Security guru Bruce Schneier pokes fun at U.S. National Cyber Security Month and says when it comes to privacy, marketers are scarier than governments or criminals.
In a security industry full of FUD and hype, cryptographer and consultant Bruce Schneier offers a no-nonsense reality check verging on social commentary.
He has worked on numerous ciphers, hash functions, and other cryptographic algorithms that are arcane to the average computer user but which have been instrumental in protecting the privacy of data. But his influence extends beyond the world of encryption.
Schneier wrote several bestselling books, including "Secrets and Lies: Digital Security in a Networked World", "Beyond Fear: Thinking Sensibly about Security in an Uncertain World", and his latest, "Schneier on Security", that provide perspective on risks and threats in everything from e-mail to airport security. And his Crypto-Gram newsletter and blog are considered must-reads inside and outside the industry.
Opinionated and cynical, he does not hesitate to point out that one of the biggest limitations of technology is people. ("The user's going to pick dancing pigs over security every time," he has been quoted as saying.)
In an e-mail interview with CNET News, Schneier pokes fun at National Cyber Security Month, talks about his background in crypto and working for the U.S. Defense Department, and says he fears privacy invasion more from marketers than governments or criminals.
Q: You started out as a cryptographer but are considered an expert on all types of security threats, hypes, and realities. Do you still do much cryptography?
Schneier: Some. I'm a member of the cryptographic team that developed the Skein hash function, currently a second-round candidate in NIST's competition to choose an SHA-3. These competitions are kind of like cryptographic demolition derbies: all the teams put their algorithms in the ring and try to beat up everyone else's. NIST received 64 submissions, of which 51 met the submission criteria. Of those 51, 14 proceeded to the second round. It's great fun to be working on this.
Overall, though, I am not doing a lot of cryptography. Over the past several years I have been studying security economics, and more recently, the psychology of security. These are important new fields that will have many lessons for security technology.
What are your thoughts on the state of cryptography today? There doesn't seem to be anything going on as exciting as the crypto battles of the 1990s.
Schneier: We really have all the cryptography we need for the foreseeable future; the problem is using it securely. Computer and network security are by far the weaker links. Even worse are things like user interface, installation, implementation, configuration, use, and update. There's so much good cryptography that doesn't get used properly because of one of these issues. These are hardly new areas, but they're the areas that need the most work.
Do you encrypt your e-mail?
Schneier: I do not, except for special circumstances.
When will we see more people using encryption for communications, people who aren't geeks and privacy freaks?
Schneier: I used to say when it was enabled by default in the major e-mail readers: Outlook, Thunderbird, Opera. But these days, many people read their e-mail using their browser, and don't have a local e-mail reader at all. People will start using encrypted e-mail when services like Gmail offer encrypted e-mail by default. That means, basically, never.
Has it really even taken off inside the corporate world? If not, why not?
Schneier: It hasn't, because there's no real reason to encrypt corporate e-mail. When we started thinking about security on the Internet, we thought about it in the classic way. Alice wanted to send a message to Bob, and Eve the eavesdropper was in the middle trying to listen in. In that model, encrypting e-mail is important because it prevents eavesdropping. But that's not the real risk to Internet communications. Nobody intercepts e-mails to steal credit card numbers or learn corporate secrets; instead, they break into servers and corporate networks and get at those e-mails before they're sent or after they're received. E-mail encryption doesn't protect against that threat at all. The primary risk to the data is when it's at rest, not when it's in motion. Ubiquitous hard drive encryption improves security much more than ubiquitous e-mail encryption, and good network security is even more effective.
That being said, we now know that the NSA vacuums up all sorts of electronic communications, e-mail included. So maybe it would be a good idea for all of us to routinely encrypt our e-mail. But since most corporations don't regard the NSA as a threat--they're supposedly on the side of the good guys--defending against them isn't high on a CSO's (chief security officer) to-do list, even CSOs of international companies.
Don't people care about their privacy?
Schneier: Of course they do. Survey after survey demonstrates this. What you really want to know is why, if people care about their privacy, do they continue to give up their privacy in return for what seems to be so little? The answer to that question is complicated, and psychologists are not studying it sufficiently. In short, though, it has to do with immediate vs. long-term consequences, the fact that privacy is something people don't notice until it's gone, and how salient privacy is when the decision is being made.
What do you think are the most serious legitimate threats to consumer privacy?
Schneier: Marketing. The legal collection, storage, resale, and reuse of personal information. Information brokers are doing more to hurt consumer privacy than anything criminals or the government can do. And, even worse, the government can buy information from them, and criminals can break into their databases.
What about threats to computer security?
Schneier: Crime. It may come with fancy names like identity theft, but it's really just fraud due to impersonation. That's the key threat, and it's not changing. The tactics might change--phishing, pharming, key logging, social engineering, password guessing, whatever--as security measures make some tactics harder and others easier, but the underlying issue is constant.
Do you use Facebook?
Schneier: I do not. It's not because I don't trust the site's privacy--although their dozens of privacy settings are pretty bewildering--it's because I don't think I could effectively keep my public life and my private life separate. I would want to use Facebook as a way to keep in touch with my friends, but it seems inevitable that my public life would bleed over. I could put up a public Facebook page and basically mirror my Web site and my blog there, but that seems like a lot of work for not a lot of benefit.
I don't use Twitter for much the same reason, even though I have a Twitter account. My social network of choice is LiveJournal.
What advice do you give your friends about how to protect themselves online?
Schneier: First and foremost, keep good backups. When a computer gets infected with malware, the most common thing you lose is your data. Second, acquire and install a good antivirus program (there are good free ones), and configure your OS and router to protect you. And third, pay attention to what you do online. So many attacks these days prey on the ignorance, gullibility, or naiveté of users; it's important to have a good bullshit detector.
It's National Cyber Security Awareness Month. What are your thoughts on cyber security in the U.S.?
Schneier: Really? We have a National Cyber Security Awareness Month? You're kidding. Whose idea was that?
Does it seem to you like our critical infrastructure, government, and corporate networks are just as vulnerable to attack as they were 15 or 20 years ago? Are we making any progress in that area?
Schneier: If anything, they're more vulnerable because there's more of it and it's more critical. We're making some progress against specific attack tactics, but I don't think we're making any real progress overall against the broad threats. Cybercrime is still getting worse.
Do you think the smart grid will be secure or just offer more ways for attackers to disrupt things?
Schneier: "Secure" isn't an absolute; there's just more secure and less secure. I think the smart grid will be more secure than some of the older systems it will replace, but less secure than others. It will defend against some attacks, and some accidents, and it will certainly offer attackers additional ways to disrupt things. This doesn't mean it isn't a good idea, mind you. Security considerations are just one of the things that should influence the decision to implement a smart grid.
Do you expect the Obama administration to be able to make a difference, or will it be business as usual?
Schneier: I wish I knew. I hope the Obama administration can make a difference; there are serious problems that need government intervention to solve. But I worry that the United States is fundamentally ungovernable at the highest levels, that the political process is simply not capable of tackling the major problems of society. So until increased computer and network security has lobbying groups capable of buying legislators and political parties, it's business as usual.
How much of a priority should cybersecurity be, if at all?
Schneier: It should be a major priority. More and more of society--government, corporate, and personal--is in cyberspace. Cyberspace is now where you go if you want to steal money, engage in espionage, or disrupt corporate and government operations. The real world is still more important, but cyberspace is increasingly important.
What do you do now for BT?
Schneier: BT bought Counterpane three years ago. Since then, Counterpane's managed security services have been fully integrated into BT's offerings and I have become the chief security technology officer for BT. As CSTO, my primary job is to evangelize computer and network security. I also get involved with BT's service offerings, and in customer engagements.
How well has the idea of managed security taken off?
Schneier: It's everywhere, but not in the way you're thinking about it. When you use Gmail, you let Google manage your e-mail security. You use managed security on your cell phone, on Facebook--everywhere you buy an outsourced service. Managed security is doing okay as a separate service, but it's doing great when it's part of a broader service.
How did you first get into the area of computer security? Were you one of those third-grade math nerds who could recite pi?
Schneier: No, but I was friends with that guy. I was never good at memorization; in high-school and college physics I would rederive formulas during tests because I could never remember them. But I always liked math, and was always good at it.
I also always liked cryptography. I read the few standard kids' crypto books that everyone read, and practiced making and breaking codes. In eighth grade, I had access to my first computer: a punch-tape terminal connected to a mainframe at a nearby college that could be programmed in BASIC. In college, I majored in physics--basically, mathematics with boundary conditions--and then worked for the U.S. Department of Defense in secure communications. I didn't work for the NSA, although I did work with the NSA. And no, I didn't work directly in cryptography, I worked on the implementation side of the black boxes the NSA developed. I always kept my interest in cryptography, and in 1991 when AT&T Bell Labs laid me off, I decided to write Applied Cryptography and go into consulting. It was the right book at the right time. I really didn't start paying attention to computer security until I noticed that all these fantastically secure cryptographic systems were being broken because the computers and networks they were running on were insecure.
I have read that you are quite the foodie and that you write restaurant reviews for an alternative newspaper in Minneapolis and even wrote a guide book. Tell us more.
Schneier: I am and I do. My wife and I have written restaurant reviews for several Minneapolis newspapers and magazines, including the Star Tribune. Occasionally, I post restaurant reviews on the eGullet Web site--although these days I'm pretty lazy about it. It's a nice change from security writing, I think. I also cook--savories, not sweets--and maintain a decent wine cellar.
Do you bank online? If so, do you ever use a mobile device to do it? If not, why not?
Schneier: I don't do a lot of banking online. I have online access to my accounts, primarily to check balances and receive some credit card statements via e-mail, and I've set up some of my regular bills to be automatically paid. Other than that, I prefer to pay my bills manually. This is less for security reasons, and more because doing banking explicitly makes me more aware of where the money is going.
I've never done any online banking using a mobile device. I can't even imagine why I might want to.
What have I not asked that readers might find interesting?
Schneier: You haven't mentioned the squid at all.