Forgot your password?
typodupeerror
Encryption Security

Ask Slashdot: Can Bruce Schneier Be Trusted? 330

Posted by timothy
from the shifty-eyes-and-a-beard dept.
An anonymous reader writes "Security guru Bruce Schneier is, among other things, a world renowned cryptography expert, author of several popular books, and a second-order internet meme. He is also an outspoken critic of the NSA, in particular the massive NSA surveillance programs disclosed over the summer by Edward Snowden. Schneier has been involved in reviewing the leaked documents and has put in effort to determine which cryptosystems should still be considered safe. I'm a big fan of Bruce Schneier, but just to play devil's advocate, let's say, hypothetically, that Schneier is actually in cahoots with the NSA. Who better to reinstate public trust in weakened cryptosystems? As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?"
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Can Bruce Schneier Be Trusted?

Comments Filter:
  • Trust no one (Score:5, Insightful)

    by Bodhammer (559311) on Tuesday October 22, 2013 @11:36AM (#45201293)
    Seriously... Especially the Govt. (and clowns - clowns scare me...)
    • Re:Trust no one (Score:5, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Tuesday October 22, 2013 @11:54AM (#45201551)

      You have to trust someone, somewhere along the line.

      Even the compiler can be compromised. Ken Thompson showed that.

      Where I think "anonymous coward" is wrong is that he's implying the Bruce Schneier would NEED to be compromised by the NSA. He wouldn't.

      There are two aspects to "crypto".
      1. The math.
      2. The implementation.

      Bruce can validate that the math seems to be correct (or he can be compromised into saying that it seems to be correct) but it is the implementation that gets used.

      So even if Bruce actually believed that the math was correct, the NSA could compromise the people/organisation/company that turned that math into a product that you would use.

      And it is much easier to claim that a flawed implementation was an innocent mistake than to compromise EVERYONE who can understand the math behind it.

      • Re:Trust no one (Score:5, Informative)

        by godrik (1287354) on Tuesday October 22, 2013 @12:16PM (#45201819)

        "Even the compiler can be compromised. Ken Thompson showed that."

        Well, double compiling techniques can be used to certify a compiler. (Though it actually assume that you have access to an other safe compiler, which is a little bit complicated, but doable)

        http://arxiv.org/abs/1004.5534 [arxiv.org]

        • by Jeremiah Cornelius (137) on Tuesday October 22, 2013 @12:22PM (#45201897) Homepage Journal

          Why not? I have his SHA256 hash, right here, on this USB stick.

          But wait! Am I sure I spelled "Schneierer" correctly?!?

        • by dwheeler (321049) on Tuesday October 22, 2013 @12:28PM (#45201993) Homepage Journal

          Thanks for pointing out my Diverse Double-Compiling (DDC) paper!

          My page on Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) [dwheeler.com] has more details, including detailed material so you can duplicate the experiments and re-verify the proofs. Note that you do not have to take my word for it.

          You have to trust some things. But you can work to independently verify those things, to determine if they're trustworthy. I don't always agree with Bruce Schneier, but after watching what's he's done for years, I've determined that he's quite trustworthy. This is the same way we decide if we should trust anyone or any thing. In short: "trust, but verify".

        • by HiThere (15173)

          No. You don't need a compiler you can trust to start with, merely one that you know hasn't been compromised by people colluding with those who may have compromised the first one.

          E.g., you could take a C compiler written in, say, Algol and use it to compile the GCC C compiler. That would give you a full C compiler that you could trust. You can be pretty sure that whoever wrote the C compiler in Algol wasn't talking to the people who wrote GCC, so any tricks they slipped into the C compiler wouldn't be rec

      • Re:Trust no one (Score:5, Insightful)

        by ShanghaiBill (739463) on Tuesday October 22, 2013 @12:19PM (#45201841)

        the NSA could compromise the people/organisation/company that turned that math into a product that you would use.

        An obvious solution to this would be two (or more) independent implementations. The implementations wouldn't even need to be done by trustworthy entities, just entities unlikely to cooperate. If the NSA does one implementation, China does another, Russia does a third, and they all produce identical output, then that would be good enough for me.

      • Re: (Score:2, Insightful)

        by Garridan (597129)

        You have to trust someone, somewhere along the line.

        No. No you don't. You should always remain skeptical, consider motivation as well as message, and read between the lines. Think for yourself and check facts.

        It is better to trust the math community (a large body of people of varying motives, hence less corruptible by a single source) than Schneier. It is even better to learn the math yourself. It's even better to kick down the doors of the NSA and demand answers. But that last one will probably get you shot or worse.

        • Re:Trust no one (Score:4, Insightful)

          by bmearns (1691628) on Tuesday October 22, 2013 @12:49PM (#45202357)

          But from whom do you learn the math? A teacher? A textbook? Unless you derive it all yourself from base axioms, you do have to trust someone at some point. Math is logic, pure and simple: that's true, but it is subtle enough and complex enough, especially at the level of cryptography, that you could be taught something which is false and yet verifiable (i.e., internally consistent, but externally incorrect). And of course, beyond outright misinformation, there is the very real possibility that the math is sound but someone has discovered a technique for busting right through it.

          But I think the more important point is that our entire society breaks down instantly without trust. Specialization is the basis for all of human advancement, and trust is the basis for specialization. You don't learn to build a car yourself, you trust an auto mfr to do it for you. You don't spend time growing or hunting your own food, you trust the food industry to provide you with safe and sufficient sustenance. If you didn't trust anyone, you'd spend all your own time and resource attending to your most basic needs.

          The same goes for cryptography and software: everybody uses crypto these days (TLS, for instance), but the vast majority of people don't have any where close to the expertise to verify even the algorithms, let alone the implementations. Sure, we could have a society of crypto experts and everyone could independently verify every algorithm and every piece of code that they use. But whose going to build the the cars and grow the food?

          • Re: (Score:3, Funny)

            by Garridan (597129)

            But from whom do you learn the math? A teacher? A textbook? Unless you derive it all yourself from base axioms, you do have to trust someone at some point.

            A proper math education starts from basic axioms. A teacher should merely guide a math student through derivation of that mathematical knowledge which is taught, all from base axioms. In my undergrad, math majors were required to take a course on the axiomatic foundation of math (set theory). The classes that depended on that built the foundations of algebra, analysis, etc. upon those same axioms. The subsequent built upon those results, etc.

            One problem with crypto is that we've never seen a hardness

      • Re:Trust no one (Score:4, Informative)

        by girlintraining (1395911) on Tuesday October 22, 2013 @12:42PM (#45202239)

        You have to trust someone, somewhere along the line.

        The open source movement (Down people! It's just an umbrella term, not an excuse to rage about the nuaned differences in licensing) recognized early on that the only way to create reasonably secure code is to publish it and let anyone look at it. Politics demands that for every group of people out there wanting power for a specific purpose, there's another group willing to sabotage them. As long as the code is a black box, the war between those groups will be won and fought or lost without anyone being the wiser -- unless the code is published.

        Then, regardless of individual motive, you're on one of either two sides: Publish or don't. If you publish, there's a big risk of being identified if you try anything and in covert operations anonymity is better than bulletproof armor. Nobody's going to risk having their real identity linked to a subversion attempt. So that leaves not publishing -- keeping potential exploits to yourself. This is what the NSA and other intelligence communities are doing.

        When you play that game, however, you're stuck in an arms race where every participant is fighting a war on two fronts -- they can exploit the holes in the enemy's systems, but because the enemy uses a lot of the same technology, they can turn around and do the same to you... which means every weapon is 'single use' against hard targets. But I guess that's how the NSA likes it; As long as you have tons of money to waste, those with the most gold have the most power. It's direct proportionality.

        Actively maintained open source though allows people to build reasonably secure systems without a big investment -- anyone can incrementally improve it. So if you aren't the NSA (ie, second place and below)... it makes sense to contribute to projects like Linux and build your security around them. The NSA has been 'caught' (as much as anyone can be caught in cyberwarfare -- attributation is a bitch, anyone who has researched it knows this) several times trying and failing to create exploits in Linux. This tells me that the cost of finding a linux exploit is now at least equal to that of its closed-source competitors, and may even be higher -- otherwise why risk exposure?

        Any once you find a linux exploit, you're still on the clock -- this isn't like closed source. New people are constantly looking at code, even old code, and could discover your hard-won exploit and close it. Basically, if you're not a "top 10" government and you want security... use open source.

        • 'The open source movement (Down people! It's just an umbrella term, not an excuse to rage about the nuaned differences in licensing) recognized early on that the only way to create reasonably secure code is to publish it and let anyone look at it. '

          To make the claim that linux has been never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.

          Certainly - some classes of backdoor are tri

          • by Valdrax (32670) on Tuesday October 22, 2013 @02:07PM (#45203663)

            To make the claim that linux has been never been intentionally weakened in security, you need to know that every single security vulnerability in Linux (to take one example) was due to carelessness, not intended action.

            Certainly - some classes of backdoor are trivially obvious 'if(sourceip==NSA)' - but others can be subtle logic errors.

            You mean like this attempt in 2003? [slashdot.org]

            Personally, I'm not longer all that impressed by the IOCCC. [ioccc.org] Don't get me wrong, some of the code submitted there shows utterly insane levels of skill. However, the above is an excellent example of a good submission for the Underhanded C Contest [xcott.com], which is an excellent teaching tool for discovering exploits as well as for learning about subtle bugs that may drive you utterly mad trying to find.

      • Re:Trust no one (Score:5, Insightful)

        by PopeRatzo (965947) on Tuesday October 22, 2013 @02:07PM (#45203667) Homepage Journal

        If you were the NSA, wouldn't you plant stories in places like Slashdot suggesting that you can't trust the people who are fighting to protect you from the NSA?

        Which Slashdot editor is so nearsighted that they couldn't see this obvious FUD?

        • Bruce probably doesn't want you to trust him implicitly. You should always keep your wits and take actions to make sure you're not being taken advantage of. I read a while ago about a guy who tricked his son into running into a mirror and was flamed for not wanting his son to trust me: but trusting someone can be dangerous. The lesson is to not let yourself get into a position where you're trusting someone else and not protecting yourself.

        • by Solandri (704621)
          This is a dangerous attitude I've been seeing increasing over the last decade. The notion that disagreement is synonymous with weakness and thus should be stomped out.

          That slashdot has topics which question sacred cows and widely-held beliefs is a good thing. If the site parroted one and only one viewpoint, then I'd be worried that there was some higher force manipulating it. The fact that contrary viewpoints are presented and moderated up is what tells me it's a functioning system of free expression.
        • by moortak (1273582)
          I think it is great to question Schneier, for the same reason we do security audits. You need to examine your trust anchors from time to time. So for Schneier, we ask ourselves a simple question, is the advice sound? The idea that the math is sound, but the implementations are broken has been a constant refrain from everyone for decades. There would be no benefit to paying or threatening Schneier to make him say that, as it has been his refrain for ages. Tomorrow the people in the field with the skills to a
    • Re:Trust no one (Score:5, Interesting)

      by Moryath (553296) on Tuesday October 22, 2013 @11:58AM (#45201603)

      And now, folks, it's time for "Who do you trust!" Hubba, hubba, hubba! Money, money, money! Who do you trust? Me? I'm giving away free money. And where is the Batman? HE'S AT HOME WASHING HIS TIGHTS!

      So do you trust the Joker, or the Batman?

      • by steelfood (895457)

        Neither. Did you not hear what GP said? Don't trust clowns.

    • Re: (Score:2, Insightful)

      by optikos (1187213)
      Applying the mantra of open source to the underlying mathematics: Learn the mathematics of cryptography yourself to find the bugs within the mathematics. Don't place your trust in any person other than yourself. Especially don't worship some brand-name as a god who, as diviner-intercessor, is your sole information-provider on the subject.
      • Re:Trust no one (Score:5, Insightful)

        by Idarubicin (579475) <allsquiet.hotmail@com> on Tuesday October 22, 2013 @12:49PM (#45202359) Journal

        Applying the mantra of open source to the underlying mathematics: Learn the mathematics of cryptography yourself to find the bugs within the mathematics. Don't place your trust in any person other than yourself.

        Which is why I always x-ray the concrete and perform a full metallurgical analysis on the structural steel before I drive across one of those government-built bridges. Sure, I had to do a four-year engineering degree, but it was worth it.

        Seriously, "trust no one, and validate everything from first principles" breaks down very quickly if you try to apply it to any but the narrowest portion of your life. Figuring out workable and robust ways to evaluate trustworthiness of other parties is a damn useful (and equally damn difficult) problem.

      • Re:Trust no one (Score:5, Insightful)

        by swillden (191260) <shawn-ds@willden.org> on Tuesday October 22, 2013 @01:01PM (#45202593) Homepage Journal

        Applying the mantra of open source to the underlying mathematics: Learn the mathematics of cryptography yourself to find the bugs within the mathematics. Don't place your trust in any person other than yourself. Especially don't worship some brand-name as a god who, as diviner-intercessor, is your sole information-provider on the subject.

        Care to point me to the "mathematics" of AES? How about SHA-2? For that matter, will studying the mathematics of RSA make it clear why a chosen ciphertext attack renders RSA with PKCS#1 v1.5 padding vulnerable, and how using Optimal Asymmetric Encryption Padding instead addresses the issue?

        Seriously, the above is laughable advice. Oh, by all means learn crypto if you're interested, it's a fascinating subject -- one which you can easily devote your entire lifetime to, though you'll have to pick a sub-specialty if you really want deep understanding of the sort that will let you meaningfully evaluate the security of some real-world elements.

        The reality is that you must rely on someone else. Even serious academic cryptography researchers make no claims to be able to fully understand anything outside their narrow area of focus, and they're also quick to point out that even when the theory is great, implementations may contain subtle defects which are extremely hard to find. The "open source" mantra is indeed exactly what we need, but your average developer -- bright though he or she may be -- simply doesn't have the background needed to contribute very effectively, and it doesn't make sense for everyone to invest the time needed to acquire that much background.

        Instead, what we need is what we have: An open security research community. It could be bigger, of course, and I'd encourage anyone who has an interest in this stuff to get involved. And I'd also encourage everyone else to become more informed. But expecting to be able to make a significant contribution to improving security with just a little math is misguided.

    • Re:Trust no one (Score:4, Interesting)

      by MightyYar (622222) on Tuesday October 22, 2013 @01:26PM (#45202969)

      Trust might be too strong of a word, but you do need to defer to authority if you interact with society at all. I don't think it is possible to be an expert in everything that you use or interact with on a daily basis and - unless you eschew medical care - you will defer to someone with a medical education at several times in your life. So no, you don't need to trust Schneier or anyone else in cryptography. But your only alternatives are to not use it at all for the purpose you were considering or become educated enough in the field to make your own judgements.

      Back on topic, even if you don't trust that the encryption won't frustrate the NSA, it is probably fine for most people's business purposes.

    • by hairyfeet (841228) <bassbeast1968&gmail,com> on Tuesday October 22, 2013 @01:36PM (#45203105) Journal

      I agree 100%,which is why I wonder why so many attack when I suggest that we should simply discuss whether Naomi Wolf is on to something when she suggests that Snowden may be a plant [nymag.com] working still for the NSA. After all it DOES make sense, you can't have a chilling effect if nobody knows to be scared but at the same time there would be too much backlash (not to mention giving groups like the ACLU court standing) if they just came out and said it, so what to do? The answer is simple...disgruntled employee.

      This way those that you want to be scared, the ones that read up on such things, your rabble rousers, WILL be scared and the clueless can be told "its just a disgruntled employee, nothing to see here" and they will go along, finally groups like the ACLU and FSF can't get a court case unless the gov admits they are spying on everyone (because the courts say you have to show you were targeted to have standing) so the disgruntled employee angle neatly sidesteps it. You have to admit, if he is a plant? Its WELL played. I have talked to plenty of folks at the shop and on forums that fear talking out about politicians or the gov for fear of getting a file started while at the same time most of the right wing teabagger types have parroted the disgruntled employee angle, well played.

      As for TFA I'm sure if you ask Bruce Schneier he'll tell you the same, that you shouldn't trust him or anybody else. Of course the bitch is everything from SELinux to most of our crypto now needs to be looked at with an aura of mistrust because much of it ame from the NSA or won NSA contests so you have to wonder, did they choose it for a nefarious reason? Like they know how to break it? And after reading up on the Kickstarter I'm fully convinced Truecrypt is worthless thanks to the extra blob it has on Windows that nobody knows WTF it does and the fact it won't compile from source and work.

      What we need now is a handful of guys like Schneier to come together and give us some basic crypto tools that can be independently compiled, tested, and retested to insure that it works. But if I were forced to choose between something that has been handled or approved by the NSA, something like Truerypt where we now know that the source and binary do NOT math and there are hidden extra bits on Windows, or something approved of by Schneier or worked on by him like twofish? I think I'd choose Schneier.

      BTW does anybody know of a tool that does full disc encryption on Windows like Truecrypt that ISN'T a big question mark when it comes to sewcurity?

      • Re:Trust no one (Score:4, Interesting)

        by Crosshair84 (2598247) on Tuesday October 22, 2013 @02:46PM (#45204349)
        Anyone who knows anything won't be scared by this. The problem the NSA has is the EXACT same problem as the STAZI or whatever secret police anywhere has had, mass surveillance doesn't work.

        The fundamental problem is that as the size of your data set increases linearly, the number of false positives increases exponentially. More computers will not fix this because humans can't be reduced to a series of if/then statements, the computer will either miss gobs of important info or spit so many false positives at you to be worthless. It takes annalists to sift through data making connections and with this data deluge their scarce time and effort is wasted chasing dead ends.

        How ineffective is mass surveillance? The Soviet Union and Warsaw pact nations back in the day could not stop the illegal drug trade operating within their borders despite trying as hard as they could to do so. Think about that, nations where you need to apply for a frigin passport to go to the town 10 miles over for a weekend could not interdict and stop the illegal drug trade even while monitoring a massive portion of the population.

        What kept the population under control at this time was the government controlling the information the population received. Do you think the North Korean government would last 10 minutes if everyone there was suddenly made aware of living standards outside their country? Likewise in the Soviet Block, people there only had vague rumors of the living standards of the west that could easily be disregarded as exaggeration or propaganda.

        Intelligence needs to be focused. Casting a bigger net doesn't do you any good when doing so gets you more bycatch than fish. Sure the intelligence agencies love it because it gets them big budgets, but it doesn't make them more effective. If anything, it makes them LESS effective.
        • Re:Trust no one (Score:5, Insightful)

          by killfixx (148785) * on Tuesday October 22, 2013 @03:52PM (#45205333) Journal

          Hrmmm... You have a great point... More computers won't make the job easier... Smarter computers will...

          Look at Watson... Specifically designed to measure the value of information in both directions and use these values real time as it sorts through massive amounts of data...

          Areas where humans were thought to be the only solution, here comes Watson...

          Law, medical diagnostics, computer software troubleshooting, etc...

          These are all areas where Watson will soon dominate...

          We can only hope the Utah data center will NOT have IBM as one of the contractors...

          • Watson will suffer the exact same problem, false positives increase exponentially when your data set increases at a linear rate.

            Just because a computer can compete on Jeopardy and do a decent job of recommending cancer treatments, which are all double checked by humans BTW, does not mean it won't spew garbage when given terabytes of new data every day. Real intelligence is non-algorithmic, a computer will never be be to match it, only perform a crude simulation of it.
    • Agreed. Of COURSE Bruce Schneier can't be trusted. I believe he himself would say, "trust is something you must determine for yourself." That said, I don't think there are many folks better at it than he is.
  • by bhlowe (1803290) on Tuesday October 22, 2013 @11:37AM (#45201307)
    I use two cyphers, just in case. In my case, I found ROT13 and XOR excellent for speed and obfuscation.
    • by Gibgezr (2025238) on Tuesday October 22, 2013 @11:47AM (#45201457)

      This is why we need a "+2 insightful AND funny" category, dammit.

    • Well, if you XOR with a good random one-time pad, I don't think that anyone can break your encryption ever, not even with a quantum computer.

      The ROT13 is just unnecessary fluff.

      --PM

    • I use 2ROT13.

    • by Empiric (675968)

      Chained-XOR (say, XOR-ing with the key byte sequence -and- the preceding file bytes in the last XOR-ing round, with an arbitrary key length) is actually quite secure.

      IIRC, it is one of the techniques that automatically qualified an algorithm as an unexportable "munition".

      • by TheCarp (96830)

        Whats funny about that is, I am pretty sure I suggested XOR in CBC mode to someone recently as a joke. Didn't even realize I was suggesting they use unexportable munitions :)

    • I do the same, I ROT13 and XOR the resulting text with itself. Completely unbreakable, and as a bonus, the encripted text compresses pretty well.

  • witch (Score:5, Funny)

    by stormpunk (515019) on Tuesday October 22, 2013 @11:37AM (#45201313) Homepage

    Obviously we burn him at the stake. If he burns he was innocent.

  • Easy (Score:5, Insightful)

    by TubeSteak (669689) on Tuesday October 22, 2013 @11:37AM (#45201323) Journal

    and has put in effort to determine which cryptosystems should still be considered safe.

    Have someone(s) double check his work.
    We should be doing that anyway, even for someone who is 100% trusted.

  • by Skapare (16644) on Tuesday October 22, 2013 @11:38AM (#45201331) Homepage

    ... Anonymous Coward. There are some very suspicious posts he makes. And besides, he seems to never sleep.

  • ...not trusting and simply relying upon his evaluations and pointing out that you need to think for yourself.

    Not a very positive trait for the NSA irrespective of their goals.

  • by Hypotensive (2836435) on Tuesday October 22, 2013 @11:42AM (#45201403)

    If you're talking about absolute trust, i.e. "I trust him" = "I trust him to do anything", you should probably have your head examined.

    Phrase your questions better and you will get more useful answers.

  • Oh please (Score:4, Informative)

    by weav (158099) on Tuesday October 22, 2013 @11:43AM (#45201405)

    If we can't trust old Bruce, we're all screwed. Though possibly we are anyway. But if he's an asset, he's pretty well disguised.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Dude, Bruce Schneider doesn't even trust his own private keys. That should be a lesson to us all.

  • by PPH (736903) on Tuesday October 22, 2013 @11:43AM (#45201407)

    ... to point out the systems that should not be trusted. IMO, there is nobody I'll trust to tell me that a system is safe. Only time and repeated inspections will get something close to a state of trust.

  • I've got exactly what you need [urbandictionary.com]! Tinfoil hats are cheap [amazon.co.uk]. They are easy, to make too, it takes less than two [youtube.com] minutes. Don't believe the MIT study [theatlantic.com] that debunks the time honored tinfoil hat, it's a government conspiracy you know!

    Don't worry, there are support groups [meetup.com] for conspiracy theorists! Now I know like any number of other conspiracy theories those pesky facts might get in the way [popularmechanics.com]. However, learn from Joseph Goebbels [psywarrior.com] and don't ever let logic, facts or reality get in your way. I know you look like a raving l

  • by trifish (826353) on Tuesday October 22, 2013 @11:46AM (#45201449)

    Problem: Paranoia
    Solution: None

  • by new death barbie (240326) on Tuesday October 22, 2013 @11:47AM (#45201451)

    Bruce Schnier may be the front-line spokesperson for the security community, but that should be completely separate from his body of work in cryptography. At the bottom line, he's doing mathematics, and mathematical proofs can be reproduced and confirmed -- or debated and disproven -- by anyone else in any country with sufficient background to understand them.

    He is not some guru spouting unprovable wisdom from a mountaintop, he is a member of a scientific community, and if he is able to earn and keep the respect of that community, then that's a pretty good indication that he knows what he's talking about.

    • by godrik (1287354)

      There is something else. Bruce Schneier is a public figure in the cryptography area. Scientist need to fight for money and a large part of it comes from reputation and fame. If Bruce said something that appear wrong to security researchers, they would speak up, just to be "the one that knows better".

  • by Boawk (525582) on Tuesday October 22, 2013 @11:49AM (#45201483)
    That's the best way to tell
  • Let the whitch hunt begin!
    Just be sure to have enough matches!
  • Logically retarded (Score:5, Interesting)

    by Ralph Spoilsport (673134) on Tuesday October 22, 2013 @11:51AM (#45201515) Journal
    An assumption of bad faith is self defeating. How can we trust YOU???

    Has Schneier given us bad advice? So far, so good it seems.

    Has Schneier been a vocal critic of the NSA? Yes.

    Has Schneier been on this file for a really long time? Yes.

    Do you have any evidence that he's in cahoots with the cryptofascists? No.

    So, all you have is a speculation to tear down the reputation of one of the good guys, a thought experiment, based on no evidence, but one that has real world consequences of spreading fear, uncertainty and doubt regarding someone who is fighting the good fight.

    Therefore, I would humbly suggest that I could and do logically conclude that YOU are a tool of the NSA, not Schneier, and furthermore, I have more evidence than you do: Your suggestion to consider Schneier as less than reliable based on zero evidence.

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      1. They are playing devil's advocate, not to tear down someone's reputation, but actually to question it in order to put it on a more solid foundation. That is not self defeating, but rather a typical method of proof by dialogue.
      2. Your argument seems to be based on deflecting the claims back on the questioner. That doesn't answer the original question about Scheier. Also, your evidence against the writer of the summary is circumstantial.
      3. If anyone actually has any evidence against Schneier's trustwort

  • Trust no one (Score:5, Insightful)

    by Dunbal (464142) * on Tuesday October 22, 2013 @11:53AM (#45201535)
    Seriously. The mere act of trusting someone will eventually lead to that person betraying said trust. Trusting someone puts them in a position of power, and power corrupts. You can't trust anyone.
    • Seriously. The mere act of trusting someone will eventually lead to that person betraying said trust. Trusting someone puts them in a position of power, and power corrupts. You can't trust anyone.

      That's a very good statement. I trust you completely.

  • by burni2 (1643061) on Tuesday October 22, 2013 @11:54AM (#45201545)

    Hi,

    read his papers check the hints within, its even possible for non crypt-math geeks to get a background understanding, because
    there are many more out there. Work out differences in their argumentation, dont just think because there is a citation it can be trusted, check what`s
    behind a citation.

    Wikipedia is the best entry point for you.

    Check Argumentation on a logical level, and question the argumentation, especially if it fits the known problems till know, when it remains true, you have a good chance that its really true.

  • It's a subjective measure, based on long experience with someone and someone's writings. It's much easier to assess trust from personal contacts, but even then you can get thoroughly disappointed - just think of some types of failed marriages as an example.

    The question is why would you personally have to trust Bruce Schneier? I don't have to, in order to enjoy his books and blog posts and make up my own mind. Has he recently asked you to hand over the masterpassword for you computer?

    Regarding business with

  • by StandardCell (589682) on Tuesday October 22, 2013 @11:56AM (#45201573)
    I guess people's paranoia with the NSA revelations have been difficult to swallow. Now everyone is slowly becoming suspicious of everyone else.

    Anything is possible I suppose. To me, it was no surprise really. I do have to say that, having worked with individuals in the security community, the primary focus really is the safety of our way of life at the hands of those who would subvert it.

    The problem comes when those of less character use the government apparatus for control, political or other purposes. It's the same reason police and military need to be kept separate - one enforces the rule of law, and one protects against enemies. When those lines are blurred, history has demonstrated repeatedly that individual rights suffer. The degree to which this happens is the degree of the moral compass of those at the helm of this extremely powerful surveillance apparatus.

    I'm not sure how many true boy scouts are really left running the show up there, but I do know this: the more paranoid we get, the more we lose. All of this need not come to pass in this way. One of the most important things I learned in my time in this world was "trust, but verify" and it rings true today. You can still trust the message that Bruce Schneier has. We have to, for otherwise we will be consumed by our own paranoia. But to verify is probably the most important point. That's where openness and information sharing in the spirit of open source is paramount and what will lead us to the proper conclusion on this matter.
  • Why? (Score:5, Funny)

    by oldhack (1037484) on Tuesday October 22, 2013 @11:57AM (#45201593)
    Agree/disagree with what he writes/says, but why do you have to trust him? Is he dating your daughter?
  • He Would Agree (Score:4, Insightful)

    by wisnoskij (1206448) on Tuesday October 22, 2013 @11:59AM (#45201625) Homepage

    This question is stupid. It would not matter if he was the most honest, intelligent, and experienced security expert in existence, he would tell you the same thing, do not trust him.

  • by Dzimas (547818) on Tuesday October 22, 2013 @11:59AM (#45201631)
    Forget Schneier. The critical question is actually "Can we trust ourselves?" I'd argue not. Many of us post all manner of information about ourselves, our family, friends and work acquaintances on Facebook, LinkedIn, Twitter, Four Square and other sites. Our GPS-equipped phones know where we are, where we've been, and can probably predict where we're going and when. Short of unplugging, there's little we can do to assure that we're trustworthy electronic citizens.
  • by ArhcAngel (247594)

    As an exercise in security that Schneier himself may find interesting, what methods are available for proving (or at least affirming) that we can trust Bruce Schneier?

    What's good for the goose is good for the gander. [xkcd.com]

  • by Hartree (191324) on Tuesday October 22, 2013 @12:02PM (#45201661)

    He's really version 2.0 of a long term general intelligence project running on a supercomputer at Fort Meade.

    Version 1.0 was called Henry Spencer and was developed in Canada.

    (The original graphics version now used for videos of him started out as Max Headroom. This demonstrates yet again, it's much easier to improve on the presentation than the underlying system.)

  • by tgd (2822)

    There's two reasons to potentially not trust Bruce Schneier -- he's in cahoots with the NSA (and by "cahoots" I mean involved in a conspiracy to somehow impact you) or he's biased against the NSA, in which case his opinions are equally untrustworthy.

    It doesn't matter why someone's opinion isn't neutral -- its just as invalid to blindly trust it if that opinion matches yours or not. In fact, its probably worse to blindly trust it if it happens to match yours because you already have a bias.

  • The BT security directorate will obviously administer the test at Martelsham/BT Labs/Disatral Park - in the time honored suffolk fashion by throwing him into the lake at the labs if he sinks we can trust him if not hes a witch :-)

    though Bruce's lack of a proper martleman beard will probably count against him.
  • Now that tinfoil hats are in fashion the answer is quite simple. If he proves a weakness then the crypto system is crap. If he doesn't then regardless of his motives the system still can't be trusted.

    Here is where we can even add a layer of lead to our tinfoil hats. What is to say that the NSA doesn't have working quantum computers? Thus almost any system that is susceptible to any sort of quantum math such as factoring is quite simply dead as far as the NSA is concerned.

    This last is an important cons
  • make it to the front page of Slashdot?
  • Put Schneier in a ring with Bruce Wayne, Bruce Willis, and Bruce Lee. See who survives.

    • by Arker (91948)

      "Put Schneier in a ring with Bruce Wayne, Bruce Willis, and Bruce Lee. See who survives."

      Obviously the answer is no one. Lee is already dead, and he will still kill all the others before they can make it over the rope.

  • No secret last longer than 6 years, 5 years on average. Planning on it could save one from some, um, uncomfortable outcomes. If one is looking at Crypto, look at those who are successful. The Banking Industry. Why? How many Bankers have gone to jail, damn few. Also, who's making the money in Banking? That's who Crypto as superior. If one plans on being ratted out, then one can move forward with more confidence, by not creating an naive enviornment.
  • by Imagix (695350)
    Reminds me of a scene from Andromeda when Tyr was advising a prince:
    Tyr: Trust no one
    Prince: Can I trust you?
    Tyr (incredulous): No!
  • It's been awhile since Bruce really has said anything that hadn't already been thought through, discussed, and agreed on by a large part of the industry. Bruce leads from the middle of the pack these days - so who cares if the NSA has compromised him?
  • by cpghost (719344) on Tuesday October 22, 2013 @02:08PM (#45203693) Homepage
    Since Bruce Schneier himself said that you can't trust US-based cryptography companies, because such companies can be compelled by law to cooperate with the CIA... doesn't it also mean that NO US Person who is under the jurisdiction of the NSA can be trusted w.r.t. crypto advice? Is there a law of some kind in the US that muzzles US crypto researchers and forces them not to disclose certain facts that could harm the NSA's ability to operate? I'm just curious.
  • Bruce Schneier (Score:5, Interesting)

    by david_a_eaves (1132271) on Tuesday October 22, 2013 @02:37PM (#45204149) Homepage
    I am sitting next (or at least across) from Bruce right now. He is definitely interested (and humoured) in this conversation. As he notes, he's written a book on it. I'd say that a conversation about Bruce's trustworthiness is definitely worthwhile. One should have it about everybody. Of course, it means we should also have it about the people who are most interested in trying to attack Bruce's trustworthiness.
  • by cstacy (534252) on Tuesday October 22, 2013 @03:48PM (#45205281)
    Is it reasonable to ask if Bruce Schneier can be trusted? WWBSD? A little history might inform your thinking on this question.

    One of the early projects that Schneier lead, precipitated by the Y2K date crisis, was a security evaluation of old COBOL system (code-named "ZEBRA") that was still being used by a certain un-named U.S. Government agency.

    This mainframe software had not been maintained for some years, except by patching the binary image; no online version of the source code was available. It would be too hard to audit that way, so they decided to upload the original code (from paper), recompile, diff against the binaries, and eventually reconstruct accurate source code for the Y2K bugs and security issues.

    Schneier's group decided to use OCR. The source code had been "line printed" [wikipedia.org] on "greenbar" paper, where alternate lines have a light green background stripes for contrast. The problem was that OCR scanners of the day were designed only for black-and-white, and would get confused by the green stripes, and sometimes mis-scan some letters and numbers [slashdot.org], making this source code unreliable. This required them to manually read and type in corrections, to about half the code!

    Bruce Schneier is an outspoken critic of agencies like the DHS and the TSA, but he has been a consultant for the Government in the past. And as you can see from the above story, he was originally an early proponent of scanners, and only in more recent years has spoken out against them [schneier.com]. So it is quite reasonable to ask if Bruce Schneier has ever changed his stripes [snopes.com].

We don't know one millionth of one percent about anything.

Working...