News in the Category “Articles”
US Senators just introduced new legislation to regulate the purchase of Internet of Things (IoT) devices. Why did they do it, and what chance is there of success?
The Internet of Things Cybersecurity Improvement Act would set minimum security requirements for federal procurements of connected devices. These include the ability to patch code, a lack of hard-coded passwords, and freedom from known security vulnerabilities.
Security expert Schneier is realistic about the dangers posed by putting software in all types of appliances
Schneier, present at the RSA Conference, said that until now everyone had this "special right" to code the world as they saw fit. "My guess is we're going to lose that right because it's too dangerous to give it to a bunch of techies," he added, according to The Register.
His words came after accepting an observation made by Marc Andreessen six years ago that software was eating the world. "As everything turns into a computer, computer security becomes everything security," Schneier said, to give his previous statement some context.
A connected world is great but dangerous
As he likened the Internet to a giant robot, one capable of affecting the physical world just as it affects the virtual one, the threat becomes much more real.
Bruce Schneier on Tuesday called on technologists to get involved with policy, insisting that as the Internet of things continues to unfold, the knowledge security experts have will become more applicable.
Schneier, CTO of IBM Resilient, stressed in a talk here at the RSA Conference that the need has become more pressing in the wake of Mirai; the threats associated with IoT insecurity are more palpable than ever.
"It's one thing for Reddit to be DDoSed, it's another thing for your home thermostat to be DDoSed in the winter," Schneier said.
Last week Schneier posted on his blog a list of guidelines that have been written for securing the Internet of Things.
Open source has won, but victory may be fleeting
The Open Source Leadership Summit began on Tuesday amid roads closed by a landslide: held in The Resort at Squaw Creek near Lake Tahoe, California, it was not easily accessible to attendees traveling Highway 80 from the San Francisco Bay Area.
During his opening keynote, Jim Zemlin, executive director of the Linux Foundation, made light of the mudslides that brought traffic to a crawl near Donner Pass on Monday evening. The trip at least was less arduous than it was last year, he said.
Zemlin's remarks amounted to an open-source victory lap.
As if I haven't said it a million times, IoT security is critical.
But just when I thought I had it all figured out, somebody comes along and sheds new light on this very important topic in a different way.
At a November 16 hearing held by the House Committee on Energy and Commerce in light of the devastating October 21 Dyn DDoS attack, famous cryptologist and computer security expert Bruce Schneier offered a new perspective on IoT security, one that makes it easier for everyone to understand the criticality of the issue.
After watching it at least three times, I decided to share the main concepts with the readers of TechTalks.
During a House Committee hearing today, Bruce Schneier also asks for the establishment of a new government agency devoted to cybersecurity.
Security experts asked lawmakers for more action, today, during a Congressional hearing on IoT security. On their wishlist: consequences to manufacturers for delivering insecure products, a federally funded independent lab for pre-market cybersecurity testing, and an entirely new federal agency devoted to cybersecurity.
The hearing, "Understanding the Role of Connected Devices in Recent Attacks," was held by the US House Committee on Energy and Commerce, with expert witnesses Dale Drew, senior vice president and chief security officer of Level 3 Communications; Dr. Kevin Fu, CEO of Virta Labs and associate professor of electrical engineering and computer science at the University of Michigan; and Bruce Schneier, fellow of the Berkman Klein Center at Harvard University.
"We are in this sorry and deteriorating state because there is almost no cost to a manufacturer for deploying products with poor cybersecurity to consumers," said Dr. Fu. He later added "also there's no benefit if they deploy something with good security."
"The market can't fix this," said Schneier, because "the buyer and seller don't care ...
Computer security experts on Wednesday pressed for comprehensive federal regulations mandating strong security protocols for the Internet of Things, saying it's not a matter of if but when rules are issued for connected devices.
"The Internet of Things affects the world in a directly physical manner—cars, appliances, thermostat, airplanes," said Bruce Schneier, a computer security expert at Harvard University, during testimony at a hearing held by two House Energy and Commerce subcommittees. "There's real risk to life and property. There's real, catastrophic risks."
With the increasing ubiquity and fundamental vulnerability of IoT technology, Schneier said it's a moot point to argue over whether the federal government will eventually regulate the industry.
For the writer and cybersecurity and cryptography expert Bruce Schneier, "someone is learning how to take down the Internet", as he titled his latest blog post. The current chief technology officer of Resilient, an IBM company, says that particular attacks have been targeting major web players for two years already.
Bruce Schneier is an authority on computer security. The author of the legendary book "Applied Cryptography" has since 2004 kept a widely read blog in which, this Tuesday, 13 September, he published an article with an evocative title: "Someone Is Learning How to Take Down the Internet". As he states, for one or two years certain major web companies have been subjected to particular, precise and calibrated attacks whose aim is to test their defenses and evaluate the best ways to bring them down.
"I can't think of any other issue that moved people so quickly." By security expert Bruce Schneier's estimation, more than 700 million people worldwide changed their behavior on the Internet as a direct result of what Edward Snowden's NSA leak revealed about government surveillance. Even more amazing: they all did it within one year.
What motivated so many private citizens to take action? "They did that because of secrets.
Some people may think the upcoming US presidential election is a Kobayashi Maru, a lose-lose scenario no matter who wins, but which candidate would best deal with a cyberattack that caused people to die?
In an article about how hacking the Internet of Things will result in real world disasters, security guru Bruce Schneier —who is not known for spreading FUD (fear, uncertainty, doubt) —was not talking about hacks against banks or the smart grid that would cause general chaos; oh no, he was describing hacks against devices connected to the internet which would actually result in people dying.
Writing on Motherboard, Schneier suggested:
The next president will probably be forced to deal with a large-scale internet disaster that kills multiple people.
IoT and cyber-physical systems, according to Schneier, have "given the internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete."
Indeed, there are plenty of scary possibilities which range from targeting one person to targeting hundreds of people at the same instant; hacking cars while they are driving down the highway; remotely assassinating a person by hacking their medical device, hacking a plane full of passengers, remotely taking control of weapon systems such as Patriot missile batteries, hacking a water treatment plant and tweaking the chemical mix; the nightmare scenario list of hacks that we all hope never happen goes on and on.
This year's Infosecurity Europe conference had so many great places to be and things to do that it was often hard to choose how best to spend one's limited time and harder still for many to identify a single highlight. For myself personally, however, it had to be the opportunity to hear one of my favourite writers for many years speaking on the keynote stage.
Whilst terms like "security guru" or even "thought leader" are often bandied around and diluted to the point of being meaningless, few of us mere security mortals can reasonably dispute the influence, credibility and respect that Bruce Schneier holds as a writer, technologist, cryptographer and entrepreneur. You know that when he speaks at an event like this, it is not an opportunity you're going to get every day.
Governments have a crucial role to play in tackling what he sees as the next big security challenge, he told Infosecurity Europe 2016 in London.
One of the biggest challenges, according to Schneier, is that there is no good regulatory structure for IoT which connects finance, health, energy and transport information.
"We don't know how to do this, so we are going to need government solutions that are holistic that will deal with IoT devices no matter what they are doing," he said.
Systems "too critical to allow programmers to do as they want"
Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier.
"Governments are going to get involved regardless because the risks are too great. When people start dying and property starts getting destroyed, governments are going to have to do something," Schneier said during a keynote speech at the Infosecurity Europe trade show in London.
The choice is between smart (well-informed) or stupid government regulations with the possibility of non-interference getting taken off the table.
"The Internet of Things (IoT) is our next big security challenge and I think it's the way we are going to be colliding with the real world in interesting ways."
Speaking at Infosecurity Europe 2016 Bruce Schneier said that securing the IoT is a lot about what we already know, and some of what we don't know.
"It's one big inter-connected system of systems with threats, attackers, effects; the IoT is everything we've seen now, just turned up to 11 and in a way we can't turn it off."
As the IoT becomes more connected it also becomes more physical, invading our lives on an unprecedented scale with more real-world consequences when a breach occurs, and it's something that we can't afford to fail to secure, Schneier explained.
"I think this is going to hit a tipping point. We're getting into the world of catastrophic risks as our computers become more physical.
Schneier also sees more government meddling in IoT security as ‘inevitable’
Schneier explained how IoT-connected devices such as medical devices, which are almost impossible to keep up to date with the latest security defenses, will be pitted against attackers who are continually improving their attack methods, with "catastrophic" consequences.
"As we move to the Internet of Things, where things are less patchable and less high-end, we're going to have problems," said Schneier, addressing a keynote audience at InfoSec 2016 in London.
"Right now, how you patch your home router is to throw it away and buy a new one.
But government involvement in IoT policies is inevitable, says security expert
Governments lack the expertise to define security policy when it comes to the rapidly growing Internet of Things (IoT), according to Bruce Schneier, security technologist and a member of the Infosecurity Europe Hall of Fame.
Schneier explained that governments approach topics such as the IoT and cyber security without the technical knowledge to understand the challenges.
"It's surprising how stark the lack of expertise in tech is in these debates," he said at Infosecurity Europe in London.
"Expertise in large correlation databases, algorithmic decision making, IoT, cloud storage and computing, robotics, autonomous agents; these are all things that the government is going to run headlong into and needs to make decisions about.
An IT security expert has some dire warnings about our brave new world
Either we start to disconnect our increasingly networked world or we risk daunting social, safety, security and privacy consequences, a leading computer security expert and author has warned.
In an expansive talk directly challenging widely held assumptions about the benefits of computing, networks and the internet, Bruce Schneier told a large audience at this year's RSA Security Conference in San Francisco that we were moving towards a networked world so complex that we would be unable to safely manage it or adequately grapple with inevitable disasters.
Schneier, who is always one of the most popular speakers at the event, which drew nearly 40,000 people this year, pinpoints what he calls vast "socio-technical systems" as the critical issue. He describes these as complex, interconnected social and technical systems.
Coders and tech bros playing chance with the future
Security guru Bruce Schneier has issued a stark warning to the RSA 2016 conference—get smart or face a whole world of trouble.
The level of interconnectedness of the world's technology is increasing daily, he said, and is becoming a world-sized web—which he acknowledged was a horrible term—made up of sensors, distributed computers, cloud systems, mobile, and autonomous data processing units. And no one is quite sure where it is all heading.
"The world-sized web will change everything," he said.
Bruce Schneier chats with SearchSecurity during lunch at RSAC about IBM's plans to acquire Resilient Systems to complete their security offering.
RSA Conference is a place to meet and greet anyone involved in security these days, as proved by a chance encounter with Bruce Schneier during lunch on Tuesday in the press room. And few individuals had news as big as Schneier, with the announcement yesterday that IBM would acquire Resilient Systems, the company where he serves as CTO.
"For the company, it's fantastic; they have this whole big security strategy and you can see a big hole where we belong, and they see that," Schneier told SearchSecurity while we waited for lunch to be rolled out.
A new report shows that anti-crypto laws wouldn't change a thing, as criminals would simply look globally
In response to attempts to put restrictions on encryption technology, a new report surveys 546 encryption products in 54 countries outside the United States, out of 865 hardware and software products total.
The report demonstrates that encryption technology is very international in nature and that it is impossible for local regulations to have any effect on it, said Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard University.
"The cat is out of the bag," he said. "It is an international world. All the research is international and has been for decades.
Anyone seeking to keep their data hidden could use hundreds of encryption services offered by companies outside the US if Washington compels tech companies to decrypt communications.
If Washington forces American tech companies to give law enforcement access to encrypted communication, it might not provide the advantage investigators want when tracking terrorists or criminals.
Companies outside the US are responsible for nearly two-thirds of tech products that offer some form of encryption, according to a study released Thursday from renowned cryptographer Bruce Schneier. Because those firms are beyond the reach of US laws, he said, anyone who wants to avoid American intelligence agencies or police eavesdropping could simply switch to another secure platform.
"There's this weird belief that if the US law makes a change, that it affects things," said Schneier, chief technology officer of the security firm Resilient Systems and a fellow at Harvard University's Berkman Center for Internet and Society.
In recent months, the FBI has been pushing for stronger US restrictions on encryption — but a new report from Harvard's Berkman Center suggests such laws reach only a small portion of the relevant products. Taking a census of 865 different encryption products from around the world, the report finds that roughly two-thirds are produced and distributed overseas, outside the jurisdiction of US law. Germany was the biggest source of non-US crypto, with 112 separate products either for sale or available free. Just over a third of the foreign products make their code available as open source.
Just today, security technologist and author Bruce Schneier, along with Kathleen Seidel and Saranya Vijayakumar, unveiled a new international survey of encryption products compiled as part of his fellowship at the Berkman Center for Internet and Society at Harvard University. The survey found a total of 865 hardware or software products incorporating encryption from 55 different countries, 546 (around two-thirds) of which were from outside the US. The products included voice encryption, file encryption, email encryption, and text message encryption products, as well as 61 VPNs.
The worldwide survey shows that encryption products are widely available internationally, indicating that any US restrictions on unbreakable crypto are far less likely to thwart terrorists and criminals (who can switch to more secure foreign alternatives) as much as they will negatively impact US companies' bottom line and the safety and security of everyday internet users who typically don't spend a lot of time worrying about encryption.
Like playing a frustrating game of whack-a-mole
In 1999, when a fierce crypto war was raging between governments and developers, researchers undertook a global survey of available encryption products.
Now security guru Bruce Schneier and other experts have repeated the exercise, and it spells bad news for those demanding backdoors in today's cryptography.
The latest study analyzed 865 hardware and software products incorporating encryption from 55 countries, with a third of them coming from the US. That's up from 805 in 35 countries in 1999.
If the US government tries to strong-arm American companies into ending the sale of products or applications with unbreakable encryption, the technology won't disappear, a group of researchers conclude in a new report. It would still be widely available elsewhere.
Some US law enforcement officials argue that unbreakable encryption is interfering with legal surveillance of suspected criminals and terrorists. And some members of Congress are pushing for a nationwide requirement that encryption allow for law-enforcement access.
An estimated 63 percent of the encryption products available today are developed outside US borders, according to a new report that takes a firm stance against the kinds of mandated backdoors some federal officials have contended are crucial to ensuring national security.
The report, prepared by researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar, identified 865 hardware or software products from 55 countries that incorporate encryption. Of them, 546 originated from outside the US. The most common non-US country was Germany, a country that has publicly disavowed the kinds of backdoors advocated by FBI Director James Comey and other US officials.
Findings point to negative impact on US Companies and Internet users
A newly completed international survey of encryption products found 546 different products from 54 different countries outside the US. This survey was headed by Bruce Schneier, as part of his Fellowship at the Berkman Center for Internet and Society at Harvard University.
The findings of this survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the US, calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access.
A major cyberattack next year will target a U.S. election, security expert Bruce Schneier predicts.
The attack won't hit the voting system and may not involve the presidential election, but the temptation for hackers is too great, even in state and local races, said Schneier, a computer security pioneer and longtime commentator.
"There are going to be hacks that affect politics in the United States," Schneier said.
For some odd reason, data privacy maven Bruce Schneier is an optimist. It's odd because, according to Schneier, there's practically no such thing as data privacy. Just about everything we do these days is under some form of electronic surveillance, with governments and corporations eager to record and analyze our every action.
But when Schneier holds forth on Friday at Harvard University, as part of the ongoing HUBweek festivities, he'll reassure his listeners that the cause is not lost, that our online privacy will someday be ensured.
A hacker can break into a smart TV, an internet-connected refrigerator or another product of the so-called "Internet of Things" and, once inside, steal information from a computer or a phone connected to the same network. And because of the spread of this kind of device, our digital security may become (even) more vulnerable to criminals.
That is the view of Bruce Schneier, regarded by some as the world's foremost expert on Internet security, who comes to Brazil this week to speak at a technology event, Mind the Sec.
"There is no reason why a connected refrigerator couldn't serve as a door to another device, whether your phone or your computer," he said in an interview with Folha.
The attack on Sony Pictures over the film The Interview was perpetrated by North Korea, according to security expert Bruce Schneier.
The former chief technology officer of BT Managed Security Solutions, now CTO at Resilient Systems, had expressed scepticism at the time of the attack that the secretive dictatorship had been behind the attack, motivated by the theme of the film: two hapless American agents who were supposed to assassinate the country's leader, Kim Jong-un.
But in a video keynote speech at LinuxCon 2015, Schneier claimed that he had changed his mind. "Many of us, including myself, were skeptical for several months.
Security expert says we're in a cyberwar arms race, and with the Sony attack, North Korea has already taken the first shot at the United States.
LinuxCon is about Linux, cloud, and containers, but it's also about security. In the past year, programmers have been reminded that merely being "open-source" doesn't mean that your code is safe. Assuming you're secure is a mistake. Because, as security maven Bruce Schneier explained to the LinuxCon audience via Google Hangouts, we're in a cyber-arms race.
Security guru Bruce Schneier says there's a kind of cold war now being waged in cyberspace, only the trouble is we don't always know who we're waging it against.
Schneier appeared onscreen via Google Hangouts at the LinuxCon/CloudOpen/ContainerCon conference in Seattle on Tuesday to warn attendees that the modern security landscape is becoming increasingly complex and dangerous.
"We know, on the internet today, that attackers have the advantage," Schneier said. "A sufficiently funded, skilled, motivated adversary will get in.
This interview originally appeared in French on VICE France.
Today's terrorist attack in the Rhône-Alpes region of France, involving the decapitation of a man, has been met with widespread horror and condemnation. So have those in Tunisia, killing 28, and another in Kuwait killing 25. These horrific events are sure to fuel discussion about how to stop this kind of atrocity happening again.
Following January's Charlie Hebdo attacks in Paris, the French government decided to expedite a new surveillance law.
Imagine this: It's the morning of Election Day, 2020. Americans across the country cast secure, encrypted votes from their smartphones and laptops, electronically choosing their president for the first time in history. Turnout reaches record highs. Live results online show that it's a close race between the two leading candidates.
Schneier: Sony hack "high skill, high focused"
We are in the early years of a cyber war arms race, security guru Bruce Schneier warned delegates at the Infosecurity Europe exhibition on Wednesday.
Schneier, CTO of Resilient Systems, said the much publicised Stuxnet attacks on Iran by the US and Israel in 2010, Iran's attack on Saudi Aramco, China's apparent role in hacking GitHub, and the North Korean assault on Sony Pictures last year are all examples of the phenomenon.
"These nations are building up for cyber war and now we're all in the blast radius," he warned, while speaking in London.
Most of these attacks, including Stuxnet and the assault on GitHub, inflict collateral damage, Schneier told El Reg, adding that cyber attacks are likely to become a mainstream aspect of many conflicts.
Countries are not attacking each other but striking at the IT infrastructure of enterprises in rival states, says security pundit Bruce Schneier
Cyber attacks—such as that on Sony Pictures in 2014—suggest the world is in the early stages of a cyber war arms race.
So said Bruce Schneier, chief technology officer of Resilient Systems: "We are in the early years of a cyber war arms race.
"There is a lot of nation state rhetoric, and we are seeing a lot of nation state attacks against non nation states," he told Infosecurity Europe 2015 in London.
Schneier cited North Korea's attack on Sony Pictures, China's attack on Github and Iran's attack on Saudi Aramco as examples.
Cryptologist Bruce Schneier tells RSA conference that focus should be on dealing with fallout of cyberattacks
Last year's massive cyberattack on Sony, presumed to have been a nation state attack orchestrated by North Korea, presents many of the most pressing issues of catastrophic risk, says well known cryptologist and author Bruce Schneier, chief technology officer at security company Resilient. In a talk at the RSA security conference in San Francisco, Schneier considered the timeline of the attack and the response to it. During the event, hackers penetrated Sony's network, stole data, and then embarrassed the company by slowly releasing private emails from executives, salary details, copies of unreleased films, and other sensitive information. The hack, which occurred over several weeks in November and December 2014, is believed to have been done in response to the studio's release of the Seth Rogen comedy The Interview, with a plot that revolves around a plan to assassinate North Korean leader Kim Jong-un.
Cybersecurity is becoming increasingly challenging because identifying attackers by their weaponry is difficult: attackers are effectively invisible, and the same attack can be launched by a group of hacktivists or sponsored by a nation, according to an expert.
Bruce Schneier, a leading voice on cybersecurity, said that with a majority of organisations and individuals using the same run-of-the-mill 'warlike weaponry', and with the attackers themselves largely unknown, cybercrime is becoming more difficult to combat.
While the IT security industry knows how to deal with high volume, low-focus attacks, security professionals must be resilient and ensure better management of incident responses in order for organisations to thrive even in the face of a cyberattack, he said.
During his keynote presentation at the third Gulf Information Security Expo and Conference (Gisec) held in Dubai recently, Schneier explained that organisations must create crisis management strategies that would allow them to respond quickly and effectively, while those responsible for the attacks are still being identified.
"As a business or as an individual you have to make a choice. Should I do this thing—whatever it is—on my computer and on my network or on a cloud computer on a cloud network," asked Bruce Schneier (@schneierblog), CTO of Resilient Systems, Inc., in our conversation at the 2015 RSA Conference in San Francisco.
Whatever you choose, you're going to be making a trade-off. Schneier recommends you first look at who your adversaries are.
Catastrophic issues in security can occur, but there are ways to recover.
Speaking at RSA Conference in San Francisco, Bruce Schneier, CTO of Resilient Systems, highlighted the Sony Pictures attack as an interesting case because it brings catastrophic risk issues to the fore, and not catastrophic in a life-ending sense, but in company terms.
He highlighted seven ways in which a catastrophic incident could be dealt with. Firstly, he recommended keeping it internal to "encapsulate the catastrophic risk"; secondly, he suggested placing attackers on two axes, skill and focus: someone who is low skilled but highly focused would use a basic APT, whereas in the case of Sony the attacker was high skill and high focus.
After spending a lot of time thinking about the massive breach of Sony, security luminary Bruce Schneier came to a scary – but not really surprising – conclusion.
"The lesson is that we are all vulnerable. North Korea could have done it to anyone," said Schneier during a packed session at the RSA conference in San Francisco.
While the IT security industry knows how to deal with high volume, low-focus attacks, Schneier said, security professionals have trouble handling highly skilled and focused attackers, commonly referred to as advanced persistent threats (APTs).
The more things change the more they stay the same, goes an old saying. That certainly seems to be true in IT security.
Despite decades of experience almost every day there's another story about a data breach, software vulnerability or new malware discovered.
So perhaps it's no surprise that the 15th anniversary edition of veteran security expert Bruce Schneier's book Secrets and Lies: Digital Security in a Networked World begins with a foreword that admits how little things have changed since the book first came out in 2000.
Cybersecurity guru Bruce Schneier to reveal lessons learned from the Sony hack scandal at the Gulf Information Security Expo and Conference (GISEC)
Cybercriminal attacks around the world will continue to rise as long as personal data provides the ability to commit fraud, and intellectual property is worth stealing, leaving both individuals and organisations vulnerable to harmful computer and network intrusions.
According to cybersecurity guru Bruce Schneier, one of the keynote speakers at Gulf Information Security Expo and Conference (GISEC), a cyberattack is much easier to implement than it is to install impenetrable cyberdefences.
The 3rd edition of GISEC, the region's leading I.T. security platform, will take place from 26-28 April 2015 at Dubai World Trade Centre.
In the field of cryptography, a secretly planted "backdoor" that allows eavesdropping on communications is usually a subject of paranoia and dread. But that doesn't mean cryptographers don't appreciate the art of skilled cyphersabotage. Now one group of crypto experts has published an appraisal of different methods of weakening crypto systems, and the lesson is that some backdoors are clearly better than others—in stealth, deniability, and even in protecting the victims' privacy from spies other than the backdoor's creator.
In a paper titled "Surreptitiously Weakening Cryptographic Systems," well-known cryptographer and author Bruce Schneier and researchers from the Universities of Wisconsin and Washington take the spy's view to the problem of crypto design: What kind of built-in backdoor surveillance works best?
In December of 2011, Tripwire published a list of security's top 25 influencers. More than three years later, we are pleased to announce a new list for 2015—The Infosec Avengers!
For each influencer whom we have selected, we include their Twitter handle, blog URL and reasoning for selecting them. We also include their answer for what infosec-related superpower they would choose to have.
The Sony hack is "every CEO's worst nightmare" and the leaked data is probably going to send someone to jail, security expert Bruce Schneier says. That, not any threat of violence, is the real power of this hack.
The "Guardians of Peace," as the group behind the attack has called itself, posted a new dump of emails today, this time from CEO Michael Lynton. The hackers also issued a warning implying that any theater screening the political comedy The Interview, which is about the assassination of North Korean leader Kim Jong-un, could be the target of a physical attack as well.
Sony Hackers: It's Not the North Korean Government, nor an Insider, Suggests Security Expert Bruce Schneier
Cryptographer and security expert Bruce Schneier has suggested that the devastating hack and leak of internal data from Sony Pictures is neither the work of the North Korean government nor of insiders.
"At this point, the attacks seem to be a few hackers and not the North Korean government. (My guess is that it's not an insider, either). That we live in the world where we aren't sure if any given cyber attack is the work of a foreign government or a couple of guys should be scary to us all," he wrote in a blog post.
BetaBoston partnered with Silicon Valley Bank, Hack/Reduce, and Terrible Labs on Thursday to host the Cyber Security Symposium. Security experts from Credit Suisse, Threat Stack, Bit9 and others convened for a day-long event, the second niche-focused conference put together by SVB, Atlas Venture's Cort Johnson and Terrible Labs' Smith Anderson after the Quantified Self Conference in March.
The event was capped off with a talk by security expert Bruce Schneier, a fellow at the Berkman Center for Internet and Society at Harvard, and the chief technology officer at Co3 Systems.
Schneier noted three trends he's currently tracking.
Just how much of your life is watched? Security expert Bruce Schneier points out that it is more than most people think, says Chris Baraniuk.
Do you have secrets? Security expert Bruce Schneier has little patience for those who say they don't.
When asked about government and corporate surveillance, there are some who shrug their shoulders and say they have nothing to fear because they have nothing to hide. Schneier's response?
It's how you respond that's key, says securo guru
Hacking attacks are more or less inevitable, so organisations need to move on from the protection and detection of attacks towards managing their response to breaches so as to minimise harm, according to security guru Bruce Schneier.
Prevention and detection are necessary, but not sufficient, he said. Improving response means that organisations stay on their feet even after they are hit by a serious security breach or hacking attack.
"A sufficiently motivated, funded and skilled hacker will always get in," Schneier told delegates during a keynote at the IP Expo conference in London.
The US National Security Agency (NSA) has turned the internet into a "giant surveillance platform," a leading security specialist has said.
Bruce Schneier, who has written extensively on digital security and privacy, told an audience in Dublin tonight that the revelations by whistleblower Edward Snowden of large-scale surveillance by the NSA showed that we were living in a "golden age of surveillance."
In a lecture for the human rights group Front Line Defenders, Mr. Schneier said the NSA's role changed completely after the 9/11 attacks, when US intelligence agencies were given "an impossible mission: never again." "The only way to ensure something doesn't happen is to know everything that is happening," he said.
This desire to "collect everything" coincided with changes in technology, notably the spread of smartphones, the rise of cloud storage and the fact that it became cheaper for individuals to store data and thereby leave deeper digital footprints for the state to pursue. "The NSA has turned the internet into a giant surveillance platform," he said.
In my continuing series of keynote recaps, I will be covering Bruce Schneier’s keynote at Black Hat USA 2014—yes, it can be called a keynote even though it is more of a briefing. By the way, Black Hat: Next time, please give him appropriate space; people were lining up outside the room waiting to get in because of the lack of space.
I will be sharing what I learned from his speech in my own words with selected graphics. Schneier’s “The State of Incident Response” talk is available online, but if you don’t have an hour to watch that, read this as a recap.
Network breaches are inevitable. It's what happens next that really matters, said renowned cryptographic expert Bruce Schneier during the Black Hat security conference.
If there is something the organization has the attacker wants, the attacker will figure out a way to get in. Regardless of how much the organization invests in its defenses, attackers need to find that one weak spot to succeed.
Bruce Schneier on Expanding the Use of Automated Tools
When the organizers of the just-concluded Black Hat USA conference wanted to explore incident response, they turned to Bruce Schneier, the cryptographer, author, blogger and cybersecurity expert, to make a presentation. Until recently, however, Schneier's name wouldn't be on most people's list of incident response experts.
Schneier's reputation, after all, was built on his keen observations of the influence of IT security on society and vice versa, as well as bringing to light the previously unknown, such as the National Security Agency's tampering with cryptography guidance from the National Institute of Standards and Technology (see NIST to Drop Crypto Algorithm from Guidance).
But since the beginning of the year, Schneier has been serving as chief technology officer of 4-year-old Co3 Systems, which provides automated incident response systems.
In his Black Hat 2014 session entitled "The State of Incident Response," security guru Bruce Schneier, CTO of Co3 Systems, Inc., said that hackers will invariably breach networks, but it is what comes next that really matters.
Placing a great deal of emphasis on automated systems and technology being used to support the people needed for incident response, Schneier proposed a four-step approach: observe, context, decide, and act.
Observe means knowing what is happening on networks in real-time, which can be done using log monitoring, log analysis tools, network management tools and the like, Schneier said.
Context is tantamount to gathering data and intelligence, as in knowing the latest malware and vulnerabilities.
Cyber defenders are currently fighting a losing battle against hackers and government agencies, according to security expert Bruce Schneier.
Speaking in London on Thursday, the security guru said that with cyber criminals' attacks increasing in sophistication all the time, incidents like the Target credit card theft will only become more common.
"Security is a battle of attack versus defence and right now on the internet attack is much easier than defence," he said at the Good Exchange event, attended by V3.
Schneier pointed to advanced persistent threats (APT) as an area where organisations are woefully ill-prepared to prevent attacks.
A short password, or one using a name or a word in a dictionary, can be easily cracked by computers. And simply adding "@" for the letter "a" isn't going to fool the bad guys.
Here's cryptographer and computer security expert Bruce Schneier's advice on using and managing your passwords.
1. Use a "passphrase": a sentence you can remember. Then replace each word of the phrase with its initial, a similar digit or symbol, or, at random, use a whole word.
"Information is power," has been true for so long that it has become a cliché.
But the Internet has increased the power to collect, store and analyze information by such an order of magnitude that we are now in what Bruce Schneier called "the golden age of surveillance," in his keynote address Wednesday morning at SOURCE Boston.
That would be golden for those doing the surveillance, not the subjects of it.
Schneier, author, security guru, blogger and CTO of Co3 Systems, said the expectation that the Internet would mainly empower the powerless—grassroots groups, hackers, minorities and other relatively fringe groups—did come true for a number of years.
BOSTON—History is not entirely kind to those responsible for the Industrial Age in the 19th century. How, for example, were the consequences of industrial innovation such as pollution largely ignored?
Flash forward to today's digital age and ask the same question: How are those responsible for building our infrastructure callously disregarding privacy and security in favor of rapid online innovation?
"I think this is the issue by which we will be judged when our grandchildren read the history of the early days of the Internet," said Bruce Schneier today during his Source Boston keynote.
Data is a natural consequence of computing, and as search tools get better, it shifts the balance of power towards mass collection and surveillance, renowned security expert Bruce Schneier said at the SOURCE Boston conference on Wednesday.
"Surveillance is the business model of the Internet," Schneier told attendees. "We build systems that spy on people in exchange for services. Corporations call it marketing."
The data economy—the growth of mass data collection and tracking—is changing how power is perceived, Schneier said in his keynote speech.
Bruce Schneier says the key to good security is accepting that perfect security doesn’t exist.
Last fall, not long after Bruce Schneier quietly revealed himself as the cryptographer who had helped journalist Glenn Greenwald review Edward Snowden's NSA documents, he found himself on CNN International, talking about allegations that the United States had spied on the chancellor of Germany.
An exasperated host beamed Schneier in from Minneapolis, where he lives, and asked him to "help us," as she put it, "decipher this enigma." Schneier is a legendary encryption specialist who has written or edited 13 books on the subject, and worked for the Department of Defense, telecommunications companies, banks and governments. Most recently, he's been a vocal advocate of the idea that the best security systems accept a reasonable amount of risk; a blind focus on protecting against every threat, he says, usually comes with unexpected costs.
Outside of the cryptography community, however, this view is not widely held, and the simplicity and directness with which Schneier expresses it tends to take people by surprise.
We are entering a new era of Internet connectivity — the Internet of Things. Suddenly our devices are much more than just the computers we can hold in our laps.
These new devices collect information and make decisions on their own. What does this mean for us?
Bruce Schneier, an author and security technologist who has written several articles about the darker side of the Internet of Things, describes the new situation this way:
"The Internet of yesterday was the Internet of the things we typed into it. It was Facebook.
Reuters Technology reporter Joseph Menn interviewed security expert Bruce Schneier in front of last week's TrustyCon audience in San Francisco, where the security expert provided his analysis of the government surveillance controversy.
Bruce Schneier has been a vocal critic of the mass surveillance being conducted by the NSA and GCHQ. The security expert recently left his post at BT and joined the board of digital rights firm Electronic Frontier Foundation (EFF), one of TrustyCon's organizers. Although several of TrustyCon's speakers were part of the group who withdrew from their speaking commitments at last week's RSA Conference, Schneier was featured on the agenda at both events.
Schneier said that the NSA's surveillance capabilities are far and away the most advanced in the world, but not necessarily the most skilled.
When Bruce Schneier went on to a different stage at the RSA Conference, resplendent in a purple floral shirt, he gave a very different presentation than an earlier panel from Washington intelligence insiders. Schneier, the CTO of Co3 Systems and author, gave the security-geek view. He also gave his answer to the question everyone has been asking: how do we keep from being spied on?
Collect Everything
Schneier laid out the situation as he sees it today: that the NSA has turned the Internet into a giant surveillance platform that is both technically and legally robust.
Of the small pool of people who have seen the Snowden documents, few, if any, are as technically savvy and knowledgeable about security and surveillance as Bruce Schneier. And after reading through stacks and stacks of them, Schneier says that yes, the NSA is extremely capable and full of smart people but "they are not made of magic".
A cryptographer by training and a security thinker by trade, Schneier has spent many hours reading the Snowden documents and thinking about what they mean, both in terms of the NSA's actual capabilities and their effect on data security and privacy. Much of the news, clearly, is not good on that front.
The good news? Strong crypto still works
RSA 2014: If you thought NSA snooping was bad, you ain't seen nothing yet: online criminals have also been watching and should soon be able to copy the agency's invasive surveillance tactics, according to security guru Bruce Schneier.
"The NSA techniques give about a three to five year lead on what cyber-criminals will do," he told an audience at the RSA 2014 conference in San Francisco.
"These techniques for exfiltrating data aren't magical, they are just expensive. Everything we know about technology is that it gets cheaper.
Two recently-discovered flaws in Apple iOS and Mac OS X have security experts openly asking whether the software vulnerabilities represent backdoors inserted for purposes of cyber-espionage. There's no clear answer so far, but it just shows that anxiety about state-sponsored surveillance is running high.
'One line of code—was it an accident or enemy action? I don't know, but it's the kind of bug I'd put in,' remarked Bruce Schneier, chief technology officer at Co3 Systems, about the flaw in Apple OS X SSL encryption that was revealed last week.
Cryptography expert Bruce Schneier, now CTO of Co3 Systems, continued his criticism of the National Security Agency's surveillance during his well-attended talk at the RSA Conference in San Francisco today.
Schneier has been a fierce critic of the National Security Agency (NSA) ever since the details of this surveillance were first revealed by former CIA contractor Edward Snowden last summer. And following on from an interview with CNN this week in which he argued for the NSA to be split up, he took the opportunity to champion stronger encryption in front of a packed audience at the RSA Conference.
Schneier, who left BT—also reportedly offering back doors in products—to join Co3 Systems in December, mused from the beginning that the talk was going to be a prickly and hotly-contested subject. "This will be a fun topic."
His talk was entitled "NSA Surveillance: What we know and what to do about it", and he first ran through the attack techniques, sometimes obscured by odd code names, being used by the NSA and GCHQ to carry out mass surveillance.
Don't feel futile, the Internet can be saved, according to cryptography luminary
There are ways for people to win back their privacy from global intelligence agencies, largely by making bulk collection of data economically unviable, encryption luminary Bruce Schneier told delegates at the RSA 2014 conference today.
This would be doable by placing secure encryption in places where it currently does not reside, from vulnerable mobile applications to people's hard drives.
"Encryption frustrates the NSA at scale," he said. "Our goal should be to leverage economics, physics and maths to make the Internet secure, to make surveillance more expensive.
When incident response software maker Co3 announced earlier this month that Bruce Schneier was joining the company as its first CTO, some observers might have wondered: Huh?
Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom like BT to serve as CTO of a much smaller software company? Well, the answer is pretty basic. He sees the company offering a product the security and privacy communities desperately need.
A computer cryptography expert revealed that he met Thursday with members of Congress to explain Edward Snowden's revelations about the National Security Agency because "the NSA wasn't forthcoming."
In a brief post on his blog, Bruce Schneier said that he had held a roundtable discussion with six House members, organized by Rep. Zoe Lofgren (D-Calif.), to discuss the NSA's activities.
Schneier, a fellow at the Berkman Center for Internet and Society at Harvard Law School, co-authored a Guardian article with reporter Glenn Greenwald on the NSA's attempts to hack an anonymizing web service and has taken a peek at many of the documents that Snowden leaked.
"Lofgren asked me to brief her and a few Representatives on the NSA," Schneier wrote. "She said that the NSA wasn't forthcoming about their activities, and they wanted me—as someone with access to the Snowden documents—to explain to them what the NSA was doing.
Schneier says new gig at incident response management vendor a natural progression for him
Other articles about Bruce Schneier's new position with Co3 Systems appeared in InfoSecurity Magazine, SearchSecurity, TechWeekEurope, The Inquirer, ZDNet, Help Net Security, Security Week, The Register, SecurityCurrent, Boston Business Journal, Network World, and Threatpost.
Famed security expert Bruce Schneier has left BT and is now CTO of incident response (IR) management startup Co3 Systems.
Schneier, who previously had served on Co3 Systems' advisory board and has helped shape the look and feel of the software-as-a-service firm's architecture, says the time had come for him to make a change and leave BT. He had been the security futurologist for BT since it purchased his network monitoring services firm Counterpane Internet Security in October 2006.
Word that Schneier was leaving BT leaked publicly last month, and speculation arose that it had to do with his outspoken criticism of surveillance by the NSA and Britain's GCHQ.
More than 150 years after Bull Run—the long, bloody battle that foretold of a long, bloody Civil War—a new Bull Run is the symbol of a very different, bloodless fight.
"Bull Run" is code for a National Security Agency program that asks U.S. Internet security providers to poke holes in their systems (also known as "back doors")—and to keep those requests—and weaknesses—a secret. "The conceit here is that only the NSA can exploit this vulnerability," and gain access to encrypted Internet traffic, explained computer security and privacy specialist Bruce Schneier at a recent NSA surveillance briefing convened by the Open Technology Institute on Capitol Hill.
And techies can only fix it if government stays out of the way.
WASHINGTON, DC—To say that there are a lot of people who are angry with the National Security Agency (NSA) right now would be an understatement. But the things that are getting the most political attention right now—such as the invasion of the privacy of American citizens and spying on the leaders of American allies—are just a fraction of the problem, according to cryptographer and Harvard University Berkman Center for Internet and Society Fellow Bruce Schneier.
At a presentation in a conference room inside the US Capitol on Friday, Schneier, who has been helping The Guardian review the trove of documents provided by Snowden, said that in its haste to "weaponize" the Internet, the NSA has broken its mechanisms of security. And those breaks, including the backdoors that the NSA convinced or coerced software developers to put into the implementations of their encryption and other security products, are so severe that it is now just a matter of time before others with less noble causes than fighting terrorism will be able to exploit the holes the NSA has created.
"The NSA has turned the internet into a giant surveillance platform." Security guru Bruce Schneier (pictured) did not pull his punches when he addressed the 1,200 engineers gathered for the meeting of Internet Engineering Task Force (IETF) in Vancouver last week. But when it came to the question of what should be done about it, he and the other participants in a panel discussion had less to offer.
Mr Schneier, a fellow at Harvard's Berkman Centre on Internet and Society, is one of the few people who had seen most if not all the NSA documents downloaded by Edward Snowden. Only a few have been made public so far, with the most recent revelation being the stealth tapping of Google's internal networks.
The ongoing revelations of governmental electronic spying point to a problem larger than National Security Agency malfeasance, or even of security weaknesses. Rather, the controversy arising from Edward Snowden's leaked documents suggests we face unresolved issues around data ownership, argued security expert Bruce Schneier.
"Fundamentally, this is a debate about data sharing, about surveillance as a business model, about the dichotomy of the societal benefits of big data versus the individual risks of personal data," Schneier told attendees of the Usenix LISA (Large Installation System Administration Conference), being held in Washington this week.
"We might not buy [it], but the basic NSA argument is 'You must give us your data because it is keeping you safe.'"
Schneier has been an outspoken critic of the NSA since Snowden, a former NSA contractor, first leaked documents showing the many ways in which the intelligence agency had tapped into the Internet and data centers to collect data en masse about people's activities.
Lessons from NSA revelations hit at heart of the "fundamental issue of the information age," says Bruce Schneier
As custodians of the Internet mull over the lessons that revelations about National Security Agency (NSA) surveillance offer about the insecurity of the Internet's infrastructure, architects must find ways to make wholesale spying more expensive. So said noted cryptographer and security evangelist Bruce Schneier in a talk today about Internet hardening at the Internet Engineering Task Force (IETF) plenary session.
"There are a lot of technical things we can do. The goal is to make eavesdropping expensive," Schneier said.
Over the years, at times, I've seen people criticize Bruce Schneier for perhaps getting more publicity than other security researchers, but it's rare to see people question his knowledge. The complaints often appear to stem more out of jealousy than anything else. But, I've never seen anything quite as ridiculous as this "CNN iReport" by Richard Marshall and Andre Brisson, which appears to be a blatant hatchet job attack on Schneier that is at times incomprehensible, at times factually incorrect and bizarre throughout. Marshall is a former NSA and DHS "cybersecurity" expert, but he's now the CEO of "Whitenoise Labs," (something not mentioned in the article).
National Security Agency Director Gen. Keith Alexander this week defended the private sector's cooperation with the agency's electronic surveillance programs, telling Congress the companies involved are being punished in the media for meeting legal obligations under U.S. law and helping to save lives.
'We have compelled industry to help us…by court order,' said Alexander, during testimony Oct. 29 before the House Permanent Select Committee on Intelligence. 'And what they're doing is saving lives' in the U.S.
Ars asks a tech and legal all-star team how to fix America's security state.
For the last two months, we've all watched the news about the National Security Agency and its friends over at the Foreign Intelligence Surveillance Court (FISC), which approves secret orders on behalf of the NSA and other spy agencies. But more often than not, a lot of these articles take the same basic structure: documents provided by NSA leaker Edward Snowden show X, and then privacy advocates and civil libertarians decry X for Y reason.
That now raises the question, what would these privacy advocates do if they were put in charge of the NSA and the FISC? Or more specifically, what changes would they immediately enact at those two opaque institutions?
Technology expert Bruce Schneier has been blogging about security since 2004. If the subject was ever a niche, those days are long gone. His work touches on vital issues of safety and privacy at home, out in the world and, of course, on computers and other gadgets. Many of his posts simply point you towards items elsewhere — and he’s so important a figure in his field that the mere fact that Bruce Schneier found an article to be worthwhile is a significant endorsement.
If you're looking for more evidence that politicians don't get technology, look no further than the FBI's proposal to make Internet communications easier to wiretap. Specifically, the FBI wants to force companies to design their email, IM, VoIP, and other Internet-based communication products such that law-enforcement agents can eavesdrop on conversations—naturally, in the name of collecting evidence against evil-doers.
Although the plan reportedly has support from the Obama Administration, it doesn't have the backing of a guy who knows a thing or two about security: Bruce Schneier. By the renowned security pro's reckoning—clearly laid out at Foreign Policy—requiring companies to make their products "eavesdroppable" would render them vulnerable to anyone with a little tech savvy.
Bruce Schneier is one of the world's leading cryptographers and theorists of security. Jonathan Zittrain is a celebrated law professor, theorist of digital technology and wonderfully performative lecturer. The two share a stage at Harvard Law School's Langdell Hall. JZ introduces Bruce as the inventor of the phrase 'security theatre', author of a leading textbook on cryptography and subject of a wonderful internet meme.
The last time the two met on stage, they were arguing different sides of an issue -- threats of cyberwar are grossly exaggerated -- in an Oxford-style debate.
We live today in a "feudal security world", says internationally renowned security technologist Bruce Schneier.
We pledge our allegiance to the service providers -- the likes of Google, Facebook -- and expect them to provide us with security in return -- akin to serfs and peasants paying tribute to their lords in the form of personal data, says Schneier, the author of Liars and Outliers: Enabling the Trust Society Needs to Survive, and chief security technology officer at BT.
"What I am seeing is a shift in power on the internet, that we generally have less control over our IT infrastructure, our products, our user devices, our services. We basically have to trust our vendors," he says. "We just don't have the ability to control security or configuration the way we did when we owned and controlled the platforms.
Type 'security expert' into Google and the third result is Schneier on Security, a blog written by Bruce Schneier, the author of several books and chief security technology officer at BT.
The blog is also the top Google result for 'security blogger' and No. 7 for 'computer security expert,' despite the fact that Schneier doesn't describe himself as an expert. (Qualifier: Google customizes results to the user, so your mileage may vary.)
It gets more interesting when you look at references to Bruce Schneier in media outlets: 175 mentions in The New York Times, 146 in The Wall Street Journal and almost 400 each in Computerworld and InformationWeek. All this in a market that is one of the most information-saturated in the technology sphere.
Schneier estimates that his blog and newsletter reach a combined audience of 250,000 people each month.
In the days of feudalism, serfs and minor lords pledged allegiance to the king and received protection in return. As long as the king held up his end of the bargain, the system worked. If he didn't, the system would crumble, as it eventually did in Europe around the 15th century.
Bruce Schneier, CTO of BT Managed Security Solutions, sees the feudalism dynamic happening today on the Web, where users of social networking and other online services must blindly trust that the companies providing those services are paying enough attention to security.
Burger King and Jeep both saw their Twitter accounts get hacked this week.
How and why does this happen?
Bruce Schneier is a revered computer security expert, prominent for his thoughts on the intersection of technology, security, and trust.
He was kind enough to fill us in on the details surrounding how hacks like these are possible.
Coverage of this interview also appeared in International Business Times.
As well as being a renowned cryptographer, influential security expert and outspoken conference favourite, Bruce Schneier has had his share of coverage in recent months as the Prism story unfolded. He chose to leave his position as BT's security futurologist at the end of last month and has now turned his hand to incident response.
Schneier recently left BT, who acquired his company Counterpane in 2006, to join Co3 Systems as chief technology officer this month. I began by asking him what attracted him to a relatively unknown company.
Trying to predict the next security problem is the wrong way to go about things, said Bruce Schneier, chief security technology officer at BT, who was speaking at an event in Singapore.
"The more we try to predict, the more the bad guys react around us," Schneier said. Contrary to popular IT security ideology, what was more important was the ability to react as well as mitigate and recover.
This attempt to predict where the next attack will come from is creating a gap between security and attackers where cyber criminals will be constantly evolving to develop and exploit new attack vectors with IT departments constantly playing catchup.
SINGAPORE--Companies looking to predict cyberthreats to fend off attacks will not improve their IT systems' security robustness as the criminals responsible will evolve and develop their technologies accordingly.
Speaking at a seminar here Monday, Bruce Schneier, chief security technology officer at BT, said technology has affected the balance of society and social mechanisms such as law and punishment, which help keep people in check so they will not commit crimes, online or otherwise.
For instance, the Internet has given rise to anonymity and made it easier for cybercriminals to perpetrate their attacks without getting caught, Schneier observed.
In response to these online threats, IT security professionals and law enforcement agents often try to predict what kind of cyberattack will hit them, to better ensure their network security is robust and to catch the online intruders, the executive added.
Bruce Schneier, a legend among hackers and security experts, is having trouble convincing the world that the threat of cyberwar is overstated. In 2010, the year after the US launched a Cyber Command division of its military, he lost a public debate on the subject. And in October, US Secretary of Defense Leon Panetta said that the US should gird itself for a cyber Pearl Harbor. Yet Schneier is undeterred.
Crypto guru urges creative thinking from security pros
Cryptography guru Bruce Schneier called for more creative thinking and a broader perspective as a means to tackle security problems.
For example, the music industry, faced with an explosion in online file-sharing, hired security pros to develop anti-piracy measures, such as digital rights management technology. But these inconvenienced punters while doing little or nothing to stem copyright infringement. A better approach was making songs affordable and easy to buy, a model that has since lined Apple's deep pockets.
A famed computer security expert believes governments are trying to seize control of the internet, but will fail in the long term to reach that goal.
Bruce Schneier, BT's chief technology officer and author of several important books on security, said that governments that didn't understand the internet were trying to take control of it. He looked at US proposals of creating an 'internet kill-switch', claiming that policy makers were crazy to even think of a single mechanism to shut-off all internet traffic.
He said: "You see these types of government proposals, and they come from law enforcement, lobbyists or the military, and we're going to see more of those.
The world's governments are destined to fail in their attempts to control the internet, according to BT security expert Bruce Schneier.
Schneier claimed that the internet is currently going through a dark period, with legislators creating ill-conceived cyber policies that are damaging rather than helping online developments.
"Governments are starting to use it [the internet] for power," said Schneier at a press conference in London.
"We're hitting a period in internet history where governments are seizing more control; one where governments that don't understand the internet are trying to interfere with it."
Schneier touted the recent US proposal to create a "killswitch" for the internet as a prime example of policymakers' lack of understanding.
Security guru Bruce Schneier calls for societal pressure to convince would-be hackers that their actions are not in their own interests
Cyber crime will not be resolved with technology alone, security guru Bruce Schneier warned at the RSA conference in London today. Societal pressure is also needed to discourage people from becoming cyber criminals, he argued.
Security experts will always be catching up with criminals when it comes to technological exploits, argued Schneier, who is BT's chief security technology officer. "Attackers have a natural advantage because they can make use of innovations faster and have no procurement pressure or institutional inertia," he said.
Bruce Schneier ordered a Coke, no ice, at the Rio casino on a Saturday afternoon. I ordered Diet Coke, also no ice, and handed the bartender an American Express card. He said he needed to see proof of identity. Credit cards are often stolen around here, and eight casino workers had recently been fired for not demanding ID, he quietly explained.
Bruce Schneier knows a thing or two about security. The author of multiple books on cryptography, Schneier is widely considered to be an expert on the subject of encryption as well as the broader topic of information security. So we jumped at the opportunity to sit down with him for an in-depth interview at the Black Hat 2012 conference in late July. Here are some of the highlights of what he had to say.
The State of Encryption: "Not that great, and getting worse"
Asked to share his view of the state of encryption in this new age of cloud computing, Schneier says: "It's not that great, and it's getting worse."
Here's why: "As you move stuff to the cloud you lose control of the data," Schneier says.
This year, more than $22 billion in enterprise security products and services is expected to be sold worldwide. But according to Bruce Schneier, well-known cryptology expert and security luminary, technology alone isn't the answer to better security.
In an in-depth interview with eSecurity Planet at the Black Hat 2012 conference in Las Vegas last week, Schneier argued that looking at security solely from a technology perspective is to take a too narrow view of the problem.
"If you look at broader society, there is a lot of security that happens at a much more personal level," Schneier said.
[In The Righteous Mind, Jonathan] Haidt writes:
Moral systems are interlocking sets of values, virtues, norms, practices, identities, institutions, technologies, and evolved psychological mechanisms that work together to suppress or regulate self-interest and make cooperative societies possible.
It is interesting to compare this perspective with what one finds in Liars and Outliers, a recent book by Bruce Schneier on the social problem of trust and security. Schneier, a security consultant, views our lives from the perspective of game theory. Every day, we must decide whether to cooperate or to defect.
Software liability laws are needed to hold software companies accountable for making faulty products, argued Bruce Schneier, chief technology security officer with BT during a pro-con debate held Wednesday at the RSA Conference.
Schneier said that liability laws would transfer the economic cost for faulty software from the user to the developer and provide an incentive for the developer to fix the problem.
He compared the situation of the software market to the early days of the automobile industry, when Congress passed laws that held auto manufacturers responsible for faulty vehicles that caused accidents. This prompted the auto industry to begin fixing the problems, such as ceasing to use wooden wheels that would fall apart at high speeds.
"The only way to convince vendors to actually fix the problem is to make it in their financial interest to do so.
In his session at the RSA Conference in San Francisco, February 28th 2012, Bruce Schneier listed what he perceives to be the three biggest risks to information security right now: the rise of big data; ill-conceived law enforcement regulations; and the cyberwar arms race.
The rise of big data
The rise of big data, Schneier declared, is inevitable due to the cost of saving data being so cheap. "It's easy and cheaper to search than sort," he said. "The collection of data is being aggravated – mainly so the companies doing it can make more money… Companies like Apple, Amazon and Google are all competing to be the company that monetises your data."
Schneier spoke of the lack of control that users have over their smartphones and portable devices. "I can't do things as a security professional on my iPhone.
RSA 2012: Schneier on Why Anonymous Is Not a Group and Why They're Certainly Not As Good As You Think They Are
At the RSA Conference 2012 in San Francisco, February 29, Bruce Schneier and Davi Ottenheimer discuss Schneier's latest book and how to enable the trust that society needs to thrive.
Following on from Schneier's talk yesterday on the three biggest risks to information security in 2012, this discussion focussed purely on the topic of Schneier's latest book, Liars and Outliers.
Here are some of the session highlights:
- Security depends on people. "I started in cryptography because I didn't like people. I wanted to study numbers. Anyone in security needs to understand that people act in unpredictable ways."
- The ID theft concern is great. "We worry that ID theft will become such a danger that people would stop shopping and doing stuff online.
RSA 2012 Usually the bête noire of the annual RSA conference is the criminal hacking community, but security guru Bruce Schneier asserts that government, business, and the military may well pose a bigger threat to security professionals.
"The current risks to internet freedom, openness, and innovation don't come from the bad guys -- they are political and technical. I suppose I should call this talk 'Layer eight and nine threats'," he told his audience on Tuesday at RSA 2012.
Attempts at ill-conceived legislation are a major concern, he said.
Cybercriminals are not the greatest threat to Internet security. It's the many forces trying to bend the world's computer network to fit their interests.
That's according to Bruce Schneier, a renowned security technologist and author of several books, including "Applied Cryptography." Schneier told attendees Tuesday at the RSA Conference that the three greatest dangers are Big Data companies, poorly thought out government regulations, and the cyberwar arms race.
These threats foster instability through those lobbying for changes that further their self-interests, instead of what's better universally, Schneier said.
As Bruce Schneier spent the past decade watching the growing rash of phishers, malware attacks, and identity theft, a new Internet threat has emerged that poses even greater risks, the security expert said.
Unlike the security risks posed by criminals, the threats from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They're also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don't recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.
Security Myth No. 1: "More Security is Always Better."
Bruce Schneier, security expert and author of several books, including his most recent, Liars and Outliers, explains why this security concept of "you can't get enough" that's often bandied about is off the mark to him. Schneier explains: "More security isn't necessarily better. First security is always a trade-off, and sometimes additional security costs more than it's worth. For example, it's not worth spending $100,000 to protect a donut.
From Bruce Schneier to Moxie Marlinspike, these folks are the ones to listen to for security insight
Bruce Schneier, chief technology officer of BT managed security solutions
With his skill in cryptography and security acumen, Schneier would be welcome on any All-Stars Security team. But it's his ability to write candidly about social and political forces, as well as the psychological aspects of security, that increasingly makes him a philosopher in a world of technicians. His next book? He says it's about "trust" and how a society does or does not foster it.
In compiling our ranking of the Most Powerful Voices ("MPV") in security, we took advantage of concepts similar to Google PageRank for people, working with researchers and thought leaders such as Mark Fidelman (see "The Most Powerful Voices in Open Source").
The metrics needed to measure both broadcast power and profundity were identified through a number of studies performed across several industry categories. Although there have been many advancements in the area of social marketing, the work presented here still requires techniques not yet offered by any single social graph tool available today.
The MPV formula is based on "reach" by examining the number of followers and buzz an individual has on sites like Google and Twitter.
Bruce Schneier, an author who writes about how we perceive danger, gave a great talk at TED recently, outlining five cognitive biases people fall victim to when making decisions about risk.
None of the five were intended to relate to investing, but all of them can teach investors something about the rampant biases we make with our money.
1. We tend to exaggerate spectacular and rare risks and downplay common risks.
Schneier used the example of flying vs.
The hack attack that forced Sony to take the Playstation Network and Sony Online Entertainment offline and resulted in the theft of personal information from tens of millions of people around the world wasn't really Sony's fault, it was an inevitability, a security expert tells Kotaku.
Bruce Schneier, internationally renowned security technologist and author of Applied Cryptography, Secrets and Lies and Schneier on Security, said that the only thing unusual about the break-in to Sony's dual networks is that they are used for gaming, something titillating to the mainstream media.
"It's another network break-in, it happens all of the time," he said. "This stuff happens a lot."
For every incident like the infamous Heartland Payment data breach in 2008, which impacted millions, there are dozens of smaller breaches, some under-reported or not reported at all.
Security expert Bruce Schneier has called for governments to establish 'hotlines' between their cyber commands, much like those between nuclear commands, to help them battle against cyber attacks.
Cyber security is high on the national agenda, and is regarded as a top threat to the UK's security. It is also a top concern for other nations around the world. Last month, the EU announced plans for a cybercrime centre by 2013, and it agreed with the US to set up a working group on cybersecurity.
A security guru has debunked cyber war and cyber terrorism myths.
The threats of cyber war and cyber terrorism have been grossly exaggerated and are hindering a real understanding of risks on the internet, one of the world's leading information security experts has said. Bruce Schneier, the author and security technologist who is also chief security technology officer with BT, was speaking in Dublin yesterday at an event held by the Irish Institute for European Affairs (IIEA).
Schneier referred to the denial of service attack in Latvia in 2007, which brought down several government services for a time, and said it was most likely the first such cyber war attack against a state.
His talk on security was not, as you might imagine, about HTTPS and secure sockets, but rather a much more philosophical talk on the psychology of security. The point Mr. Schneier was making was that there is a difference between actually being secure and the feeling of being secure.
You can be secure when you don't feel as if you are.
During a panel discussion at the recent Worldwide Cybersecurity Summit in Dallas that otherwise was as dry as a highway in the Sahara, security guru Bruce Schneier made a provocative argument.
He contended that just as pollution was the unfortunate byproduct of the Industrial Revolution, data is the waste product of the digital revolution.
And just like pollution, all the data we generate during our lives never degrades.
He noted that almost every transaction and interaction now generates data.
6. Bruce Schneier
Shaun Nichols: While he's not so known in the larger industry, Bruce Schneier is one of the most respected and revered people in the computer security business. At conferences such as RSA he always seems to be booked for the main stage and we always try to book a few minutes for an interview.
This is because Schneier is not only a respected authority on the antivirus, network security and encryption fields, but he also has a knack for breaking things down in common language.
"Security affects every aspect of people's lives," says world-renowned security expert and critic Bruce Schneier, CAS/MS '88. "It helps people make better personal, corporate, and national decisions."
A regular columnist for the Wall Street Journal and the Guardian newspaper in the UK, Schneier calls himself "an explainer." Through his best-selling books, Applied Cryptography, Secrets and Lies, and Beyond Fear, and countless mainstream and security media articles and speaking engagements, he explains difficult topic matter to regular folks. His reputation as a leading cryptographer even got him mentioned in Dan Brown's mega-bestseller, The DaVinci Code.
Schneier's 2008 book, Schneier on Security, offers insight into everything from the shortfalls of airport security and the dangers of identity theft to the long-term security threat of unlimited presidential power and the amazingly easy way to tamper-proof elections.
Schneier is the official rock star of the security industry, with deep knowledge of cryptography and privacy. He is the author of Applied Cryptography; Beyond Fear: Thinking Sensibly About Security in an Uncertain World; and Secrets and Lies: Digital Security in a Networked World. Schneier is also a frequent speaker at security events as well as the author of the Blowfish and Twofish algorithms.
World-renowned IT security expert Bruce Schneier gave a talk on the future of the industry, which remains quite new.
As well as being Chief Security Technology Officer at BT, Bruce Schneier is also the author of several books on the topics of security and cryptography with a particular, if not exclusive, focus on the IT industry, which has led The Economist to describe him as a "security guru". And when discussing security he is refreshingly candid and forthright, not dissimilar in tone to Freakonomics author Steven Levitt, while sharing with Levitt the ability to view his chosen field from an angle less ordinary.
"Security is hard to sell for two reasons, economic and psychological," he says. The industry is not necessarily logical: it is by nature complex, and as a consequence easy to get wrong.
BROOKLYN -- Americans living in the age of ultra-security have been subjected to a massive number of small accommodations in the name of the "War on Terror."
Although most people have become accustomed to not bringing bottles of water on airplanes, there exists some cynicism about the effectiveness of our new security measures and how they relate to our day-to-day lives.
However, it takes an experienced security analyst like Brooklyn's Bruce Schneier to understand the connections between the face of national security that we all can see, and the facts and technology behind it.
"So when does it end? The terrorists invented a particular tactic, and you're defending against it.
Over the years, Mr. Schneier has been a tough critic of the security agency, though he credits Mr. Hawley for "doing the best job he could with the bad hand he was dealt." By that, he says he means that the agency operates under mandates from Congress and elsewhere that resulted in a vast, expensive bureaucracy.
The agency, he argues, is required to spend less effort than it should on sophisticated intelligence-gathering and more than it should on deeply flawed procedures, like depending on travel documents that can be easily counterfeited, or fishing in passengers' bags for contraband screwdrivers and prohibited items like jars of spaghetti sauce that exceed three ounces.
Incessant warnings about "inappropriate" comments are "police state-like," he said.
"It's watch what you say, watch what you say," he said.
This day, however, would feature a different sort of experiment, designed to prove not only that the TSA often cannot find anything on you or in your carry-on, but that it has no actual idea who you are, despite the government's effort to build a comprehensive "no-fly" list. A no-fly list would be a good idea if it worked; Bruce Schneier's homemade boarding passes were about to prove that it doesn't. Schneier is the TSA's most relentless, and effective, critic; the TSA director, Kip Hawley, told me he respects Schneier's opinions, though Schneier quite clearly makes his life miserable.
"The whole system is designed to catch stupid terrorists," Schneier told me.
WHEN IT comes to security, Bruce Schneier would like people to stop worrying about what he calls "movie plot" scenarios. Exploding aircraft, attacks on landmark buildings, the whole category of "cyberterrorism" all rankle with Schneier, who thinks the ultimate security risk is "people."
He may not be a household name, but he is quite possibly the most namechecked security expert in the world among technologists - and science fiction fans.
Schneier, who with ponytail and greying beard looks pleasingly like an eminent cryptologist should look, created two of the best-known security algorithms, nicknamed Blowfish and Twofish, and wrote Applied Cryptography, the bible of the digital security industry. The Economist hails him as "a security guru." He is even mentioned in The Da Vinci Code.
We recently sat down with security guru Bruce Schneier to talk about Internet security and, boy, did we get more than what we bargained for.
WITH the advance of new and better cybersecurity technologies, you'd expect the Internet to be a lot safer place for average users.
However, the world-renowned security expert Bruce Schneier paints an entirely different picture — in fact, a pretty gloomy one where no matter what you do to beef up security, it will not be enough. And in the future, things will even get a lot worse.
Security expert Bruce Schneier is rightly regarded as one of the industry's most intelligent and insightful participants. He has made substantial personal contributions to the science of cryptology, and has written some of the best books on the subject.
Like many smart people, Schneier is also highly opinionated. Although I have yet to hear a technical opinion from Schneier that I disagree with, some of his nontechnical opinions are--in my opinion--open to debate.
"Security theater" lecture complements photography exhibit showcasing images of fear, safety and liberty in post-9/11 America
Bruce Schneier shared his ideas about the psychology of security, and the need for thinking sensibly about security, in his hometown last week when he gave a lecture at the Weisman Art Museum in the US.
Schneier's lecture was scheduled in conjunction with an exhibition of photographer Paul Shambroom's images of power (Shambroom's photographs capture scenes in industrial, business, community and military environments). The association of Schneier's lecture with the photography exhibit says a lot about how the security guru's focus has evolved over the years from the bits and bytes of cryptography and computer security to include a broader examination of personal safety, crime, corporate security and national security.
The theme of Schneier's talk was the "security theater," a term he uses to describe security measures that are designed to make people feel safer but don't necessarily do so.
"Security is really two different things.
InfoWorld's Roger Grimes weighs in on why security expert Bruce Schneier thinks computer security won't get any better in the next 10 years
As longtime readers already know, I'm a big fan of Bruce Schneier, CTO and founder of BT Counterpane. Besides being a cryptographic and computer security authority, cryptographic algorithm creator, and author of many best-selling books on security, Bruce produces some of the most relevant conversations on computer security. I consider his books, his Cryptogram newsletter, and his blog must-reads for anyone in computer security.
Bruce is a guy who pushes us to rethink our currently held paradigms.
But protection remains a hard sell with many companies, says security expert
EDMONTON - Technology's becoming so fast and complex it's outstripping our ability to keep out hackers and criminals, computer security guru Bruce Schneier said Monday.
"Complexity is the worst enemy of security," Schneier told the Canadian Information Processing Society (CIPS) conference Monday. "It's getting worse faster than security is getting better, and we have no idea how to fix this."
The hacker hobbyists of 10 years ago have been replaced by sophisticated criminals who can get into your computer or server without you knowing about it, said Schneier, whose latest book is Beyond Fear: Thinking Sensibly About Security in an Uncertain World.
They can send a worm into your system just to assess your vulnerability to an attack.
Bruce Schneier, leading cryptologist described as a "security guru" and a "leading counterterrorism contrarian" by the media, shares his thoughts about the future of information security.
"Crime, Crime, Crime!" Bruce Schneier is adamant when asked to talk about the worst security threats. It's not coming from fanatics, but from people out to steal for money, he insists.
"It doesn't matter what form it takes," he says.
A leading security expert has warned businesses to beware of buying shoddy security products.
Bruce Schneier, founder and chief technical officer of BT Counterpane, issued the warning at the RSA Conference Europe 2007 in London on Tuesday. He told delegates that they should not necessarily trust security vendors to give a fair representation of the security of those products.
"There might be a political bent to security decisions, or there might be a marketing bent," said Schneier, citing as an example people selling smart cards who "do a lot to convince us that smart cards are the answer to security problems. For every company that's secure, there's at least one 'me too.'"
Schneier said it was difficult for companies to judge the security of varying products because known attacks are relatively rare, making it hard to collect enough data for security-product evaluations.
So says counterterrorism contrarian Bruce Schneier. And the Transportation Security Administration is listening.
In late July, Transportation Security Administration chief Kip Hawley announced a change in his agency's air travel screening policy: Effective August 4, cigarette lighters would no longer be banned from airplanes.
Explaining the measure in an interview with the New York Times, Hawley acknowledged that confiscating lighters at security checkpoints—the TSA's policy for the last two years in the wake of a failed shoe-bombing attempt—had been a waste of resources. Terrorists, he noted, might just as well ignite bombs on airplanes using small batteries (or, as he didn't note, matches).
"Taking lighters away is security theater," Hawley told the Times.
O'Hare, Chicago, the day before Thanksgiving. The nation's busiest airport is straining against the nation's busiest holiday. Among the crowd grumbling through the lengthy security line is a lone traveler with an attaché case. He removes a laptop computer from the case and places it on the tray provided.
Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.
Speaking at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever."
"We shouldn't have to come and find a company to secure our e-mail. E-mail should already be secure.
Since the World Trade Center and Pentagon attacks in 2001, Americans have had to endure tighter screening at airports, a color-coded national alert system, irradiated mail, the Patriot Act, and the Department of Homeland Security.
But according to security expert Bruce Schneier, all these measures, meant to protect the population at large, overlook dangers at a more personal, if less lethal, level.
Average people should be less worried about being attacked by terrorists, said Schneier, and more concerned about protecting their identities on-line.
"Crime, crime, crime," Schneier told NJ Jewish News in an e-mail interview while on a working vacation in London and Marrakech.
By now, Bruce Schneier is reconciled to the fact that most people will always be interested in him first and foremost because he's been mentioned in Dan Brown's The Da Vinci Code. Sceptical, aren't you, about the 'reconciled' bit? Schneier's own achievements are no less striking actually. Or else, why would he be in the best-seller for that matter.
Founder and chief technology officer of BT Counterpane, which was acquired by BT in 2005, Schneier is a security technologist and cryptographer.
Bearded, wiry, with his eyes sparkling as he unfurls accurate sound bites, Bruce Schneier hardly looks like the master geek that he is. But his claim to fame is precisely that: Schneier has breathed passion, detail and a touch of evangelism to the business of computer network security, a dull topic even for those who need it badly.
The global cyber cop is the chief technical officer of BT Counterpane, the British telecom company's subsidiary that adds security layers and network patrolling to its business of building and managing computer networks. Schneier, who landed in Delhi to promote cyber security services targeting IT companies and call centers, believes hacking by cocky young men seeking short-term fame has given way to more methodical and dangerous cyber crime gangs that need checking.
Security guru--and part-time restaurant critic--Bruce Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and author of books that examine security and society. He's also a renowned speaker, blogger, and columnist.
- TASTE OF SECURITY
Schneier writes restaurant reviews as an escape, but he sees ties to his security work: "Food is more about how a culture uses what it has to make an interesting meal. That's the same thinking as security.
Security decisions often are much less rational than one would prefer, Schneier says
SAN FRANCISCO -- One of the security industry’s most outspoken experts, Bruce Schneier, spoke at RSA Conference on the topic of how security decisions and perceptions are often driven by irrational and subconscious motives in human beings.
The CTO at BT Counterpane, who is known for his talent in cryptography as well as his critical observations about technology use, yesterday turned his attention to a different matter: an analysis of human behavior in the face of risk-management decisions.
In Schneier’s view, security managers need to be aware that they themselves, their business managers and their corporate user groups are likely to make critical security decisions based on barely acknowledged impressions of fear and irrational response, rather than a careful study of facts.
"Security is a tradeoff," Schneier said, speaking to a packed audience at his RSA session.
Cryptologist and now, psychologist: Renowned security expert Bruce Schneier once again is turning security on its head -- literally. Schneier will share his latest research and insight at the RSA conference next week on the interplay between psychology and security. (See Schneier On Schneier.)
Schneier says the goal of his talk at RSA is not to discuss security technologies or tactics, but to explain how people think, and feel, about security. "A lot of the time at RSA, we are just puzzled why people don't secure their computers, and why they behave irrationally.
He's eaten guinea pig in Peru, whale in Japan, and tried insects in Australia. But security guru -- and part-time restaurant critic -- Bruce Schneier mostly steers clear of chain restaurants, which he finds oppressively uniform.
When he's not sampling exotic cuisine, Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and as the bestselling author of Applied Cryptography, which has been called the bible for hackers. He's written other books that examine security and society, and he is a renowned security speaker, blogger, and columnist, as well as a popular media talking head who offers unique views on everything from encryption to post-9/11 security overkill.
To paraphrase a classic line from Lily Tomlin, I worry that the person who thought up the rules for carrying liquids and gels on airplanes last year is busy thinking up something new this year.
The thought arises partly because of a scene just after Christmas at an airport security checkpoint, where a half-dozen festive snow globes — like the ones with Frosty the Snowman in a liquid-filled glass globe that simulates snowfall when you shake it — were lined up on a counter.
Wasn't that nice! The Transportation Security Administration had decorated the checkpoint!
FOR theater on a grand scale, you can't do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.
As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets.
Minnesota-based author Bruce Schneier challenges the conventional wisdom about what makes people, corporations and nations safer in the post-9/11 world.
Want to keep your kids safe? Teach them to talk to strangers, says Bruce Schneier, a Minneapolis author who happens to be one of the world's leading security experts.
The Brooklyn transplant made his reputation as a cryptographer -- his work has been mentioned in "The Da Vinci Code" and on the TV show "24" -- and as co-founder of the network security company Counterpane, which was recently acquired by BT, the former British Telecom.
A geek's geek who gets treated like a rock star at hacker conventions and mainstream security conferences alike, he continues as chief technology officer of BT Counterpane, a Silicon Valley-based company that manages the security of hundreds of corporations worldwide.
PROVIDENCE — The government is wasting billions of dollars on fruitless antiterrorist tactics when what’s needed is more old-fashioned police work, a visiting security expert said yesterday.
The expensive and invasive high-tech surveillance schemes and armed guards at airports won't block terrorist attacks, said Bruce Schneier, because the terrorists can simply go elsewhere.
If we guard the Super Bowl, the terrorists can attack a playoff game instead. Or a shopping mall.
MINNEAPOLIS (AP) - It must say something about our times that Bruce Schneier, a geeky computer encryption expert turned all-purpose security guru, occasionally gets recognized in public. "My life is just plain surreal," he says.
Schneier, 43, has made it so by popping up whenever technology and regular life intersect, weighing in on everything from the uselessness of post-Sept. 11 airport security measures to the perils of electronic voting machines and new passports with radio chips.
He does it by writing books, essays, a frequently updated Web log and an e-mail newsletter with 125,000 subscribers.
This mastermind's teachings and advice lead back to a singular goal: a common-sense approach to security
Bruce Schneier, CTO of Counterpane, is one of the world's foremost experts on computer security. From a hard-core technical aspect (his first book, Applied Cryptography, is a long-time best seller for people wishing to understand cryptography in detail) as well as a philosophical viewpoint (his other books, such as Secrets and Lies or Beyond Fear, and his monthly Crypto-Gram newsletter), he continues to promote innovative, commonsense security.
Bruce will come at an issue with what seems like an unpopular viewpoint, and turn your initial, gut reaction on its head. Say black, and Bruce is likely to say white.
Bruce Schneier, founder and chief technical officer of Counterpane Internet Security Inc., has spent much of his career educating people about digital security.
His book, "Secrets and Lies: Digital Security in a Networked World," serves as a non-technical introduction to the full, messy complexity of digital security.
Most recently, Mr. Schneier wrote, "Beyond Fear: Thinking Sensibly About Security in an Uncertain World." This book about security technology—computer and otherwise—is geared toward the intelligent layman: anyone from a security engineer to a concerned citizen.
Founder of Internet Security Firm Inspires Reaction: 'We Trust Bruce'
Bruce Schneier, founder and chief technical officer of Counterpane Internet Security, might be as close as the computer security industry gets to its own celebrity.
Although not as well known as Larry Ellison at Oracle or Bill Gates at Microsoft, Schneier is still the public face of his company, recognized by industry insiders as one of their gurus. Businesses hire Counterpane to guard their networks from hackers and viruses in the same way a nervous homeowner would pay a home-security provider like ADT to watch for fires or burglars.
But unlike most entrepreneurs, Schneier admits that he spends much of his time not focused on his creation.
Think sensibly, and act with confidence
Security expert Bruce Schneier takes a much-ado-about-nothing view of terrorist fears. The odds of such an attack are close to zero, so better to worry about things that have at least some likelihood of occurring, he maintains.
"We as a society always fear the rare and spectacular more than the pedestrian," says the cyber-security whiz and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World (Copernicus Books, $25).
Though not geared specifically to travelers, his new book espouses the notion that security measures involve trade-offs — both monetary and personal.
Q: Will computers be more or less secure in 2028 than they are today?
A: Computers will be just as insecure, but computing will be more secure. Right now our major problem is that computer security is brittle; when it breaks, it breaks completely. As computing becomes embedded and invisible, it will become more resilient. Different systems will work in tandem, providing defense in depth.
Like or loathe him, you've got to admit that cryptographer Bruce Schneier knows how to capture media attention. From titillating talks to shamelessly promote his books (including the best-selling Secrets & Lies and the recently released Beyond Fear), to outrageous remarks on the speaker circuit, Schneier frequently grabs the spotlight with outspoken opinion and candor.
For example: "Most advisories trade on fear. Most newspaper and magazine articles trade on fear," Schneier said in a recent Information Security interview.
A top expert says America's approach to protecting itself will only make matters worse. Forget "foolproof" technology—we need systems designed to fail smartly
- To stop the rampant theft of expensive cars, manufacturers in the 1990s began to make ignitions very difficult to hot-wire. This reduced the likelihood that cars would be stolen from parking lots—but apparently contributed to the sudden appearance of a new and more dangerous crime, carjacking.
- After a vote against management, Vivendi Universal announced earlier this year that its electronic shareholder-voting system, which it had adopted to tabulate votes efficiently and securely, had been broken into by hackers. Because the new system eliminated the old paper ballots, recounting the votes—or even independently verifying that the attack had occurred—was impossible.
- To help merchants verify and protect the identity of their customers, marketing firms and financial institutions have created large computerized databases of personal information: Social Security numbers, credit-card numbers, telephone numbers, home addresses, and the like. With these databases being increasingly interconnected by means of the Internet, they have become irresistible targets for criminals.
Contestant would do it again 'in a second'
Last month we reported the triumph of two Belgian academics in the US encryption standard contest. But how was the contest organised? If you're not interested, stop reading now.
In the early seventies the US government put out a call for an encryption algorithm. It had no response.
Bruce Schneier of Counterpane Internet Security says computing today is unsafe at any speed. But we can minimize the dangers
Hardly a week goes by when corporate computing czars don't have to absorb some rude piece of news from the security front. It may be a gaping hole somebody discovers in a browser or e-mail system, or a virulent new pest with a name like Melissa or Worm.ExploreZip. Against these mounting threats, the usual defensive arsenal of virus-scanning software, encryption, and firewalls seems flimsy indeed.
Brace yourself: The situation is going to get worse, according to Bruce Schneier, 36-year-old cryptography guru and author of Crypto-gram, an influential monthly newsletter. As new releases of common software grow more complex -- and interact with one another in ways that nobody can predict -- security products purchased off-the-rack will offer less and less protection from malicious viruses and hackers, Schneier warns.
The Internet is not a danger zone, but you do need to take steps to safeguard your PC and your privacy. Of the products we tested, these four tools offer the best personal protection.
Password Safe 1.7
Counterpane Systems' Password Safe is an easy, secure, and free solution to the password problem.
In a paper released last week, computer security specialists from Counterpane Security and L0pht Heavy Industries went over with a fine-tooth comb Microsoft Corp.'s built-in Windows virtual private network (VPN) support.
Their target: Microsoft Point-to-Point Tunneling Protocol (PPTP) version 2. Their conclusions? While better than version 1, MS PPTP still leaves VPNs open to attack.
For encryption developers, a secure system is only as good as its pseudorandom number generator (PRNG): the PRNG produces the keys that lock and unlock encrypted data. But Bruce Schneier, president of Counterpane Systems, says that existing PRNGs lack security and portability.
A PRNG collects unpredictable inputs, such as a user's mouse movements, into an entropy pool, which security software later taps to generate an encryption key. If the inputs are guessable, so is the key.
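The following is an added illustration of the entropy-pool design the article describes; it is not Counterpane's PRNG (Yarrow) and not code from the original page. The pool mixes event samples into a hashed state and derives keys from it, then shows the failure mode Schneier warned about: a pool whose only input is a millisecond timestamp, credited with far more entropy than it has, yields a key an attacker recovers by trying every millisecond in a plausible window. The 128-bit threshold, the "ratchet" label and the mouse sample bytes are assumptions made for the example.

```python
import hashlib
import hmac
import os


class EntropyPool:
    """Toy entropy pool: unpredictable events are mixed into a 256-bit hashed
    state, and keys are derived from that state. Illustration only; real
    software should take randomness from the OS (os.urandom / getrandom)."""

    def __init__(self) -> None:
        self._state = b"\x00" * 32   # pool state (assumption: 256 bits)
        self.estimated_bits = 0      # caller's estimate of gathered entropy

    def add(self, source: str, sample: bytes, entropy_bits: int) -> None:
        # Mix the sample into the pool. The source label and length prefix keep
        # different inputs from colliding when they contain the same bytes.
        self._state = hashlib.sha256(
            self._state + source.encode() + len(sample).to_bytes(2, "big") + sample
        ).digest()
        self.estimated_bits += entropy_bits

    def key(self, purpose: bytes, length: int = 32, min_bits: int = 128) -> bytes:
        # Refuse to issue keys until enough entropy has (supposedly) been
        # gathered. The check is only as good as the estimates fed to add().
        if self.estimated_bits < min_bits:
            raise ValueError(f"pool holds only ~{self.estimated_bits} bits of entropy")
        out = hmac.new(self._state, b"key:" + purpose, hashlib.sha256).digest()[:length]
        # Ratchet the state forward so a later compromise of the pool does not
        # reveal keys that were already handed out.
        self._state = hashlib.sha256(self._state + b"ratchet").digest()
        return out


def clock_seeded_key(start_ms: int) -> bytes:
    """Bad seeding: the only input is a millisecond timestamp, but the
    developer credits it with 128 bits, so the pool issues a key anyway."""
    pool = EntropyPool()
    pool.add("clock", start_ms.to_bytes(8, "big"), entropy_bits=128)
    return pool.key(b"session")


def recover_clock_seed(target_key: bytes, window_start_ms: int, window_ms: int):
    """Attacker who knows roughly when the key was generated tries every
    millisecond in the window; a 1000 ms window is only ~10 bits of work."""
    for ms in range(window_start_ms, window_start_ms + window_ms):
        if hmac.compare_digest(clock_seeded_key(ms), target_key):
            return ms
    return None


def well_seeded_pool() -> EntropyPool:
    """Correct use: OS randomness plus event samples, with honest estimates.
    The mouse-movement sample is a constructed stand-in for real events."""
    pool = EntropyPool()
    pool.add("os", os.urandom(32), entropy_bits=256)
    pool.add("mouse", b"\x01\x2a\x00\x3f", entropy_bits=4)
    return pool


if __name__ == "__main__":
    leaked = clock_seeded_key(1_700_000_000_500)
    print("recovered seed:", recover_clock_seed(leaked, 1_700_000_000_000, 1000))
    pool = well_seeded_pool()
    print("two keys differ:", pool.key(b"a") != pool.key(b"a"))
```

The point of the brute-force function is that the hash and HMAC steps add no security if the pool's inputs are predictable: the attacker simply re-runs the same derivation over the small set of possible inputs. Honest entropy estimates, a refusal to emit keys below a threshold, and an OS source that is itself well seeded are what make the pool trustworthy.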
The successor to the aging Data Encryption Standard (DES) will begin to emerge this week as some of the world's top cryptographers convene to review proposals for a new, advanced encryption standard.
Officials at the National Institute of Standards and Technology (NIST) will kick off the first round of "evaluation and analysis" of proposed DES algorithm replacements at the Advanced Encryption Standard (AES) Candidate Conference in Ventura, Calif., later this week.
"This is sort of the debut of the candidate algorithms and the opportunity for any interested [cryptographer] to find out how they work," said Miles Smid, manager of NIST's security technology group.
The AES conference is being held a few days before the International Cryptology Conference (Crypto), enabling leading cryptographers from around the world to review the proposals, Smid said.
Despite oven-hot July heat, a recent trip to Las Vegas to hear Bruce Schneier speak to IT security pros and customers at the second annual Black Hat Briefings (www.blackhat.com) was well worthwhile.
In remarks titled "A Hacker Looks at Cryptography," Schneier punctured the hype that often surrounds his own area of expertise. You might not expect to hear Schneier, author of the widely praised book "Applied Cryptography," reminding an audience of a comment that's often quoted, but that neither of the suspected sources will admit to having made: "If you think cryptography can solve your problem, then you don't understand your problem and you don't understand cryptography."
In his talk, Schneier added a bit, so to speak, to the popular top-10 format, building his talk around the top 20 causes of cryptographic failure. "Most cryptographic products are not secure," he asserted, emphasizing that cryptography itself is stronger than it generally needs to be, while the rest of a crypto-based system often falls short.
A team led by Applied Cryptography author Bruce Schneier has invented a new block encryption algorithm and submitted it for consideration as the next new federal government standard for data scrambling.
Twofish, the sequel to Schneier's 5-year-old Blowfish block cypher, was submitted last week to the National Institute of Standards and Technology (NIST) for consideration as the Advanced Encryption Standard.
Twofish is designed to be flexible with respect to the necessary performance tradeoffs between the creation of a "secret key" and execution of the actual encryption. As such, it is well suited to large microprocessors, smart cards, and dedicated hardware.
Flaws in Microsoft Corp.'s Windows NT software threaten the security of companies using the Internet to tie together their far-flung corporate locations, a computer security consulting firm declared on Monday. "We were able to sniff passwords, eavesdrop on the networks, and passively do traffic analysis," said Bruce Schneier, president of Counterpane Systems Inc., of Minneapolis, Minn. "Any Microsoft NT server on the Internet is insecure."
Counterpane discovered the problems while doing a security analysis of Windows NT, an operating system used by a swiftly growing number of corporations as the foundation for their computer networks. Microsoft confirmed the security problems later the same day.
VPNs increasingly popular
The flaws weaken the security of so-called "virtual private networks," or VPNs, based on NT and point-to-point tunneling protocol, or PPTP.
A top cryptographer said Microsoft's version of a key protocol in Windows NT is so flawed that users should avoid using virtual private network software based on Microsoft's Point to Point Tunneling Protocol.
Bruce Schneier, a noted cryptographer, said the PPTP in Windows NT 4.0 is so broken it can't be fixed with patches--a position that Microsoft disputes.
"I believe it's fundamentally broken," said Schneier, who authored a widely used cryptography textbook. "What we're seeing is the basic problem of proprietary security standards.
Listen to security expert and consultant Bruce Schneier and he'll tell you that Windows NT's security mechanism for running virtual private networks is so weak as to be unusable. Microsoft counters that the issues Schneier points out have mostly been addressed by software updates or are too theoretical to be of major concern.
Schneier, who runs a security consulting firm in Minneapolis, says his in-depth "cryptanalysis" of Microsoft's implementation of the Point-to-Point Tunneling Protocol (PPTP) reveals fundamentally flawed security techniques that dramatically compromise the security of company information.
"PPTP is a generic protocol that will support any encryption.
MINNEAPOLIS — A computer security expert will announce today that he has found a flaw in Microsoft Corp.'s implementation of a communications protocol used in many virtual private networks.
Bruce Schneier, president of Counterpane Systems here, said Microsoft's implementation of the point-to-point tunneling protocol will lead to compromised passwords, disclosure of private information and server breakdowns in virtual private networks running under Windows NT and 95.
"Microsoft's implementation is seriously flawed on several levels," said Schneier. "It uses weak authentication and poor encryption." For example, he said Microsoft employed users' passwords as an encryption key instead of using other well-known and more secure alternatives.
Used with permission
As the world goes digital, encryption standards become more important.
Even those who don't use the Internet are affected by security in the online age--everything from bank account and medical information to credit card numbers and transactions requires some form of coding to protect it from prying eyes.
Yet all is not well--with each new standard come crackers to break it. And, at the other end, governments--particularly that of the United States--are trying their darndest to ensure that encryption technology doesn't get too powerful.
When Thomas Paine published Common Sense in 1776 - arguing that the American cause was not merely a revolt against unfair taxation, but a demand for independence - he had no idea that more than 200 years later, the struggle for freedom would be waged between privacy advocates and the national-security establishment. This time, the dispute is over not taxation without representation, but communication without government intervention.
One of today's crypto revolutionaries is Bruce Schneier, the neatly dressed, ponytailed author of Applied Cryptography. Schneier also recently helped identify a key flaw in the encryption scheme the US digital cellular industry had adopted for use in cell phones.
A few minutes' work on a computer can break the codes that are supposed to protect new digital cellular phone technology from eavesdroppers, a team of researchers said Thursday. The cellular phone industry claimed the impact on users would be "virtually none," since engineers were working to strengthen the encryption and since a separate code that scrambles voices was not broken.
The Cellular Telecommunications Industry Association also denied that its codes could be broken so easily.
"It involves very sophisticated knowledge," an association statement said.
Used with permission
In 1992, the wireless industry adopted an encryption system that was deliberately made less secure than what knowledgeable experts recommended at the time. It was accepted by the industry because it was a standard that would meet federal export regulations and would enable digital cell phone manufacturers to make one phone that could be sold in either the US or abroad, thus saving money.
As a result, the potential for eavesdropping has always existed and, some say, has been waiting for criminals with advanced techniques to exploit it.
Yesterday, a trio of computer experts released the news that digital isn't all it's cracked up to be--and that they have, in fact, cracked the most difficult part of the code that's used by phones to send digits from the keypad, making eavesdropping and cloning a real likelihood even on digital phones. Even this morning's Wall Street Journal, when referring to the assurances made by wireless phone companies to subscribers about the security of digital phones, [called them] "hollow promises."
WirelessNOW has conducted an exclusive interview with the head of the code-cracking triumvirate and found his straightforward responses to our questions open - and at least somewhat frightening.
A group of prominent cryptographers will announce today that they have discovered a hole in the privacy protection in next-generation digital cellular telephones. The new phones were supposed to be far more secure from eavesdropping and fraud than the analog phones used by most mobile-phone customers today. But Bruce Schneier, a well-known expert on code breaking, and other researchers have found a way to easily monitor any numbers dialed on a digital phone, such as credit card numbers or passwords. In addition, they say, voice conversations can easily be deciphered.
Computer scientists have broken a crucial code that protects the new generation of cellular phones from certain kinds of eavesdropping.
The news is a blow to those who would promote digital cellular telephones as highly secure systems, said Bruce Schneier of Minneapolis-based Counterpane Systems, one of the cryptographers who broke the code.
Breaking the code takes just minutes on a powerful desktop computer, Schneier said.
Schneier and his colleagues, John Kelsey of Counterpane and David Wagner from the University of California-Berkeley, said they broke one of three encryption systems used in the new generation of digital cellular phones.
A team of well-known computer security experts will announce on Thursday that they have cracked a key part of the electronic code meant to protect the privacy of calls made with the new, digital generation of cellular telephones.
These technologists, who planned to release their findings in a news release on Thursday, argue that the best way to ensure that the strongest security codes are developed is to conduct the work in a public forum. And so they are sharply critical of the current industry standard-setting process, which has made a trade secret of the underlying mathematical formulas used to create the security codes.
"Our work shows clearly why you don't do this behind closed doors," Schneier said. "I'm angry at the cell phone industry because when they changed to the new technology, they had a chance to protect privacy and they failed."
Carroll, head of the industry's privacy committee, said it planned to revise the process for reviewing proposed technical standards.
Photo of Bruce Schneier by Per Ervland.
Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.