Monday, March 5, 2007

The Security Evangelist

Minnesota-based author Bruce Schneier challenges the conventional wisdom about what makes people, corporations and nations safer in the post-9/11 world.

By Leslie Brooks Suzukamo, Pioneer Press, November 19, 2006

Want to keep your kids safe? Teach them to talk to strangers, says Bruce Schneier, a Minneapolis author who happens to be one of the world's leading security experts.

The Brooklyn transplant made his reputation as a cryptographer — his work has been mentioned in "The Da Vinci Code" and on the TV show "24" — and as co-founder of the network security company Counterpane, which was recently acquired by BT, the former British Telecom.
A geek's geek who gets treated like a rock star at hacker conventions and mainstream security conferences alike, he continues as chief technology officer of BT Counterpane, a Silicon Valley-based company that manages the security of hundreds of corporations worldwide. But he's spent much of the past few years trying to change the way most of us think about security.

In books like "Secrets and Lies: Digital Security in a Networked World" and "Beyond Fear," he argues that well-intentioned public policies since the Sept. 11 terrorist attacks have actually made us more vulnerable, not less. He wants to change public perceptions by giving ordinary folks the tools to think about security the way he does.

But there's a catch.

"A lot of what I do is (analyze) risk," he said. "And risk is math."
Consider, for example, the risk faced by a lost child. Schneier says the safest strategy is for the child to pick out the nearest nice-looking stranger and ask for help.

That's the math part. By making the kid choose the stranger, and not the other way around, Schneier says the odds are that the child will pick someone who will help him. If he waits for an adult to help him, he's increased the odds that the adult is a predator who has targeted him.

"When was the last time you talked to a stranger and got mugged by him?" he asked rhetorically. "People are basically good. If that were not true, society would have fallen apart a long time ago."

Besides, he says, kids have good people instincts.

Schneier says that most people have a pathology about risk that prevents them from dealing with security threats rationally.

He's dealing with that, though. "Rather than bang my head against the wall, I think it's a lot smarter to try to figure out where people's understandings begin, where their proclivities and pathologies come from."

HE TRUSTS HIS MATH

On a drizzly November day, Schneier sits hunched over a laptop at the Highland Grill in St. Paul, trying to polish off a magazine column on voting-machine security while he waits to order a chicken sandwich and some pirogies.

No one takes note of the slight, middle-aged guy with a ponytail. A celebrity in the security world, the Brooklyn-born Schneier lives in near-anonymity here with his wife, Karen, a food writer and cook, even though his company is based in Mountain View, Calif. Why the Twin Cities? "My wife lives here; it seemed polite," is his standard explanation.

Asked his age, he has to think a moment. He knows his birth year: 1963, which makes him 43. "It's easier to do the math; the age will always change, but not the birth date," he explained.

For the same reason, he never changes his watch while traveling — he could be in Amsterdam or London or Tokyo, but his watch remains synchronized with the clocks in his house in South Minneapolis. He trusts his math.

Even in the quirky and murky world of security, Schneier stands out. Computer experts are often accused of spreading fear, uncertainty and doubt — they nicknamed it FUD — so they can promote technology, but Schneier is the odd-duck nerd who insists technology by itself isn't going to save us.

For example, Schneier believes security needs to be malleable, stretchable and pliable, so that when it breaks — and it will break — it breaks in a predictable way.

Predictable security buys you time for backup to arrive. A bank makes crooks hurdle layers of security — guards, a vault, an alarm system — to give the cops time to get to the bank.

By contrast, a hard but brittle system, once cracked, lays bare all its secrets like a broken piñata.

On the national security front, Schneier asks why we ban liquids from being carried on board airplanes instead of spending money to hire and train lots more guards to wander through airports and look for suspicious activity of all kinds. And he raises a larger issue: Is there a way to get ahead of the threats instead of reacting to each new one?

Though not yet a household name, Schneier's expertise is increasingly sought out after every well-publicized security lapse.

Take the case a few weeks ago of Christopher Soghoian, a 24-year-old Ph.D. candidate in the computer sciences from Bloomington, Ind. When he put a tool on his Web site that let anyone create forged boarding passes for Northwest Airlines flights, he said he was trying to highlight a flaw in the nation's airline security procedures that would allow someone to bypass the federal No-Fly list.

The FBI confiscated Soghoian's computers. When reporters called Schneier to comment, he told them that he had pointed out that particular vulnerability three years ago.

"I think we really need to ask why the government is shooting the messenger here, when it should be spending its time fixing this obvious loophole," Schneier told the Washington Post.

A 'THOUGHT LEADER'
Computer geeks don't have many heroes. Schneier is on most short lists.
At a hacker underground convention in Las Vegas a few years ago, BT Counterpane CEO Paul Stich said he saw some of Schneier's fans bow down to him with the "Wayne's World" "we are not worthy" treatment. At the more mainstream RSA security show in San Francisco, people lined up for his autograph.

He has consulted with government agencies on projects he can't talk about and written op-ed pieces criticizing a host of government measures that he believes don't do anything to strengthen homeland security.
In October, he and Counterpane's management team sold the company, which employs 100 people, to the British telecom giant BT, which is planning to add Counterpane's security services to its own array. The price was in the "tens of millions," according to a BT spokeswoman.
His title at BT Counterpane is chief technology officer, but a better description is "security evangelist."

"He's a thought leader," said Chuck Pol, president of BT's Americas division. "He's got a worldwide reputation as an expert in security, monitoring and security practices. He's a free thinker."
His friend and business colleague Jay Walker, the founder of Priceline, says, "He's a real Renaissance man." Walker runs his own technology research and development shop, and has hired Schneier for security-related projects. "You think he's a high tech, off-the-charts genius in one area and you find out he's an off-the-charts genius in a lot of different areas."

When the waitress at the Highland Grill scribbles the night's menu on the whiteboard for a special Australian wine dinner featuring "spicy kangaroo," Schneier off-handedly volunteers that "it tastes like venison." A self-confessed "foodie," he likes to write restaurant reviews for a local paper because it is so far removed from anything involving computers or security.

His security books are considered models of clarity and readability, even the first one, which bears the scary title, "Applied Cryptography."
"The first seven or eight chapters you can read without knowing any math at all," Walker said. "The second half of the book you can't export overseas — it's classified as munitions."

SEES LIBERTIES AT RISK

The American Civil Liberties Union lauds Schneier for opposing surveillance technologies and some anti-terrorism measures that he feels encroach upon civil liberties.

"Bruce knows we are heading toward a surveillance society," said Barry Steinhardt, director of the ACLU Technology and Liberty Project. "He knows the solution is not to smash the technology," he said. "It is to put some chains on the monster, and that means laws and rules."
Schneier himself expresses concerns about some measures, such as the new abilities of a president to hold detainees suspected of terrorism indefinitely without charges. The son of a New York state appeals court judge, Schneier considers the Constitution and the law as "security devices" for society that safeguard liberties. He said the new anti-terrorism laws weaken privacy rights and put everyone's security at risk.
The government disagrees. "To say we're less secure since 9/11 is a ridiculous statement, given all we've done since 9/11," said Joanna Gonzalez, spokeswoman for the U.S. Department of Homeland Security.
The ban on taking liquids on airplanes, for instance, came in response to a specific threat, but the Transportation Security Administration is training officers to not only use technology like bag scanners but also to recognize suspicious behavior, she said.

"We're going to keep changing, and we're going to be a step ahead of them," she said.

Schneier's security peers sometimes think he overstates the threats.
"He tends to see Big Brother, and I tend to see it (the government) as too ineffective to worry about," said Marcus Ranum, the chief security officer of a rival company, Tenable Network Security. Ranum is better known for helping to develop and implement some of the first commercial firewalls in the early 1990s.

But Ranum and Schneier share a mutual respect, and have debated various security topics on their blogs.

Ranum compares Schneier to a brick maker who gradually started to see the big picture. Schneier learned how to build a house — the security system — once he realized that encryption alone — the brick — wasn't enough to safeguard secrets.

Walker said he supposes Schneier can take his security evangelism to the next level.

"I think he could go on Oprah and talk about security," he mused. "Yeah, he could. He'd be OK. He's got the ponytail."
