Bruce Schneier, founder and CTO of Counterpane Internet Security, is one of the world’s foremost security experts and author of the influential books Applied Cryptography, Secrets & Lies and Beyond Fear. His free monthly newsletter, Crypto-Gram, has over 100,000 readers. Interviewed by Glyn Moody, he discusses the lack of accountability of software companies, security through diversity, and why he would rather re-write Windows than TCP/IP.
Q. You’ve said that Applied Cryptography described a “mathematical utopia” of algorithms and protocols: what was the attraction of that utopia for you?
A. Cryptographic security comes from mathematics, not from people and not from machines. Mathematical security is available to everyone, both the weak and the powerful alike, and gives ordinary people a very powerful tool to protect their privacy. That’s the cryptographic ideal of security.
Q. To what extent is the Internet and its global linking of computers together to blame for the destruction of that utopia?
A. They’re entirely to blame, although “blame” is not really the right word. Cryptography worked well in the era of radios and telegraphs, where the threat was eavesdropping and mathematical cryptography could protect absolutely. But in the world of computers and networks, the threats are more complex and involve software and system vulnerabilities. Cryptography is much less able to provide security in this new world; that’s the cryptographic reality of security.
Q. In Secrets & Lies you wrote that you had an epiphany about security in April 1999: can you say what it was?
A. As a cryptographic consultant, I did a lot of work analyzing operating systems. Invariably I would break them, but almost never would I break the mathematical cryptography. I eventually realized that cryptography is the strongest part of a very weak system, and that the system aspects around the cryptography - the software, the operating system, the network, the user interface, etc. - are much more important.
Q. One of the ideas in your book Secrets & Lies is that at the root of the computer security problems we face today is the lack of accountability by software manufacturers for their faulty products: why do you think that they have managed to evade the responsibility - unlike everyone else - despite the scale of the damage and the associated profits?