In a security industry full of FUD and hype, cryptographer and consultant Bruce Schneier offers a no-nonsense reality check verging on social commentary.
He has worked on numerous ciphers, hash functions, and other cryptographic algorithms that are arcane to the average computer user but which have been instrumental in protecting the privacy of data. But his influence extends beyond the world of encryption.
Schneier wrote several bestselling books--including "Secrets and Lies: Digital Security in a Networked World," "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," and his latest, "Schneier on Security"--that provide perspective on risks and threats in everything from e-mail to airport security. And his Cryto-Gram newsletter and blog are considered must-reads inside and outside the industry.
Opinionated and cynical, he doesn't hesitate to point out that one of the biggest limitations of technology is people. ("The user's going to pick dancing pigs over security every time," he has been quoted as saying.)
In an e-mail interview with CNET News, Schneier pokes fun at National Cyber Security Month, talks about his background in crypto and working for the U.S. Defense Department, and says he fears privacy invasion more from marketers than governments or criminals.
Q: You started out as a cryptographer but are considered an expert on all types of security threats, hypes, and realities. Do you still do much cryptography? Schneier: Some. I'm a member of the cryptographic team that developed the Skein hash function, currently a second-round candidate in NIST's competition to choose an SHA-3. These competitions are kind of like cryptographic demolitions derbies: all the teams put their algorithms in the ring and try to beat up everyone else's. NIST received 64 submissions, of which 51 met the submission criteria. Of those 51, 14 proceeded to the second round. It's great fun to be working on this.
Overall, though, I am not doing a lot of cryptography. Over the past several years I have been studying security economics, and more recently, the psychology of security. These are important new fields that will have many lessons for security technology.
What are your thoughts on the state of cryptography today? There doesn't seem to be anything going on as exciting as the crypto battles of the 1990s. Schneier: We really have all the cryptography we need for the foreseeable future; the problem is using it securely. Computer and network security are by far the weaker links. Even worse are things like user interface, installation, implementation, configuration, use, and update. There's so much good cryptography that doesn't get used properly because of one of these issues. These are hardly new areas, but they're the areas that need the most work.
Do you encrypt your e-mail?… Read more