"Security Is Always a Choice Between Different Sets of Risk"

Politico profiles the maverick security specialist Bruce Schneier.


Politico profiles Bruce Schneier, a security specialist who has emerged as one of the foremost critics of the security state. Here's an excerpt:

I was going to insert a joke here about the British "Carry On" films, but a discriminating alt-text connoisseur like yourself doesn't want to see that kind of shit.

After 9/11, Schneier saw a familiar utopian thinking creeping into the politics of national security, and he grew into an outspoken critic. He coined the term "security theater" to describe the showy-but-ineffectual performance of security around air travel, a choreography designed to produce a feeling of safety despite being poorly implemented, defending against the wrong danger, or both. His blog, dedicated to cryptography and tech security, was for a time a catalog of the many ways that ever-changing TSA regulations had been defeated by people with everyday resources but above-average creativity. And last year, he caused a small controversy when he cited research claiming that in the years following the September 11th attacks, enough people had chosen long-distance driving over air travel that the increase in auto-accident fatalities surpassed the number of deaths in the Twin Towers.

For Schneier, security is always a choice between different sets of risk, and there is no such thing as a perfect defense; you calculate the probabilities, and the potential costs of your decisions, as best you can. His arguments illuminate not only the places where politics and superstition have worked their way into supposedly rational systems, but also, in sometimes unexpected ways, how the shadow of 9/11 continues to define U.S. national security.

Read the rest here. Read Reason's interview with Schneier here, and read a piece he wrote for us here.

NEXT: New York and California Suck For Taxpayers, and For Freedom

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. fucking awesome alt-text

  2. Connoisseurs of quality alt-tex are nodding their approval.

    Also Bruce needs more air time. On any network.

  3. It’s hard to savor the alt-text when you can’t comment on it!

  4. What is the deal with alt-text? H&R commentators seem to have a strange hangup for it.

    1. It’s a medical issue, but only somewhat contagious.

    2. If you have to ask, you can’t know.

  5. Wow, we’re getting personalized alt-text now? What did people with less discriminating tastes get?

    1. A section of Mary’s Episiarch slashfic

  6. Chive on! Or whatever those green shirted cultists chant.

  7. His initial disbelief faded when companies began hiring him to review their digital security, and he found “the weak points had nothing to do with the mathematics. They were in the hardware, the software, the networks and the people. Beautiful pieces of mathematics were made irrelevant.”

    This is why I love this guy. Where I work, we have layers and layers and layers of encryption, passwords, security, all of it technical. But you’d be amazed at how easily the whole thing goes south because a medical assistant gives her password away to a stranger on the phone.

    People don’t get hacked, they get dumbassed.

      1. It’s the endpoints… IT’S THE DAMNED ENDPOINTS!

        FBI investigator: Shit, Silk Road is all encrypted and TORd and anonymized… and their damned servers are in Turkmenistan!

        FBI Director: Hang on. *looks over shoulder* Gladys! Get the Turkmenistan head of intelligence on the phone!

        Gladys: *dials number* He’s on line 3, sir!

        FBI Director: Alexei, long time no talk. Look, need a favor, got these servers I want images for. *crackled talking on other end* Don’t I know it… no fourth amendment for you! Ha, in Turkmenistan, Fourth Amendments YOU! What a country! *laughing on both ends of phone* No, but seriously, I’ll telex the server details to you and if you could just let me know when the server images are ready.

        *crackled talking on other end of line*

        FBI Director: Oh, the usual. How does $5 million for a security and stabilization grant sound?

    1. I just read an article about the Target breach. Sounds like Target’s security systems worked correctly to identify the breach, but Target failed to act on the notice. In other words, some human error led to a massive security breach.

      1. I haven’t read anything except when the story first broke… at that time it very much looked like inside job.

        Will check your link.

        1. It’s not all public I’m sure, but I heard a while back that it was access through an HVAC vendor that got the malware into the POS systems. Which, if this article is correct, was detected by Target before the breach.

          Sucks to be Target right now.

        2. Molly Snyder, says the intruders had gained access to the system by using stolen credentials from a third-party vendor.

          Jesus this is classic. Classic. This whole article is like a who’s who of security weaknesses that exist in probably every damned organization. Yes, including mine. Hell, especially mine.

          Management: Paul and team, create generic logins that random people will know because logging on is hard.

          Us: Not a good idea. Presents a security vulnerability.

          Management: Do it anyway.

          1. Oh wait, what am I saying? My management is creating opportunities.

            1. Management where I work is fairly good at managing security, which is odd since we are a chemical science company. However, there are some seriously strange protocols. Example: sensitive information should not be shared through email unless it is first encrypted in an archive. Then it can be sent through email; the password should then be sent in a separate message.

              I brought this up to the legal department and pointed out that if the mail system was compromised an attacker would have the sensitive information just like they would have if the information hadn’t been encrypted.

              Within my company security concerns raised through the legal department tend to get addressed faster/more thoroughly than through regular channels. It doesn’t hurt that there is a specific Legal IT group

      2. As a result, we are conducting an end-to-end review of our people, processes and technology to understand our opportunities to improve data security and are committed to learning from this experience.

        Jesus fucksticks… fire this guy. He’s calling the world’s largest retail breach an “opportunity”.

        “By elevating can-do attitudes above accurate-and-sometimes-gloomy status reporting, such project managers undercut their ability to take corrective action. They don’t even kjnow they need to take corrective action until the damage has been done. As Tom DeMarco says, can-do attitudes escalate minor setbacks into true disasters.

        1. That’s corporate speak. Every fuck-up is an opportunity or challenge.

          If the Nazis were around today, they’d call the Holocaust a “Demographic-Shifting Opportunity.”

      3. I will not say anything further right now, because reasons, but I will say that I will say that I have personal, intimate experience with a similar security breach, and the similarities are very close indeed. Technological safeguards usually work just fine, as long as the humans have bothered to put the safeguards into place, pay attention to them, and respond appropriately. Real problems occur when good safeguards are not put into place (because there’s always something more important to do), people are tricked into giving away access, and the organization fails to immediately go into complete lockdown and pretty much just sits there and watches things happen.

  8. Bruce is awesome…I got involved with crypto and security several years ago and found him to be the authority on it. Plus he has THIS site dedicated to him, my favorite is Divides by Zero.

  9. Bruce is awesome…I got involved with crypto and security several years ago and found him to be the authority on it. Plus he has THIS site dedicated to him, my favorite is Divides by Zero.


    2. But can you make $8745 a week from home? Well??

  10. I am going to have squirrel for dinner tonight! DAMNIT!

  11. Reason, your servers suck.

    1. It’s not the servers, it’s the people who run them

  12. Posting tip.

    If it won’t preview, it won’t post.

  13. ?”he cited research claiming that in the years following the September 11th attacks, enough people had chosen long-distance driving over air travel that the increase in auto-accident fatalities surpassed the number of deaths in the Twin Towers.”
    So the net on TSA is not that it is ineffective, it is that is truly harmful. And for this we pay every time we try to board a plane and every April 15th.

    And playing the comment-lotto is such fun!

Please to post comments

Comments are closed.