Bruce Schneier Blazes Through Your Questions

Bruce Schneier Blazes Through Your Questions
Bruce Schneier Blazes Through Your Questions 

By Stephen J. Dubner
December 4, 2007

Last week, we solicited your questions for Internet security guru Bruce 
Shneier. He responded in force, taking on nearly every question, and his 
answers are extraordinarily interesting, providing mandatory reading for 
anyone who uses a computer. He also plainly thinks like an economist: 
search below for crime pays to see his sober assessment of why its 
better to earn a living as a security expert than as a computer 

Thanks to Bruce and to all of you for participating. Heres a note that 
Bruce attached at the top of his answers: Thank you all for your 
questions. In many cases, Ive written longer essays on the topics youve 
asked about. In those cases, Ive embedded the links into the necessarily 
short answers I've given here.

Q: Assuming we are both still here in 50 years, what do you believe will 
be the most incredible, fantastic, mind-blowing advance in 
computers/technology at that time?

A: Fifty years is a long time. In 1957, fifty years ago, there were 
fewer than 2,000 computers total, and they were essentially used to 
crunch numbers. They were huge, expensive, and unreliable; sometimes, 
they caught on fire. There was no word processing, no spreadsheets, no 
e-mail, and no Internet. Programs were written on punch cards or paper 
tape, and memory was measured in thousands of digits. IBM sold a disk 
drive that could hold almost 4.5 megabytes, but it was five-and-a-half 
feet tall by five feet deep and would just barely fit through a standard 

Read the science fiction from back then, and youd be amazed by what they 
got wrong. Sure, they predicted smaller and faster, but no one got the 
socialization right. No one predicted eBay, instant messages, or 

Moores Law predicts that in fifty years, computers will be a billion 
times more powerful than they are today. I dont think anyone has any 
idea of the fantastic emergent properties you get from a billion-times 
increase in computing power. (I recently wrote about what security would 
look like in ten years, and that was hard enough.) But I can guarantee 
that it will be incredible, fantastic, and mind-blowing.

Q: With regard to identity theft, do you see any alternatives to data 
being king? Do you see any alternative systems which will mean that just 
knowing enough about someone is not enough to commit a crime?

A: Yes. Identity theft is a problem for two reasons. One, personal 
identifying information is incredibly easy to get; and two, personal 
identifying information is incredibly easy to use. Most of our security 
measures have tried to solve the first problem. Instead, we need to 
solve the second problem. As long as its easy to impersonate someone if 
you have his data, this sort of fraud will continue to be a major 

The basic answer is to stop relying on authenticating the person, and 
instead authenticate the transaction. Credit cards are a good example of 
this. Credit card companies spend almost no effort authenticating the 
person hardly anyone checks your signature, and you can use your card 
over the phone, where they cant even check if youre holding the card and 
spend all their effort authenticating the transaction. Of course its 
more complicated than this; I wrote about it in more detail here and 

Q: Whats the next major identity verification system?

A: Identity verification will continue to be the hodge-podge of systems 
we have today. Youre recognized by your face when you see someone you 
know; by your voice when you talk to someone you know. Open your wallet, 
and youll see a variety of ID cards that identify you in various 
situations some by name and some anonymously. Your keys identify you as 
someone allowed in your house, your office, your car. I dont see this 
changing anytime soon, and I dont think it should. Distributed identity 
is much more secure than a single system. I wrote about this in my 
critique of REAL ID.

Q: If we can put a man on the moon, why in the world cant we design a 
computer that can cold boot nearly instantaneously? I know about 
hibernation, etc., but when I do have to reboot, I hate waiting those 
three or four minutes.

A: Of course we can; Amiga was a fast booting computer, and OpenBSD 
boxes boot in less than a minute. But the current crop of major 
operating systems just dont. This is an economics blog, so you tell me: 
why dont the computer companies compete on boot-speed?

Q: Considering the carelessness with which the government (state and 
federal) and commercial enterprises treat our confidential information, 
is it essentially a waste of effort for us as individuals to worry about 
securing our data?

A: Yes and no. More and more, your data isnt under your direct control. 
Your e-mail is at Google, Hotmail, or your local ISP. Online merchants 
like Amazon and eBay have records of what you buy, and what you choose 
to look at but not buy. Your credit card company has a detailed record 
of where you shop, and your phone company has a detailed record of who 
you talk to (your cell phone company also knows where you are). Add 
medical databases, government databases, and so on, and theres an awful 
lot of data about you out there. And data brokers like ChoicePoint and 
Acxiom collect all of this data and more, building up a surprisingly 
detailed picture on all Americans.

As you point out, one problem is that these commercial and government 
organizations dont take good care of our data. Its an economic problem: 
because these parties dont feel the pain when they lose our data, they 
have no incentive to secure it. I wrote about this two years ago, 
stating that if we want to fix the problem, we must make these 
organizations liable for their data losses. Another problem is the law; 
our Fourth Amendment protections protect our data under our control 
which means in our homes, in our cars, and on our computers. We dont 
have nearly the same protection when we give our data to some other 
organization for use or safekeeping.

That being said, theres a lot you can do to secure your own data. I give 
a list here.

Q: How do you remember all of your passwords?

A: I cant. No one can; there are simply too many. But I have a few 
strategies. One, I choose the same password for all low-security 
applications. There are several Web sites where I pay for access, and I 
have the same password for all of them. Two, I write my passwords down. 
Theres this rampant myth that you shouldnt write your passwords down. My 
advice is exactly the opposite. We already know how to secure small bits 
of paper. Write your passwords down on a small bit of paper, and put it 
with all of your other valuable small bits of paper: in your wallet. And 
three, I store my passwords in a program I designed called Password 
Safe. Its is a small application Windows only, sorry that encrypts and 
secures all your passwords.

Here are two other resources: one concerning how to choose secure 
passwords (and how quickly passwords can be broken), and one on how 
lousy most passwords actually are.


Visit InfoSec News 

Site design & layout copyright © 1986-2015 CodeGods