Bruce Schneier on security

Back in 1994, one of my first programming jobs was to build a key management application for a banking system. I had to deal with Triple DES, MD5 and RSA. While I had some background in cryptography, I quickly found the bible on this subject, Applied Cryptography by Bruce Schneier, and used it as my guide. The book, now over 10 years old, is still a reference in the field, and has left us with the names Alice, Bob, Eve and a series of others.

Over the years I have continued to read work from and follow Bruce Schneier. He was quick to find out that while the protocols used to encrypt and secure data might be safe, the people holding the keys were not so safe. Sticking your password on a yellow note on your monitor is an example of this fact.

Since 9/11, Bruce has written substantially about security measures in the post-9/11 world. One of his central themes is that most measures are security theatre: they cost a lot of money and appeal to the public demand to do something, but do not make us any safer. The passenger screening programs that have been initiated in the US and cost billions of dollars are examples of this. They generate too many false positives to make the system work, and the actual terrorists you want to catch are smart enough to work around the system.

His most recent argument is that some of this security theatre is actually helping. Most of these measures have the side effect that they make people feel more secure. As a result, the perception of security starts to match the actual security, and thus people start making proper decisions about the risks of certain activities again. His blog has more on his praise for security theatre.

If you are interested in security and need a guide to what makes sense and what does not, I strongly recommend his monthly Crypto-Gram newsletter. Thought-provoking stuff.
