SAN FRANCISCO—Bruce Schneier is one cryptographer who is about as good with a phrase as he is with numbers, especially when talking or writing about the state of security in the world today.
Schneier, who’s founder and chief technology officer of Counterpane Internet Security Inc., a security services provider, is the author of several books, the last two of which—“Beyond Fear” and “Secrets and Lies”—attempted to put security in perspective for the masses.
Tuesday at the RSA Conference here, Schneier took part in a cryptographer panel earlier in the day, but his own popularity was in evidence as he later filled a large theater at the Metreon to, as he said, discuss what’s new in security since the publication of “Beyond Fear” last fall.
He saved some of his most interesting comments for last, when he took a question from the audience on his reaction to Microsoft Corp. CEO Bill Gates’ keynote earlier in the day.
“Was it just me or was he just not excited? I expected more excitement,” Schneier said. “When he talks about features and cool things [in his products], he gets animated. But until he gets animated about security you know he’s not going to solve the problem.”
Gates received a friendly reception earlier in the day, despite the fact that Microsoft products are a constant target of viruses and worms. Schneier’s audience clearly shared his feelings about the Microsoft executive’s remarks.
“Security is not as exciting as the next cool thing in Windows,” Schneier said. “[Gates] had an opportunity to wow us [earlier]. I wanted to be wowed. I didn’t want to hear about cool dialog boxes.
“It’s a big boat to turn around,” Schneier said about Microsoft’s security initiatives, such as Trustworthy Computing. “Give him some quarter for that, but he’s had some time to turn about the boat. Security should be his bottom line. Then he’ll care.”
Schneier’s Gates comments followed some anecdotes about how everyone can help solve the security problems facing all enterprises. “Get involved,” he said. “That’s how we make changes. Otherwise security is something done to us.”
Most security systems affect multiple parties, he explained, but usually only one person makes the decision about how security is implemented. “At this point it’s a negotiation. The players with most power are the ones who get to decide what the final answer is,” Schneier said. “The best way to effect security is to gain power in negotiations. The best way is to change the environment in which security decisions are being made. Change the agenda of the players. Change the outcome.”
Every person has to make security work for himself, he said. “The goal of security systems is the most security for the least amount of trade-offs. The way to do that is to make the party who is best able to mitigate the risk responsible for the risk,” he said, adding that computer software companies at this point do not share in the risks of software security or insecurity.
Schneier said one of the best and simplest “security systems” he’s seen is the local convenience store or fast food restaurant that displays a sign at the cash register that says, “Purchase free if you don’t get a receipt.” The system is not designed as a customer service, as it may appear, he said. Rather, it’s a means of co-opting the customer into keeping an eye on the store employee who may be suspected of skimming from the cash register. Nevertheless, the customer will be watching if he knows he could get something for free.
“Good security systems are in line with their capabilities,” he said. “The store manager is hiring you, aligning your interests with your capabilities. Very cheap security system. For the money it’s really good. That’s what we should strive for in security systems. The goal is to make them as effective as possible and work with the natural tendencies of people already there.”