Have you ever had one of those moments where something you knew to be certain was turned upside down and you learned you had been wrong ... for years? A lot of Bruce Schneier’s writing gives me moments like that.
Schneier, CTO of Counterpane, is one of the world’s foremost experts on computer security. His first book, Applied Cryptography, is a long-time best seller for people wishing to understand cryptography in detail, as well from a philosophical viewpoint. His other books, such as Secrets and Lies or Beyond Fear, and his monthly Crypto-Gram continue to promote innovative, commonsense security.
Schneier will come at an issue with what seems like an unpopular viewpoint and turn your initial gut reaction on its head. Say black, and Schneier is likely to say white. Say we need better security at large sports arenas and Schneier will argue the opposite. Say we need to create national ID cards to separate the terrorists from the law-abiding citizens and Schneier will say “baloney!”
What’s amazing is that he is usually right, flying in the face of overwhelming popular odds in the opposite direction.
Often, you’ll want to fight his initial response, but Schneier will win you over by convincing you that what you believed before was based upon false assumptions, popular myths, and illogical thinking. He’ll argue against himself, both pro and con, so that by the time he gets to his conclusion, he’s already out-argued what you could have thrown up against him.
Schneier is especially good at crafting one-sentence responses to make you realise how wrong you are.
For example, when the world was talking about a particular network security protocol, with a newly found vulnerability, Schneier said, “If this is your company’s biggest threat, then you’re doing better than most other companies.”
It was his way of reminding us that all our security risks have to be ranked by criticality and that the biggest threat to most environments is the end user, not some obscure, hard-to-manipulate security protocol.
Schneier is quick to reiterate that open-source code review doesn’t mean open-source software will be more secure than closed-source software.
He tells us that today’s seemingly harmless invention (RFID tags, for instance) can easily become tomorrow’s security risk. When the “experts” tell us that we’re safe because RFID tags can only be read when held incredibly close to the appropriate reader, he reminds us that Bluetooth wireless devices (which were initially said to have only a ten-foot range) can now be read from more than half a mile away, by guys toting Bluetooth “rifles”.
Schneier predicts that security issues will get much worse in the future, not better, if we don’t change the status quo. He pushes us to ignore the hot technical issue of the moment and, instead, focus on why it was allowed to be that way. He forces us to look at the real problem, not just the symptom.
When I was interviewing Schneier for a recent series of articles I wrote on SSL Trojans, I found interacting with him tough. Giving me just a few minutes before he flew off to Turkey, I felt like he was interviewing me more than the other way around. I was asking him how banks could protect themselves against the new threat of SSL-evading Trojans, and for every question I threw at him, he threw one back.
Within a few minutes, he was leading me on my own exploration, to a solution that would work. It was then that I realised he was teaching me, and because I “taught myself”, through our conversation, I would understand better and faster.
Schneier publishes his thoughts on various security issues every week, and he is almost universally ignored — initially. How frustrating it must be for him to keep telling the world the same things over and over, just to be ignored or to listen to other pontificators, like myself, say the same thing years later, and think it’s news.