[ISN] Schneier On Schneier

From: InfoSec News (alerts@private)
Date: Wed Jan 10 2007 - 22:36:44 PST


By Kelly Jackson Higgins 
January 10, 2007

Security is a system, he says, and you have to look at security 
technologies in that broader context

He's eaten guinea pig in Peru, whale in Japan, and tried insects in 
Australia. But security guru -- and part-time restaurant critic -- Bruce 
Schneier mostly steers clear of chain restaurants, which he finds 
oppressively uniform.

When he's not sampling exotic cuisine, Schneier is best known as the 
developer of the Blowfish and Twofish encryption algorithms and as the 
bestselling author of Applied Cryptography, which has been called the 
bible for hackers. He's written other books that examine security and 
society, and he is a renowned security speaker, blogger, and columnist, 
as well as a popular media talking head who offers unique views on 
everything from encryption to post-9/11 security overkill.

Schneier, a contributing editor to Dr. Dobb's Journal and recipient of 
the magazine's 2006 Excellence in Programming Award, says he writes 
restaurant reviews as an escape from his work in security, but he does 
see some symmetry in security and food: "Food is more about how a 
culture uses what it has to make an interesting meal. That's the same 
thinking as security," he says. "I look at it from a systemic point of 
view -- what is going on here in the bigger picture that creates this 
traditional dish. Tibetan food is moderately spicy, because spices don't 
grow that high [in elevation]," for example, says Schneier, founder and 
CTO of BT Counterpane, now part of British Telecom.

Security is a system, he says, and you have to look at security 
technologies in that broader context, from cryptography to airline 
security. "A lot of technologists focus on the details of the 
technology, such as biometrics or explosive-detection machines. I look 
at the big picture," he says. "The lessons in my writings are not about 
specific technologies, but about the world and human nature."

That's really what it's all about for Schneier, 43, who had a big year 
last year. His managed security services company, Counterpane, was 
purchased by British Telecom in October. Schneier admits he was 
initially worried the BT deal would stifle his work and the public 
persona he has built, but BT made it clear it was hiring him not as a 
pitch man, 
but as an independent voice. "That's important to me," he says. "BT is 
giving me a bigger platform to do the things I do for Counterpane."

And his security research options will expand, given BT's global 
presence. Schneier travels to London next week to meet with BT's 
research group and discuss its work, which ranges across biometrics, 
quantum cryptography, and identity management -- things outside of what 
Counterpane has done, he says. Schneier's not sure what his level of 
involvement will be in BT research just yet, but he hopes to be an 
adviser to marketing and research.

He doesn't expect any of this to detract from the Bruce Schneier brand, 
however, which feeds off Schneier's candid and sometimes controversial 
commentary on all things security.

"BT recognizes the more general I am, the more value I give BT. They get 
that," he says. "Everything feeds into everything else, the writing, the 
speaking. I can't just go inside BT and disappear doing BT work, because 
everything [I do is related to] BT work."

Schneier won't shy away from the hot-button topics in IT security or 
physical security. Last week, for example, he told a reporter at a 
Tacoma, Wash.-based radio station, after the school shooting there, that 
metal detectors would be a waste of money. "The goal isn't to stop 
shootings in schools. It's to stop shootings," he says, by investing in 
ways to ensure a kid doesn't resort to violence at all. "If a kid shoots 
another kid in the playground because there's a metal detector in the 
building," then the physical security was ineffective, he adds.

"That's a tough message for people to hear."

Meanwhile, Schneier says today's hackers/researchers are doing some good 
work poking holes in software, but there is some of what he calls 
"ethical sloppiness" out there. "People who don't pay attention to the 
ramifications of what they are doing." As for the vulnerability 
disclosure debate, Schneier is all for it, as long as it's for 
legitimate purposes and not "self-aggrandizing," he says.

"It's polite to give vendors advance notice. But companies shouldn't 
expect advance notice, because the bad guys won't give it to them," he 
says. "A lot of this debate obscures the fact that these bugs are 
mistakes. We focus on the person who disclosed it, but it's a 
programming error...a mistake someone made."

His latest work is on brain heuristics and perceptions of security, and 
he'll be doing a presentation on that topic at the RSA Conference next 
month. "I'm looking at the differences between the feeling and reality 
of security," he says. "I want to talk about why our perceptions of risk 
don't match reality, and there's a lot of brain science that can help 
explain this."

And as for now, Schneier's title remains CTO of Counterpane, but he and 
BT are cooking up an updated title for him. Nothing is firm yet, but 
don't expect it to have "evangelist" in it: "I hate the word 
'evangelist,'" he says. "It's not a bad term, but I don't like the 
implications... It's almost like a cheerleader."

He may not be shy about speaking his mind on hot-potato security topics, 
but Schneier makes it a policy not to write bad reviews of indie or 
mom-and-pop restaurants. "I try not to write bad restaurant reviews," he 
says. "If a restaurant is bad, I'd prefer to simply ignore them. A bad 
review only hurts them."

Personality Bytes

* What scares Schneier most about security: "Crime. We over-emphasize 
  cyber terrorism and under-emphasize cyber crime. But cyber crime is 
  where the attacks are coming from."
* On Microsoft and security: "They're getting a lot of things right, but 
  Microsoft continually uses security as a way to solidify its monopoly 
  position. Microsoft is right to treat security as a business issue -- 
  they're not a public charity -- but it hurts all of us when they use 
  it to lock out the competition."   
* Favorite team: "I tend not to pay attention to spectator sports."    
* Favorite hangout: "Home. I'm on the road 40 percent of the time..."    
* After hours: "Spending time with people I'm close to... friends."    
* In Schneier's iPod right now: "All sorts of things. Folk, folk rock, 
  Irish and Celtic music, singer-songwriters. My favorite band at the 
  moment is Crooked Still."    
* Biggest pet peeve: "Airport security is the stupid security I most 
  come into contact with."
* PC or Mac: "PC."    
* Wheels: "My wife buys the cars we have at home. The car I most 
  commonly drive is a rental."    
* Next Career: "Curmudgeon. Anyone can be cynical and bitter, but being 
  a curmudgeon is hard."

Kelly Jackson Higgins is a Senior Editor at Dark Reading.
