http://freakonomics.blogs.nytimes.com/2007/12/04/bruce-schneier-blazes-through-your-questions/

By Stephen J. Dubner
Freakonomics
December 4, 2007

Last week, we solicited your questions for Internet security guru Bruce Schneier. He responded in force, taking on nearly every question, and his answers are extraordinarily interesting, providing mandatory reading for anyone who uses a computer. He also plainly thinks like an economist: search below for "crime pays" to see his sober assessment of why it's better to earn a living as a security expert than as a computer criminal. Thanks to Bruce and to all of you for participating.

Here's a note that Bruce attached at the top of his answers:

Thank you all for your questions. In many cases, I've written longer essays on the topics you've asked about. In those cases, I've embedded the links into the necessarily short answers I've given here.

Q: Assuming we are both still here in 50 years, what do you believe will be the most incredible, fantastic, mind-blowing advance in computers/technology at that time?

A: Fifty years is a long time. In 1957, fifty years ago, there were fewer than 2,000 computers total, and they were essentially used to crunch numbers. They were huge, expensive, and unreliable; sometimes, they caught on fire. There was no word processing, no spreadsheets, no e-mail, and no Internet. Programs were written on punch cards or paper tape, and memory was measured in thousands of digits. IBM sold a disk drive that could hold almost 4.5 megabytes, but it was five-and-a-half feet tall by five feet deep and would just barely fit through a standard door.

Read the science fiction from back then, and you'd be amazed by what they got wrong. Sure, they predicted smaller and faster, but no one got the socialization right. No one predicted eBay, instant messages, or blogging. Moore's Law predicts that in fifty years, computers will be a billion times more powerful than they are today.
I don't think anyone has any idea of the fantastic emergent properties you get from a billion-times increase in computing power. (I recently wrote about what security would look like in ten years, and that was hard enough.) But I can guarantee that it will be incredible, fantastic, and mind-blowing.

Q: With regard to identity theft, do you see any alternatives to data being king? Do you see any alternative systems which will mean that just knowing enough about someone is not enough to commit a crime?

A: Yes. Identity theft is a problem for two reasons. One, personal identifying information is incredibly easy to get; and two, personal identifying information is incredibly easy to use. Most of our security measures have tried to solve the first problem. Instead, we need to solve the second problem. As long as it's easy to impersonate someone if you have his data, this sort of fraud will continue to be a major problem.

The basic answer is to stop relying on authenticating the person, and instead authenticate the transaction. Credit cards are a good example of this. Credit card companies spend almost no effort authenticating the person (hardly anyone checks your signature, and you can use your card over the phone, where they can't even check if you're holding the card) and spend all their effort authenticating the transaction. Of course it's more complicated than this; I wrote about it in more detail here and here.

Q: What's the next major identity verification system?

A: Identity verification will continue to be the hodge-podge of systems we have today. You're recognized by your face when you see someone you know; by your voice when you talk to someone you know. Open your wallet, and you'll see a variety of ID cards that identify you in various situations, some by name and some anonymously. Your keys identify you as someone allowed in your house, your office, your car. I don't see this changing anytime soon, and I don't think it should.
Distributed identity is much more secure than a single system. I wrote about this in my critique of REAL ID.

Q: If we can put a man on the moon, why in the world can't we design a computer that can cold boot nearly instantaneously? I know about hibernation, etc., but when I do have to reboot, I hate waiting those three or four minutes.

A: Of course we can; Amiga was a fast-booting computer, and OpenBSD boxes boot in less than a minute. But the current crop of major operating systems just don't. This is an economics blog, so you tell me: why don't the computer companies compete on boot speed?

Q: Considering the carelessness with which the government (state and federal) and commercial enterprises treat our confidential information, is it essentially a waste of effort for us as individuals to worry about securing our data?

A: Yes and no. More and more, your data isn't under your direct control. Your e-mail is at Google, Hotmail, or your local ISP. Online merchants like Amazon and eBay have records of what you buy, and what you choose to look at but not buy. Your credit card company has a detailed record of where you shop, and your phone company has a detailed record of who you talk to (your cell phone company also knows where you are). Add medical databases, government databases, and so on, and there's an awful lot of data about you out there. And data brokers like ChoicePoint and Acxiom collect all of this data and more, building up a surprisingly detailed picture on all Americans.

As you point out, one problem is that these commercial and government organizations don't take good care of our data. It's an economic problem: because these parties don't feel the pain when they lose our data, they have no incentive to secure it. I wrote about this two years ago, stating that if we want to fix the problem, we must make these organizations liable for their data losses.
Another problem is the law; our Fourth Amendment protections protect our data under our control, which means in our homes, in our cars, and on our computers. We don't have nearly the same protection when we give our data to some other organization for use or safekeeping.

That being said, there's a lot you can do to secure your own data. I give a list here.

Q: How do you remember all of your passwords?

A: I can't. No one can; there are simply too many. But I have a few strategies.

One, I choose the same password for all low-security applications. There are several Web sites where I pay for access, and I have the same password for all of them.

Two, I write my passwords down. There's this rampant myth that you shouldn't write your passwords down. My advice is exactly the opposite. We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.

And three, I store my passwords in a program I designed called Password Safe. It's a small application (Windows only, sorry) that encrypts and secures all your passwords.

Here are two other resources: one concerning how to choose secure passwords (and how quickly passwords can be broken), and one on how lousy most passwords actually are.

[...]

__________________________________________________________________
Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Tue Dec 04 2007 - 22:42:04 PST
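As an added illustration of the identity-theft answer above (authenticate the transaction, not the person), here is example code that is not part of the interview or of any issuer's system: a toy risk scorer that judges a card transaction only by its own properties and the card's recent history, so stolen personal data alone does not get a transaction approved. The transactions, thresholds and weights are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed example: score a card transaction from the transaction itself and the
# card's recent activity. No personal identifying data (name, date of birth, SSN)
# is consulted, which is the point of authenticating the transaction instead of
# the person. Weights and thresholds are hypothetical, not an issuer's real rules.

@dataclass
class Txn:
    when: datetime
    amount: float
    country: str
    card_present: bool

@dataclass
class CardHistory:
    home_country: str
    typical_amount: float                       # typical spend on this card
    recent: list = field(default_factory=list)  # prior Txn objects, oldest first

def risk_score(history: CardHistory, txn: Txn) -> int:
    """Return an integer risk score; higher means the transaction is more anomalous."""
    score = 0
    if txn.amount > 5 * history.typical_amount:
        score += 40                              # far above this card's usual spend
    if txn.country != history.home_country:
        score += 20                              # outside the card's usual country
    if not txn.card_present:
        score += 10                              # card-not-present is easier to fake
    last_hour = [t for t in history.recent if txn.when - t.when <= timedelta(hours=1)]
    if len(last_hour) >= 3:
        score += 30                              # burst of transactions in one hour
    if any(t.country != txn.country for t in last_hour):
        score += 50                              # two countries within an hour
    return score

def decide(history: CardHistory, txn: Txn) -> str:
    """Map the score to approve / step-up (e.g. a one-time code) / decline."""
    score = risk_score(history, txn)
    if score >= 80:
        return "decline"
    if score >= 40:
        return "step-up"
    return "approve"

if __name__ == "__main__":
    hist = CardHistory("US", 40.0, [Txn(datetime(2007, 12, 4, 10, 0), 35.0, "US", True)])
    print(decide(hist, Txn(datetime(2007, 12, 4, 10, 40), 900.0, "RO", False)))
```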