Securing Your PC and Your Privacy
He might be called the international rock star of computer
security. Bruce Schneier has testified before Congress and
given well-regarded speeches the world over; when he talks
about security, experts listen. A prolific author, he
has penned articles for publications ranging from Wired to
The Guardian to the Sydney Morning Herald. His books include
Applied Cryptography, which delves into the science of
secret codes, and Beyond Fear, which details how to protect
security on the personal and national level.
His recently released book, Schneier on Security, dissects
issues like data mining, the industry power struggle over
controlling PC security, and why some risks are
overestimated while others are underestimated.
In this interview, the security guru discusses a plethora of
security topics – including how to protect your own PC.
What is the single biggest threat to our technological
security at this point?
The single biggest threat is the technology itself.
Technological systems, especially newer ones, are
exceedingly complex—and complexity is the worst enemy of
security. This is true for a number of reasons. One is that
in our rush to build new systems, we generally ignore
security or only pay attention to it at the last minute. But
the other is that complex systems, especially non-linear and
tightly coupled systems, are naturally less secure.
There’s really no solution to this problem; we’re not going
to give up our new technological systems just because of
security concerns, but it is something we need to be
constantly aware of.
Fear of identity theft seems to be at exceptionally high
levels, with constant headlines about hijacked credit cards
and bills run up without the account owner's consent. Is the
threat from identity theft as bad as it seems?
In the U.S., not really. The extreme cases get the press,
but in the main, identity theft is a solved problem. If
someone manages to open a credit card in your name, he makes
an average of $1,350 in fraudulent purchases—but you’re not
liable for that. Your median out-of-pocket cost for new
account fraud is only $40, plus ten hours of grief to clean
up the problem. This isn’t to say that we shouldn’t require
companies to be more vigilant with our personal information,
though. The privacy issues are much bigger than identity
theft.
Are there security risks that are far greater than we know?
That is, some issues that don’t get much coverage but are in
fact quite serious?
Corporate crime—both fraud and espionage—gets less coverage
than personal crime. Companies have an incentive to keep
incidents out of the public eye, so they are more likely not
to talk about them. When mandatory disclosure laws were
passed a few years ago, we learned that companies were
losing personal data far more often than they admitted.
Almost certainly they are suffering other damages as well.
It seems as if there's a national passion for data mining,
largely in hopes that it will detect terrorists before they
act. Do you agree with our apparent enthusiasm for data
mining?
Data mining is great for some things, and terrible for
others. Its success story is credit card fraud prevention.
Right now, data mining systems are looking through credit
card transactions, watching for signs of card theft and
other sorts of fraud. This works because 1) there is a large
data set of attacks to use to generate predictable patterns,
2) criminals tend to do the same things over and over, 3)
fraud reduction is easily quantifiable, and 4) the cost of
false alarms is low.
Compare this with detecting terrorism: 1) there are very few
attacks, 2) they’re mostly different, 3) it’s hard to
quantify what a reduction in risk looks like, and 4) the
cost of false alarms is very expensive. So while I have an
enthusiasm for data mining as a security tool, it’s only in
areas where it makes sense to use it.
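The comparison above turns on base rates and the cost of false alarms. The following is an added example, not part of the interview and not Schneier's code: it runs the same classifier quality over two constructed scenarios, one with many events to learn from and cheap false alarms (card fraud), one with very few events and expensive false alarms (terrorism), and reports how many alerts are real and what chasing the rest costs. Every number in it (populations, prevalence, sensitivity, false-positive rate, per-alert cost) is an assumption chosen for illustration, not a statistic from the page or any real dataset.

```python
"""Base-rate arithmetic behind the fraud-vs-terrorism data-mining comparison.

Added example, not from the interview. All inputs are constructed
illustrations; none are real statistics.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionOutcome:
    true_positives: float    # genuine events the system flags
    false_positives: float   # benign events the system flags
    missed: float            # genuine events the system does not flag
    precision: float         # share of all alerts that are genuine
    false_alarm_cost: float  # expected cost of investigating the false alerts


def expected_outcome(population: float, prevalence: float, sensitivity: float,
                     false_positive_rate: float, cost_per_false_alarm: float) -> DetectionOutcome:
    """Expected counts for a classifier run over `population` events.

    prevalence:          fraction of events that are genuine attacks
    sensitivity:         P(flag | attack)
    false_positive_rate: P(flag | benign)
    """
    attacks = population * prevalence
    benign = population - attacks
    tp = attacks * sensitivity
    fp = benign * false_positive_rate
    fn = attacks - tp
    alerts = tp + fp
    precision = tp / alerts if alerts else 0.0
    return DetectionOutcome(tp, fp, fn, precision, fp * cost_per_false_alarm)


# Both scenarios use the SAME classifier quality (90% sensitivity, 0.1% false
# positive rate). Only the base rate and the cost of a false alarm differ.
CLASSIFIER = dict(sensitivity=0.9, false_positive_rate=1e-3)


def card_fraud_scenario() -> DetectionOutcome:
    # Assumed: 1e9 transactions, 1 in 1,000 fraudulent, a false alarm costs
    # roughly one phone call to the cardholder.
    return expected_outcome(population=1e9, prevalence=1e-3,
                            cost_per_false_alarm=5.0, **CLASSIFIER)


def terrorism_scenario() -> DetectionOutcome:
    # Assumed: 3e8 people, 1 in 1,000,000 a genuine attacker, a false alarm
    # costs a full investigation of an innocent person.
    return expected_outcome(population=3e8, prevalence=1e-6,
                            cost_per_false_alarm=10_000.0, **CLASSIFIER)


def compare() -> dict:
    """Side-by-side view of the two scenarios, keyed by name."""
    return {"card_fraud": card_fraud_scenario(),
            "terrorism": terrorism_scenario()}


if __name__ == "__main__":
    for name, out in compare().items():
        print(f"{name:>11}: {out.precision:.4%} of alerts genuine, "
              f"{out.false_positives:,.0f} false alarms costing "
              f"${out.false_alarm_cost:,.0f}, {out.missed:,.0f} attacks missed")
```

With identical detector quality, roughly half of the card-fraud alerts are genuine and the false alarms cost a few million dollars across a billion transactions, while fewer than one terrorism alert in a thousand is genuine and the false alarms cost billions. That is the arithmetic behind conditions 1 and 4 in the answer above; conditions 2 and 3 (stable attacker behaviour, measurable risk reduction) are what let you estimate the sensitivity and false-positive rate in the first place.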