By Kelly Jackson Higgins
January 10, 2007
Security is a system, he says, and you have to look at security
technologies in that broader context
He's eaten guinea pig in Peru, whale in Japan, and tried insects in
Australia. But security guru -- and part-time restaurant critic -- Bruce
Schneier mostly steers clear of chain restaurants, which he finds
When he's not sampling exotic cuisine, Schneier is best known as the
developer of the Blowfish and Twofish encryption algorithms and as the
bestselling author of Applied Cryptography, which has been called the
bible for hackers. He's written other books that examine security and
society, and he is a renowned security speaker, blogger, and columnist,
as well as a popular media talking head who offers unique views on
everything from encryption to post-9/11 security overkill.
Schneier, a contributing editor to Dr. Dobb's Journal and recipient of
the magazine's 2006 Excellence in Programming Award, says he writes
restaurant reviews as an escape from his work in security, but he does
see some symmetry in security and food: "Food is more about how a
culture uses what it has to make an interesting meal. That's the same
thinking as security," he says. "I look at it from a systemic point of
view -- what is going on here in the bigger picture that creates this
traditional dish. Tibetan food is moderately spicy, because spices don't
grow that high [in elevation]," for example, says Schneier, founder and
CTO of BT Counterpane, now part of British Telecom.
Security is a system, he says, and you have to look at security
technologies in that broader context, from cryptography to airline
security. "A lot of technologists focus on the details of the
technology, such as biometrics or explosive-detection machines. I look
at the big picture," he says. "The lessons in my writings are not about
specific technologies, but about the world and human nature."
That's really what it's all about for Schneier, 43, who had a big year
last year. His managed security services company, Counterpane, was
purchased by British Telecom in October. Schneier admits he was
initially worried the BT deal would stifle his work and public persona
he has built, but BT made it clear it was hiring him not as a pitch man,
but as an independent voice. "That's important to me," he says. "BT is
giving me a bigger platform to do the things I do for Counterpane."
And his security research options will expand, given BT's global
presence. Schneier travels to London next week to meet with BT's
research group and discuss its work, which ranges from biometrics,
quantum cryptography, and identity management -- things outside of what
Counterpane has done, he says. Schneier's not sure what his level of
involvement will be in BT research just yet, but he hopes to be an
adviser to marketing and research.
He doesn't expect any of this to detract from the Bruce Schneier brand,
however, which feeds off Schneier's candid and sometimes controversial
commentary on all things security.
"BT recognizes the more general I am, the more value I give BT. They get
that," he says. "Everything feeds into everything else, the writing the
speaking. I can't just go inside BT and disappear doing BT work, because
everything [I do is related to] BT work."
Schneier won't shy away from the hot-button topics in IT security or
physical security. Last week, for example, he told a reporter at a
Tacoma, Wash.-based radio station after the school shooting there, that
metal detectors would be a waste of money. "The goal isn't to stop
shootings in schools. It's to stop shootings," he says, by investing in
ways to ensure a kid doesn't resort to violence at all. "If a kid shoots
another kid in the playground because there's a metal detector in the
building," then the physical security was ineffective, he adds.
"That's a tough message for people to hear."
Meanwhile, Schneier says today's hackers/researchers are doing some good
work poking holes in software, but there is some of what he calls
"ethical sloppiness" out there. "People who don't pay attention to the
ramifications of what they are doing." As for the vulnerability
disclosure debate, Schneier is all for it, as long as it's for
legitimate purposes and not "self-aggrandizing," he says.
"It's polite to give vendors advanced notice. But companies shouldn't
expect advanced notice, because the bad guys won't give it to them," he
says. "A lot of this debate obscures the fact that these bugs are
mistakes. We focus on the person who disclosed it, but it's a
programming error...a mistake someone made."
His latest work is on brain heuristics and perceptions of security, and
he'll be doing a presentation on that topic at the RSA Conference next
month. "I'm looking at the differences between the feeling and reality
of security," he says. "I want to talk about why our perceptions of risk
don't match reality, and there's a lot of brain science that can help
And as for now, Schneier's title remains CTO of Counterpane, but he and
BT are cooking up an updated title for him. Nothing is firm yet, but
don't expect it to have "evangelist" in it: "I hate the word
'evangelist,'" he says. "It's not a bad term, but I don't like the
implications... It's almost like a cheerleader."
He may not be shy about speaking his mind on hot-potato security topics,
but Schneier makes it a policy not to write bad reviews on indie or
mom-and-pop restaurants. "I try not to write bad restaurant reviews," he
says. "If a restaurant is bad, I'd prefer to simply ignore them. A bad
review only hurts them."
* What scares Schneier most about security: "Crime. We over-emphasize
cyber terrorism and under-emphasize cyber crime. But cyber crime is
where the attacks are coming from."
* On Microsoft and security: "They're getting a lot of things right, but
Microsoft continually uses security as a way to solidify its monopoly
position. Microsoft is right to treat security as a business issue --
they're not a public charity -- but it hurts all of us when they use
it to lock out the competition."
* Favorite team: "I tend not to pay attention to spectator sports."
* Favorite hangout: "Home. I'm on the road 40 percent of the time..."
* After hours: "Spending time with people I'm close to... friends."
* In Schneier's iPod right now: "All sorts of things. Folk, folk rock,
Irish and Celtic music, singer-songwriters. My favorite band at the
moment is Crooked Still."
* Biggest pet peeve: "Airport security is the stupid security I most
come into contact with."
* PC or Mac: "PC."
* Wheels: "My wife buys the cars we have at home. The car I most
commonly drive is a rental."
* Next Career: "Curmudgeon. Anyone can be cynical and bitter, but being
a curmudgeon is hard."
Kelly Jackson Higgins is a Senior Editor at Dark Reading.
Subscribe to InfoSec News