As the Internet gets more powerful, how can we navigate uncharted technological territory while maintaining the privacy and security of the individual? I'm the Chief Technology Officer of IBM Resilient, a fellow at Harvard's Berkman Center, and a board member of EFF. I am part of the growing community of #PublicInterestTech.

I am the author of the new book, Click Here To Kill Everybody: Security and Survival in a Hyper-connected World. (If you are going to buy it, please buy it this week.)

And I'm here to answer all of your burning questions about the promise and perils of our interconnected, digitized world.

Proof Proof2

1:00 pm: That's all we have time for today. Thank you for all the questions. Until next time!

Comments: 130 • Responses: 47  • Date: 

darchangel18 karma

Very long time fan and reader. Thank you for being a voice for our security interests and for bringing crypto and security knowledge to commoners like me.

In your day to day life, how do you combat attitudes of friends and family who are detrimentally scared of super rare but scary scenarios? We give our kids freedom and people we know really flip out -- you know, because every bush must have a violent stranger behind it. I'd like to calm them before they call the police or some other brash reaction.

BruceSchneier23 karma

This is hard. We are irrational when it comes to fear, and it's pretty much impossible to reason with someone who is scared.

My only advice is to understand the fear: where it comes from, how it works, and so on. This old essay of mine isn't a bad place to start.

Good luck.

dale-gr16 karma

What OS are you currently using and why exactly that one?

BruceSchneier25 karma

I always get asked this one...

I use Windows whatever-is-current. Why? Inertia, mostly. I don't want to learn new muscle movements and switch to Mac. Linux feels like too much learning. And a well-hardened Windows install is pretty secure these days. (And I have a colleague I trust to harden Windows for me.)

Troppin6 karma

DOS, because I don't own a mouse.

BruceSchneier8 karma

Does anyone use a mouse anymore? I can't remember the last computer I owned without a trackpad.

tinkrman15 karma

According to Bruce Schneier Facts, you once factored a prime. How does it feel to be the only human to have done that?

BruceSchneier32 karma

It's hard to describe the feeling, but I'm sure it's exactly the same feeling that Eratosthenes had.

abcdefghjkilopqrst4414 karma

Do you think Five Eyes is going to try to bring back something like Key escrow? A new crypto war is coming?

BruceSchneier26 karma

"Do you think Five Eyes is going to try to bring back something like Key escrow? A new crypto war is coming?"

It's starting to look that way.

I just blogged about this a couple of hours ago. It looks like the intelligence agencies of the Rich English-Language Speaking Countries Club (aka the "Five Eyes") are starting to push for surveillance over security.

I'm not sure we can call it a "new crypto war" anymore. These all seem to be skirmishes in the Crypto Forever War.

For reference, this is why this is such a terrible idea. And this is my short essay.

abcdefghjkilopqrst446 karma

Thank you. I hope the Clipper (or whatever they call it) can sink again.

BruceSchneier8 karma

Someone seems to always be there to salvage the wreckage.

NAN00114 karma

What is your opinion on Mozilla's project to redirect all of Firefox' DNS queries to Cloudflare? Can CF really be more trusted than ISPs?

BruceSchneier32 karma

I don't know the details of Mozilla's project, so can't comment directly on it. Your second question is the important one, though. And we can generalize it: Who can you trust? You're not allowed to say "nobody." You have to trust someone. You have to trust a lot of someones. Mozilla has good people thinking about this, and if they decide that Cloudflare is more trusted in this instance than all the ISPs, I am willing to accept their decision.

This is very much related to supply chain security, which is basically an insurmountable problem. I talk about that here.

BabisPotatis11 karma

There's an article talking about Vodafone who refused to compensate for stolen money from accounts that had 1234 (or other possible weak password combination) as a password.

What is your opinion on that?

BruceSchneier49 karma

Wow. I hadn't heard that.

This is a hard one. We want users to take some responsibility for their own security, but we also need to recognize that it is crazy for service providers to allow users to have such poor security. In general, I want service providers to be responsible for losses so they have the incentive to improve security.

Credit cards serve as a great example. In the old days, consumers were charged for losses when they had their cards stolen. Then in 1976 -- or was it 1978? -- Congress passed a law limiting consumer liability to $50. It didn't matter who made the mistake. It didn't matter who was at fault. The maximum a credit card company could charge a consumer was $50.

This change made all the difference. Suddenly, the banks and credit card companies, who were passing the costs of poor security onto consumers, were liable. And we saw an explosion of new security measures: online card verification, expert systems that look for fraudulent spending patterns, card activation systems, and so on. None of them would have happened had the consumers been responsible for the losses.

We need to make the entity that's in the best position to fix the security problem responsible for the security problem. So, in general, companies like Verizon should be forced to pay for fraud.

re_bb10 karma

How do we ensure that technology is being developed not just with an eye toward what's new and 'cool,' but with security and longevity as top priorities?

BruceSchneier33 karma

The only way is through legislation. The market does not reward security or longevity. The market rewards features, time to market, and price. This is a market failure, and we need to recognize it and treat it as such.

WunDumGuy7 karma

Wow, that's pretty powerful. Do you see any way in which the market would reward security and longevity for technology?

BruceSchneier26 karma

Yes, the market will reward it if it is forced to.

Think of laws and regulation as establishing the playing field for the market to operate in. Once society demands -- through the levels of policy -- security and longevity, the market will figure out how to provide it cheaply and efficiently and effectively. Markets are good at that. What they're terrible at is societal direction.

zznop4 karma

I'm sure staffers are reading. What should Congress prioritize?

BruceSchneier23 karma

This isn't a question I want to answer on the fly. I spend chapters of my latest book on it. (I know this sounds like a cop-out "buy the book" answer, and I'm sorry for that. But you really don't want policy priorities dictated by quick AMA answers. You want them to be well-considered.)

FG39V9-19 karma

Mine is but a simple question. In your opinion do you think university degrees are necessary to become a professional like yourself?

BruceSchneier26 karma

No, but they are often a shorthand employers use to winnow out an applicant pool. It's the same with certifications. None of them is necessary to do the job, but they may be necessary to get the interview.

xProjectilePenguinx9 karma

I'm currently perusing a degree in cyber security. Do you have any advice for someone just getting into the field? Also, I plan on reading your book, but are there any educational books that you would recommend that you found helpful in your journey to where you are now?

BruceSchneier21 karma

My journey is old enough that the books are all obsolete. Off the top of my head, I would recommend Ross Anderson's Security Engineering and the two (I think) books by Adam Shostack.

imanmi9 karma

What are your browser's security extensions?

Https Everywhere?

uBlock Origin?

referer control?

and/or what they are you recommend?

BruceSchneier19 karma

I use HTTPS Everywhere, Adblock Plus, Privacy Badger, and Referer Control.

kristmasdestroyer7 karma

It seems everything shared via the internet can be exploited. Is anything on the internet truly private?

BruceSchneier17 karma


Well, it depends on your definition of "truly private." Just as there is no such thing as absolute security, there is no such thing as absolute privacy. Add in the Internet, and it's even worse than that.

nikki_D_NY6 karma

HI Bruce!

I love the movie Minority Report. In it, Tom Cruise walks through the mall and is instantly recognized by Iris Scanners. Then, there are little billboards that pull up his information instantly and remember his last purchases and instantly begin to play customized commercials for Tom.

How close are we to living in this type of existence?

Iris-scanning has huge privacy implications, do you believe we will in a future were Irish Scanning will not only become legally acceptable, but the norm for things like payment (gas stations, grocery stores can legally and forcibly scan irises)?

Here is the link to the scene from Minority Report if you have not seen it:

Edited to fix a typo.

BruceSchneier19 karma

We're already there on the Internet. The technology already exists to do the same thing with the Internet of Things. The only thing holding the industry back right now is the creepiness factor, and I expect people to get over that in a few years.

throwaway2498895 karma

It's an honor to have you here! A couple of questions:

  1. What do you think needs to be done about hardware security? I'm speaking mainly of backdoored or buggy firmware, as well as problems with compromising emanations from various types of hardware. Do we need a drastic change in hardware security standards and regulation?

  2. How will the increase in the availability of smaller and smaller microphones and cameras with transmission capabilities affect cybersecurity as we now know it? It seems to me that unless people take some extreme measures, their communications will be intercepted by side channels by small and hidden bugs. This could be done on a mass scale as the price of such bugs drop, and it probably will, judging from the technological pace of the past few decades. Targeted surveillance would be a nightmare for anyone not working in a Faraday cage, checking their clothes and belongings for bugs when exiting and entering the room. Almost everyone types on a keyboard that makes noise or is doing so in plain sight. Small ubiquitous bugs could record every password and message someone sends, transmitting it at a later point. It seems to me that cryptography doesn't address this at all, since it's a side channel attack. Right now it's not a real concern, but in 10 or 20 years? Could this be mitigated by using different input/output methods, for example smart glasses?

  3. Do you see a way for people to adopt secure operating systems and means of communication (Qubes, Whonix, Signal, etc.)? There's very little funding for such projects and most of the time and money goes towards improving the security and fixing bugs, but the usability of such systems is atrocious (speaking of experience).

  4. As a prolific expert and author, could you share with us some of the habits and ways of tackling problems that helped you be so productive?

BruceSchneier11 karma

#3: The only way is to make it the default. If Windows were that secure out of the box, people would adopt it. Otherwise, there's no way.

And that's fine. We don't want a world where you have to be a technical expert to have Internet and computer security.

BruceSchneier9 karma

#1: Yes. As with software, the market doesn't reward security. If we want it, we need to force companies to provide it.

BruceSchneier8 karma

Re #4: I get a lot of work done on airplanes.

happiness77345 karma

Which do you consider the greater threat to the survival of the internet: its fragmentation into different silos or the concentration of too much power into the hands of too few?

edit: and why?

BruceSchneier11 karma

Power, definitely.

There's no short answer to this. Basically, power corrupts and we are already seeing the corrupting effects of too much power concentration. We're seeing it in government power, but we're really seeing it in the concentration of corporate power. I am more worried about the concentration of corporate power and its adverse affects on the free and open Internet right now.

This is very much a theme of my latest book, as it was a theme of my previous book.

That_one_Pizza5 karma

Your opinion on pineapple on pizza?

BruceSchneier34 karma

The 1973 Council of Naples authorized fourteen pizza toppings, and pineapple was not one of them.

TheEverWatchful4 karma

Despite all the crowdsourced security and privacy benefits of FOSS, they struggle to scale across the world. Even though that may be changing, especially outside the United States (hosting, IM options like Signal, browsers like Tor and Brave etc), we still find governments and firms spending huge amounts of resources on closed-source software with opaque security landscape. As security and privacy extend beyond data to death, as argued in your new book, how can this philosophy of crowdsourced security and privacy scale in the United States? I think this can be generally asked as: does market capitalism stand in opposition to security and privacy?

BruceSchneier9 karma

Market capitalism doesn't, but surveillance capitalism does. As long as surveillance and control are the business models of the Internet, we're not going to get real security and privacy. This is also a theme of my latest book.

maxiu864 karma

What is your point of view of blockchain/cryptocurrency long term? What are the risks? Any of your thoughts on the subject will be appreciate

BruceSchneier19 karma

I am very much a blockchain skeptic. Basically, most of the benefits are illusory and the risks are considerable. It doesn't replace the need for governance. It doesn't decentralize nearly as much as it promises to. And, near as I can tell, none of its applications truly need its security properties.

I am working on a longer essay about this, one that I hope to publish in the coming weeks. Watch my blog; it'll appear there in addition to wherever I end up publishing it.

LoveEsq4 karma

What's the best way to provide security to clients for email and to verify the identity of your business? Any suggestions?

BruceSchneier12 karma

Bleah. I suggest you don't use e-mail for that. Use Signal.

LoveEsq3 karma

You saying that for some reason has a bit more force than my saying it.

BruceSchneier11 karma

No. It's just that e-mail has turned out to be impossible to reliably secure. We've spent -- what? -- two decades trying to build a secure and usable e-mail security system and have repeatedly failed. It's not the crypto, it's the fact that e-mail is just hard to secure.

When I want to have a secure conversation, I use Signal. My advice to people who can't use Signal because having it on their phone would in itself be incriminating is to use WhatsApp.

happiness77344 karma

Given the global nature of the internet is there any practical way to balance the American First Amendment and the demands for censorship by other countries who do not share that cultural value? If so, how do you imagine this great reconciliation happening?

BruceSchneier10 karma

I now teach at the Harvard Kennedy School, and there are smarter people than me studying that question. And they have no idea.

MSPubIntTech4 karma

The ecosystem of piecemeal interventions (regulations, standards, technical fixes, ethical guidelines, talent pipelines, etc.) is extremely important, but I'm struck by how ostensibly technical conversations quickly get into values and even morals. You've said that privacy is necessary for human progress. A significant majority believe neither political party in the US represents their interests. We might figure out algorithms in the near term, but synthetic biology, nanotech and other tech leaps will reignite fundamental challenges to the deep structures that undergird western civilization. I'm thinking about questions like: What kind of society do we want to live in? How do we define fairness? What kind of a relationship do we want to have with this planet? What do you see as the most promising venues or strategies to have truly public conversations about these topics?

BruceSchneier9 karma

Probably the most promising venues are universities and think tanks. This is where these sorts of issues get discussed. I worry less about these theoretical discussions, which I think are already taking place, and how they get translated into policy priorities. This is where we need technical people in policy positions.

At the end of my book, I talk about the need for "public-interest technologists," technologists who are working in governments, policy organizations, NGOs, investigative journalism, and so on. This is where we are going to get real science and tech injected into policy.

You're right that US politics are pretty dysfunctional, and the two-party system severely limits the range of views that are represented in political discussions. I don't have a solution for that; we've pretty much broken the US political system.

mebekind3 karma

“Public-interest technologists.” This feels like a very important category of expertise if there’s to be any chance of equity in this arena for the future. How do we grow this class of experts? Is early stage philanthropic investment needed?

BruceSchneier5 karma

These are complicated questions. I recommend this report for a comprehensive answer.

MSPubIntTech3 karma

Thanks very much! My concern is that universities and think tanks can tend to be elitist and status quo driven. I think it's a big challenge to figure out how to have these conversations in an inclusive way.

BruceSchneier3 karma

Agreed. But these days students are forcing universities to be more inclusive. And universities, sometimes kicking and screaming, are slowly changing.

I'm optimistic here.

iamarmintamzarian4 karma

How long do you think it will take for the cyber security software market to mature?

Speaking with experience of particular cyber security products, they’ve consistently been found to be difficult to deploy, difficult to support, and flakey; so it isn’t an isolated challenge.

BruceSchneier14 karma

I've given up predicting when the cybersecurity market will mature.

Here's a talk I gave on the topic in 2009. Here's an essay I wrote on the topic in 2007. Everything I said in those places I still think are true, but the future I predicted still has not arrived. At this point, I have no idea.

SirDragix4 karma

Hi there! How can I step in cybersecurity? I'm 20, woking in the IT, I have a ccna routing and switching certification and I'm going to take some microsoft certs.

How do I make the big step into security?

BruceSchneier13 karma

Just do it. Read everything you can. Learn. Practice.

There is an enormous demand for security expertise out there. You'll have no trouble finding work and getting experience.

Good luck.

CitizenMillennial3 karma

How likely is it that someone would hack into our Electrical Grid and shut it all down? What is stopping something like this from happening?

How can someone hack into my car and cause it to crash?

Bonus points: Do you believe any votes were changed/ vote counts altered/ legal registered voters were purged from the voter roles in the last election?

BruceSchneier9 karma

  1. It can be done. Russia demonstrated the attack twice in the Ukraine. At this point, the likelihood is more of a political question than a technical one.

  2. I'm not going to explain the techniques. There are papers on the topic -- search for them.

Bonus: I don't believe that any votes were changed. Many legal voters were purged from the voter rolls, but not by foreign hackers. They were purged as part of campaigns to suppress legitimate voters from our state governments.

mebekind3 karma

You refer to the need for “Public-interest technologists.” This feels like a very important category of expertise if there’s to be any chance of equity in this arena for the future. How do we grow this class of experts? Is early stage philanthropic investment needed?

BruceSchneier5 karma

Already asked and answered. See here.

WunDumGuy3 karma

What do you think will be the successor to passwords? Will we ever get away from passwords? Or will MFA be the future.

BruceSchneier10 karma

Passwords will always be around, because they are useful for some sorts of authentication. For high-security authentication, I think it will be a combination of multi-factor authentication -- as we see today -- and continuous authentication systems that monitor your actions and spot anomalies.

The hard one is going to be thing-to-thing authentication. Imagine a driverless car needing to exchange information with thousands of other cars, road signs and sensors, and so on. We have no idea how to do that securely.

tinkrman3 karma

You have interactions with political figures. Based on that, do you think State legislated backdoors will eventually happen?

BruceSchneier7 karma

They've already happened in countries like Russia and China. The real question is whether they will happen in the US, UK, Australia, etc.

Truly, I don't know. I hope not, but I fear that they will -- at least in some places in the near term. This could go either way.

tinkrman2 karma

When Diffie Hellman assymetric cryptography was published, in the 70s, British secret service revealed that one of their scientists had come up with it years before. They had to keep it secret, because of national security concerns. So my quuestion is this:

Today's cryptography is based on difficult mathematical problems: (prime numbers, discrete logarithms, elliptic curve cryptography etc) what are the chances these are already known to somebody in the intelligence circles (NSA and the like), and they have a way to break these?

BruceSchneier6 karma

Tough question. I talked about this back in 2013, when the first Snowden documents came out. (I am looking for the link, but I can't find it.) If I remember, the "Black Budget" document talked about some large investment the NSA is making to break cryptography. One of my guesses is that they have some sort of elliptic-curve advance that makes breaking it tractable, probably with some massive precomputation. Add to this the fact that the NSA likes to choose curves, and the suspicion increases.

So I don't know. Certainly elliptic-curve public-key cryptography is more risky than conventional public-key crypto.

re_bb2 karma

Were there any surprising moments in yesterday's tech hearings that you feel like the average tech user (that is, *not* already a cybersecurity expert) should be looking at more closely?

BruceSchneier13 karma

I admit that I wasn't paying attention.

And, in general, who cares what the tech companies say? They're not under oath, and they're just trying to say anything they can to make the problem go away. What matters is what the tech companies are doing, their business models, and the laws under which they operate. And in those things nothing much has changed.

Last November, I testified at an Equifax hearing. Congresscritters of both parties were angry at what had happened, and all promised action. Fast-forward to today: nothing was done.

I expect the same thing here, unfortunately.

awsomer3652 karma

I've been seeing those ads on TV about new security companies offering "Deep web searches for personal information" such as SSN, CCN, ect... Do you think this is a load of bs? Or do they have some merit to their claims? Obviously they cant search every site in the world.

BruceSchneier9 karma

Don't know, but I would bet BS.

Karpathos812 karma

Being that you work for IBM, obviously you're going to vouch for QRadar over Splunk. What are the pros and cons of each?

BruceSchneier12 karma

I vouch for neither because I don't know the details of either. (One of my requirements for continuing to work at IBM is that I don't help market our products.)

Snxb2 karma

What are the biggest cons of being a cybersecurity expert ? And also I read online that its hard to get motivated in Cybersecurity area if thats true how do you get motivated?

Excuse my poor English.

BruceSchneier7 karma

I've never found motivation to be a problem. This is a fascinating area of research and practice, and I cannot think of a single con.

Maybe we should ask people who have left the field.

Pariah_Zero2 karma

Have we reached the point where Blowfish is insecure enough that it warrants the effort/expense of migration? Or is it merely an old cipher with better options available?

BruceSchneier6 karma

Blowfish's insecurities stem from its 64-bit block length. I would migrate to something with a 128-bit block length.

WarrantyVoider2 karma

How much is open source and open research helping to make our systems safer? Big fan, wish you all the best :)

BruceSchneier9 karma

On a scale of 1-10, an enormous amount. Open research -- and open-source software on which to conduct research -- is how we get smarter at security. It's vital.

tinkrman2 karma

What is your opinion on Quantum computers making cracking easy? Is that even remotely possible in the near future?

BruceSchneier12 karma

This is a great question, and something I just wrote a long essay about for IEEE Security and Privacy magazine. It should be published in a few weeks, and I'll post the answer on my blog when it is. So watch that space.

In short: quantum computers will almost certainly drastically change cryptography. But don't worry, cryptographers are already working on quantum-resistant algorithms. And even if they all end up not working, the results won't be catastrophic.

Gui4life2 karma

Will you be dictating an audible version of your new book?

BruceSchneier7 karma

No. There will be one, but read by some professional book reader.

A few people asked me on my blog about when the Audible version is coming out. I know the rights were sold to Audible, but I don't know of a publication date. I don't think it's soon. (Yes, it is a reasonable question to ask why the Audible version isn't published at the same time as the print and electronic versions. The answer is that publishing is still a medieval industry.)

prebreach2 karma

Since "tech is shaping the contures of the future," how do you we ensure that we develop learning and employment opportunities with an eye toward inclusion and diversity?

Thank you!🙂

BruceSchneier9 karma

We just have to demand it. There's no special trick here. We, as engineers and programmers, need to demand that companies do this. Eventually there will be laws that require them to, but until then, we have to be the conscience of the companies we work for.

There is no other way.

overseasons2 karma

Long time reader and fan. Two questions

1: It is believed that foreign governments had access to the files Snowden holds/released prior to his time in the spotlight. It is also known that targeted identities can be purchased online(particularly in the carding community) from foreign sites indicating they have a much deeper stronghold on US assets than is portrayed or publically realized.
Q: Do you foresee any real changes to security at the federal or departmental level with this administration.... Understanding accountability and politics are like mixing water and oil.

2: What are some sites or researchers you are fond of their work?

Thanks Bruce!

BruceSchneier7 karma

#2: I hesitate to answer this, because I know I'll leave someone out. The best way to learn what I read is to watch my blog and see who I link to.

BruceSchneier5 karma

With this administration, no. I do not see any changes at the federal level. Everything is too chaotic and everyone is too distracted -- and the good people are all leaving.

Your second question takes more work. I'll answer later if there's a lull in the conversation.