Schneier On SchneierSchneier On Schneier
Renowned security icon Bruce Schneier shares food for thought on security, fine dining, and disclosing and eating bugs
January 9, 2007
He's eaten guinea pig in Peru, whale in Japan, and tried insects in Australia. But security guru -- and part-time restaurant critic -- Bruce Schneier mostly steers clear of chain restaurants, which he finds oppressively uniform.
Figure 1: Bruce Schneier
When he's not sampling exotic cuisine, Schneier is best known as the developer of the Blowfish and Twofish encryption algorithms and as the bestselling author of Applied Cryptography, which has been called the bible for hackers. He's written other books that examine security and society, and he is a renowned security speaker, blogger, and columnist, as well as a popular media talking head who offers unique views on everything from encryption to post-9/11 security overkill.
Schneier says he writes restaurant reviews as an escape from his work in security, but he does see some symmetry in security and food: "Food is more about how a culture uses what it has to make an interesting meal. That's the same thinking as security," he says. "I look at it from a systemic point of view -- what is going on here in the bigger picture that creates this traditional dish. Tibetan food is moderately spicy, because spices don't grow that high [in elevation]," for example, says Schneier, founder and CTO of BT Counterpane, now part of British Telecom.
Security is a system, he says, and you have to look at security technologies in that broader context, from cryptography to airline security. "A lot of technologists focus on the details of the technology, such as biometrics or explosive-detection machines. I look at the big picture," he says. "The lessons in my writings are not about specific technologies, but about the world and human nature."
That's really what it's all about for Schneier, 43, who had a big year last year. His managed security services company, Counterpane, was purchased by British Telecom in October. Schneier admits he was initially worried the BT deal would stifle his work and public persona he has built, but BT made it clear it was hiring him not as a pitch man, but as an independent voice. "That's important to me," he says. "BT is giving me a bigger platform to do the things I do for Counterpane."
And his security research options will expand, given BT's global presence. Schneier travels to London next week to meet with BT's research group and discuss its work, which ranges from biometrics, quantum cryptography, and identity management -- things outside of what Counterpane has done, he says. Schneier's not sure what his level of involvement will be in BT research just yet, but he hopes to be an adviser to marketing and research.
He doesn't expect any of this to detract from the Bruce Schneier brand, however, which feeds off Schneier's candid and sometimes controversial commentary on all things security.
"BT recognizes the more general I am, the more value I give BT. They get that," he says. "Everything feeds into everything else, the writing the speaking. I can't just go inside BT and disappear doing BT work, because everything [I do is related to] BT work."
Schneier won't shy away from the hot-button topics in IT security or physical security. Last week, for example, he told a reporter at a Tacoma, Wash.-based radio station after the school shooting there, that metal detectors would be a waste of money. "The goal isn't to stop shootings in schools. It's to stop shootings," he says, by investing in ways to ensure a kid doesn't resort to violence at all. "If a kid shoots another kid in the playground because there's a metal detector in the building," then the physical security was ineffective, he adds.
"That's a tough message for people to hear."
Meanwhile, Schneier says today's hackers/researchers are doing some good work poking holes in software, but there is some of what he calls "ethical sloppiness" out there. "People who don't pay attention to the ramifications of what they are doing." As for the vulnerability disclosure debate, Schneier is all for it, as long as it's for legitimate purposes and not "self-aggrandizing," he says.
"It's polite to give vendors advanced notice. But companies shouldn’t expect advanced notice, because the bad guys won't give it to them," he says. "A lot of this debate obscures the fact that these bugs are mistakes. We focus on the person who disclosed it, but it's a programming error...a mistake someone made."
His latest work is on brain heuristics and perceptions of security, and he'll be doing a presentation on that topic at the RSA Conference next month. "I'm looking at the differences between the feeling and reality of security," he says. "I want to talk about why our perceptions of risk don't match reality, and there's a lot of brain science that can help explain this."
And as for now, Schneier's title remains CTO of Counterpane, but he and BT are cooking up an updated title for him. Nothing is firm yet, but don't expect it to have "evangelist" in it: "I hate the word 'evangelist,'" he says. "It's not a bad term, but I don't like the implications... It's almost like a cheerleader."
He may not be shy about speaking his mind on hot-potato security topics, but Schneier makes it a policy not to write bad reviews on indie or mom-and-pop restaurants. "I try not to write bad restaurant reviews," he says. "If a restaurant is bad, I'd prefer to simply ignore them. A bad review only hurts them."
What scares Schneier most about security: "Crime. We over-emphasize cyber terrorism and under-emphasize cyber crime. But cyber crime is where the attacks are coming from."
On Microsoft and security: "They're getting a lot of things right, but Microsoft continually uses security as a way to solidify its monopoly position. Microsoft is right to treat security as a business issue -- they're not a public charity -- but it hurts all of us when they use it to lock out the competition."
Favorite team: "I tend not to pay attention to spectator sports."
Favorite hangout: "Home. I'm on the road 40 percent of the time..."
After hours: "Spending time with people I'm close to... friends."
In Schneier's iPod right now: "All sorts of things. Folk, folk rock, Irish and Celtic music, singer-songwriters. My favorite band at the moment is Crooked Still."
Biggest pet peeve: "Airport security is the stupid security I most come into contact with."
PC or Mac: "PC."
Wheels: "My wife buys the cars we have at home. The car I most commonly drive is a rental."
Next Career: "Curmudgeon. Anyone can be cynical and bitter, but being a curmudgeon is hard."
— Kelly Jackson Higgins, Senior Editor, Dark Reading
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment