
Security is always a tradeoff: Schneier

Security is essentially a tradeoff and the main question about it is not whether we are safe or not but whether it is worth it. Simple and to the point. That's the way Bruce Schneier, probably the world's foremost security expert, puts it.

And that is the reason why Schneier enjoys the reputation he does - because, like the few true intellectuals around, he is a fount of wisdom, not just knowledge.

Schneier gave the keynote address on the opening day of the main part of Australia's national Linux conference today; his topic was "Reconceptualising Security", something on which he is eminently qualified to speak.

As usual, he came to the point: "Security is both a feeling and a reality. You can feel secure without actually being secure and you can be secure even though you don't feel secure."

And how does one bridge the gap between people both knowing they are secure and feeling the same way? Once again, it's very basic: information is the only way.

With this as the central tenet of his talk, Schneier set out to illustrate it and did so with simple examples.

He said that within the industry people tended to discount the feeling in favour of the reality but the difference between the two was important. It explained why there was much of what he called "security theatre" that did not work and why so many smart solutions were never implemented.

By security theatre he said he meant the various "snake oil" solutions that addressed feelings and were no good in reality.

Citing the example of the attacks on the World Trade Centre in September 2001, Schneier said that shortly after the incident he had been asked by a journalist how the US could ensure that such an event never recurred.

He said his answer was very short: "Take all the planes out of the sky."

There was a roar of laughter from the LCA audience at this, but everyone settled down when Schneier reminded them that grounding all air traffic was exactly what the US government had done after the incident. It temporarily gave people the feeling of being safe - but obviously could not be sustained.

Schneier said when it came to the economics of security, once again it was a tradeoff - how much were you spending? And was it worth the risk you were eliminating? "If you take the example of software, you may have to drop a feature set to provide more security - but then you have to weigh up the tradeoff again - do you need that feature set to sell your product to a particular person," he said.

He noted that nobody in the audience was wearing a bulletproof vest - even though that would have been a good way of ensuring that they would arrive alive to attend his keynote. But traded off against the inconvenience of wearing such a heavy garment in summer and the lack of fashion sense it would convey, people had chosen not to wear one, he said to peals of laughter.

People tended to over-estimate uncommon risks and play down common ones; they also tended to over-estimate involuntary risks and underplay voluntary ones, Schneier said.

Most of the time this worked reasonably well. But the human brain was optimised to deal with security threats from an age long past and was not used to modern times and all the accompanying threats.

Schneier pointed out that when feeling and reality got out of whack, then fear would influence behaviour.

"If I sell you a lock that does not work, pretty soon you will notice. Until you do, you will have that feeling of security," he said.

While the basic tenets of security were simple, Schneier said that there were people with various agendas who would willingly create misunderstandings. For example, there was a lot of data showing that a national ID card would not be very effective but there were groups which had a stake in such a product who would spread misinformation.

"And the media often plays a role in spreading this kind of mass misinformation," he said.

Schneier touched on the so-called "lemons market" where the information available to the buyer and seller is asymmetric. He gave the example of a used car market where there were 1000 good cars and 1000 "lemons" or cars that were sure to give up the ghost after a short time.

If the good ones cost $2000 and the lemons $500, and the price which an average consumer was willing to pay was around $1500, then more lemons would be sold. However, if the buyer was in possession of sufficient information to distinguish between the good cars and the lemons, then more of the former would be sold.

A seller could always increase the attraction of a car in either category by offering a six-month warranty - "he says take it, use it for this amount of time and if it breaks down bring it back."

When it came to IT, people tended to decide about security based on various factors - the reputation of a company (here he cited the old mantra "nobody ever got fired for buying IBM"), product reviews, certifications and so on.

"For some, the fact that a product is open source is a signal that it is good, for others it is a negative; it works the same way for proprietary products," Schneier said.

"Lots of our security is outsourced to people who have agendas and tend to manipulate things; as a result we often tend to end up more insecure though we don't actually feel that way."

To illustrate the importance of feeling, Schneier cited a case in the US where a certain over-the-counter medication had been tampered with and caused a case of poisoning.

"Within a few days, people were terrified of buying any non-prescription drugs," he said. "The company reacted to the crisis and introduced tamper-proof caps for their product and this restored people's feeling of security."

With a twinkle in his eye, he added, "even though there are numerous ways to get around that kind of cap, beginning with a syringe."

Information was the only way around the security problem, Schneier concluded as he ended his talk and earned the closest thing to a standing ovation.

Before the keynote, Jonathan Oxer, the president of Linux Australia, declared the conference formally open and acknowledged the traditional owners of the land on which the conference is being held.

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.