Encryption Security

Ask Slashdot: Can Bruce Schneier Be Trusted? 330

An anonymous reader writes "Security guru Bruce Schneier is, among other things, a world-renowned cryptography expert, author of several popular books, and a second-order internet meme. He is also an outspoken critic of the NSA, in particular the massive NSA surveillance programs disclosed over the summer by Edward Snowden. Schneier has been involved in reviewing the leaked documents and has put in effort to determine which cryptosystems should still be considered safe. I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?"

  • by i kan reed ( 749298 ) on Tuesday October 22, 2013 @11:51AM (#45201507) Homepage Journal

    But more seriously, if you develop your own crypto system, and only share it with the people who are decoding it, it turns out to be rather hard to break. Apply a substitution cipher followed by a matrix encryption, then stick that into any old commercial encryption, and no one is going to have an easy time with it.

  • Logically retarded (Score:5, Interesting)

    by Ralph Spoilsport ( 673134 ) on Tuesday October 22, 2013 @11:51AM (#45201515) Journal
    An assumption of bad faith is self defeating. How can we trust YOU???

    Has Schneier given us bad advice? So far, so good it seems.

    Has Schneier been a vocal critic of the NSA? Yes.

    Has Schneier been on this file for a really long time? Yes.

    Do you have any evidence that he's in cahoots with the cryptofascists? No.

    So, all you have is a speculation to tear down the reputation of one of the good guys, a thought experiment, based on no evidence, but one that has real world consequences of spreading fear, uncertainty and doubt regarding someone who is fighting the good fight.

    Therefore, I would humbly suggest that I could and do logically conclude that YOU are a tool of the NSA, not Schneier, and furthermore, I have more evidence than you do: Your suggestion to consider Schneier as less than reliable based on zero evidence.

  • Re:Trust no one (Score:5, Interesting)

    by Moryath ( 553296 ) on Tuesday October 22, 2013 @11:58AM (#45201603)

    And now, folks, it's time for "Who do you trust!" Hubba, hubba, hubba! Money, money, money! Who do you trust? Me? I'm giving away free money. And where is the Batman? HE'S AT HOME WASHING HIS TIGHTS!

    So do you trust the Joker, or the Batman?

  • Re:Trust no one (Score:4, Interesting)

    by MightyYar ( 622222 ) on Tuesday October 22, 2013 @01:26PM (#45202969)

    Trust might be too strong of a word, but you do need to defer to authority if you interact with society at all. I don't think it is possible to be an expert in everything that you use or interact with on a daily basis and - unless you eschew medical care - you will defer to someone with a medical education at several times in your life. So no, you don't need to trust Schneier or anyone else in cryptography. But your only alternatives are to not use it at all for the purpose you were considering or become educated enough in the field to make your own judgements.

    Back on topic, even if you don't trust that the encryption won't frustrate the NSA, it is probably fine for most people's business purposes.

  • by Valdrax ( 32670 ) on Tuesday October 22, 2013 @02:07PM (#45203663)

    To make the claim that Linux has never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.

    Certainly - some classes of backdoor are trivially obvious 'if(sourceip==NSA)' - but others can be subtle logic errors.

    You mean like this attempt in 2003? [slashdot.org]

    Personally, I'm no longer all that impressed by the IOCCC. [ioccc.org] Don't get me wrong, some of the code submitted there shows utterly insane levels of skill. However, the above is an excellent example of a good submission for the Underhanded C Contest [xcott.com], which is an excellent teaching tool for discovering exploits as well as for learning about subtle bugs that may drive you utterly mad trying to find.
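
An added example, not part of the thread and not the code from the linked story: a constructed C illustration of the "subtle logic error" class the comment above mentions, next to a reviewed form. The struct, flag names and function names are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-ins for a process credential and option flags;
   hypothetical names, not taken from any real kernel source. */
#define OPT_A 0x1
#define OPT_B 0x2
#define ERR_INVALID (-22)

struct cred { unsigned uid; };

/* Reads like input validation: reject an odd flag combination for root.
   The second operand assigns instead of comparing, so the caller's uid
   becomes 0. The assigned value 0 is false, so the error branch is never
   taken and the call looks like an ordinary success. The extra
   parentheses also silence the usual compiler warning. */
int check_options_subtle(struct cred *c, int options)
{
    if ((options == (OPT_A | OPT_B)) && (c->uid = 0))
        return ERR_INVALID;
    return 0;
}

/* Reviewed form: the credential is const, so any assignment to it is a
   compile error, and the test is a real comparison. */
int check_options_fixed(const struct cred *c, int options)
{
    if ((options == (OPT_A | OPT_B)) && (c->uid == 0))
        return ERR_INVALID;
    return 0;
}

int main(void)
{
    struct cred user = { 1000 };
    int rc = check_options_subtle(&user, OPT_A | OPT_B);
    printf("subtle: rc=%d uid=%u\n", rc, user.uid);

    user.uid = 1000;
    rc = check_options_fixed(&user, OPT_A | OPT_B);
    printf("fixed:  rc=%d uid=%u\n", rc, user.uid);
    return 0;
}
```

A regression test that asserts on side effects (the uid after the call), not only on the return code, is what distinguishes the two functions.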

  • Bruce Schneier (Score:5, Interesting)

    by david_a_eaves ( 1132271 ) on Tuesday October 22, 2013 @02:37PM (#45204149) Homepage
    I am sitting next (or at least across) from Bruce right now. He is definitely interested (and humoured) in this conversation. As he notes, he's written a book on it. I'd say that a conversation about Bruce's trustworthiness is definitely worthwhile. One should have it about everybody. Of course, it means we should also have it about the people who are most interested in trying to attack Bruce's trustworthiness.
  • Re:Trust no one (Score:4, Interesting)

    by Crosshair84 ( 2598247 ) on Tuesday October 22, 2013 @02:46PM (#45204349)
    Anyone who knows anything won't be scared by this. The problem the NSA has is the EXACT same problem as the Stasi or whatever secret police anywhere has had: mass surveillance doesn't work.

    The fundamental problem is that as the size of your data set increases linearly, the number of false positives increases exponentially. More computers will not fix this because humans can't be reduced to a series of if/then statements; the computer will either miss gobs of important info or spit so many false positives at you as to be worthless. It takes analysts to sift through data making connections, and with this data deluge their scarce time and effort is wasted chasing dead ends.

    How ineffective is mass surveillance? The Soviet Union and Warsaw Pact nations back in the day could not stop the illegal drug trade operating within their borders despite trying as hard as they could to do so. Think about that, nations where you need to apply for a frigin passport to go to the town 10 miles over for a weekend could not interdict and stop the illegal drug trade even while monitoring a massive portion of the population.

    What kept the population under control at this time was the government controlling the information the population received. Do you think the North Korean government would last 10 minutes if everyone there was suddenly made aware of living standards outside their country? Likewise in the Soviet Bloc, people there only had vague rumors of the living standards of the west that could easily be disregarded as exaggeration or propaganda.

    Intelligence needs to be focused. Casting a bigger net doesn't do you any good when doing so gets you more bycatch than fish. Sure the intelligence agencies love it because it gets them big budgets, but it doesn't make them more effective. If anything, it makes them LESS effective.
