His recently released book, Schneier on Security, dissects issues like data mining, the industry power struggle over controlling PC security, and why some risks are overestimated while others are underestimated.
In this interview, the security guru discusses a plethora of security topics including how to protect your own PC.
What is the single biggest threat to our technological security at this point?https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i The single biggest threat is the technology itself. Technological systems, especially newer ones, are exceedingly complexand complexity is the worst enemy of security. This is true for a number of reasons. One is that in our rush to build new systems, we generally ignore security or only pay attention to it at the last minute. But the other is that complex systems, especially non-linear and tightly coupled systems, are naturally less secure.
Theres really no solution to this problem; were not going to give up our new technological systems just because of security concerns, but it is something we need to be constantly aware of.
Fear of identity theft seems to be at exceptionally high levels, with constant headlines about hijacked credit cards and bills run up without the account owner's consent. Is the threat from identity theft as bad as it seems?
In the U.S., not really. The extreme cases get the press, but in the main, identity theft is a solved problem. If someone manages to open a credit card in your name, he makes an average of $1,350 in fraudulent purchasesbut youre not liable for that. Your median out-of-pocket cost for new account fraud is only $40, plus ten hours of grief to clean up the problem. This isnt to say that we shouldnt require companies to be more vigilant with our personal information, though. The privacy issues are much bigger than identity theft.
Are there security risks that are far greater than we know? That is, some issues that dont get much coverage but are in fact quite serious?
Corporate crimeboth fraud and espionagegets less coverage than personal crime. Companies have an incentive to keep incidents out of the public eye, so they are more likely not to talk about them. When mandatory disclosure laws were passed a few years ago, we learned that companies were losing personal data far more often than they admitted. Almost certainly they are suffering other damages as well.
It seems as if there's a national passion for data mining, largely in hopes that it will detect terrorists before they act. Do you agree with our apparent enthusiasm for data mining?
Data mining is great for some things, and terrible for others. Its success story is credit card fraud prevention. Right now, data mining systems are looking through credit card transactions, watching for signs of card theft and other sorts of fraud. This works because 1) there is a large data set of attacks to use to generate predictable patterns, 2) criminals tend to do the same things over and over, 3) fraud reduction is easily quantifiable, and 4) the cost of false alarms is low.
Compare this with detecting terrorism: 1) there are very few attacks, 2) theyre mostly different, 3) its hard to quantify what a reduction in risk looks like, and 4) the cost of false alarms is very expensive. So while I have an enthusiasm for data mining as a security tool, its only in areas where it makes sense to use it.
We've sacrificed a lot of privacy in the last few years in the name of security. Are we actually safer as a result?
The whole security vs. privacy dichotomy is a false one. There are many security measuresdoor locks, burglar alarms, tall chain-link fencesthat have nothing to do with privacy. Its only identity-based security that affects privacy, and there are limits to that approach. Ive repeatedly said that exactly two things have made airplane travel safer since 9/11: reinforcing cockpit doors and convincing passengers that they need to fight back. Those two things have no effect on privacy. Security measures that affect privacy, like ID checks, havent made us any safer. The real dichotomy is liberty vs. control. And real security comes from liberty plus privacy.
Protecting computer security is usually seen as a technological challenge, but you refer to it as an economic problem. Why so?
Because if you dont get the economic incentives right, no amount of technology will help. Security is a trade-off, and people will weigh the cost of security against the benefits. Its easiest to see this in a business environmentfor example, is an anti-fraud measure more or less expensive than the fraud it will preventbut its true everywhere: personally through nationally. These trade-offs arent made in some abstract greatest good sort of way; theyre made by people based on their own personal situation. And if the costs and benefits arent aligned, people wont make good trade-offs.
An example might make this clearer. A lot of identity theft comes from corporations not securing their databases filled with personal information. Of course, they could spend more money to increase security, but the economic incentives arent aligned: the risk of identity theft is borne by those people in the databases, not by the company. So it doesnt matter what kind of technologies you invent; it wont be worth it for the company to implement them. The way you fix this is by fixing the economics: making these data breaches costly to the company.
I found your writings about the psychology of security to be particularly interesting: about how we may feel we're secure when we're not, and vice versa. How does this gap affect our real world efforts to guard our security?
We end up with a lot of security measures that make us feel more secure, regardless of whether they actually make us more secure. This effect is most pronounced when its hard to evaluate the actual effectiveness of a security measure. Crime prevention measures are relatively easy to evaluate, because you can watch the crime rate go up or down. On the other hand, anti-terrorism measures can be very hard to evaluate, because there simply arent enough events to get a sufficient data sample. Fears, folk beliefs, and preconceived notions also make it hard to notice when the feeling of security doesnt match the reality. So we end up with a lot of security theater.
The big question: Our personal PC security. When people ask youas they often dowhat they can do to protect their PCs, you've been known to answer "nothingyou're screwed." But you readily admit the reality is more complicated. What are the most essential things people need to do?
Backup. Backup, backup, backup. For most people, the biggest security risk is losing their data. A regular backup will go a long way to making their computer more secure. And be sure to test those backups; theyre no good if the restore doesnt work. After that, invest in an anti-virus program and keep your patches up to date. Everything else is in the margins.