Interview with Bruce Schneier
Introduction
Bruce Schneier is founder and chief of Counterpane Internet Security. He is also the author of six books, one of which is seen as "the definitive work on cryptography for computer programmers". That book is called Applied Cryptography. If his name or this book title do not ring any bells... well, in that case you haven't been working in the information security area the last couple of years. Last December he was declared one of the 50 most influential executives in the IT industry by Network Fusion magazine. In this interview Bruce talks about, among other things, his fear of flying, his vision on e-commerce developments, the problems with secure computing and his ideas about privacy. This is the full text with added hyperlinks. The interview will be published next year (in Dutch) in the magazine Informatiebeveiliging. A Dutch transcription is also available online.
Interview
Are you afraid of flying?
Schneier: "It's a matter of evaluating risk. The odds of being in an airplane crash or terrorist attack are very small. It's more dangerous to drive your car up to the airport. So you have to worry about the right thing."
I heard that the RSA Security conference in Amsterdam last week was cancelled because of the fact that a lot of speakers cancelled their appointment. The word was that they were afraid to fly?
Schneier: "There are a couple of things. People cancel their appointments not because they are afraid to fly, but because it is so much more inconvenient now. Flying from America used to be very easy. Now the lines are longer, there is more security. Flights are being cancelled. For this trip I had to reschedule my flights because I wasn't able to fly directly from Amsterdam back to America. It was going to take me two days. So I was about to cancel the appointment as well, just because of the inconvenience. So that's an important point. The whole point of terror is getting people afraid.
And people will become more fearful, just because they are not evaluating the correct risks. Terrorism is not the biggest danger. Heart diseases and cancer are killing more people every year. But we don't have a war on heart disease."
Information security, and especially the cryptographic part of it, is celebrating its 25th anniversary. What did all these years of information security bring us?
Schneier: "Cryptography is thousands of years old. What we are celebrating is 25 years of public mathematical cryptography. In the '70s we saw DES and RSA and Diffie-Hellman. And for the first time in the academic world, the free world, there was a science about mathematical cryptography. And we learned a lot about making and breaking algorithms, designing secure mathematics and evaluating secure mathematics. We have come to the point now, 25 years later, where the math is as strong as we need. There are really no cryptography problems. We can make things better and faster ..., but we do not have problems for which we can say 'we need cryptography to solve this' or 'here's a big unanswered problem with cryptography'. There are a lot of these problems in the science where there is a lot of mathematical research. But as engineers, the last 25 years, we have built all the cryptography we need to secure systems. Now we see a lot of attention turned to other aspects of security. Security is a chain, and the weakest link breaks it. We have made cryptography the strongest link in that chain. So making it stronger doesn't really help us, because it will not make the chain any stronger. That's why you see a lot of people looking at computer security, anti virus, secure operating systems, secure databases, secure communication protocols, wireless security. All these things are really miserable in terms of security. So these last 25 years have brought us very good cryptography and the realization that security is so much more."
'Complexity is security's worst nightmare' is one of the things you have pointed out many times. Do you think operating systems such as Windows XP, which are very complex, can be made safe?
Schneier: "Probably not. If things get more complex they get less secure. This is not only true in computer security but also in a lot of other things like nuclear power plants, commercial shipping and in airplane scheduling and routing. And we have reached the point that operating systems and computers are so complex that they cannot be made secure. They can be made much better than they are now. Microsoft puts features in their operating system that reduce security in an effort to get more functionality and more usability. In order to get more market share. But the notion of having a secure operating system is probably one that will, at least in the near term, be fiction. We do not know yet how to build complex computer systems securely. As a science we can't do that." And I should put an aside on that. It is very interesting that we are sitting here in the house of Niels Ferguson, because it was with him that I first phrased that. I think 'complexity is security's worst enemy' is Niels's phrasing. So we should give him co-credit on this. [LK, reference]
Full disclosure or non disclosure?
Schneier: "Full disclosure. I am actually writing an essay on this. Recently we saw Scott Culp [Microsoft, LK] publish his essay [LK, reference] on the evils of full disclosure. In the next Cryptogram I am writing about it, as I have done in the past. [LK, reference] But it is a complicated issue. It is a free speech issue. And it is also an issue of writing attack tools. So some things are good and some things are bad. As a security community we have gained a lot from full disclosure. Before full disclosure companies would not fix vulnerabilities. Companies would threaten researchers, companies would cover things up, companies would even deny that vulnerabilities existed.
And that all changed because of full disclosure. If we go back to no disclosure we risk losing all of that security. Still the people who write attack tools, in order to break into somebody else's systems, are doing bad. None of this is perfect. The question is which is better for security. And full disclosure is much better. It has proven to be so historically and it is like that in the future. But it is not an obvious A versus B."
In 1999 you said in an interview on Slashdot that we will soon be living in a world where there is no expectation of privacy. In the aftermath of 11 September new laws are passed through Congress, in the US but also in Europe and other parts of the world. Do you think the prediction you made in 1999 has come true already?
Schneier: "Expectation of privacy is more a technological issue. One of the things I have come to believe is that we need privacy protection by laws. It used to be that you could close your door and be secure and private in your home. That is no longer true because of modern eavesdropping. Technology is making it so that there is no technological expectation of privacy. What we need to replace that with is legal protection. A legal expectation of privacy. You need to know that no one is eavesdropping on your phone call. Or put on an x-ray heat sensor and eavesdrop on you through your walls. Because all of this is now technologically possible. And it is getting worse. Things that can be done are so invasive that we need protecting over what will be done, because you will have no privacy. Now there are people who are saying 'Look, you do not have any privacy' and we need to work on that. I would like to see much better legal protection."
I remember a commentary on the Security Systems Standards and Certification Act (SSSCA) in which a lot of apparatus are listed that need to have cryptographic abilities in order to protect the personal data that is generated with them.
Laws like this one and like the DMCA act also infringe on the privacy of persons. Could we describe two visions of the future, one with and one without these laws?
Schneier: "I long argued that you cannot prevent copying of material. You just fundamentally can't. That is the nature of digital material, just as when you have a radio transmitter you can not prevent somebody from picking up the signal. And any type of copyright protection that goes against this natural law of digital material will fail. Just like when radio appeared companies had to figure out how to make money while anybody within range could listen in on the radio broadcast. Companies now have to figure out how they can make money with digital content, even though anyone can copy and distribute it. Some people have taken my position as being anti-copyright. But I am not against copyright. I just don't believe it can be protected in the same way as it could before. In the digital world we need to figure out business models that are aligned with the way digital information works. So you could see a world in which the media companies are continuously trying to control this. This vision was painted in an article a couple of years ago [LK, reference?]. A world in which content had to be registered. A world where computers were outlawed because they were of general purpose. Where even unauthorized speakers or video players were illegal. All this stuff had to be regulated and licensed in an effort to try to contain copyright. I have long argued that the media does not like computers. They basically would like to see an internet entertainment platform. A controllable device through which people could listen to and see digital content. And not one where people would have control of software. The other type of world in which content would be free. Not because people are giving away copyright, but because that is the way they make money.
As an example: I publish a monthly newsletter called Cryptogram of which I retain the copyrights. But I give it away for free. I do that because I do better that way. It is a publicity vehicle. It is a vehicle by which I can communicate. So I could charge for that newsletter, I could charge for instance 100 US$ for a year subscription. In that case I might have made money, but I would have far fewer subscribers. But it would do worse for me as a security expert, because fewer people would be reading it. The fact that more people are reading it and the fact that it is free is better for me than if I would charge for it. This is a different way of thinking. And similar things could be done with other forms of content. As an example: A newspaper is very cheap. They are in fact giving it away and selling advertisements. Television is the same thing. Or think of the Grateful Dead band. They always allowed fans to record their concerts. And that helped their popularity. They would sell more concert tickets because they gave away recordings. So they gave away the content but charged for live performance. Think of public funding of art. You give away the art and the government is paying for it. Or Stephen King who gave away an electronic novel. And he said: 'We are going to do this with the honor system. If you pay I will write and if you don't pay I won't write'. This is an interesting model, because one person could say 'I would like to read the next chapter'. And he could give Stephen King a check for a hundred thousand guilders. And everyone else would benefit from that. So it doesn't matter if ten thousand people pay ten guilders or one person pays hundred thousand guilders. As far as Stephen King is concerned it is the same thing. Stephen King will do better the more people get his chapters for free, get hooked and want to pay. Disney is very concerned that digital copies of their films are published on the internet.
That is because their business model is based upon charging every copy to every individual. But if they would figure out a different business model they might want things to be distributed. All of these new business models take advantage of the copyability of digital work. These are examples of businesses making money just because digital content is copyable. So this is a challenge, this is a struggle. Businesses have bet their future on this charging-for-each-copy model. But I don't think this model is going to survive. Digital content can not be controlled in the same manner as records and tapes can."
So what is your idea of micro payments? The possibility of authors to create a one-on-one relationship with each individual reader?
Schneier: "It is interesting to see that all micro payment models have basically died. There is no one really who wants to pay a nickel. No one really wants to pay a tenth of a cent. You see small payments of a few dollars with for instance Visa and PayPal. Most of these payment-relationships are based on established relationships. You might think we are going to do micro payments with newspapers where you pay a nickel for each article you read. What will happen really is that you will subscribe to a newspaper, read articles for a very small amount and each month will get a bill. I do that now with an international patent database to which I am subscribed. And I don't pay a micro payment every time I use it. I get a bill which is aggregated. And this is more likely to happen than micro payments. That is also what PayPal does. They aggregate. They aggregate ad-hoc relationships. With a newspaper you will establish an ongoing relationship. So there doesn't seem to be a requirement for a separate micro payment currency on the internet. That might change, but right now and in the conceivable future I don't see the need for it."
The Digital Millennium Copyright Act is making it harder for information security specialists to investigate weaknesses of copyright protection schemes. People like Niels Ferguson are withdrawing their papers from the internet [LK, reference]. Do you think we are going to win this fight?
Schneier: "Eventually we will win, because digital information cannot be protected. But it might be a long and ugly fight, for a decade or so. In the short term it is going to be hard to win. Because in the United States and also in Europe you are fighting very strong lobby interests. You are fighting very well funded special interest groups of the recording industry and the entertainment industry. It is hard to win, because on the surface the things they are saying sound very reasonable. But they are really going very far. There was a draft amendment that was going to be attached to the United States Counter Terrorism legislation, which basically equated people who steal music with people who blow up skyscrapers. And which would give the recording industry the right to attack. This was very scary. The new bills would require copy protection in every computing platform. The chilling effect on security research is bad. It is bad for everybody because it is going to hurt the security overall. But a lot of people don't see it that way. So it is a tough fight, but I think we will win. We won the battle against export [LK, of strong encryption] which seemed to be a very tough battle for a long time. We won that battle because it became irrelevant. There will be a point in the evolution of computers where it no longer matters. And the recording industry and entertainment industry will realize that they have lost. In the meantime they will come up with new business models that will make it 'OK' that they have lost. In the meantime the intelligence agencies will build new ways of getting intelligence that will make the loss by cryptography irrelevant.
So I think we will lose in the short term, but we will win in the long term."
In Secrets and Lies you say that information security evolves from the cryptographic area to a much wider approach. We already talked about that, but what do you think of the mindset of security experts? Are they still looking too much at information security from a cryptographic point of view?
Schneier: "Information security experts used to think of security as an on-off thing. Something was either secure or it wasn't. In the past few years we have been seeing a switch to a more risk-management approach. With this approach nothing is one hundred percent secure, but there are levels, there are risks that need to be managed. There was a group of security experts who believed that from the beginning. And that belief is becoming more mainstream. I think it is a change for the better as people are getting more aware of the risks. With cryptography something is secure or it isn't. With information security this is much more vague."
In Secrets and Lies you tell your view on the future of products. Are there any developments in this area of software programming that relate to your vision?
Schneier: "Not really. There hasn't been any development in the area of security products over the last five or six years that made a crucial difference. Products like firewalls, intrusion detection systems and anti virus products are better capable of finding problems and solving them. But there has not been a revolution in products. The only thing right now is the move from these products into services. Anti virus products are moving into services because the virus industry is moving too fast. Intrusion detection products are moving into services. We [LK, at Counterpane] do monitoring services. The idea is that the products are too static and the world is too dynamic."
So real-time monitoring and evaluating of log files becomes more important. Could you explain why this is the only way?
Is this because of the lack of new products that we have to switch to this kind of model?
Schneier: "Yes, it is because of the lack of new products. The problem with computer security when you instantiate new products is that it is very fragile. And we have all seen this. You go to bed one night, you are completely secure and during the night a bunch of new vulnerabilities are discovered, so when you wake up you are insecure. But there was nothing you did! It is impossible to keep up. We see it again and again that companies do not install patches. I do not believe it is their fault. There are dozens and dozens of patches that come out every week. Companies would have to use all their time installing patches. And they don't. So vulnerabilities are inevitable. And new attack tools show up very fast. In that environment it is impossible for companies to keep up. You actually need people who are intelligent, people that can make decisions, people who see things. And monitoring is the only way to get security in this environment. You see the effects for instance in computer forensics. With computer forensics you pull out the log files and try to figure out where the attacker went and what he did. If you could read these log files in real time you can figure out what the attacker is doing. So that is the point of monitoring. You can see what the attacker is doing and you can stop them before it is too late. There is no way you can do that within a product. You actually need a human brain to do this. Computers are the sensors but humans do the analysis and make the decisions."
Do you see a future for artificial intelligence in this area?
Schneier: "Sure. When artificial intelligence works you could fire all your analysts. In thirty to fifty years Counterpane would become an AI-company. But in the near term artificial intelligence doesn't work. And you know this when you have an intrusion detection product. The false alarms just make the products useless.
You have to figure out what is a false alarm and what is real. And outsourcing this is just natural, because you cannot possibly do it yourself. Robocop will work when Cybercop will work. Until that time we will have to work with humans."
There has been much debate on the pros and cons of open source software. Are you running an open source operating system on your laptop?
Schneier: "I'm running Windows 2000."
Do you think the open source movement will be able to win the battle for the desktop? And do you think we can increase the security of our computers by using open source software?
Schneier: "I don't know if they are winning the battle for the desktop. But maybe my opinion in this is not so relevant. What is the interesting point here is the security. People say that open source software is more secure compared to closed source software. But that is an overstatement. Open source software has the potential of being more secure. Just like systems are more secure the more evaluating they get. But this does not happen automatically. This only works for software that is widely used and evaluated. It doesn't work for products which are open source but which do not get these evaluations. They could claim that they are more secure but that is not the case. You need people to look into it." [LK, reference]
Binding the identity of people to an electronic equivalent through the use of smart cards is becoming more and more important. Europe is a couple of years ahead if you compare this to the United States. And PKI seems to be the magic word with this. Your ten risks of PKI are very well known. [LK, reference] Do you still think the risks of PKI are as big as you thought?
Schneier: "I haven't seen any changes in the way PKI works. It is not about the mathematics in PKI but how they interact with the real world. With PKI you know a private key signed a certain document. Mathematically and absolutely. What you don't know is if it was the person who did it.
Or what process did the signing. Did the person understand the document when he signed it? Did the person even see the document or did the computer sign it without the person's permission? How did the person get the private key? Is the identity attached to the private key the proper one? It is all those processes around the mathematics that fail. And this is back to complexity. Again the cryptography is the strongest link. In this chain of PKI security there are many links and risks that I outlined. And I talked about those other links and how they affect this security. And I haven't seen any changes in that and I don't see any changes coming in the future."
So why do you think people are not picking this up?
Schneier: "They are picking it up, though not explicitly. PKI has been the future of security for seven years or so. And we are still not seeing it used. Amazon knows this. They will let you buy a book using SSL, but if you don't want to, they will sell you the book anyway. They understand PKI doesn't matter for security."
Could biometrics make a change for this?
Schneier: "Your passport already holds biometrics through the picture of yourself and your private information. And this works very well. The customs immigration officer can take a look at the passport and the picture and check to see if that hasn't been forged by looking at your face. But there are a lot of examples where biometrics fail, where they make bad use of biometrics. So I think biometrics do have their place in security, as you see with passports, but they are not a panacea."
Do you think there is another way of actually identifying people in an electronic environment?
Schneier: "That seems to be very hard. The problem is the person is not electronic. It is a difficult, but probably doable, problem to identify a computer. But how do you identify the person sitting in front of the computer? How do I make the leap from the computer to the human being?
This is where you have the problem and biometrics don't solve it. Is there any way of positively identifying the person that is sitting in front of the computer? I think probably not. Unless you have another person there. For instance in an internet cafe where you would have somebody check your identity before you sit down in front of the computer. Or in America where you can take your driver's license exam on a computer. But there will be a person there who will check your identity and make sure that you are the person who you say you are. So there are two things you have to identify. The computer and the person who is sitting in front of it. Computers can identify computers and people can identify people. It is very hard to mix these up."
Is there any possibility for lawsuits against software vendors because of the insecurity of their products?
Schneier: "In America we see more and more lawsuits. Especially to custom made software vendors. But then it normally has to do with a breach of contract. I think one of the problems with software nowadays is that there is no accountability, there is no liability. Microsoft can produce a product which is really insecure. Where all the advertising is wrong. But you still cannot sue them. And this has got to change. And it will change eventually. Companies will start to produce more secure software because the market will demand for them to do so. So I believe that software liability is very important to achieve secure products in the end. And I am in favor of it. Even though it will probably end up in a lot of very ugly lawsuits. Right now companies don't have a marketing incentive to do so. Microsoft treats security as a PR [public relations, LK] problem, because that is what it is."
So security will become a business enabler?
Schneier: "Yes. Security will become a business enabler."
When will you publish your next book and what is it about?
Schneier: "Well, you will be the first persons to know.
Niels Ferguson and I have just signed a contract with John Wiley and Sons [LK, reference] for a new book titled "Practical Cryptography". It will be a book less about the mathematical part of cryptography but more about how to use it. We will not talk about all of the algorithms, but about how to use them. Again this is going back to the real problem. The problems are not within the mathematics but in how to use them. So teaching people on how to use an algorithm properly is more important than teaching them about how an algorithm works."
So first you told us about the complexity about security and now you are going to teach us how to solve it?
Schneier: "I don't think I can actually solve it. But I think I can teach people to be better cryptography implementers and to be better security designers. You know, there is an awful lot of bad cryptography out there. If we could reduce that I think we have done well. The book will be published in spring 2003."
Last question. In this information security market we have been trying to convince people, and especially the upper management, to be serious about the security of their information. Now if we look at the civilians, the people that work with computers, they don't seem to be so concerned about their privacy and their security. Do you think we can reverse this process?
Schneier: "It is very hard. If McDonalds in the United States would give away a free hamburger for a DNA sample they would be handing out free lunches around the clock. So people care about their privacy, but they don't care to pay for it. In the United States we have frequent shopper cards, which will track down people's purchases for a 5 cents discount on a can of tuna fish. I don't think you can convince the public to care about it. You see this after the attacks of 11th September. People say they would gladly give up a part of their privacy if they could get more safety from that.
And this is why we are having problems convincing Congress that privacy is important. A lot of companies want to take away privacy, but there are no companies that want to give back privacy. Privacy is a right you only notice in its absence. Europe is much more sensitive about personal privacy, because of things that happened during World War II. These things never happened in the United States. But memories fade. So I'm not sure, it might not even be possible, to convince people that privacy is important."
Amsterdam, October 21st, 2001