My short bio: Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 12 books -- including Liars and Outliers: Enabling the Trust Society Needs to Survive -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and his blog "Schneier on Security" are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard Law School, a program fellow at the New America Foundation's Open Technology Institute, a board member of the Electronic Frontier Foundation, an Advisory Board Member of the Electronic Privacy Information Center, and the Security Futurologist for BT -- formerly British Telecom.

Proof: https://www.schneier.com/blog/archives/2013/11/reddit_ask_me_a.html

Thank you all for your time and for coming by to ask me questions. Please visit my blog for more information and opinions.

Comments: 310 • Responses: 45

Gravy-Leg__81 karma

Bruce, I'm a regular reader of your "Schneier on Security" blog. I enjoyed last month's article on how you set up an air gap to protect the computer you use to work with Snowden's documents. My questions: is the air gap still working as planned, and are you making any progress with Snowden's documents?

BruceSchneier86 karma

I don't have any of the Snowden documents with me, so I haven't made much use of the airgap computer. As to the Snowden documents, I'm hoping to get back to Rio in December. Things are on hold pending Greenwald's new press venture getting off the ground.

mrshatnertoyou60 karma

I am of the opinion that our airport security is poorly designed and for the hassle passengers go through, we get minimal benefit. I feel like we react to specific circumstances to create an illusion of security and that perception is more important to the TSA than creating a constructive plan to deal with threats. I know you are a proponent of the fail well philosophy which accepts failure and tries to compartmentalize and minimize the damage. Based on this theory what should be the security steps that airports should be taking?

BruceSchneier135 karma

I think airport security should be rolled back to pre-9/11 levels, and all the money saved should be spent on things that work: intelligence, investigation, and emergency response.

TiltedPlacitan30 karma

Hi Bruce. We've met before in Portland, OR at a book signing.

I agree. Before 9/11, I carried a Buck knife everywhere I went.

I would not have hesitated to use it to incapacitate a hijacker.

Now, I don't have that option.

But, the simple fact of the matter is this: If anyone tries to hijack a plane now, they will be ripped from limb to limb by their fellow passengers.

"Enhanced security" has nothing to do with this. Stronger cockpit doors were a very good idea, though.

Thank you for being a voice of sanity.

BruceSchneier168 karma

Only two things have improved airplane security since 9/11: reinforcing the cockpit doors, and teaching passengers that they have to fight back. Everything else has been security theater.

fqm56 karma

Have you ever heard of schneierfacts.com?
What do you think about it?

BruceSchneier51 karma

No, I've never heard of it. I'll go check it out.

CreepyOctopus55 karma

Thank you for doing this, Bruce. I'm highly interested in security and a regular reader of your writeups.

You recently said that there are things about TrueCrypt that make you suspicious. Can you elaborate on that? Have your concerns been addressed to any degree by the fact that a person was able to compile TrueCrypt and get binaries matching the official Windows distribution?

BruceSchneier107 karma

It's just the shadowy nature of the program and its developers. Still, I think it's the best of all the options. I was pleased that the independent compilation matched the distribution binaries, and even more pleased that a bunch of us have raised money to do an independent audit of TrueCrypt. So I hope we'll be able to trust it more soon.

leonardocabeza52 karma

What is your opinion about password managers (KeePass, LastPass, and others)? Do you use/trust any of these services?

BruceSchneier80 karma

I use my own Password Safe. I'm very happy with it.

kingkilr44 karma

From a technical perspective, is there anything in the Snowden documents (or other public releases) that you think hasn't received sufficient public attention (where public may mean "the broader software engineering or cryptographic communities")?

(I'm thinking of things such as the relative strengths of ciphers like RC4, etc.)

BruceSchneier82 karma

There has been nothing published about the relative strength of ciphers, and I don't believe that anything like that will be published. Annoying, but we're not going to get any COMSEC secrets out of the Snowden documents. (For that, we'll need another whistleblower.)

I would like more attention to be paid to BULLRUN: the NSA's program to deliberately weaken the security products we all purchase and use. And QUANTUM: the NSA's program to insert packets from the Internet backbone. Both are really impressive in their own way, and I don't think we've fully grasped the significance of them.

Epicbullet44 karma

Hello Mr Bruce, is BadBios a myth? Do you think it is state-sponsored malware such as Stuxnet and Duqu?

BruceSchneier63 karma

I wrote about badBios. Honestly, I don't know whether it's real or not. It sure sounds too good to be true. But then, so did Stuxnet.

AlbertVeli43 karma

After studying the Snowden documents for a while now, do you still trust AES?

BruceSchneier87 karma

Yes, I do, although there is nothing in the documents I have seen specifically about AES. Honestly, the way the NSA breaks most cryptography is by getting around it. It exploits default or weak keys, bad implementations, and back doors. It deliberately inserts vulnerabilities, and "exfiltrates" -- the NSA's word for steal -- keys when it has to.

Pixulated42 karma

Hi Bruce, what security breach which has been made public in recent times do you find the most intriguing and why?

BruceSchneier81 karma

The two things that interest me the most right now are packet injection attacks from the backbone and traffic shaping by maliciously using BGP. The first one because I know the NSA is doing it, and the second because I believe it is doing it.

bitshifts_be_crazy29 karma

If you were put in charge of a 21st-century Church Committee who would you want on that committee to work with you? And why?

Also, what is your favorite Linux distribution?

BruceSchneier64 karma

Back when President Obama announced his NSA review panel, I remember thinking about what a real review panel would look like. I wish I could remember who I wanted on it. Ed Felten. Jennifer Granick. Yochai Benkler. Orin Kerr. Matt Blaze. Ross Anderson. James Bamford. Those would all be people who would understand both what the NSA was telling us and what they were not telling us. There are more people, I'm sure.

I don't use Linux. (Shhh. Don't tell anyone.) Although I have started using Tails.

elfio25 karma

Why haven't you used Linux until now?

BruceSchneier32 karma

Laziness. The default is just easier.

bowser423 karma

Surely not Windows?

BruceSchneier38 karma

Right. I know.

sylocybin26 karma

Hi Bruce. I'm a relatively new PhD student in security - do you have any advice for students like me?

In particular, how I can get more involved in the field and work on things that will really make our lives more secure and private?

Edit: a word

BruceSchneier52 karma

My primary advice is to study what interests you, and don't worry about anything else. There are so many areas of security, and they're all important. Pick the one that interests you the most and focus on that.

As to getting involved in the field, you do it by getting involved. Go to conferences. Meet colleagues. Participate in discussions. It's a really great community.

bitshifts_be_crazy23 karma

How does one deal with encryption algorithms on a memory or processing-constrained system like a microcontroller?

BruceSchneier43 karma

Slowly.

There are encryption algorithms that are designed for small devices. Either they don't need a lot of memory, or they're optimized for 8-bit processors, and the like. This is actually a significant problem sometimes; encryption is easy when you've got a huge CPU and all the memory you might want, but it's a lot harder in a constrained computing environment.

VR223 karma

Hello Bruce,

What is your greatest hope regarding outcomes from the Snowden leaks? Is a global right to privacy even possible?

BruceSchneier54 karma

I hope the government will rein in NSA surveillance -- and believe it eventually will. I believe very strongly that we face a choice: an Internet that is vulnerable to all attackers, or an Internet that is secure for all users. Eventually we'll get to the latter outcome, but I don't think it'll be anytime soon.

In the near term, the best outcome of the Snowden leaks would be that the US government comes clean and tells us what they're doing.

JFKingsley22 karma

Hey Bruce! Given the recent insight on the NSA and their systems for backdoors and systematic flawing of encryption techniques, do you anticipate there being any backdoors discovered in embedded systems, i.e. the actual transmission chips in phones? Thanks!

BruceSchneier41 karma

I don't think it's necessary. There are so many ways into cell phone traffic already that a backdoor isn't necessary.

TsumeAlphaWolf19 karma

Hey Bruce, I'm really interested in getting into computer security. Is there any media (book, video etc) you would recommend someone starting off with?

BruceSchneier45 karma

Ross Anderson's Security Engineering.

TsumeAlphaWolf6 karma

Thanks

BruceSchneier25 karma

Be sure to get the second edition. It's a huge book, but it's packed with lots of really good information and it's enjoyable to read.

mkr19 karma

[deleted]

BruceSchneier26 karma

Yes. I think it is.

And I'm not saying this just because I run an open Wi-Fi network.

BruceSchneier26 karma

This is what I wrote five years ago.

Wailea18 karma

Bruce, if a portion of electronic communication users included alarming words in their communications, would it impair surveillance? If so, what portion? Is attempting to frustrate surveillance a secret crime?

Thank you.

BruceSchneier38 karma

My guess is that it would not -- that the NSA's semantic filters are cleverer than that. Still, it can't hurt to try. Although it would be annoying to the people you're communicating with.

And so far, attempting to frustrate surveillance is not a crime.

Gravy-Leg__15 karma

Bruce, How did the whole squid blogging thing get started?

BruceSchneier29 karma

It was a blog post on a Friday, I think.

Leeding13 karma

As a security expert, do you think organisations should use more than one type of firewall in an attempt to secure their informational assets? Any type in particular you would consider to be the most important?

BruceSchneier30 karma

I am generally a big fan of multiple security devices from multiple companies. As to which kind of firewall, I don't care very much. They're all equally mediocre, in my opinion.

expo53d17 karma

Configuration is king, yes?

BruceSchneier31 karma

Yes. It's the same for operating systems and networks.

Shock22313 karma

Bruce, I've followed your blog for a while and I've always wondered about the fact that a malicious party can subvert the various security apparatuses employed to stop them to achieve their goals.

For example: one could simply leave an empty suitcase in an airport or train station and make a phone report stating that you saw a "suspicious person" drop it there. The end result is twofold: 1. the temporary shutdown allows economic cost to build up, and 2. with repeated efforts, you effectively train the security staff to ignore an actual attack by flooding them with false positives.

Is there any way to effectively counter this?

BruceSchneier16 karma

Other than to arrest (and thereby discourage) anyone who does this, no.

lrby13 karma

Hi Bruce! What do you think about the mass data collection by private companies on the internet, e.g. Google, in order to "sell targeted ads"?

BruceSchneier27 karma

I'm not generally in favor of surveillance as a business model. And I just published an essay about that.

Recently, I read a very interesting essay about "peak ads," arguing that the ad-based economy can't sustain itself long-term. I don't know yet what I think about the arguments, but they're worth reading.

GatonM12 karma

What do you think is the best way to get people who aren't so computer literate (i.e. most baby boomers) to understand computer security in a basic sense? Good passwords, etc.

BruceSchneier34 karma

It has to be intuitive. It can't require expertise. It has to just work. I think the problem is more us as security system designers than them as users. We need to design systems so that non-computer-literate baby boomers can be secure without having to understand computer security.

merkwurdig12 karma

Hi. So if we have proof that the NSA/GCHQ has been deliberately sabotaging public standards and installed backdoors into security products, doesn't this make most online contracts unenforceable? Why hasn't e-commerce collapsed? Or will this only happen once the "bad guys" start exploiting these weaknesses?

BruceSchneier28 karma

Because 1) it doesn't make online contracts unenforceable, and 2) most people don't care. And why should it be any different when the bad guys start exploiting these weaknesses? They've been exploiting other weaknesses for decades and e-commerce hasn't collapsed.

It turns out that commerce is highly resilient to insecure systems.

smd75jr11 karma

Can you recommend any webpages/sites/books/videos/stone tablets/other media that explain advanced encryption concepts such as (using the wiki article for SHA256 as a reference here) "structure", "rounds", and so on?

On a mostly unrelated note: How do you actually pronounce your last name? (It has been confusing me for years!)

BruceSchneier26 karma

Pretty much any modern cryptography text will explain those concepts. They're pretty basic.

And Schneier rhymes with tire.

spiffiness10 karma

Thomas Ptacek of Matasano Security laid out an update he'd love to see you and Niels Ferguson do to your book Cryptographic Engineering. What do you think of Thomas's suggestions? Do you and Ferguson have any plans to do such an update?

I'm speaking of this blog posting from Thomas Ptacek: http://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/

BruceSchneier18 karma

We haven't talked about it. My guess is no, that Cryptography Engineering is the last crypto book I'm going to write.

New news though: just four hours ago I signed a contract for a new book, on the Internet and power. It'll be published in spring 2015, so don't go looking for it just yet.

ikkaiteku10 karma

What would you say has most influenced your views and perspective on security? You've written a number of awesome books but I'm very curious to learn what's influenced your views along the way :)

BruceSchneier14 karma

It's less individual things and more everything. Economics. Evolutionary biology. Sociology. Political science. I can't even begin to select a "most."

penguinopusredux9 karma

What's your opinion on the USA FREEDOM Act currently being considered? Looks like some good news for the US but the rest of the world is still out of luck.

BruceSchneier33 karma

One of the most important things we've learned from the Snowden documents is that NSA surveillance is robust: technically, legally, and politically. I can count three different ways the NSA has to get at Google user data, for example. Those three different ways use different legal authorities and different technical capabilities. What this means is that any law that targets a particular program or a particular legal authority is likely to be ineffective. And while I have not read the USA FREEDOM Act in detail, I worry that the details are weak enough that the NSA can circumvent them.

My biggest worry is that Congress passes a law that looks good but does nothing, then pats itself on the back for a job well done and goes home.

BruceSchneier22 karma

EFF has a good analysis of the USA Freedom Act.

BruceSchneier21 karma

International espionage is its own thing. You're right that no US law, either existing or being considered, will protect non-US persons from NSA surveillance. The truth is that there is no law in any country, or any international treaty, that prevents a country from spying on foreigners. I agree that this has to change, but it's going to take a long time and a lot of international negotiating to get there.

AlbertVeli9 karma

Hi! What would you prefer to happen to SSL/TLS in the near future?

BruceSchneier26 karma

I think the protocol is good for what it does, even though there are lots of flaws with it.

If we could fix anything, though, it'd have to be the certificate system.

ender-_12 karma

Recently somebody on the Mozilla Security Policy mailing list recommended a more SSH-like approach for https (basically, get warned about site identity the first time you visit it, remember the certificate for future visits, and show a much more dire warning if the certificate changes). Do you think this approach could work with something like https?

BruceSchneier17 karma

I think it could. The devil is in the details, though. It has to be done correctly.

Fundamentally, this is a hard problem to solve. I don't think there ever will be a robust solution. But we certainly can do better.
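The SSH-like model discussed in this exchange is usually called trust-on-first-use (TOFU) pinning. The following is an added example, not code from the AMA or from Mozilla: a minimal TOFU store that records the SHA-256 fingerprint of the first certificate seen for a host and classifies later connections as matching or changed. The certificates are constructed byte strings standing in for the DER bytes a TLS client would receive; the class and method names are this example's own. The point Bruce makes about "the devil is in the details" shows up directly in the code: the store cannot tell a legitimate certificate rotation from an interception, so a change can only be surfaced as a decision for the user or operator, not resolved automatically.

```python
import hashlib
import json
import time

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_V1 = b"constructed-cert:example.org:serial=0001"
CERT_V2 = b"constructed-cert:example.org:serial=0002"  # rotated or substituted cert


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate bytes, as browsers and SSH display it."""
    return hashlib.sha256(cert_der).hexdigest()


class TofuStore:
    """Trust-on-first-use pin store: host -> first-seen certificate fingerprint."""

    FIRST_VISIT = "first_visit"   # no pin yet; the user is asked to accept identity
    MATCH = "match"               # presented cert matches the stored pin
    CHANGED = "changed"           # presented cert differs: dire warning, do not auto-trust

    def __init__(self, pins=None):
        # pins: {host: {"fingerprint": hex, "first_seen": epoch_seconds}}
        self.pins = dict(pins or {})

    def check(self, host: str, cert_der: bytes, now: float = None) -> str:
        """Classify a connection; pins are only created on first visit, never
        silently replaced, because a TOFU store cannot distinguish a legitimate
        rotation from an interposed certificate."""
        fp = fingerprint(cert_der)
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = {"fingerprint": fp, "first_seen": now or time.time()}
            return self.FIRST_VISIT
        if pin["fingerprint"] == fp:
            return self.MATCH
        return self.CHANGED

    def accept_change(self, host: str, cert_der: bytes, now: float = None) -> None:
        """Explicit user/operator decision to re-pin after a CHANGED verdict."""
        self.pins[host] = {"fingerprint": fingerprint(cert_der),
                           "first_seen": now or time.time()}

    def dumps(self) -> str:
        """Persist the pin store (e.g. to a file between browser sessions)."""
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "TofuStore":
        return cls(json.loads(data))


def demo():
    """Walk through first visit, repeat visit, certificate change, and re-pin."""
    store = TofuStore()
    verdicts = [
        store.check("example.org", CERT_V1, now=1000.0),  # first_visit
        store.check("example.org", CERT_V1, now=1001.0),  # match
        store.check("example.org", CERT_V2, now=1002.0),  # changed
    ]
    # Pins survive a round trip through persistence, and the change was not auto-accepted.
    reloaded = TofuStore.loads(store.dumps())
    verdicts.append(reloaded.check("example.org", CERT_V2, now=1003.0))  # still changed
    reloaded.accept_change("example.org", CERT_V2, now=1004.0)
    verdicts.append(reloaded.check("example.org", CERT_V2, now=1005.0))  # match after re-pin
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Running the module prints `['first_visit', 'match', 'changed', 'changed', 'match']`. What the store does not give you is any way to validate the first certificate, which is the gap the CA system fills and the reason the two approaches are usually combined (pinning as a second check) rather than one replacing the other.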

merkwurdig5 karma

Has there been any indication that the NSA or other agencies have been able to break it, without forging certificates and so on?

BruceSchneier10 karma

No. I'm not ruling out the possibility of flaws in the various implementations, though.

enrpir8 karma

Hi Bruce. In the context of the future of encryption, what is your take on the mathematical "breakthroughs" associated with "finite bound on the gaps between prime numbers"? (See "Sudden Progress on Prime Number Problem Has Mathematicians Buzzing", http://www.wired.com/wiredscience/2013/11/prime/all/)

BruceSchneier14 karma

I think it's fantastic research, but I don't think it will have any effect on the difficulty of factoring. But these sorts of things are often surprising, so who knows? (This recent blog post is related.)

behindtext7 karma

bruce, long time fan, first time caller =)

i'm interested to hear a prediction, provided you're willing to give one, on how the surveillance vs encryption vs law will play out:

surveillance, both online and increasingly offline via cameras in urban areas, has been a persistent problem for citizens seeking privacy. while surveillance has been increasing so has the ubiquitous use of cryptography by individuals and organizations, turning the current situation into an arms race. legislators seem loath to put any real legal protections in place that benefit privacy or prevent citizens from being prosecuted for crimes related to activities recorded by intelligence services. do you expect that (A) the laws will be amended to actually protect privacy, (B) individuals will be left to fend for themselves (legally speaking) in an environment where there is essentially zero privacy, or (C) intelligence services actually become unable to conduct ubiquitous surveillance due to ubiquitous proper use of crypto?

i figured i would ask you this after seeing recent Eric Schmidt comments.

BruceSchneier24 karma

In the near term, option (B). I don't think we'll get any meaningful privacy legislation anytime soon, especially since surveillance is the business model of the Internet. And since government surveillance largely piggybacks on corporate capabilities, they'll still be able to eavesdrop. What I hope is that we can make surveillance more expensive, largely through technical means but somewhat through legal constraints. I want targeted surveillance to again be cheaper than ubiquitous surveillance.

henry_blackie6 karma

I'm planning on doing forensic computing and security next year in university, do you think this will be able to lead on to good jobs after uni?

BruceSchneier27 karma

I think security will continue to be an excellent subfield for employment until the Internet is made up of something other than people.

leonardocabeza5 karma

Bruce, as a student, where or how can I learn to start about criptography and not die trying?

BruceSchneier43 karma

Google is a good place to start, although you'd do better by spelling the word "cryptography" correctly. After that, there are lots of good books out there. I'm happy to recommend my own Cryptography Engineering, but there are lots of others as well.

Warning, though. Cryptography = math. It's not really hard math, but it's hard math. So if math is deadly, you're going to have problems.

583JJDWD5 karma

Thanks so much for taking the time to do this! What is your computer setup? i.e. what OS(s), devices, and services do you use? What measures do you take to secure your data?

BruceSchneier19 karma

I always worry that questions like this are intelligence gathering, so I don't often answer them. Basically, though: I encrypt my hard drive, securely erase my files, use Tor when I have to, and use Tails when I have to. I do some other things as well, but nothing magical.

583JJDWD8 karma

My apologies. I meant no disrespect to your privacy. I was just curious about what you do so I can perhaps see what I might do to better protect my data. I too use Tor sometimes as well as encrypt my hard drive. Thanks for your response!

BruceSchneier10 karma

I wrote about some of what I do here.

benjamiller3 karma

WiFi: If I enable mutual auth w/ PEAP, can a hacker capture my server's cert & trick my supplicant into building a TLS tunnel to the hacker?

BruceSchneier16 karma

Off the top of my head: I have no idea.