Published: 22 Oct 2008
ZDNet talks to Bruce Schneier
Bruce Schneier first came to public attention in 1993, when he designed the Blowfish block cipher, which, impressively, is still in use after much expert examination. In 1999 he founded the managed security services company Counterpane Internet Security, which was bought by BT in 2006. Meanwhile he wrote books, breaking out with Applied Cryptography (1994, 2nd edition 1996), which is still probably the best-known textbook in the field.
It was, he says now, 'the right book at the right time. There was no other book out there. I was able to ride the internet wave'. And, of course, the mid-1990s wave of passionate activism surrounding cryptography — until then a controlled, military technology.
Schneier branched out, first into more general computer security with Secrets and Lies (2000) and then into broader security policy with Beyond Fear (2003). He also publishes the free monthly email newsletter Crypto-Gram, which he says has 150,000 subscribers. About 100,000 people read his daily blog, and many more read his words through other blogs and media stories. He is doubtless one of the few people who could make money from advertising on his personal site, but he doesn't bother. 'I already have a day job' (as BT's Chief Security Technology Officer), he says, adding wryly, 'and no reader has ever asked for me to include advertising.'
Secrets and Lies aimed to teach businesses how to cope with security in the digital age; Beyond Fear promoted practical security rather than the fear-driven kind that has become pervasive since 9/11. In his new book he turns to the cost of that security.
'No country has infinite resources,' he says, 'and we need to be smart about how we spend ours. I see this over and over again in security: people comparing the benefits of various security measures without looking at the costs.'
Authors of books that, like Applied Cryptography, explain the inner workings of one or more aspects of security are often asked whether they aren't helping the bad guys by doing so. Schneier, however, has a different worry: that a little knowledge is a dangerous thing.
'I've often said that my book Applied Cryptography has done more damage to computer security than anything else ever written,' he says. 'The problem is that people read my book and think they know how to design cryptography. Of course, they don't — this stuff is really hard — and they design something insecure. Even worse, they're convinced it is secure.' His way of shouldering that responsibility was to write Practical Cryptography (2003, with Niels Ferguson), in which, he says, 'I tried to be much more focused and prescriptive; I wanted readers to understand the context of cryptography better, instead of just all the cool things you could do with it.'
Being good at security requires a certain kind of mind — the kind that automatically scopes out a method of shoplifting whenever its owner walks into a store.
'I've done it ever since I can remember,' he says: 'wandering around stores as a child, going into a voting booth with my mother. Whenever I saw a system, I wanted to figure out how I could break it. I've often said that ethics is the only thing that separates a good security professional from a good criminal.'