneier is also the author of several books on the topics of security and cryptography with a particular, if not exclusive, focus on the IT industry, which has led The Economist to describe him as a "security guru". And when discussing security he is refreshingly candid and forthright, not dissimilar in tone to Freakonomics author Steven Levitt, while sharing with Levitt the ability to view his chosen field from an angle less ordinary.
"Security is hard to sell for two reasons, economic and psychological," he says. The industry is not necessarily logical: it is by nature complex, and as a consequence easy to get wrong.
In a security industry full of FUD and hype, cryptographer and consultant Bruce Schneier offers a no-nonsense reality check verging on social commentary.
He has worked on numerous ciphers, hash functions, and other cryptographic algorithms that are arcane to the average computer user but which have been instrumental in protecting the privacy of data. But his influence extends beyond the world of encryption.
Schneier wrote several bestselling books--including "Secrets and Lies: Digital Security in a Networked World," "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," and his latest, "Schneier on Security"--that provide perspective on risks and threats in everything from e-mail to airport security.
Security guru Bruce Schneier says that whatever cloud computing is, the security issues and conversations around it are nothing new. The key, he says, always comes down to trust and transparency.
Cloud computing is all the buzz. Amidst all the noise, a lot of the discussion has been about what cloud computing actually is. Some say it is anything you consume outside the firewall.
Security guru Bruce Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and author of books that examine security and society. He is the chief security technology officer of BT Group and a founder and the chief technical officer of BT Counterpane. Described by The Economist as a "security guru," Bruce has authored a series of books on security and related technologies. His first bestseller, Applied Cryptography explained how the arcane science of secret codes works, and was described by Wired as "the book the National Security Agency wanted never to be published." His latest book, Beyond Fear, tackles the problems of security from the small to the large: personal safety, crime, corporate security, national security.
BROOKLYN -- Americans living in the age of ultra-security have been subjected to a massive number of small accommodations in the name of the "War on Terror."
Although most people have become accustomed to not bringing bottles of water on airplanes, there exists some cynicism about the effectiveness of our new security measures and how they relate to our day-to-day lives.
However, it takes an experienced security analyst like Brooklyn's Bruce Schneier to understand the connections between the face of national security that we all can see, and the facts and technology behind it.
"So when does it end? The terrorists invented a particular tactic, and you're defending against it.
The IAPP is pleased that security guru, chief technologist and author Bruce Schneier will present a keynote address at the Privacy Summit, March 11-13 in Washington, DC. Here's a preview of what you'll hear when Schneier takes the stage.
IAPP: You have a cult-like following on Facebook. One group is called Bruce Schneier for president (31 members); another calls itself Bruce Schneier is my hero (200 members).
Security expert Bruce Schneier talks about privacy and property in the information state
As Washington, D.C., gears up for the inauguration, there's one thing that you're not seeing around town. Shoe-checking stations. While one attempted shoe bombing was enough to make all of us wander unshod through the airports of this great nation for years -- there will be security check points all over Capitol Hill -- shoe checking will not be part of the action.
Bruce Schneier, a security commentator and author who The Register calls, "The closest the security industry has to a rock star," took time to correspond via e-mail with Government Technology about the latest security threats to public-sector IT.
He publishes a popular blog and newsletter on Schneier.com. His most recent book, Schneier on Security, is a collection of previously published essays on security-related topics, such as identification cards, cyber-crime, election security and the psychology of security.
A few CIOs in government are touting "user-generated government" -- i.e., mash-up applications and open source built by citizens.
Bruce Schneier's evolution of interests is well documented, moving from encryption to broader and broader perspectives on security. (Hence his recent appearance on 60 Minutes, commenting on TSA's airport screening procedures.) To bring wider perspectives to bear on security issues, Schneier (Chief Security Technology Officer at BT) held in 2008 the first Workshop in Security and Human Behavior, with participants from a broad swath of disciplines including economics, psychology and more. Schneier spoke with CSOonline about his multidisciplinary view of the field and plans for 2009.
CSO: What was the biggest surprise or most enlightening development at the Workshop in Security and Human Behavior?
The most interesting aspect of the workshop was how different the ways in which people were thinking about the same sorts of issues.
Over the years, Mr. Schneier has been a tough critic of the security agency, though he credits Mr. Hawley for "doing the best job he could with the bad hand he was dealt." By that, he says he means that the agency operates under mandates from Congress and elsewhere that resulted in a vast, expensive bureaucracy.
The agency, he argues, is required to spend less effort than it should on sophisticated intelligence-gathering and more than it should on deeply flawed procedures, like depending on travel documents that can be easily counterfeited, or fishing in passengers' bags for contraband screwdrivers and prohibited items like jars of spaghetti sauce that exceed three ounces.
Incessant warnings about "inappropriate" comments are "police state-like," he said.
"It's watch what you say, watch what you say," he said.
There are no easy solutions to today's security challenges, and companies often approach them in the wrong way, says Bruce Schneier.
Talking with security expert Bruce Schneier does not always leave a person feeling more secure. That's because Schneier doesn't sell easy solutions. Instead, he challenges businesses, governments and individuals to examine their assumptions about risk, to eschew simplistic answers and to accept the fact that no system is—or can be—perfectly secure.
Now the chief security technology officer of BT, Schneier worked at the Department of Defense and Bell Labs before founding Counterpane Internet Security, which was acquired by BT.
#19: Bruce Schneier, Influential Security Technologist
Bruce Schneier is an internationally renowned security technologist, referred to by The Economist as a "security guru." He is the author of eight books – including the best sellers Beyond Fear: Thinking Sensibly about Security in an Uncertain World; Secrets and Lies; and Applied Cryptography – as well as hundreds of articles and essays in national and international publications, and many more academic papers. His influential newsletter Crypto-Gram, and his blog Schneier on Security, are read by over 250,000 people. "I consider myself a synthesist and a communicator. My biggest accomplishments involve understanding complex ideas and explaining them simply, as well as finding connections and patterns and commonalities among diverse ideas.
He might be called the international rock star of computer security. Having testified before Congress and given well-regarded speeches the world over, when Bruce Schneier talks about security, experts listen. A prolific author, he has penned articles for publications ranging from Wired to The Guardian to the Sydney Morning Herald. His books include Applied Cryptography, which delves into the science of secret codes, and Beyond Fear, which details how to protect security on the personal and national level.
An edited version of this interview will appear in CIO Insight.
Schneier: The security of voting machines points to two big issues. The first one is that security is actually very hard. People think technology magically makes security worries a thing of the past, but it's just not true.
This day, however, would feature a different sort of experiment, designed to prove not only that the TSA often cannot find anything on you or in your carry-on, but that it has no actual idea who you are, despite the government's effort to build a comprehensive "no-fly" list. A no-fly list would be a good idea if it worked; Bruce Schneier's homemade boarding passes were about to prove that it doesn't. Schneier is the TSA's most relentless, and effective, critic; the TSA director, Kip Hawley, told me he respects Schneier's opinions, though Schneier quite clearly makes his life miserable.
"The whole system is designed to catch stupid terrorists," Schneier told me.
"There is a perception in both the private and government sector, that security, both physical and digital, is something you can buy. Witness the mammoth growth of airport security products following 9/11, and the sheer number of vendors at security conferences. With that, government officials and corporate executives often think you can simply buy products and magically get instant security by flipping on the switch. The reality is that security is not something you can buy; it is something you must get."
Perhaps no one in the world gets security like author Bruce Schneier does.
WHEN IT comes to security, Bruce Schneier would like people to stop worrying about what he calls "movie plot" scenarios. Exploding aircraft, attacks on landmark buildings, the whole category of "cyberterrorism" all rankle with Schneier, who thinks the ultimate security risk is "people."
He may not be a household name, but he is quite possibly the most namechecked security expert in the world among technologists - and science fiction fans.
Schneier, who with ponytail and greying beard looks pleasingly like an eminent cryptologist should look, created two of the best-known security algorithms, nicknamed Blowfish and Twofish, and wrote Applied Cryptography, the bible of the digital security industry. The Economist hails him as "a security guru." He is even mentioned in The Da Vinci Code.
Checking in with expert Bruce Schneier about the state of security.
DDJ: A decade ago, you said that computer security, with all of its advances, would likely get worse in the future. Is this the way things turned out? If so, why? And what does this tell us about the next 10 years?
It's been ten years since Bruce Schneier - founder of security monitoring firm Counterpane Internet Security - launched his newsletter, Crypto-Gram, which expanded from covering computer security issues to a broader investigation into security issues of all sorts. Now Counterpane belongs to BT, where Schneier is chief security technology officer, and as he tells global technology editor John C Tanner, security is still a hard sell.
Telecom Asia: Your background is computer security and cryptography - how did you end up applying that knowledge into the world at large?
Schneier: I think it's just what happens when I start looking at something. I start looking at the bigger picture. The first sort of major milestone was the post 9/11 issue.
One of the meetings held in conjunction with the recent World Congress on Information Technology (WCIT) 2008 in Kuala Lumpur was the Infosec.my information security conference and the International Multilateral Partnership Against Cyber Terrorism (IMPACT) World Cyber Security Summit. While the thought of combating cyber terrorism is exciting, Bruce Schneier, founder and chief technical officer of BT Counterpane, thinks the term "cyber terrorism" is misleading and its usage cheapens the meaning of terrorism.
"Cyber terrorism is a myth," he says. "We all know what terrorism is; it involves innocent people being killed in a very public way, in an attempt to cause terror in the greater population."
However, Schneier does believe very much in cyber threats and thinks governments should do more, such as cooperating to use their collective bargaining power to demand more security from software vendors.
We recently sat down with security guru Bruce Schneier to talk about Internet security and, boy, did we get more than what we bargained for.
WITH the advance of new and better cybersecurity technologies, you'd expect the Internet to be a lot safer place for average users.
However, the world-renowned security expert Bruce Schneier paints an entirely different picture — in fact, a pretty gloomy one where no matter what you do to beef up security, it will not be enough. And in the future, things will even get a lot worse.
For Bruce Schneier, the security discipline still evolves and expands. Now he's the one trying to expand it.
In September 2003, CSO published a groundbreaking interview with security guru Bruce Schneier. At the time, Schneier was evolving from cryptographer to general security thinker. An emerging generation of Internet criminals and the new realities of a post-9/11 world were fueling his ideas beyond information security to the broader realm where technology and the physical world interacted. He was beginning to see security as a social science.
Bruce Schneier is one of the foremost experts on cryptography and is a well-known security author and commentator. He is the founder of the managed security services company Counterpane, which was acquired in October 2006 by BT. Schneier sat down with IDG News Service at the Infosec security show in London to talk about the effectiveness of security products and the psychology of security.
Are antivirus products just making money by giving people a "feeling" of security rather than true security?
Schneier: Antivirus is easy.
Security expert Bruce Schneier is rightly regarded as one of the industry's most intelligent and insightful participants. He has made substantial personal contributions to the science of cryptology, and has written some of the best books on the subject.
Like many smart people, Schneier is also highly opinionated. Although I have yet to hear a technical opinion from Schneier that I disagree with, some of his nontechnical opinions are--in my opinion--open to debate.
"Security theater" lecture complements photography exhibit showcasing images of fear, safety and liberty in post-9/11 America
Bruce Schneier shared his ideas about the psychology of security, and the need for thinking sensibly about security, in his hometown last week when he gave a lecture at the Weisman Art Museum in the US.
Schneier's lecture was scheduled in conjunction with an exhibition of photographer Paul Shambroom's images of power (Shambroom's photographs capture scenes in industrial, business, community and military environments.) The association of Schneier's lecture with the photography exhibit says a lot about how the security guru's focus has evolved over the years from the bits and bytes of cryptography and computer security to include a more broad examination of personal safety, crime, corporate security and national security.
The theme of Schneier's talk was the "security theater," a term he uses to describe security measures that are designed to make people feel safer but don't necessarily do so.
"Security is really two different things.
What follows is a transcript of my discussion with Bruce Schneier, Founder and Chief Technology Officer of BT Counterpane and the well-known Schneier on Security blogger. In this podcast we discuss current vulnerabilities, what the future of the security industry will look like, security industry consolidation, encryption, and finally, the time frame for changes in the industry to come about.
First, what threats do you see that companies need to be most concerned with at this point?
The biggest threat right now is crime. About five years ago, criminals discovered the internet in a big way and whether it's identity theft which is fraud or denial of service extortion or other attempts to make money, crime is the primary threat on the net and when we're worried about internet threats, we're worried about crime.
Bruce Schneier and Peter Schoof of ebizQ discuss current vulnerabilities, what the future of the security industry will look like, security industry consolidation, encryption, and finally, the time frame for changes in the industry to come about.
First, what threats do you see that companies need to be most concerned with at this point?
The biggest threat right now is crime. About five years ago, criminals discovered the internet in a big way and whether it's identity theft which is fraud or denial of service extortion or other attempts to make money, crime is the primary threat on the net and when we're worried about internet threats, we're worried about crime.
I've read some of your general comments about, essentially, in a perfect world, the security industry would be unneeded.
An Interview With Bruce Schneier on Science and Security
Earlier this month the National Research Council released a Congressionally-mandated report, "Science and Security in a Post 9/11 World," which recognizes that the 9/11 attacks provoked a misallocation of United States security resources and led to counter-productive security measures. The NRC warns that the widespread practice of labeling scientific research as "sensitive but unclassified" has had grave consequences for our security and our economy. In order to encourage more sensible science-security policymaking, the NRC has recommended the creation of a new high-level Science and Security Commission to give scientists and government security officials a place to deliberate and negotiate security policies as they relate to science and engineering research.
To better understand the relationship between scientific research and national defense, Science Progress spoke with security technologist and author Bruce Schneier about why secrecy makes for bad policy in science and engineering, and whether or not a new institutionalized science-security dialogue would be helpful or simply theatrical.
A recent National Research Council report recognizes that the 9/11 attacks provoked counter-productive security measures that stifle access to fruitful scientific research. Security expert Bruce Schneier talks with Science Progress about the science that makes us smarter and the security that makes us safer.
Earlier this month the National Research Council released a Congressionally-mandated report, 'Science and Security in a Post 9/11 World,' which recognizes that the 9/11 attacks provoked a misallocation of United States security resources and led to counter-productive security measures. The NRC warns that the widespread practice of labeling scientific research as 'sensitive but unclassified' has had grave consequences for our security and our economy.
The following is an excerpt from an interview with Bruce Schneier. Matt Pasiewicz, EDUCAUSE content program manager, conducted the interview at the EDUCAUSE 2007 Annual Conference.
MP: Bruce, perhaps you can get us started by sharing some of your thoughts about the psychology and economics of security.
Schneier: Security is a lot more about people than technology. One thing I've learned from studying economics, the psychology of risk, security, and people is that those problems are actually way harder than the tech problems.
Expert says security benefits must be weighed against tradeoffs
Q: When a company or government entity has a security proposal, how should they evaluate that? What sort of principles should they be looking for to determine whether this is going to be an effective security solution?
A: First, you have to understand that security is a tradeoff. Whether you give money, or time, or convenience, or civil liberties, or American servicemen's lives, you give something and you get some security in return.
InfoWorld's Roger Grimes weighs in on why security expert Bruce Schneier thinks computer security won't get any better in the next 10 years
As longtime readers already know, I'm a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, his Cryptogram newsletter, and his blog must-reads for anyone in computer security.
Bruce is a guy who pushes us to rethink our currently held paradigms.
Bruce Schneier, founder and CTO of Counterpane, outlines the cybercrime landscape enterprises face today. He explains to CWHK's Stefan Hammond that insiders are a problem, managed security services are a solution, and a determined crew with a chainsaw and a truck is a big problem.
CWHK: Computer security never seems to get better, only worse. Why?
Bruce Schneier: Because security is fundamentally not a technology problem--it's a people problem.
When the good folk at Linux Australia sat down with the organisers of the Australian national Linux conference and decided that Bruce Schneier would be the keynote speaker on the opening day of the main conference, they couldn't have made a more correct decision.
Schneier is a man whose security credentials are impeccable, who's probably the world's top security technologist. At the same time, he can talk about security concepts to a teenager - and the kid will understand exactly what he's saying.
When you realise that this same man is an inventor of the Blowfish, Twofish and Yarrow algorithms, then you begin to understand what the word intellectual means.
Computer security expert Bruce Schneier took a swipe at a number of sacred cows of security including RFID tags, national ID cards and public CCTV security cameras in his keynote address to Linux.conf.au this morning.
These technologies were all examples of security products tailored to provide the perception of security rather than tackling actual security risks, he said.
"Camera companies are pushing it, but all the actual data points the other way," Schneier said. "RFID is another one -- the industry pushing it is very much distorting facts."
The discussion of public security -- which has always been clouded by emotional decision making -- has been railroaded by groups with vested interests such as security vendors and political groups, he said.
Computer Professionals for Social Responsibility honors Bruce Schneier, internationally renowned security technologist and author, with its 2008 Norbert Wiener Award.
CPSR's Vice President, Fyodor Vaskovich, notes that "Bruce has long been a passionate advocate for privacy, security, and civil liberties. He is distinguished by technical accomplishments such as designing the Blowfish and Twofish algorithms, bringing cryptography to a wider audience with his book Applied Cryptography, and founding security vendor BT Counterpane. But CPSR particularly applauds Bruce for his higher level social and political accomplishments.
Author, blogger, cryptographer and security luminary Bruce Schneier shares his opinions on the trends and technology of the last 10 years in information security.
Share your opinion on the most important trend(s) of the last decade; technology trends, as well as overall strategic/business trends?
Bruce Schneier: The most amazing thing about the last ten years is how little things have changed technologically. Firewalls, IDSs, worms and viruses, spam, denial of service: they're all still here. Sure, there have been technological advances in both attacks and defences - phishing is relatively new, for example - but for the most part we're using the same technological defences against the same technological attacks.
What has changed is the business motivations.
Schneier is one of three keynote speakers at Linux.conf.au 2008 and speaks with Dahna McConnachie about his presentation, books and thoughts.
Internationally renowned security guru, Bruce Schneier, will be encouraging technologists at linux.conf.au to take a lesson from Luke Skywalker, and "feel the force" a little more when it comes to security.
Schneier, who is CTO of BT Counterpane, is one of the three keynote speakers at the 2008 Linux.conf.au. He joins Python release manager, Anthony Baxter and founding member of HP's Linux division, Stormy Peters.
Dahna McConnachie speaks with Schneier about his talk, "Reconceptualising Security" and how technologists need to remember the importance of the human element.
Last week, we solicited your questions for Internet security guru Bruce Schneier. He responded in force, taking on nearly every question, and his answers are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for “crime pays” to see his sober assessment of why it’s better to earn a living as a security expert than as a computer criminal.
Thanks to Bruce and to all of you for participating.
They'll be absorbed by big companies as security gets built into products, Bruce Schneier predicts to OO GIN LEE
He is sounding the death knell of the consumer IT security market.
IT security guru Bruce Schneier is "100 per cent sure" that consumer security products will cease to exist in the future.
"Companies like Symantec, Network Associates and Qualis will be eventually subsumed as part of larger IT vendors," said Bruce, who was in town earlier this month to give a talk to the local security industry.
Bruce, who is mentioned in the Da Vinci Code novel as a modern cryptologist, gave the recent examples of IBM buying security company Internet Security Systems (ISS) and British Telecom (BT) acquiring Counterpane, the company he founded.
But protection remains a hard sell with many companies, says security expert
EDMONTON - Technology's becoming so fast and complex it's outstripping our ability to keep out hackers and criminals, computer security guru Bruce Schneier said Monday.
"Complexity is the worst enemy of security," Schneier told the Canadian Information Processing Society (CIPS) conference Monday. "It's getting worse faster than security is getting better, and we have no idea how to fix this."
The hacker hobbyists of 10 years ago have been replaced by sophisticated criminals who can get into your computer or server without you knowing about it, said Schneier, whose latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
They can send a worm into your system just to assess your vulnerability to an attack.
BT Counterpane's Bruce Schneier talks to Eleanor Dallaway about why he hasn't been fired yet
Bruce Schneier has increased BT's press mentions in the North American press by 21% since the UK telecom giant's acquisition of his firm Counterpane one year ago. BT insists that the acquisition ran smoothly and that the two companies are working well together, and Bruce tells us that the Counterpane people are happy. But it seems there are a few creases in the BT Counterpane story that still need to be ironed out -- Bruce's job title being the first.
"I thought that by now I'd have had a BT title, but find me the person to give me one," Schneier said, speaking to Infosecurity at the RSA Conference on 23 October.
Bruce Schneier, leading cryptologist described as a "security guru" and a "leading counterterrorism contrarian" by the media, shares his thoughts about the future of information security.
"Crime, Crime, Crime!" Bruce Schneier is adamant when asked to talk about the worst security threats. It's not coming from fanatics, but from people out to steal for money, he insists.
"It doesn't matter what form it takes," he says.
A leading security expert has warned businesses to beware of buying shoddy security products.
Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.
"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier, citing as an example people selling smart cards who "do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too.'"
Schneier said it was difficult for companies to judge the security of varying products because known attacks are relatively rare, making it hard to collect enough data for security-product evaluations.
So says counterterrorism contrarian Bruce Schneier. And the Transportation Security Administration is listening.
In late July, Transportation Security Administration chief Kip Hawley announced a change in his agency's air travel screening policy: Effective August 4, cigarette lighters would no longer be banned from airplanes.
Explaining the measure in an interview with the New York Times, Hawley acknowledged that confiscating lighters at security checkpoints—the TSA's policy for the last two years in the wake of a failed shoe-bombing attempt—had been a waste of resources. Terrorists, he noted, might just as well ignite bombs on airplanes using small batteries (or, as he didn't note, matches).
"Taking lighters away is security theater," Hawley told the Times.
In April, Kip Hawley, the head of the Transportation Security Administration (TSA), invited me to Washington for a meeting. Despite some serious trepidation, I accepted. And it was a good meeting. Most of it was off the record, but he asked me how the TSA could overcome its negative image.
O'Hare, Chicago, the day before Thanksgiving. The nation's busiest airport is straining against the nation's busiest holiday. Among the crowd grumbling through the lengthy security line is a lone traveler with an attaché case. He removes a laptop computer from the case and places it on the tray provided.
A screen shot of a blocked website in Iran (RFE/RL)
June 27, 2007 (RFE/RL) -- A recent report by Freedom House has detailed a "new form of censorship" that has taken hold in CIS states. A particular target of governments' efforts to control what their citizens read is the Internet -- and blocking websites has become common practice in some countries. RFE/RL correspondent Heather Maher asked Bruce Schneier, chief technical officer of computer-security company BT Counterpane, about how such blocking works and what can be done to counter it.
RFE/RL: How exactly does someone -- a government official -- block a website?
Or is security the computer equivalent of the War on Terror? Bruce Schneier gives us the story.
Bruce Schneier is as close as you can get to being a rock star in the security industry. A cryptographer, computer security specialist and bestselling author of numerous books, he’s written countless articles and columns on security issues. He blogs about them at "Schneier on Security" http://www.schneier.com/blog, and publishes the monthly Crypto-Gram Newsletter that has a global readership of around 130,000.
He also finds time to be active in the industry as chief technology officer of BT Counterpane (http://www.counterpane.com/), a managed security services and consulting company he started in 1999 – plus he's one of our Top 59 Influencers in IT Security.
Security is a trade, says BT's Chief Technical Officer Bruce Schneier: and currently we're trading off the risk of crime on the internet today with the big, scary 'cyber terrorism', which is largely a media creation. Here's more.
Chris Gibbons: Well coming up at the end of the month, 22 to 25 May, in fact is the IT Web Security Summit. Now in recent years, security has dominated the corporate agenda.
Security guru Bruce Schneier says what the online banks don't dare say.
"Give up on security if fraud is cheaper!"
Bruce Schneier is the closest thing to a rock star in IT security. The chief technology officer of BT Counterpane is best known as an outspoken blogger, and enjoys exceptionally great respect for his insight into security.
The pointed one-liners come thick and fast when he speaks, and he was recently in Oslo at Cisco's security conference to talk about the only remedy he believes in for getting IT security in order: pure self-interest.
This is how Bruce Schneier, a well-known IT security expert, assesses Microsoft's development in recent years.
Bruce Schneier is among the world's best-known experts on IT security. He is trained in cryptography and is the founder and chief technical officer of a company that was bought by British Telecom (BT) last autumn. The company is now called BT Counterpane.
Schneier was in Norway last week, and digi.no had a chat with him.
BT Counterpane's founder and chief technology officer talks to SA Mathieson at Infosecurity Europe
Bruce Schneier packed out the show's keynote theatre when he spoke about 'The Psychology of Security', based on a draft essay he published in February. He outlined a range of research suggesting that our perceptions of a given risk are heightened if it is - among other things - spectacular, discussed widely, outside our normal experience or willingly taken rather than beyond our control. Such biases are ideal for hunter-gatherers living in small family groups in Kenya in 100 000BC, he argues, but not for modern life.
So how does this apply to infosecurity risks?
Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.
Speaking at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever."
"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure.
According to the sleeve of his latest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier is "the go-to security expert for business leaders and policy makers." If only the policy makers would listen, we'd be safer, happier and still free.
Other books include Applied Cryptography, described by Wired as "the book the NSA wanted never to be published."
Beyond Fear deals with security issues ranging from personal safety to national security and terrorism. Schneier is also a frequent contributor to Wired magazine, The Minneapolis Star-Tribune, and many other fine periodicals. He also writes a monthly newsletter, Cryptogram.
San Francisco - The Electronic Frontier Foundation (EFF) is pleased to announce the winners of its 2007 Pioneer Awards: Professor Yochai Benkler of Yale Law School, writer and Boing Boing co-editor Cory Doctorow, and security technologist Bruce Schneier. Mark Cuban -- HDNet Chairman and NBA Dallas Mavericks owner -- and EFF's Fred von Lohmann will debate copyright, YouTube and the future of Web 2.0 at the award ceremony.
The 16th annual Pioneer Awards will be held at 7:30pm, March 27th at the Manchester Grand Hyatt in San Diego in conjunction with the O'Reilly Emerging Technology Conference.
Professor Yochai Benkler of Yale Law School researches the effects of laws on information, knowledge, and culture in the digital world.
Since the World Trade Center and Pentagon attacks in 2001, Americans have had to endure tighter screening at airports, a color-coded national alert system, irradiated mail, the Patriot Act, and the Department of Homeland Security.
But according to security expert Bruce Schneier, all these measures, meant to protect the population at large, overlook dangers at a more personal, if less lethal, level.
Average people should be less worried about being attacked by terrorists, said Schneier, and more concerned about protecting their identities on-line.
"Crime, crime, crime," Schneier told NJ Jewish News in an e-mail interview while on a working vacation in London and Marrakech.
By now, Bruce Schneier is reconciled to the fact that most people will always be interested in him first and foremost because he's been mentioned in Dan Brown's The Da Vinci Code. Sceptical, aren't you, about the 'reconciled' bit? Schneier's own achievements are no less striking actually. Or else, why would he be in the best-seller for that matter.
Founder and chief technology officer of BT Counterpane, which was acquired by BT in 2005, Schneier is a security technologist and cryptographer.
Bearded, wiry, with his eyes sparkling as he unfurls accurate sound bites, Bruce Schneier hardly looks like the master geek that he is. But his claim to fame is precisely that: Schneier has breathed passion, detail and a touch of evangelism to the business of computer network security, a dull topic even for those who need it badly.
The global cyber cop is the chief technical officer of BT Counterpane, the British telecom company's subsidiary that adds security layers and network patrolling to its business of building and managing computer networks. Schneier, who landed in Delhi to promote cyber security services targeting IT companies and call centers, believes hacking by cocky young men seeking short-term fame has given way to more methodical and dangerous cyber crime gangs that need checking.
Security guru--and part-time restaurant critic--Bruce Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and author of books that examine security and society. He's also a renowned speaker, blogger, and columnist.
- TASTE OF SECURITY
Schneier writes restaurant reviews as an escape, but he sees ties to his security work: "Food is more about how a culture uses what it has to make an interesting meal. That's the same thinking as security.
Security decisions often are much less rational than one would prefer, Schneier says
SAN FRANCISCO -- One of the security industry’s most outspoken experts, Bruce Schneier, spoke at RSA Conference on the topic of how security decisions and perceptions are often driven by irrational and subconscious motives in human beings.
The CTO at BT Counterpane, who is known for his talent in cryptography as well as his critical observations about technology use, yesterday turned his attention to a different matter: an analysis of human behavior in the face of risk-management decisions.
In Schneier’s view, security managers need to be aware that they themselves, their business managers and their corporate user groups are likely to make critical security decisions based on barely acknowledged impressions of fear and irrational response, rather than a careful study of facts.
"Security is a tradeoff," Schneier said, speaking to a packed audience at his RSA session.
Balancing security and functionality is nothing new. But is there a way to fairly allocate the security costs to the users who benefit from the functionality? We ask the LinuxWorld OpenSolutions Summit keynote speaker Bruce Schneier.
LinuxWorld: Welcome to the Linux World Podcast.
This article was linked from Slashdot.
Cryptologist and now, psychologist: Renowned security expert Bruce Schneier once again is turning security on its head -- literally. Schneier will share his latest research and insight at the RSA conference next week on the interplay between psychology and security. (See Schneier On Schneier.)
Schneier says the goal of his talk at RSA is not to discuss security technologies or tactics, but to explain how people think, and feel, about security. "A lot of the time at RSA, we are just puzzled why people don't secure their computers, and why they behave irrationally.
He's eaten guinea pig in Peru, whale in Japan, and tried insects in Australia. But security guru -- and part-time restaurant critic -- Bruce Schneier mostly steers clear of chain restaurants, which he finds oppressively uniform.
When he's not sampling exotic cuisine, Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and as the bestselling author of Applied Cryptography, which has been called the bible for hackers. He's written other books that examine security and society, and he is a renowned security speaker, blogger, and columnist, as well as a popular media talking head who offers unique views on everything from encryption to post-9/11 security overkill.
To paraphrase a classic line from Lily Tomlin, I worry that the person who thought up the rules for carrying liquids and gels on airplanes last year is busy thinking up something new this year.
The thought arises partly because of a scene just after Christmas at an airport security checkpoint, where a half-dozen festive snow globes — like the ones with Frosty the Snowman in a liquid-filled glass globe that simulates snowfall when you shake it — were lined up on a counter.
Wasn't that nice! The Transportation Security Administration had decorated the checkpoint!
Bruce Schneier started his immensely popular blog Schneier on Security in October 2004. He is the CTO of BT Counterpane and the author of eight books, including the bestselling Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Secrets and Lies: Digital Security in a Networked World, Applied Cryptography, and Practical Cryptography.
Bruce, 44, has a B.S. in Physics from the University of Rochester and an M.S.
FOR theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.
As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets.
Minnesota-based author Bruce Schneier challenges the conventional wisdom about what makes people, corporations and nations safer in the post-9/11 world.
Want to keep your kids safe? Teach them to talk to strangers, says Bruce Schneier, a Minneapolis author who happens to be one of the world's leading security experts.
The Brooklyn transplant made his reputation as a cryptographer -- his work has been mentioned in "The Da Vinci Code" and on the TV show "24" -- and as co-founder of the network security company Counterpane, which was recently acquired by BT, the former British Telecom.
A geek's geek who gets treated like a rock star at hacker conventions and mainstream security conferences alike, he continues as chief technology officer of BT Counterpane, a Silicon Valley-based company that manages the security of hundreds of corporations worldwide.
PROVIDENCE — The government is wasting billions of dollars on fruitless antiterrorist tactics when what’s needed is more old-fashioned police work, a visiting security expert said yesterday.
The expensive and invasive high-tech surveillance schemes and armed guards at airports won’t block terrorist attacks, said Bruce Schneier, because the terrorists can simply go elsewhere.
If we guard the Super Bowl, the terrorists can attack a playoff game instead. Or a shopping mall.
MINNEAPOLIS (AP) - It must say something about our times that Bruce Schneier, a geeky computer encryption expert turned all-purpose security guru, occasionally gets recognized in public. "My life is just plain surreal," he says.
Schneier, 43, has made it so by popping up whenever technology and regular life intersect, weighing in on everything from the uselessness of post-Sept. 11 airport security measures to the perils of electronic voting machines and new passports with radio chips.
He does it by writing books, essays, a frequently updated Web log and an e-mail newsletter with 125,000 subscribers.
Security guru Bruce Schneier busts the myths of post-9/11 safety measures
Bruce Schneier has little patience for pointless security measures. As an internationally acclaimed cryptographer and security expert who travels extensively for work, he encounters them every day. Most airline passengers probably have wondered whether taking off their shoes for airport screeners accomplishes anything. Schneier not only understands why it doesn't, he can explain why it actually makes us less secure.
This mastermind's teachings and advice lead back to a singular goal: a common-sense approach to security
Bruce Schneier, CTO of Counterpane, is one of the world's foremost experts on computer security. From a hard-core technical aspect (his first book, Applied Cryptography, is a long-time best seller for people wishing to understand cryptography in detail) as well as a philosophical viewpoint (his other books, such as Secrets and Lies or Beyond Fear, and his monthly Crypto-Gram newsletter), he continues to promote innovative commonsense security.
Bruce will come at an issue with what seems like an unpopular viewpoint, and turn your initial, gut reaction on its head. Say black, and Bruce is likely to say white.
1 - Would a more proactive approach to security—working to ensure that stronger software security is built into applications—work any better than the reactive approaches, such as patches and external software safeguards?
Of course. It's the only possible approach. The notion that we can write lousy software, throw it out into the world and then patch it later has failed. It doesn't work.
The Dr. Dobb's Journal Excellence in Programming Award is an annual award that acknowledges individuals who, in the spirit of innovation and cooperation, have made significant contributions to the advancement of software development. Past recipients include leaders and thinkers in the development community such as Linus Torvalds, James Gosling, Erich Gamma, Guido van Rossum, Jon Bentley, Anders Hejlsberg, P.J. Plauger, and Guy Steele Jr., among others.
This year's recipient -- Bruce Schneier -- is unique in that he has long been a member of the Dr. Dobb's family, so to speak.
Which IT security issues are really important? Which are the main topics enterprises are dealing with in 2006? What is the role of encryption? – When people want to know how security really works, they often turn to Bruce Schneier, internationally-renowned security technologist and author.
Bruce Schneier is an expert in cryptography and computer security, developer of popular crypto algorithms, author of many books and co-founder of Counterpane Internet Security.
scip AG: Hello Bruce. Thank you very much for your time. How is it going?
The seemingly constant industry buzz surrounding Schneier is well-deserved. With a trail of bestselling books in his wake and two encryption algorithms, Blowfish and Twofish, to his credit, Schneier is well-placed to discuss/argue various IT security-related issues in his free monthly newsletter Crypto-Gram. Most recently, he questioned reported comments made by Howard Schmidt that noted Schmidt's support for holding programmers personally accountable for insecure code. These published accounts, which sometimes seem to allude to personal liability, are inaccurate, Schmidt says. He notes that his comments were made "in the context of how [programmers'] ability to write secure code should be a part of performance reviews." Schneier says, however, "It is the software manufacturers that should be held liable" for insecure code.
IsacaRoma: Who are you? Your biography says you are an author, technologist and a "security guru." What is your cultural background? How did you arrive at cryptography and security as a profession?
Bruce Schneier: Security is a mindset, and the best security experts come by the profession naturally.
Mountain View (CA) - Throughout the past two decades, Bruce Schneier has provided one of the most well-reasoned, clear, and unbiased perspectives regarding the broad and complex topic of implementing security and trust in computer systems and networks. Schneier co-developed the widely used Twofish encryption algorithm, authored 1995's ground-breaking Applied Cryptography - which defined how crypto could be used reliably for authentication and communication - and founded network security provider Counterpane, where he currently serves as CTO. But his life's mission of late has been to cast a skeptical eye upon any and every measure that purports to solve the overall problem of security, even from a personal vantage point.
So when Schneier proclaims there's something he actually fears, alarm bells should sound.
You call "identity theft" a misnomer, saying that the fight against fraud might be more effective if we thought of it as impersonation rather than ID theft. Could you elaborate on why?
"Identity theft" doesn't make sense as a term. Your identity is the only thing about you that cannot be stolen. The real crime is fraud due to impersonation.
Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., has spent much of his career educating people about digital security.
His book, "Secrets and Lies: Digital Security in a Networked World," serves as a non-technical introduction to the full, messy complexity of digital security.
Most recently, Mr. Schneier wrote "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." This book about security technology, computer and otherwise, is geared toward the intelligent layman: anyone from a security engineer to a concerned citizen.
As CTO and founder of Counterpane Internet Security, Bruce Schneier invented outsourced security-monitoring services. Following methodology similar to that used by the Centers for Disease Control, Counterpane has created a worldwide early-warning system that responds quickly to attacks on corporate infrastructures. But that’s only one of Schneier’s full-time jobs. Inventor of the Blowfish encryption algorithm and author of eight books on cryptography and security, Schneier consults with organizations as diverse as the Department of Homeland Security and the American Civil Liberties Union.
Founder of Internet Security Firm Inspires Reaction: 'We Trust Bruce'
Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, might be as close as the computer security industry gets to its own celebrity.
Although not as well known as Larry Ellison at Oracle or Bill Gates at Microsoft, Schneier is still the public face of his company, recognized by industry insiders as one of their gurus. Businesses hire Counterpane to guard their networks from hackers and viruses in the same way a nervous homeowner would pay a home-security provider like ADT to watch for fires or burglars.
But unlike most entrepreneurs, Schneier admits that he spends much of his time not focused on his creation.
BRUCE SCHNEIER is an internationally renowned security technologist and author. Described by The Economist as a "security guru," Schneier is best known as a candid and lucid security critic and commentator. He has written articles for, among other publications, Boston Globe, San Francisco Chronicle, Sydney Morning Herald, International Herald Tribune, The Baltimore Sun, Newsday, Salon.com, Wired Magazine, and San Jose Mercury News. He is also the founder and CTO of Counterpane Internet Security, Inc., the world's leading protector of networked information—the inventor of outsourced security monitoring and the foremost authority on effective mitigation of emerging IT threats.
Schneier's book publications include Beyond Fear: Thinking Sensibly About Security in an Uncertain World; Secrets & Lies: Digital Security in a Networked World; Applied Cryptography; Protect Your Macintosh; E-Mail Security; Practical Cryptography (with co-author Niels Ferguson); and The Electronic Privacy Papers: Documents on the Battle for Privacy in the Age of Surveillance (with co-author David Banisar).
Schneier also publishes a free monthly newsletter, Crypto-Gram (http://www.schneier.com/crypto-gram.html), which counts over 100,000 readers. Additionally, Schneier maintains a weblog, covering security and security technology issues.
Bruce Schneier is founder and chief technology officer of Mountain View, Calif.-based MSSP Counterpane Internet Security Inc. and author of Applied Cryptography, Secrets and Lies and Beyond Fear. He also publishes Crypto-Gram, a free monthly newsletter, and writes op-ed pieces for various publications. Schneier spoke to SearchSecurity.com about the latest threats, Microsoft's ongoing security struggles and other topics in a two-part interview that took place by e-mail and phone last month. In this installment, he talks about the "hype" of SP2 and explains why it's "foolish" to use Internet Explorer.
What's the biggest threat to information security at the moment?
Security expert Bruce Schneier talks with CIO Update about how CIOs can best meet the security challenge.
Bruce Schneier, one of the country's leading computer-security experts, is the author of the highly acclaimed Beyond Fear. This no-nonsense look at security -- both in the real-world and on corporate networks -- dissects security in such a way as to help readers become better consumers of it.
Schneier certainly knows his way around such questions. He is the founder of Counterpane Internet Security, a global provider of outsourced security monitoring services. With a suite of services -- including firewall and IDS device management, vulnerability scanning and consulting -- Counterpane monitors security on more than 400 networks in 32 countries.
Described by The Economist as a "security guru", Bruce Schneier is a well known security analyst who has gained notoriety from his popular security mailing list, Cryptogram, and his 3 books on various security subjects. Bruce was kind enough to take the time to have a chat with Neowin, and talk about himself, security, Microsoft, and much more.
Bruce, thanks for taking the time to talk to Neowin; could you start by giving us a brief history of yourself, what you've done, and what you're doing at the moment?
My security career seems to have been a continuing process of becoming more generalized. First cryptography, then computer security, and now general security.
Bruce Schneier, an international security expert and author
The Sept. 11 Commission's recommendation that Congress create a national intelligence director to oversee the country's 15 information-gathering agencies has been gaining support in recent weeks. But Bruce Schneier, an international security expert and author of numerous books on security technology, said the government should focus more on changing the culture of U.S. intelligence agencies.
The cofounder and chief technical officer of Counterpane Internet Security Inc., a Mountain View, Calif., provider of managed security-monitoring services, Schneier takes a skeptical view of centralized security efforts such as the Homeland Security Department and its U.S.
Here are some recently released top-quality books:
Beyond Fear: Thinking Sensibly About Security In An Uncertain World, by Bruce Schneier. Schneier continues proving himself a leading thinker on security issues, in part because he continues to evolve from an expert who first approached security as a techno-centrist to one who now sees security as a process involving a broader set of factors, including power, agenda, bureaucracy and people. A goal of the latest book is to take the lessons that Schneier has learned in his computer security work and apply them to other security concerns, like protecting the nation from terrorist attacks, or protecting homes from burglars.
A theme of this latest book, Schneier's third in a series, is that "security" always involves "trade-offs." He outlines five steps for evaluating a security program's worth: (1) What assets are you trying to protect?
Bruce Schneier is perhaps the best example of why IT security professionals are "eating the lunch" of physical security managers in some corporations. He thinks creatively, he expresses himself logically, and he has cultivated the ear of people high on the corporate food chain. His latest book will be food for thought for security professionals.
Beyond Fear is organized into three sections: "Sensible Security," "How Security Works," and "The Game of Security." The first section introduces three of Schneier's core concepts: that all security involves trade-offs, that trade-offs are subjective, and that they depend on power and agenda.
The following is a conversation between Bruce Schneier -- a renowned security expert and founder and CTO of Counterpane Internet Security, Inc. whose newest book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World, explains how security really works -- and Bruce Sterling, whose new techno-thriller, The Zenith Angle, is about computer security and Washington politics. Sterling also wrote The Hacker Crackdown: Law and Disorder on the Electronic Frontier, a nonfiction book about computer hackers and cyber-police. The two Bruces, long-time admirers of each other’s work, got together to discuss the nexus of security, technology, and the real world.
Schneier: We both write about security and technology. I see technology continually changing the balance between attacker and defender.
March 17 - The coordinated train bombings last Thursday in Spain marked the country's deadliest terror attack ever, killing at least 200 and injuring at least 1,500. Indications -- still unconfirmed -- that Islamic fundamentalists with ties to Al Qaeda may have been behind the blasts have prompted emergency meetings among European leaders and raised fears of another attack on the United States. But are Washington's precautions enough? And has its allocation of resources focused too much on air safety and not enough on other forms of public transportation?
It's a rare security book that can raise awareness without resorting to sensationalism, but Bruce Schneier's recent title Beyond Fear is one of them. It covers the theory behind both good and bad security practices, though it's not a manual. It does not explain how to make whatever you wish to defend more secure, but it will help you to think clearly about how to do that.
The book clearly defines the essential concepts and basic practices behind security in all areas of life.
Bruce Schneier has been one of my heroes for many years, not least because of the clarity of his thought and the crispness of his writing. Readers of this column have seen references in the past to his free monthly Crypto-Gram newsletter, and I hope you have subscribed to that always-worthwhile publication.
In 2000, Schneier published a groundbreaking primer for non-nerds called Secrets & Lies in which he confronted many misunderstandings and outright myths about security in the digital realm. In 2003, he continued his educational efforts with Beyond Fear, a superb analysis of the basis of rational thought about security in the wider world—not just computers and networks.
In 1996, a man named Willis Robinson reprogrammed a computerized cash register at a Taco Bell in Maryland. The compromised machine would ring a $2.99 item internally as a one-cent sale, even as it showed the proper amount on its screen. Robinson skimmed $3,600 from his employer. He was caught only because he bragged about his exploits.
Think sensibly, and act with confidence
Security expert Bruce Schneier takes a much-ado-about-nothing view of terrorist fears. The odds of such an attack are close to zero, so better to worry about things that have at least some likelihood of occurring, he maintains.
"We as a society always fear the rare and spectacular more than the pedestrian," says the cyber-security whiz and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, $25).
Though not geared specifically to travelers, his new book espouses the notion that security measures involve trade-offs — both monetary and personal.
Q: Will computers be more or less secure in 2028 than they are today?
A: Computers will be just as insecure, but computing will be more secure. Right now our major problem is that computer security is brittle; when it breaks, it breaks completely. As computing becomes embedded and invisible, it will become more resilient. Different systems will work in tandem, providing defense in depth.
First he wrote "Applied Cryptography," which quickly became the standard work on encryption. Then he began to doubt that encryption was the key to computer security.
Computer security, says Bruce Schneier, stands or falls with human judgment. Instead of chasing new encryption methods, we should remember old truths, such as that no chain is stronger than its weakest link.
Like or loathe him, you've got to admit that cryptographer Bruce Schneier knows how to capture media attention. From titillating talks to shamelessly promote his books (including the best-selling Secrets & Lies and the recently released Beyond Fear), to outrageous remarks on the speaker circuit, Schneier frequently grabs the spotlight with outspoken opinion and candor.
For example: "Most advisories trade on fear. Most newspaper and magazine articles trade on fear," Schneier said in a recent Information Security interview.
In his recently released book, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, 2003), security guru Bruce Schneier argues for a more common-sense and less technology-centric approach to both IT security and physical security. In this interview with Computerworld, Schneier shares his views on IT security.
You recently co-wrote the report "CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft's Products Poses a Risk to Security." Would you have written it if the world had been standardized around another operating system?
It's a gutsy way to start a book on security. In "Beyond Fear," published this month by Copernicus Books, Bruce Schneier asks us to set aside our revulsion and horror to grasp what the 9-11 terrorists accomplished. What they did, he says, was efficient, audacious, well-planned, simple and, from their view, successful. This understanding is key to moving beyond fear and improving security, says Schneier, who created some well-known encryption algorithms—formulas used to scramble and unscramble computer data.
For a while, it seemed as if Bruce Schneier himself was encrypted. No one could decipher his whereabouts for an interview with CSO. This was unusual because Schneier, founder and CTO of Counterpane Internet Security, is usually aggressively available to the press. Plus, he has a new book to promote—Beyond Fear: Thinking Sensibly About Security in an Uncertain World—a decidedly iconoclastic and non-IT view of security.
Bruce Schneier is a rare creature in the computer-security world. Although he made his name as an alpha geek in cryptography and later, as chief technology officer of Net-security outfit Counterpane, Schneier can also speak to laypeople about the general security matters that increasingly touch all of our lives.
In the post-September 11 era, he has emerged as one of the more cogent and quotable thinkers on the topic. In particular, he has asked hard questions about the effectiveness of some of the security measures passed after the terrorists' massacre.
Bruce Schneier contends that the strongest security systems benefit from redundancy and variety. And as the Homeland Security Department consolidates a number of different agencies, Schneier warns that entrusting a centralized authority with securing the nation may make the country less, rather than more, secure.
Few in the field of information technology security have more expertise and industry respect than Schneier. Not only is he the author of "Applied Cryptography," one of the seminal textbooks on encryption, but his Twofish encryption algorithm was a finalist for the National Institute of Standards and Technology's new Federal Advanced Encryption Standard.
Tech entrepreneur Bruce Schneier is one of America's best-known computer security experts. His testimony before Congress helped defeat legal restrictions on cryptography sought by the FBI and the National Security Agency when an appellate court ruled in 1999 that crypto algorithms were a form of speech covered by the First Amendment.
Schneier co-founded security services company Counterpane Internet Security, where he serves as chief technologist. Arguing that constant vigilance, not technology, is the best defense against computer break-ins, Schneier believes security breaches are nonetheless fated to increase as networking systems become more complex.
A top expert says America's approach to protecting itself will only make matters worse. Forget "foolproof" technology—we need systems designed to fail smartly
- To stop the rampant theft of expensive cars, manufacturers in the 1990s began to make ignitions very difficult to hot-wire. This reduced the likelihood that cars would be stolen from parking lots—but apparently contributed to the sudden appearance of a new and more dangerous crime, carjacking.
- After a vote against management, Vivendi Universal announced earlier this year that its electronic shareholder-voting system, which it had adopted to tabulate votes efficiently and securely, had been broken into by hackers. Because the new system eliminated the old paper ballots, recounting the votes—or even independently verifying that the attack had occurred—was impossible.
- To help merchants verify and protect the identity of their customers, marketing firms and financial institutions have created large computerized databases of personal information: Social Security numbers, credit-card numbers, telephone numbers, home addresses, and the like. With these databases being increasingly interconnected by means of the Internet, they have become irresistible targets for criminals.
Security expert pushes full disclosure, forcing vendors to admit and fix bugs quickly.
Bruce Schneier is founder and chief technology officer of Internet security firm Counterpane. He has written two books on cryptography and computer security, Secrets and Lies and Applied Cryptography, and is an outspoken critic of Microsoft and other software vendors that produce products that contain dangerous security holes. We spoke with him about who is responsible for software security flaws and what consumers can do about the growing problem.
PCW: Are there more security holes in software, or are we just getting better at finding them?
Contestant would do it again 'in a second'
Last month we reported the triumph of two Belgian academics in the US encryption standard contest. But how was the contest organised? If you're not interested, stop reading now.
In the early seventies the US government put out a call for an encryption algorithm. It had no response.
Secrets and Lies: Digital Security in a Networked World.
By Bruce Schneier.
John Wiley & Sons; 432 pages; $29.99 and £19.50
WHEN an acknowledged expert suddenly announces that his previous views are completely wrong, it is time to take notice. That is exactly what Bruce Schneier, an authority on computer security, has just done in "Secrets and Lies". Like many in his field, he used to be beguiled by the mathematics of cryptography, and believed that, with enough fancy encryption and authentication, it was possible to build a totally secure system—a mathematical utopia he described in a previous book, "Applied Cryptography", which became a standard work.
Secrets and Lies by Bruce Schneier, John Wiley, £19.50, ISBN 0471253111
An exceptional amount of disinformation plagues the world of information security. For decades spies obstructed the "proliferation" of cryptographic and security know-how. This made their job of snooping far easier.
When in 1993 I tried to organise a research programme in computer security, cryptography and coding theory, a spook in a suit approached the institute involved.
Bruce Schneier's book Secrets and Lies won a Productivity Award in the 13th Annual Software Development Magazine Product Excellence Awards.
Bruce Schneier of Counterpane Internet Security says computing today is unsafe at any speed. But we can minimize the dangers
Hardly a week goes by when corporate computing czars don't have to absorb some rude piece of news from the security front. It may be a gaping hole somebody discovers in a browser or e-mail system, or a virulent new pest with a name like Melissa or Worm.ExploreZip. Against these mounting threats, the usual defensive arsenal of virus-scanning software, encryption, and firewalls seems flimsy indeed.
Brace yourself: The situation is going to get worse, according to Bruce Schneier, 36-year-old cryptography guru and author of Crypto-gram, an influential monthly newsletter. As new releases of common software grow more complex -- and interact with one another in ways that nobody can predict -- security products purchased off-the-rack will offer less and less protection from malicious viruses and hackers, Schneier warns.
Most of the questions we got for crypto guru Bruce Schneier earlier this week were pretty deep, and so are his answers. But even if you're not a crypto expert, you'll find them easy to understand, and many of Bruce's thoughts (especially on privacy and the increasing lack thereof) make interesting reading even for those of you who have no interest in crypto because you believe you have "nothing to hide." This is a *long and strong* Q&A session.
First Bruce says, by way of introduction...
"I'd like to start by thanking people for sending in questions. I enjoyed answering all of them.
The Internet is not a danger zone, but you do need to take steps to safeguard your PC and your privacy. Of the products we tested, these four tools offer the best personal protection.
Password Safe 1.7
Counterpane Systems' Password Safe is an easy, secure, and free solution to the password problem.
In a paper released last week, computer security specialists from Counterpane Security and L0pht Heavy Industries went over with a fine-tooth comb Microsoft Corp.'s built-in Windows virtual private network (VPN) support.
Their target: Microsoft Point-to-Point Tunneling Protocol (PPTP) version 2. Their conclusions? While better than version 1, MS PPTP still leaves VPNs open to attack.
For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG). PRNGs produce unique keys that can lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that PRNGs lack security and portability.
PRNGs generate numbers based on a variety of factors, such as a user's mouse movements, and store this data in an entropy pool, which is later tapped by security software to create an encryption key.
The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world's top cryptographers convene to review proposals for a new, advanced encryption standard.
Officials at the National Institute for Standards and Technology (NIST) will kick off the first round of "evaluation and analysis" of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.
"This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work," said Miles Smid, manager of NIST's security technology group.
The AES conference is being held a few days before the International Cryptographer Conference, enabling leading cryptographers from around the world to review the proposals, Smid said.
Despite oven-hot July heat, a recent trip to Las Vegas to hear Bruce Schneier speak to IT security pros and customers at the second annual Black Hat Briefings (www.blackhat.com) was well worthwhile.
In remarks titled "A Hacker Looks at Cryptography," Schneier punctured the hype that often surrounds his own area of expertise. You might not expect to hear Schneier, author of the widely praised book "Applied Cryptography," reminding an audience of a comment that's often quoted, but that neither of the suspected sources will admit to having made: "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."
In his talk, Schneier added a bit, so to speak, to the popular top-10 format, building his talk around the top 20 causes of cryptographic failure. "Most cryptographic products are not secure," he asserted, emphasizing that cryptography itself is stronger than it generally needs to be, while the rest of a crypto-based system often falls short.
A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.
Twofish, the sequel to Schneier's 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.
Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a "secret key" and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware.
Flaws in Microsoft Corp.'s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday. "We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis," said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. "Any Microsoft NT server on the Internet is insecure."
Counterpane discovered the problems while doing a security analysis on Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft confirmed the security problems later the same day.
VPNs increasingly popular
The flaws weaken the security of so-called "virtual private networks," or VPNs, based on NT and point-to-point tunneling protocol, or PPTP.
A top cryptographer said Microsoft's version of a key protocol in Windows NT is so flawed that users should avoid using virtual private network software based on Microsoft's Point to Point Tunneling Protocol.
Bruce Schneier, a noted cryptographer, said the PPTP in Windows NT 4.0 is so broken it can't be fixed with patches--a position that Microsoft disputes.
"I believe it's fundamentally broken," said Schneier, who authored a widely used cryptography textbook. "What we're seeing is the basic problem of proprietary security standards.
Listen to security expert and consultant Bruce Schneier and he'll tell you that Windows NT's security mechanism for running virtual private networks is so weak as to be unusable. Microsoft counters that the issues Schneier points out have mostly been addressed by software updates or are too theoretical to be of major concern.
Schneier, who runs a security consulting firm in Minneapolis, says his in-depth "cryptanalysis" of Microsoft's implementation of the Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed security techniques that dramatically compromise the security of company information.
"PPTP is a generic protocol that will support any encryption.
MINNEAPOLIS — A computer security expert will announce today that he has found a flaw in Microsoft Corp.'s implementation of a communications protocol used in many virtual private networks.
Bruce Schneier, president of Counterpane Systems here, said Microsoft's implementation of the point-to-point-tunneling protocol will lead to compromised passwords, disclosure of private information and server breakdowns in virtual private networks running under Windows NT and 95.
"Microsoft's implementation is seriously flawed on several levels," said Schneier. "It uses weak authentication and poor encryption." For example, he said Microsoft employed users' passwords as an encryption key instead of using other well-known and more secure alternatives.
Used with permission
As the world goes digital, encryption standards become more important.
Even those who don't use the Internet are affected by security in the online age--everything from bank account and medical information to credit card numbers and transactions requires some form of coding to protect it from prying eyes.
Yet all is not well--with each new standard comes crackers to break it. And, at the other end, governments--particularly that of the United States--are trying their darndest to ensure that encryption technology doesn't get too powerful.
When Thomas Paine published Common Sense in 1776 - arguing that the American cause was not merely a revolt against unfair taxation, but a demand for independence - he had no idea that more than 200 years later, the struggle for freedom would be waged between privacy advocates and the national-security establishment. This time, the dispute is over not taxation without representation, but communication without government intervention.
One of today's crypto revolutionaries is Bruce Schneier, the neatly dressed, ponytailed author of Applied Cryptography. Schneier also recently helped identify a key flaw in the encryption scheme the US digital cellular industry had adopted for use in cell phones.
A few minutes work on a computer can break the codes that are supposed to protect new digital cellular phone technology from eavesdroppers, a team of researchers said Thursday. The cellular phone industry claimed the impact on users would be "virtually none," since engineers were working to strengthen the encryption and since a separate code that scrambles voices was not broken.
The Cellular Telecommunications Industry Association also denied that its codes could be broken so easily.
"It involves very sophisticated knowledge," an association statement said.
used with permission
In 1992, the wireless industry adopted an encryption system that was deliberately made less secure than what knowledgeable experts recommended at the time. It was accepted by the industry because it was a standard that would meet federal export regulations and would enable digital cell phone manufacturers to make one phone that could be sold in either the US or abroad, thus saving money.
As a result, the potential for eavesdropping has always existed and, some say, has been waiting for criminals with advanced techniques to exploit it.
Yesterday, a trio of computer experts released the news that digital isn't all it's cracked up to be--and that they have, in fact, cracked the most difficult part of the code that's used by phones to send digits from the keypad, making eavesdropping and cloning a real likelihood even on digital phones. Even this morning's Wall Street Journal, when referring to the assurances made by wireless phone companies to subscribers about the security of digital phones, [called them] "hollow promises."
WirelessNOW has conducted an exclusive interview with the head of the code-cracking triumvirate and found his straightforward responses to our questions open - and at least somewhat frightening.
A group of prominent cryptographers will announce today that they have discovered a hole in the privacy protection in next-generation digital cellular telephones. The new phones were supposed to be far more secure from eavesdropping and fraud than the analog phones used by most mobile-phone customers today. But Bruce Schneier, a well-known expert on code breaking, and other researchers have found a way to easily monitor any numbers dialed on a digital phone, such as credit card numbers or passwords. In addition, they say, voice conversations can easily be deciphered.
Computer scientists have broken a crucial code that protects the new generation of cellular phones from certain kinds of eavesdropping.
The news is a blow to those who would promote digital cellular telephones as highly secure systems, said Bruce Schneier of Minneapolis-based Counterpane Systems, one of the cryptographers who broke the code.
Breaking the code takes just minutes on a powerful desktop computer, Schneier said.
Schneier and his colleagues, John Kelsey of Counterpane and David Wagner from the University of California-Berkeley, said they broke one of three encryption systems used in the new generation of digital cellular phones.
A team of well-known computer security experts will announce on Thursday that they have cracked a key part of the electronic code meant to protect the privacy of calls made with the new, digital generation of cellular telephones.
These technologists, who planned to release their findings in a news release on Thursday, argue that the best way to insure that the strongest security codes are developed is to conduct the work in a public forum. And so they are sharply critical of the current industry standard setting process, which has made a trade secret of the underlying mathematical formulas used to create the security codes.
"Our work shows clearly why you don't do this behind closed doors," Schneier said. "I'm angry at the cell phone industry because when they changed to the new technology, they had a chance to protect privacy and they failed."
Carroll, head of the industry's privacy committee, said it planned to revise the process for reviewing proposed technical standards.