Interview with Bruce Schneier, Counterpane Internet Security

R. A. Hettinga rah at
Thu Aug 12 10:35:09 EDT 2004



Interview with Bruce Schneier, Counterpane Internet Security
Bruce Schneier, founder and CTO of Counterpane Internet Security, is one of
the world's foremost security experts and author of the influential books
Applied Cryptography, Secrets & Lies and  Beyond Fear. His free monthly
newsletter, Crypto-Gram, has over 100,000 readers. Interviewed by Glyn
Moody, he discusses the lack of accountability of software companies,
security through diversity, and why he would rather re-write Windows than

 Q.  You've said that Applied Cryptography described a "mathematical
utopia" of algorithms and protocols: what was the attraction of that utopia
for you?

A. Cryptographic security comes from mathematics, not from people and not
from machines. Mathematical security is available to everyone, both the
weak and the powerful alike, and gives ordinary people a very powerful tool
to protect their privacy. That's the cryptographic ideal of security.

Q.  To what extent is the Internet and its global linking of computers
together to blame for the destruction of that utopia?

A. They're entirely to blame, although "blame" is not really the right
word. Cryptography worked well in the era of radios and telegraphs, where
the threat was eavesdropping and mathematical cryptography could protect
absolutely. But in the world of computers and networks, the threats are
more complex and involve software and system vulnerabilities. Cryptography
is much less able to provide security in this new world; that's the
cryptographic reality of security.

Q.  In Secrets & Lies you wrote that you had an epiphany about security in
April 1999: can you say what it was?

A. As a cryptographic consultant, I did a lot of work analyzing operating
systems. Invariably I would break them, but almost never would I break the
mathematical cryptography. I eventually realized that cryptography is the
strongest part of a very weak system, and that the system aspects around
the cryptography - the software, the operating system, the network, the
user interface, etc. - are much more important.

Q.  One of the ideas in your book Secrets & Lies is that at the root of the
computer security problems we face today is the lack of accountability by
software manufacturers for their faulty products: why do you think that
they have managed to evade the responsibility - unlike everyone else -
despite the scale of the damage and the associated profits?

A. Computers are one of the few aspects of our modern society that we don't
expect to work. If cars operated like computers, no one would buy them and
there would be product liability lawsuits aplenty. But we're not seeing
that with computers. This will eventually change. It has to; computers will
eventually become as simple and reliable as telephones. And computers will
have to deal with product liabilities, just as any mass-market product. But
I've given up predicting when.

Q.  As you note, the arrival of email-borne malware has escalated security
challenges hugely. Part of the problem is the spam deluge that assails
nearly everybody's inbox: what is your preferred solution for dealing with

A. I use a service called Postini, and I love it. It cleans spam out of my
mailbox before it hits my network, so I don't have to worry about it at
all. Sure, there are some false positives, but after a few weeks of
configuring my white list, I hardly get any.

Spam filters aren't an ideal solution, though. I publish a free monthly
newsletter: Crypto-Gram. It's subscription-based, and I have over 75,000
subscribers. Again and again my newsletter gets flagged as spam, even
though it isn't. That's the real problem with spam filters: they fail to
differentiate between solicited and unsolicited bulk e-mail.

Q.  Another aspect of the problem is people's apparently irresistible
desire to open attachments: what can be done to discourage them from giving
in to this urge, and to minimise the damage when they do?

A. Education and containment. Some people still open attachments, but more
people don't. That's education. Containment would be efforts to limit what
attachments could do. Right now, when you open an attachment in Windows, it
can do anything on your computer. That simply has to stop.

Q.  You've suggested the idea of a Net-based passport: how would the system
work, and would it help here?

A. I hope I haven't given that impression, because I think it's a terrible
idea. Not only would it make the Internet less useful as a global societal
infrastructure, it wouldn't help security very much. A digital passport
would be too easy to forge and too difficult to check. And if people
blindly trust the passport, it would just make things even worse.

Q.  Looking at this problem from another viewpoint, to what extent are the
dangers of email-borne viruses, worms and trojans a consequence of a
Microsoft monoculture that allows malware programmers to make
broadly-correct assumptions about the operating and application

A. Certainly the monoculture exacerbates the problem, but it isn't the core
of the problem. Insecure, unreliable, and buggy software is endemic to
software in general, and not just Microsoft in particular. This software
causes security vulnerabilities, and would continue to do so even if there
were several equally popular operating systems. What the Microsoft
monoculture does is magnify the effects of these vulnerabilities, so that
they are more disastrous to the Internet as a whole.

One of the ways to maintain security - especially with insecure tools - is
through diversity. Monoculture flies in the face of that security strategy.

Q.  You've said that you are a fan of open source: what in particular do
you like about it?

A. Open source isn't a solution to the world's computer problems, but it is
a compelling alternative to proprietary software. Remember, though, that
open source software isn't magically more secure. It has the potential to
be more secure, because more people are looking at it, but it also has the
potential to be equally insecure. The important thing is to have good
security analysis: proprietary software vendors can buy it, and open source
systems can get it for free. But it's also possible for both proprietary
and open source software to ignore the need for security analysis.

Q.  If those writing software became liable for its faults, as you suggest,
what would be the situation for open source software?

A. I don't know. I presume there would be some exemption for open source,
just as the United States has a "good Samaritan" law protecting doctors who
help strangers in dire need. Companies could also make a business wrapping
liability protection around open source software and selling it, much as
companies like Red Hat wrap customer support around open source software.

Q.  Your books describe an interesting passage from optimism that
technology can be a solution to computer security problems, to a rather
more pessimistic view; how much of a danger do you think there is that
things might get so bad that people will just disconnect themselves from
the Internet - as is already starting to happen with email because of the
unacceptably high levels of spam?

A. I think it's very likely. People and companies make risk management
decisions about network security. If they can't do something securely, at
least some of them will decide not to do it at all.

Q.  If you were designing a replacement for the abandoned Internet, and had
a completely free hand, what would you do differently in order to render it
intrinsically more secure than Net 1.0?

A. The problem isn't the Internet. The problem is the horribly insecure
computers attached to the Internet. I would rather rewrite Windows than
Posted by glyn at August 16, 2004 08:57 AM  | Subscribe
R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list