Interview with Bruce Schneier, Counterpane Internet Security

Bruce Schneier, founder and CTO of Counterpane Internet Security, is one of the world's foremost security experts and author of the influential books Applied Cryptography, Secrets & Lies and Beyond Fear. His free monthly newsletter, Crypto-Gram, has over 100,000 readers. Interviewed by Glyn Moody, he discusses the lack of accountability of software companies, security through diversity, and why he would rather re-write Windows than TCP/IP.

Q. You've said that Applied Cryptography described a "mathematical utopia" of algorithms and protocols: what was the attraction of that utopia for you?

A. Cryptographic security comes from mathematics, not from people and not from machines. Mathematical security is available to everyone, both the weak and the powerful alike, and gives ordinary people a very powerful tool to protect their privacy. That's the cryptographic ideal of security.

Q. To what extent are the Internet and its global linking of computers together to blame for the destruction of that utopia?

A. They're entirely to blame, although "blame" is not really the right word. Cryptography worked well in the era of radios and telegraphs, where the threat was eavesdropping and mathematical cryptography could protect absolutely. But in the world of computers and networks, the threats are more complex and involve software and system vulnerabilities. Cryptography is much less able to provide security in this new world; that's the cryptographic reality of security.

Q. In Secrets & Lies you wrote that you had an epiphany about security in April 1999: can you say what it was?

A. As a cryptographic consultant, I did a lot of work analyzing operating systems. Invariably I would break them, but almost never would I break the mathematical cryptography. I eventually realized that cryptography is the strongest part of a very weak system, and that the system aspects around the cryptography - the software, the operating system, the network, the user interface, etc. - are much more important.

Q. One of the ideas in your book Secrets & Lies is that at the root of the computer security problems we face today is the lack of accountability by software manufacturers for their faulty products: why do you think that they have managed to evade the responsibility - unlike everyone else - despite the scale of the damage and the associated profits?

A. Computers are one of the few aspects of our modern society that we don't expect to work. If cars operated like computers, no one would buy them and there would be product liability lawsuits aplenty. But we're not seeing that with computers. This will eventually change. It has to; computers will eventually become as simple and reliable as telephones. And computers will have to deal with product liabilities, just as any mass-market product. But I've given up predicting when.

Q. As you note, the arrival of email-borne malware has escalated security challenges hugely. Part of the problem is the spam deluge that assails nearly everybody's inbox: what is your preferred solution for dealing with spam?

A. I use a service called Postini, and I love it. It cleans spam out of my mailbox before it hits my network, so I don't have to worry about it at all. Sure, there are some false positives, but after a few weeks of configuring my white list, I hardly get any.

Spam filters aren't an ideal solution, though. I publish a free monthly newsletter: Crypto-Gram. It's subscription-based, and I have over 75,000 subscribers. Again and again my newsletter gets flagged as spam, even though it isn't. That's the real problem with spam filters: they fail to differentiate between solicited and unsolicited bulk e-mail.

Q. Another aspect of the problem is people's apparently irresistible desire to open attachments: what can be done to discourage them from giving in to this urge, and to minimise the damage when they do?

A. Education and containment. Some people still open attachments, but more people don't. That's education. Containment would be efforts to limit what attachments could do. Right now, when you open an attachment in Windows, it can do anything on your computer. That simply has to stop.

Q. You've suggested the idea of a Net-based passport: how would the system work, and would it help here?

A. I hope I haven't given that impression, because I think it's a terrible idea. Not only would it make the Internet less useful as a global societal infrastructure, it wouldn't help security very much. A digital passport would be too easy to forge and too difficult to check. And if people blindly trust the passport, it would just make things even worse.

Q. Looking at this problem from another viewpoint, to what extent are the dangers of email-borne viruses, worms and trojans a consequence of a Microsoft monoculture that allows malware programmers to make broadly-correct assumptions about the operating and application environments?

A. Certainly the monoculture exacerbates the problem, but it isn't the core of the problem. Insecure, unreliable, and buggy software is endemic to software in general, and not just Microsoft in particular. This software causes security vulnerabilities, and would continue to do so even if there were several equally popular operating systems. What the Microsoft monoculture does is magnify the effects of these vulnerabilities, so that they are more disastrous to the Internet as a whole.

One of the ways to maintain security - especially with insecure tools - is through diversity. Monoculture flies in the face of that security strategy.

Q. You've said that you are a fan of open source: what in particular do you like about it?

A. Open source isn't a solution to the world's computer problems, but it is a compelling alternative to proprietary software. Remember, though, that open source software isn't magically more secure. It has the potential to be more secure, because more people are looking at it, but it also has the potential to be equally insecure. The important thing is to have good security analysis: proprietary software vendors can buy it, and open source systems can get it for free. But it's also possible for both proprietary and open source software to ignore the need for security analysis.

Q. If those writing software became liable for its faults, as you suggest, what would be the situation for open source software?

A. I don't know. I presume there would be some exemption for open source, just as the United States has a "good Samaritan" law protecting doctors who help strangers in dire need. Companies could also make a business wrapping liability protection around open source software and selling it, much as companies like Red Hat wrap customer support around open source software.

Q. Your books describe an interesting passage from optimism that technology can be a solution to computer security problems, to a rather more pessimistic view; how much of a danger do you think there is that things might get so bad that people will just disconnect themselves from the Internet - as is already starting to happen with email because of the unacceptably high levels of spam?

A. I think it's very likely. People and companies make risk management decisions about network security. If they can't do something securely, at least some of them will decide not to do it at all.

Q. If you were designing a replacement for the abandoned Internet, and had a completely free hand, what would you do differently in order to render it intrinsically more secure than Net 1.0?

A. The problem isn't the Internet. The problem is the horribly insecure computers attached to the Internet. I would rather rewrite Windows than TCP/IP.