Bruce Schneier speaks to iWeek about cryptography, covering your security butt and grandstanding.

iWeek: Do you still agree with what you wrote in Applied Cryptography?

Schneier: It's not the cryptography that's the issue. I got that wrong. The real issue is everything else that happened: assaults on anonymity, assaults on privacy, assaults on your e-mail - those are the things that have happened because they are the real leverage points. When you break crypto systems, you break one of those other things. I thought it was cryptography and I was wrong.

iWeek: So, effectively, your original threat assessment needed to be revised?

Schneier: Yes, there's a sense that we all got it wrong back then. We were fighting the crypto wars and we won - we can now freely export cryptography. But it didn't matter because it wasn't about the cryptography. These are human problems - the math problems are the easy ones, it's the human ones that are the hard ones.

iWeek: Are you happy with your Blowfish and Twofish algorithms?

Schneier: Yes. They are good algorithms and they're used in a lot of products, but I tell people to rather use the standards.

iWeek: What's the problem with the measures at airports these days? My deodorant was confiscated because it was "flammable" (unlike all the Jet A1 fuel in the wings), but I was allowed to take nail clippers from Atlanta to Kentucky?

Schneier: Yeah, I apologise for that. Since 9/11, we've spent hundreds of billions of dollars defending ourselves from terrorist attacks. Stories about the ineffectiveness of many of these security measures are common, but less so are discussions of why they are so ineffective. In short: much of our country's counter-terrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs.

A lot of security is of this "cover your ass" kind and it is unfortunate because we seem to be spending a lot of money not getting any safer. I find it very frustrating and wish it were better. We're seeing CYA security on the national level, from our politicians. We might be better off as a nation funding intelligence gathering and Arabic translators, but it's a better re-election strategy to fund something visible but ineffective, like a national ID card or a wall between the US and Mexico.

iWeek: What about the corporate environment? Are there similar examples of grandstanding in the business world?

Schneier: There are, and a lot of it is PR-based security. Generally corporations are better at spending money because they have a profit motive - they're not after being re-elected. But you still see them faking security to fake their customers. Cellphone carriers tout the security of the digital network - which is complete bullsh*t. But they say it because it makes good press and there are reporters who will write about it because they don't know any better. You see it less in business because there isn't the same amount of government grandstanding that any democracy requires because politicians want to get re-elected.

But you do see it used to hoodwink customers. is a great example. Every time a new version of their operating system comes out, they will tout how secure it is. The new version of Windows is much more secure than the older one! It's pretty much never true, but they will say it because they want to get the press bump from touting it.

iWeek: How feasible is a managed security service like BT Counterpane's in a country like ours where bandwidth is slow and costly?

Schneier: Unlike many of the managed security companies, I built mine to be distributed on purpose to reduce bandwidth requirements, so that it doesn't require a very high bandwidth connection from your country back to our operations centre. For some managed services a slow connection is completely infeasible - you just won't get the performance, but the BT Counterpane one was built to deal with that problem.

iWeek: What sort of policy advice would you give to developing countries on cryptography?

Schneier: Don't have one. Just like you might not have a tuna-fish sandwich policy, don't have a policy on cryptography. You don't need a crypto policy. Giving companies security is essential for capitalism, democracy and liberty and you don't want to mess with that.