IamA Security Technologist and Author Bruce Schneier AMA!

Bruce, I'm a regular reader of your "Schneier on Security" blog. I enjoyed last month's article on how you set up an air gap to protect the computer you use to work with Snowden's documents. My questions: is the air gap still working as planned, and are you making any progress with Snowden's documents?

I don't have any of the Snowden documents with me, so I haven't made much use of the airgap computer. As to the Snowden documents, I'm hoping to get back to Rio in December. Things are on hold pending Greenwald's new press venture getting off the ground.

I am of the opinion that our airport security is poorly designed and for the hassle passengers go through, we get minimal benefit. I feel like we react to specific circumstances to create an illusion of security and that perception is more important to the TSA than creating a constructive plan to deal with threats. I know you are a proponent of the fail well philosophy which accepts failure and tries to compartmentalize and minimize the damage. Based on this theory what should be the security steps that airports should be taking?

I think airport security should be rolled back to pre-9/11 levels, and all the money saved should be spent on things that work: intelligence, investigation, and emergency response.

Hi Bruce. We've met before in Portland, OR at a book signing.

I agree. Before 9/11, I carried a Buck knife everywhere I went.

I would not have hesitated to use it to incapacitate a hijacker.

Now, I don't have that option.

But, the simple fact of the matter is this: If anyone tries to hijack a plane now, they will be ripped from limb to limb by their fellow passengers.

"Enhanced security" has nothing to do with this. Stronger cockpit doors were a very good idea, though.

Thank you for being a voice of sanity.

Only two things have improved airplane security since 9/11: reinforcing the cockpit doors, and teaching passengers that they have to fight back. Everything else has been security theater.

Have you ever heard of schneierfacts.com?
What do you think about it?

No, I've never heard of it. I'll go check it out.

Thank you for doing this, Bruce. I'm highly interested in security and a regular reader of your writeups.

You recently said that there are things about TrueCrypt that make you suspicious. Can you elaborate on that? Have your concerns been addressed to any degree by the fact that a person was able to compile TrueCrypt and get binaries matching the official Windows distribution?

It's just the shadowy nature of the program and its developers. Still, I think it's the best of all the options. I was pleased that the independent compilation matched the distribution binaries, and even more pleased that a bunch of us have raised money to do an independent audit of TrueCrypt. So I hope we'll be able to trust it more soon.

What is your opinion about password managers (keepass, lastpass, and others)? Do you use/trust any of these services?

I use my own Password Safe. I'm very happy with it.

From a technical perspective, is there anything in the Snowden documents (or other public releases) that you think hasn't received sufficient public attention (where public may mean "the broader software engineering or cryptographic communities")?

(I'm thinking of things such as the relative strengths of ciphers like RC4, etc.)

There has been nothing published about the relative strength of ciphers, and I don't believe that anything like that will be published. Annoying, but we're not going to get any COMSEC secrets out of the Snowden documents. (For that, we'll need another whistleblower.)

I would like more attention to be paid to BULLRUN: the NSA's program to deliberately weaken the security products we all purchase and use. And QUANTUM: the NSA's program to insert packets from the Internet backbone. Both are really impressive in their own way, and I don't think we've fully grasped the significance of them.

Hello Mr Bruce, Is BadBios a myth? Do you think it is state-sponsered malware such as Stuxnet and Duqu?

I wrote about badBios. Honestly, I don't know whether it's real or not. It sure sounds too good to be true. But then, so did Stuxnet.

After studying the Snowden documents for a while now, do you still trust AES?

Yes, I do, although there is nothing in the documents I have seen specifically about AES. Honestly, the way the NSA breaks most cryptography is by getting around it. It exploits default or weak keys, bad implementations, and back doors. It deliberately inserts vulnerabilities, and "exfiltrates" -- the NSA's word for steal -- keys when it has to.

Hi Bruce, what security breach which has been made public in recent times do you find the most intriguing and why?

The two things that interest me the most right now are packet injection attacks from the backbone and traffic shaping by maliciously using BGP. The first one because I know the NSA is doing it, and the second because I believe it is doing it.

If you were put in charge of a 21st-century Church Committee who would you want on that committee to work with you? And why?

Also, what is your favorite Linux distribution?

Back when President Obama announced his NSA review panel, I remember thinking about what a real review panel would look like. I wish I could remember who I wanted on it. Ed Felten. Jennifer Granick. Yochai Benkler. Orin Kerr. Matt Blaze. Ross Anderson. James Bamford. Those would all be people who would understand both what the NSA was telling us and what they were not telling us. There are more people, I'm sure.

I don't use Linux. (Shhh. Don't tell anyone.) Although I have started using Tails.

Why do you haven't used linux until now?

Laziness. The default is just easier.

Surely not windows?

Right. I know.

Hi Bruce. I'm a relatively new PhD student in security - do you have any advice for students like me?

In particular, how I can get more involved in the field and work on things that will really make our lives more secure and private?

Edit: a word

My primary advice is to study what interests you, and don't worry about anything else. There are so many areas of security, and they're all important. Pick the one that interests you the most and focus on that.

As to getting involved in the field, you do it by getting involved. Go to conferences. Meet colleagues. Participate in discussions. It's a really great community.

How does one deal with encryption algorithms on a memory or processing-constrained system like a microcontroller?

Slowly.

There are encryption algorithms that are designed for small devices. Either they don't need a lot of memory, or they're optimized for 8-bit processors, and the like. This is actually a significant problem sometimes; encryption is easy when you've got a huge CPU and all the memory you might want, but it's lot harder in a constrained computing environment.

Hello Bruce,

What is your greatest hope regarding outcomes from the Snowden leaks? Is a global right to privacy even possible?

I hope the government will rein in NSA surveillance -- and believe it eventually will. I believe very strongly that we face a choice: an Internet that is vulnerable to all attackers, or an Internet that is secure for all users. Eventually we'll get to the latter outcome, but I don't think it'll be anytime soon.

In the near term, the best outcome of the Snowden leaks would be that the US government comes clean and tells us what they're doing.

Hey Bruce! Given the recent insight on the NSA and their systems for backdoors and systematic flawing of encryption techniques, do you anticipate there being any backdoors discovered in embedded systems IE the actual transmission chips in phones? Thanks!

I don't think it's necessary. There are so many ways into cell phone traffic already that a backdoor isn't necessary.

Hey Bruce, I'm really interested in getting into computer security. Is there any media (book, video etc) you would recommend someone starting off with?

Ross Anderson's Security Engineering.

Thanks

Be sure to get the second edition. It's a huge book, but it's packed with lots of really good information and it's enjoyable to read.

[deleted]

Yes. I think it is.

And I'm not saying this just because I run an open Wi-Fi network.

I feel justified: http://www.reddit.com/r/IAmA/comments/1oguh2/im_a_wifi_expert_ask_me_anything/ccrucm7

This is what I wrote five years ago.

Bruce, if a portion of electronic communication users included alarming words in their communications, would it impair surveillance? If so, what portion. Is attempting to frustrate surveillance a secret crime?

Thank you.

My guess is that it would not -- that the NSA's semantic filters are cleverer than that. Still, it can't hurt to try. Although it would be annoying to the people you're communicating with.

And so far, attempting to frustrate surveillance is not a crime.

Bruce, How did the whole squid blogging thing get started?

It was a blog post on a Friday, I think.

As a security expert, do you think organisations should use more than one type of firewall in an attempt to secure their informational assets? Any type in particular you would consider to be the most important?

I am generally a big fan of multiple security devices from multiple companies. As to which kind of firewall, I don't care very much. They're all equally mediocre, in my opinion.

Configuration is king, yes?

Yes. It's the same for operating systems and networks.

Bruce, I've followed your blog for a while and I've always wondered about the fact that a malicious party can subvert the various security apparatuses employed to stop them to achieve their goals.

For example: one could simply leave a empty suitcase in an airport or train station and make a phone report stating that you saw a "suspicious person" drop it there. The end goal results is two fold: 1. the temporary shut down thus allowing economic cost to build up, and with repeated efforts, you effectively train the security staff to ignore an actual attack by flooding them with false positives.

Is there anyway to effectively counter this?

Other than to arrest (and thereby discourage) anyone who does this, no.

Hi Bruce! What do you think about the mass data collection by private companies on the internet e.g. google in order to "sell targeted ads"?

I'm not generally in favor of surveillance as a business model. And I just published an essay about that.

Recently, I read a very interesting essay about "peak ads," arguing that the ad-based economy can't sustain itself long-term. I don't know yet what I think about the arguments, but they're worth reading.

What do you think is the best way to get people who aren't so computer literate (ie most baby boomers) to understand computer security at a basic sense. Good Password etc

It has to be intuitive. It can't require expertise. It has to just work. I think the problem is more us as security system designers than them as users. We need to design systems so that non-computer-literate baby boomers can be secure without having to understand computer security.

Hi. So if we have proof that the NSA/GCHQ has been deliberately sabotaging public standards and installed backdoors into security products, doesn't this make most online contracts unenforceable? Why hasn't e-commerce collapsed? Or will this only happen once the "bad guys" start exploiting these weaknesses?

Because 1) it doesn't make online contracts unenforceable, and 2) most people don't care. And why should it be any different when the bad guys start exploiting these weaknesses? They've been exploiting other weaknesses for decades and e-commerce hasn't collapsed.

It turns out that commerce is highly resilient to insecure systems.

Can you recomend any webpages/sites/books/videos/stone tablets/other media that explain advanced encryption concepts such as (using the wiki article for SHA256 as a reference here) "structure", "rounds", these?

On a mostly unrelated note: How do you actually pronounce your last name? (It has been confusing me for years!)

Pretty much any modern cryptography text will explain those concepts. They're pretty basic.

And Schneier rhymes with tire.

Thomas Ptacek of Matasano Security laid out an update he'd love to see you and Niels Ferguson do to your book Cryptographic Engineering. What do you think of Thomas's suggestions? Do you and Ferguson have any plans to do such an update?

I'm speaking of this blog posting from Thomas Ptacek: http://sockpuppet.org/blog/2013/07/22/applied-practical-cryptography/

We haven't talked about it. My guess is no, that Cryptography Engineering is the last crypto book I'm going to write.

New news though: just four hours ago I signed a contract for a new book, on the Internet and power. It'll be published in spring 2015, so don't go looking for it just yet.

What would you say has most influenced your views and perspective on security? You've written a number of awesome books but I'm very curious to learn what's influenced your views along the way :)

It's less individual things and more everything. Economics. Evolutionary biology. Sociology. Political science. I can't even begin to select a "most."

What's your opinion on the USA FREEDOM Act currently being considered? Looks like some good news for the US but the rest of the world is still out of luck.

One of the most important things we've learned from the Snowden documents is that NSA surveillance is robust: technically, legally, and politically. I can count three different ways the NSA has to get at Google user data, for example. Those three different ways use different legal authorities and different technical capabilities. What this means is that any law that targets a particular program or a particular legal authority is likely to be ineffective. And while I have not read the USA FREEDOM Act in detail, I worry that the details are weak enough that the NSA can circumvent them.

My biggest worry is that Congress passes a law that looks good but does nothing, then pats itself on the back for a job well done and goes home.

EFF has a good analysis of the USA Freedom Act.

International espionage is its own thing. You're right that no US law, either existing or being considered, will protect non-US persons from NSA surveillance. The truth is that there is no law in any country, or any international treaty, that prevents a country from spying on foreigners. I agree that this has to change, but it's going to take a long time and a lot of international negotiating to get there.

Hi! What would you prefer to happen to SSL/TLS in the near future?

I think the protocol is good for what it does, even though there are lots of flaws with it.

If we could fix anything, though, it'd have to be the certificate system.

Recently somebody on Mozilla Security policy mailing list recommended a more SSH-like approach for https (basically, get warned about site identity the first time you visit it, and remember the certificate for the future visits, and show a much more dire warning if the certificate changes). Do you think this approach could work with something like https?

I think it could. The devil is in the details, though. It has to be done correctly.

Fundamentally, this a hard problem to solve. I don't think there ever will be a robust solution. But we certainly can do better.

Has there been any indication that the NSA or other agencies have been able to break it, without forging certificates and so on?

No. I'm not ruling out the possibility of flaws in the various implementations, though.

Hi Bruce. In the context of the future of encryption, what is your take on the mathematical "breakthroughs" associated with "finite bound on the gaps between prime numbers"? (See "Sudden Progress on Prime Number Problem Has Mathematicians Buzzing", http://www.wired.com/wiredscience/2013/11/prime/all/)

I think it's fantastic research, but I don't think it will have any effect on the difficulty of factoring. But these sorts of things are often surprising, so who knows? (This recent blog post is related.)

bruce, long time fan, first time caller =)

i'm interested to hear a prediction, provided you're willing to give one, on how the surveillance vs encryption vs law will play out:

surveillance, both online and increasingly offline via cameras in urban areas, has been a persistent problem for citizens seeking privacy. while surveillance has been increasing so has the ubiquitous use of cryptography by individuals and organizations, turning the current situation into an arms race. legislators seem loathe to put any real legal protections in place that benefit privacy or prevent citizens from being prosecuted for crimes related to activities recorded by intelligence services. do you expect that (A) the laws will be amended to actually protect privacy, (B) individuals will be left to fend for themselves (legally speaking) in an environment where there is essentially zero privacy, or (C) intelligence services actually become unable to conduct ubiquitous surveillance due to ubiquitous proper use of crypto?

i figured i would ask you this after seeing recent eric schmidt comments.

In the near term, option (B). I don't think we'll get any meaningful privacy legislation anytime soon, especially since surveillance is the business model of the Internet. And since government surveillance largely piggybacks on corporate capabilities, they'll still be able to eavesdrop. What I hope is that we can make surveillance more expensive, largely through technical means but somewhat through legal constraints. I want targeted surveillance to again be cheaper than ubiquitous surveillance.

I'm planning on doing forensic computing and security next year in university, do you think this will be able to lead on to good jobs after uni?

I think security will continue to be an excellent subfield for employment until the Internet is made up of something other than people.

Bruce, as a student, where or how can I learn to start about criptography and not die trying?

Google is a good place to start, although you'd do better by spelling the word "cryptography" correctly. After that, there are lots of good books out there. I'm happy to recommend my own Cryptography Engineering, but there are lots of others as well.

Warning, though. Cryptography = math. It's not really hard math, but it's hard math. So if math is deadly, you're going to have problems.

Thanks so much for taking the time to do this! What is your computer setup? i.e. what OS(s), devices, and services do you use? What measures do you take to secure your data?

I always worry that questions like this are intelligence gathering, so I don't often answer them. Basically, though: I encrypt my hard drive, securely erase my files, use Tor when I have to, and use Tails when I have to. I do some other things as well, but nothing magical.

My apologies. I meant no disrespect to your privacy. I was just curious about what you do so I can perhaps see what I might do to better protect my data. I too use Tor sometimes as well as encrypt my hard drive. Thanks for your response!

I wrote about some of what I do here.

WiFi: If I enable mutual auth w/ PEAP, can a hacker capture my server's cert & trick my supplicant into building a TLS tunnel to the hacker?

Off the top of my head: I have no idea.