I am Bruce Schneier, cybersecurity expert, author, and #PublicInterestTech AMA

Very long time fan and reader. Thank you for being a voice for our security interests and for bringing crypto and security knowledge to commoners like me.

In your day to day life, how do you combat attitudes of friends and family who are detrimentally scared of super rare but scary scenarios? We give our kids freedom and people we know really flip out -- you know, because every bush must have a violent stranger behind it. I'd like to calm them before they call the police or some other brash reaction.

This is hard. We are irrational when it comes to fear, and it's pretty much impossible to reason with someone who is scared.

My only advice is to understand the fear: where it comes from, how it works, and so on. This old essay of mine isn't a bad place to start.

Good luck.

What OS are you currently using and why exactly that one?

I always get asked this one...

I use Windows whatever-is-current. Why? Inertia, mostly. I don't want to learn new muscle movements and switch to Mac. Linux feels like too much learning. And a well-hardened Windows install is pretty secure these days. (And I have a colleague I trust to harden Windows for me.)

DOS, because I don't own a mouse.

Does anyone use a mouse anymore? I can't remember the last computer I owned without a trackpad.

According to Bruce Schneier Facts, you once factored a prime. How does it feel to be the only human to have done that?

It's hard to describe the feeling, but I'm sure it's exactly the same feeling that Eratosthenes had.

Do you think Five Eyes is going to try to bring back something like Key escrow? A new crypto war is coming?

"Do you think Five Eyes is going to try to bring back something like Key escrow? A new crypto war is coming?"

It's starting to look that way.

I just blogged about this a couple of hours ago. It looks like the intelligence agencies of the Rich English-Language Speaking Countries Club (aka the "Five Eyes") are starting to push for surveillance over security.

https://www.schneier.com/blog/archives/2018/09/five-eyes_intel.html

I'm not sure we can call it a "new crypto war" anymore. These all seem to be skirmishes in the Crypto Forever War.

For reference, this is why this is such a terrible idea. And this is my short essay.

https://www.schneier.com/academic/paperfiles/paper-keys-under-doormats-CSAIL.pdf

https://www.schneier.com/essays/archives/2016/02/security_vs_surveill.html

Thank you. I hope the Clipper (or whatever they call it) can sink again.

Someone seems to always be there to salvage the wreckage.

What is your opinion on Mozilla's project to redirect all of Firefox' DNS queries to Cloudflare? Can CF really be more trusted than ISPs?

I don't know the details of Mozilla's project, so can't comment directly on it. Your second question is the important one, though. And we can generalize it: Who can you trust? You're not allowed to say "nobody." You have to trust someone. You have to trust a lot of someones. Mozilla has good people thinking about this, and if they decide that Cloudflare is more trusted in this instance than all the ISPs, I am willing to accept their decision.

This is very much related to supply chain security, which is basically an insurmountable problem. I talk about that here.

There's an article talking about Vodafone who refused to compensate for stolen money from accounts that had 1234 (or other possible weak password combination) as a password.

What is your opinion on that?

Wow. I hadn't heard that.

This is a hard one. We want users to take some responsibility for their own security, but we also need to recognize that it is crazy for service providers to allow users to have such poor security. In general, I want service providers to be responsible for losses so they have the incentive to improve security.

Credit cards serve as a great example. In the old days, consumers were charged for losses when they had their cards stolen. Then in 1976 -- or was it 1978? -- Congress passed a law limiting consumer liability to $50. It didn't matter who made the mistake. It didn't matter who was at fault. The maximum a credit card company could charge a consumer was $50.

This change made all the difference. Suddenly, the banks and credit card companies, who were passing the costs of poor security onto consumers, were liable. And we saw an explosion of new security measures: online card verification, expert systems that look for fraudulent spending patterns, card activation systems, and so on. None of them would have happened had the consumers been responsible for the losses.

We need to make the entity that's in the best position to fix the security problem responsible for the security problem. So, in general, companies like Verizon should be forced to pay for fraud.

How do we ensure that technology is being developed not just with an eye toward what's new and 'cool,' but with security and longevity as top priorities?

The only way is through legislation. The market does not reward security or longevity. The market rewards features, time to market, and price. This is a market failure, and we need to recognize it and treat it as such.

Wow, that's pretty powerful. Do you see any way in which the market would reward security and longevity for technology?

Yes, the market will reward it if it is forced to.

Think of laws and regulation as establishing the playing field for the market to operate in. Once society demands -- through the levels of policy -- security and longevity, the market will figure out how to provide it cheaply and efficiently and effectively. Markets are good at that. What they're terrible at is societal direction.

I'm sure staffers are reading. What should Congress prioritize?

This isn't a question I want to answer on the fly. I spend chapters of my latest book on it. (I know this sounds like a cop-out "buy the book" answer, and I'm sorry for that. But you really don't want policy priorities dictated by quick AMA answers. You want them to be well-considered.)

Mine is but a simple question. In your opinion do you think university degrees are necessary to become a professional like yourself?

No, but they are often a shorthand employers use to winnow out an applicant pool. It's the same with certifications. None of them is necessary to do the job, but they may be necessary to get the interview.

I'm currently perusing a degree in cyber security. Do you have any advice for someone just getting into the field? Also, I plan on reading your book, but are there any educational books that you would recommend that you found helpful in your journey to where you are now?

My journey is old enough that the books are all obsolete. Off the top of my head, I would recommend Ross Anderson's Security Engineering and the two (I think) books by Adam Shostack.

What are your browser's security extensions?

Https Everywhere?

uBlock Origin?

referer control?

and/or what they are you recommend?

​

I use HTTPS Everywhere, Adblock Plus, Privacy Badger, and Referer Control.

It seems everything shared via the internet can be exploited. Is anything on the internet truly private?

No.

Well, it depends on your definition of "truly private." Just as there is no such thing as absolute security, there is no such thing as absolute privacy. Add in the Internet, and it's even worse than that.

HI Bruce!

​

I love the movie Minority Report. In it, Tom Cruise walks through the mall and is instantly recognized by Iris Scanners. Then, there are little billboards that pull up his information instantly and remember his last purchases and instantly begin to play customized commercials for Tom.

​

How close are we to living in this type of existence?

​

Iris-scanning has huge privacy implications, do you believe we will in a future were Irish Scanning will not only become legally acceptable, but the norm for things like payment (gas stations, grocery stores can legally and forcibly scan irises)?

​

Here is the link to the scene from Minority Report if you have not seen it: https://www.youtube.com/watch?v=7bXJ_obaiYQ

​

Edited to fix a typo.

We're already there on the Internet. The technology already exists to do the same thing with the Internet of Things. The only thing holding the industry back right now is the creepiness factor, and I expect people to get over that in a few years.

It's an honor to have you here! A couple of questions:

1. What do you think needs to be done about hardware security? I'm speaking mainly of backdoored or buggy firmware, as well as problems with compromising emanations from various types of hardware. Do we need a drastic change in hardware security standards and regulation?

2. How will the increase in the availability of smaller and smaller microphones and cameras with transmission capabilities affect cybersecurity as we now know it? It seems to me that unless people take some extreme measures, their communications will be intercepted by side channels by small and hidden bugs. This could be done on a mass scale as the price of such bugs drop, and it probably will, judging from the technological pace of the past few decades. Targeted surveillance would be a nightmare for anyone not working in a Faraday cage, checking their clothes and belongings for bugs when exiting and entering the room. Almost everyone types on a keyboard that makes noise or is doing so in plain sight. Small ubiquitous bugs could record every password and message someone sends, transmitting it at a later point. It seems to me that cryptography doesn't address this at all, since it's a side channel attack. Right now it's not a real concern, but in 10 or 20 years? Could this be mitigated by using different input/output methods, for example smart glasses?

3. Do you see a way for people to adopt secure operating systems and means of communication (Qubes, Whonix, Signal, etc.)? There's very little funding for such projects and most of the time and money goes towards improving the security and fixing bugs, but the usability of such systems is atrocious (speaking of experience).

4. As a prolific expert and author, could you share with us some of the habits and ways of tackling problems that helped you be so productive?

#3: The only way is to make it the default. If Windows were that secure out of the box, people would adopt it. Otherwise, there's no way.

And that's fine. We don't want a world where you have to be a technical expert to have Internet and computer security.

#1: Yes. As with software, the market doesn't reward security. If we want it, we need to force companies to provide it.

Re #4: I get a lot of work done on airplanes.

Which do you consider the greater threat to the survival of the internet: its fragmentation into different silos or the concentration of too much power into the hands of too few?

edit: and why?

Power, definitely.

There's no short answer to this. Basically, power corrupts and we are already seeing the corrupting effects of too much power concentration. We're seeing it in government power, but we're really seeing it in the concentration of corporate power. I am more worried about the concentration of corporate power and its adverse affects on the free and open Internet right now.

This is very much a theme of my latest book, as it was a theme of my previous book.

Your opinion on pineapple on pizza?

The 1973 Council of Naples authorized fourteen pizza toppings, and pineapple was not one of them.

Despite all the crowdsourced security and privacy benefits of FOSS, they struggle to scale across the world. Even though that may be changing, especially outside the United States (hosting, IM options like Signal, browsers like Tor and Brave etc), we still find governments and firms spending huge amounts of resources on closed-source software with opaque security landscape. As security and privacy extend beyond data to death, as argued in your new book, how can this philosophy of crowdsourced security and privacy scale in the United States? I think this can be generally asked as: does market capitalism stand in opposition to security and privacy?

Market capitalism doesn't, but surveillance capitalism does. As long as surveillance and control are the business models of the Internet, we're not going to get real security and privacy. This is also a theme of my latest book.

What is your point of view of blockchain/cryptocurrency long term? What are the risks? Any of your thoughts on the subject will be appreciate

I am very much a blockchain skeptic. Basically, most of the benefits are illusory and the risks are considerable. It doesn't replace the need for governance. It doesn't decentralize nearly as much as it promises to. And, near as I can tell, none of its applications truly need its security properties.

I am working on a longer essay about this, one that I hope to publish in the coming weeks. Watch my blog; it'll appear there in addition to wherever I end up publishing it.

What's the best way to provide security to clients for email and to verify the identity of your business? Any suggestions?

Bleah. I suggest you don't use e-mail for that. Use Signal.

You saying that for some reason has a bit more force than my saying it.

No. It's just that e-mail has turned out to be impossible to reliably secure. We've spent -- what? -- two decades trying to build a secure and usable e-mail security system and have repeatedly failed. It's not the crypto, it's the fact that e-mail is just hard to secure.

When I want to have a secure conversation, I use Signal. My advice to people who can't use Signal because having it on their phone would in itself be incriminating is to use WhatsApp.

Given the global nature of the internet is there any practical way to balance the American First Amendment and the demands for censorship by other countries who do not share that cultural value? If so, how do you imagine this great reconciliation happening?

I now teach at the Harvard Kennedy School, and there are smarter people than me studying that question. And they have no idea.

The ecosystem of piecemeal interventions (regulations, standards, technical fixes, ethical guidelines, talent pipelines, etc.) is extremely important, but I'm struck by how ostensibly technical conversations quickly get into values and even morals. You've said that privacy is necessary for human progress. A significant majority believe neither political party in the US represents their interests. We might figure out algorithms in the near term, but synthetic biology, nanotech and other tech leaps will reignite fundamental challenges to the deep structures that undergird western civilization. I'm thinking about questions like: What kind of society do we want to live in? How do we define fairness? What kind of a relationship do we want to have with this planet? What do you see as the most promising venues or strategies to have truly public conversations about these topics?

Probably the most promising venues are universities and think tanks. This is where these sorts of issues get discussed. I worry less about these theoretical discussions, which I think are already taking place, and how they get translated into policy priorities. This is where we need technical people in policy positions.

At the end of my book, I talk about the need for "public-interest technologists," technologists who are working in governments, policy organizations, NGOs, investigative journalism, and so on. This is where we are going to get real science and tech injected into policy.

You're right that US politics are pretty dysfunctional, and the two-party system severely limits the range of views that are represented in political discussions. I don't have a solution for that; we've pretty much broken the US political system.

“Public-interest technologists.” This feels like a very important category of expertise if there’s to be any chance of equity in this arena for the future. How do we grow this class of experts? Is early stage philanthropic investment needed?

These are complicated questions. I recommend this report for a comprehensive answer.

Thanks very much! My concern is that universities and think tanks can tend to be elitist and status quo driven. I think it's a big challenge to figure out how to have these conversations in an inclusive way.

Agreed. But these days students are forcing universities to be more inclusive. And universities, sometimes kicking and screaming, are slowly changing.

I'm optimistic here.

How long do you think it will take for the cyber security software market to mature?

Speaking with experience of particular cyber security products, they’ve consistently been found to be difficult to deploy, difficult to support, and flakey; so it isn’t an isolated challenge.

I've given up predicting when the cybersecurity market will mature.

Here's a talk I gave on the topic in 2009. Here's an essay I wrote on the topic in 2007. Everything I said in those places I still think are true, but the future I predicted still has not arrived. At this point, I have no idea.

Hi there! How can I step in cybersecurity? I'm 20, woking in the IT, I have a ccna routing and switching certification and I'm going to take some microsoft certs.

How do I make the big step into security?

Just do it. Read everything you can. Learn. Practice.

There is an enormous demand for security expertise out there. You'll have no trouble finding work and getting experience.

Good luck.

How likely is it that someone would hack into our Electrical Grid and shut it all down? What is stopping something like this from happening?

How can someone hack into my car and cause it to crash?

Bonus points: Do you believe any votes were changed/ vote counts altered/ legal registered voters were purged from the voter roles in the last election?

1. It can be done. Russia demonstrated the attack twice in the Ukraine. At this point, the likelihood is more of a political question than a technical one.

2. I'm not going to explain the techniques. There are papers on the topic -- search for them.

Bonus: I don't believe that any votes were changed. Many legal voters were purged from the voter rolls, but not by foreign hackers. They were purged as part of campaigns to suppress legitimate voters from our state governments.

You refer to the need for “Public-interest technologists.” This feels like a very important category of expertise if there’s to be any chance of equity in this arena for the future. How do we grow this class of experts? Is early stage philanthropic investment needed?

Already asked and answered. See here.

What do you think will be the successor to passwords? Will we ever get away from passwords? Or will MFA be the future.

Passwords will always be around, because they are useful for some sorts of authentication. For high-security authentication, I think it will be a combination of multi-factor authentication -- as we see today -- and continuous authentication systems that monitor your actions and spot anomalies.

The hard one is going to be thing-to-thing authentication. Imagine a driverless car needing to exchange information with thousands of other cars, road signs and sensors, and so on. We have no idea how to do that securely.

You have interactions with political figures. Based on that, do you think State legislated backdoors will eventually happen?

They've already happened in countries like Russia and China. The real question is whether they will happen in the US, UK, Australia, etc.

Truly, I don't know. I hope not, but I fear that they will -- at least in some places in the near term. This could go either way.

When Diffie Hellman assymetric cryptography was published, in the 70s, British secret service revealed that one of their scientists had come up with it years before. They had to keep it secret, because of national security concerns. So my quuestion is this:

Today's cryptography is based on difficult mathematical problems: (prime numbers, discrete logarithms, elliptic curve cryptography etc) what are the chances these are already known to somebody in the intelligence circles (NSA and the like), and they have a way to break these?

Tough question. I talked about this back in 2013, when the first Snowden documents came out. (I am looking for the link, but I can't find it.) If I remember, the "Black Budget" document talked about some large investment the NSA is making to break cryptography. One of my guesses is that they have some sort of elliptic-curve advance that makes breaking it tractable, probably with some massive precomputation. Add to this the fact that the NSA likes to choose curves, and the suspicion increases.

So I don't know. Certainly elliptic-curve public-key cryptography is more risky than conventional public-key crypto.

Were there any surprising moments in yesterday's tech hearings that you feel like the average tech user (that is, *not* already a cybersecurity expert) should be looking at more closely?

I admit that I wasn't paying attention.

And, in general, who cares what the tech companies say? They're not under oath, and they're just trying to say anything they can to make the problem go away. What matters is what the tech companies are doing, their business models, and the laws under which they operate. And in those things nothing much has changed.

Last November, I testified at an Equifax hearing. Congresscritters of both parties were angry at what had happened, and all promised action. Fast-forward to today: nothing was done.

I expect the same thing here, unfortunately.

I've been seeing those ads on TV about new security companies offering "Deep web searches for personal information" such as SSN, CCN, ect... Do you think this is a load of bs? Or do they have some merit to their claims? Obviously they cant search every site in the world.

Don't know, but I would bet BS.

Being that you work for IBM, obviously you're going to vouch for QRadar over Splunk. What are the pros and cons of each?

I vouch for neither because I don't know the details of either. (One of my requirements for continuing to work at IBM is that I don't help market our products.)

What are the biggest cons of being a cybersecurity expert ? And also I read online that its hard to get motivated in Cybersecurity area if thats true how do you get motivated?

Excuse my poor English.

I've never found motivation to be a problem. This is a fascinating area of research and practice, and I cannot think of a single con.

Maybe we should ask people who have left the field.

Have we reached the point where Blowfish is insecure enough that it warrants the effort/expense of migration? Or is it merely an old cipher with better options available?

Blowfish's insecurities stem from its 64-bit block length. I would migrate to something with a 128-bit block length.

How much is open source and open research helping to make our systems safer? Big fan, wish you all the best :)

On a scale of 1-10, an enormous amount. Open research -- and open-source software on which to conduct research -- is how we get smarter at security. It's vital.

What is your opinion on Quantum computers making cracking easy? Is that even remotely possible in the near future?

This is a great question, and something I just wrote a long essay about for IEEE Security and Privacy magazine. It should be published in a few weeks, and I'll post the answer on my blog when it is. So watch that space.

In short: quantum computers will almost certainly drastically change cryptography. But don't worry, cryptographers are already working on quantum-resistant algorithms. And even if they all end up not working, the results won't be catastrophic.

Will you be dictating an audible version of your new book?

No. There will be one, but read by some professional book reader.

A few people asked me on my blog about when the Audible version is coming out. I know the rights were sold to Audible, but I don't know of a publication date. I don't think it's soon. (Yes, it is a reasonable question to ask why the Audible version isn't published at the same time as the print and electronic versions. The answer is that publishing is still a medieval industry.)

Since "tech is shaping the contures of the future," how do you we ensure that we develop learning and employment opportunities with an eye toward inclusion and diversity?

Thank you!🙂

We just have to demand it. There's no special trick here. We, as engineers and programmers, need to demand that companies do this. Eventually there will be laws that require them to, but until then, we have to be the conscience of the companies we work for.

There is no other way.

Long time reader and fan. Two questions

1: It is believed that foreign governments had access to the files Snowden holds/released prior to his time in the spotlight. It is also known that targeted identities can be purchased online(particularly in the carding community) from foreign sites indicating they have a much deeper stronghold on US assets than is portrayed or publically realized.
Q: Do you foresee any real changes to security at the federal or departmental level with this administration.... Understanding accountability and politics are like mixing water and oil.

2: What are some sites or researchers you are fond of their work?

Thanks Bruce!

#2: I hesitate to answer this, because I know I'll leave someone out. The best way to learn what I read is to watch my blog and see who I link to.

With this administration, no. I do not see any changes at the federal level. Everything is too chaotic and everyone is too distracted -- and the good people are all leaving.

Your second question takes more work. I'll answer later if there's a lull in the conversation.