Bruce Schneier interview

Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security

Author: alt.don PostPosted: Tue Nov 15, 2005 7:26 pm    Post subject: Bruce Schneier interview
    ----
Hi guys/gals,

It appears that Mr. Schneier is willing to do an interview for us. To that end please post the questions you would like to see posed to him in this thread. I will give it a week for questions to be posted to this thread.

Thanks,

Don


Last edited by alt.don on Tue Nov 15, 2005 8:20 pm; edited 1 time in total

Author: ryansuttonLocation: San Francisco, California PostPosted: Tue Nov 15, 2005 8:14 pm    Post subject:
    ----
Datah, Justin, where you guys at?!?! Very Happy

Author: alt.don PostPosted: Tue Nov 15, 2005 8:22 pm    Post subject:
    ----
Well one question that I would like Mr. Schneier to answer is "at what stage does encryption strength become a national security issue?". After all the bad guys are also able to use robust and free encryption.

Author: ryansuttonLocation: San Francisco, California PostPosted: Tue Nov 15, 2005 8:52 pm    Post subject:
    ----
Interesting point and if you really want to spend some time thinking about it as a national issue a good read is digital fortress, purley from a fictional standpoint but interesting none the less.

Author: moondoggie PostPosted: Wed Nov 16, 2005 4:43 am    Post subject:
    ----
wow, what a great post to look forward to. i guess i would like to know his take on the sony xcp rootkit phenomenon and whether or not that scheme is ultimately secure enough to actually protect the data

Author: Secure Lockdown PostPosted: Wed Nov 16, 2005 5:48 am    Post subject:
    ----
ask Schneier what he thinks of Zimmerman and his new VOIP & crypto initiative.

Author: PhiBerLocation: Your MBR PostPosted: Wed Nov 16, 2005 6:40 am    Post subject:
    ----
1.) Recently, you mentioned that you feel ISP's should be held liable for bad network traffic (i.e. viruses, spam, phishing, etcetera). What do you think is the best way of doing this, and how would you reduce false negatives? Also, what would you say to someone who claims that this is no different to holding car manufacturers responsible for drunk driving, gun makers for illegal use of their weapons, and so on.

2.) What do you think about the upcoming World Summit on the Information Society and the implications of giving DNS control to the European Union? Do you think that ICANN should continue to hold a prominent role in the governance of the Internet Root Servers?

Author: Guest PostPosted: Wed Nov 16, 2005 9:31 am    Post subject:
    ----
The interviews have been great but leave out the "what coding language, scripting etc tcp/ip skills should ..." question and it makes a more enjoyable read, unless it of course is in contrast with the other questions made to the person (ie in ron gula interview the last question didn't really fit in, imho) Wink

Author: alt.don PostPosted: Wed Nov 16, 2005 2:02 pm    Post subject:
    ----
Hello Marko,

Well the interviews have geared around having an interview with a security professional and what their views are on not only contemporary issues, but also in what it takes to be a security pro. That includes core skills like programming, and networking ie: TCP/IP. Getting their opinion on these areas is indeed desired. That being said there has been enough now that all of the answers from the various interviewee's has pretty much been the same. Lastly, you are always welcome to suggest future people for interviews, and formulate questions. That is sometimes not an easy task I might addd. Either way I am happy that you are enjoying them.

Author: Guest PostPosted: Wed Nov 16, 2005 2:42 pm    Post subject:
    ----
Maybe the questions should be stated so that it doesn't lead the person to answering about programming and tcp/ip, but allows the person to give an opinion about what he/she considers nice.

That being said, few questions for Schneier:

1. In a nutshell, what do you think of the Sony rootkit case?
2. What in your opinion are the biggest threats that will face us online in the near future (like worms, organized crime, and so on)?
3. What is your opinion about staying anonymous online? Is it really possible legally/illegally?

Then a new suggestion for interview: Raven Alder

Author: AmitabhLocation: Australia PostPosted: Wed Nov 16, 2005 3:49 pm    Post subject:
    ----
What sort of interview will it be?
Anyway my question: I want to know about the various patent laws dealing with cryptography and software in general. What is the future?

Specifically, I want his opinion on patents in cryptography. And how to know if I am violating a patent and if I should worry about it? (additionally, is it necessary to obtain a patent and if so how?)

Author: Secure Lockdown PostPosted: Wed Nov 16, 2005 4:22 pm    Post subject:
    ----
alt.don wrote:
...what it takes to be a security pro.


In that case, I pull back my initial question about Zimmerman and ask if you can ash Schneier what "he" thinks is the best way to graduate from computer/network support/sys admin work and into a info sec role where he/she is doing only info sec and no more admin/support work anymore.

SL

Author: moondoggie PostPosted: Thu Nov 17, 2005 3:51 am    Post subject:
    ----
i actually have a different question for mr schneier: i was reading his entry on RFID passports and RFID security and i was wondering how much of security is based on research and how much is based on a priori knowledge?

Author: PhiBerLocation: Your MBR PostPosted: Thu Nov 17, 2005 7:37 pm    Post subject:
    ----
moondoggie wrote:
wow, what a great post to look forward to. i guess i would like to know his take on the sony xcp rootkit phenomenon and whether or not that scheme is ultimately secure enough to actually protect the data


In case you were still interested, Bruce wrote an article about this posted on wired today.

Author: B-ConLocation: int main() PostPosted: Sat Nov 19, 2005 12:43 am    Post subject:
    ----
Does he forsee the developement of a cryptographically secure hash any time in the near future? And does he anticipate finishing his own hash based on Phelix?

Author: mxb PostPosted: Sat Nov 19, 2005 9:02 pm    Post subject:
    ----
My questions are the following:

1) You have previously suggested holding software developers liable for the security in their products. What is your opinion about free software? Do you think that it will be one single event that causes a hold shift in viewpoint for the entire commercial software industry? What do you think it will be?

2) As privacy seems to be currently eroding away, with the requests for wiretapping VOIP calls, logging of internet usage, and so forth, do you think that eventually the general public will realise and start to demand that privacy back?

3) With the current tactics being employed by the RIAA/MPAA against file sharers, what do you think about the current generation of file sharing networks? Do you think that actions by such corporations are a major driving force behind the research and development of anonymous and encrypted networks?

Cheers,
Martin

Author: B-ConLocation: int main() PostPosted: Sat Nov 19, 2005 10:57 pm    Post subject:
    ----
Hey,

mxb wrote:
1) You have previously suggested holding software developers liable for the security in their products. What is your opinion about free software?


He answered this question in (I believe) Secrets and Lies. He believes that only proprietary software deserves to be held liable.

Quote:
2) As privacy seems to be currently eroding away, with the requests for wiretapping VOIP calls, logging of internet usage, and so forth, do you think that eventually the general public will realise and start to demand that privacy back?

3) With the current tactics being employed by the RIAA/MPAA against file sharers, what do you think about the current generation of file sharing networks? Do you think that actions by such corporations are a major driving force behind the research and development of anonymous and encrypted networks?


Excellent questions. I would heartily second them.

Author: mxb PostPosted: Sat Nov 19, 2005 11:22 pm    Post subject:
    ----
B-Con wrote:
He answered this question in (I believe) Secrets and Lies. He believes that only proprietary software deserves to be held liable.


Indeed, I think you are correct. I've only just finished reading it again, so that might be why I 'thought' of it!

Cheers,
Martin

Author: JustinTLocation: Asheville, NC, US / Uberlāndia, MG, Brazil PostPosted: Sun Nov 20, 2005 6:26 am    Post subject: MACs and notions.
    ----
All of this, preferably (it's long, but the context is needed):

JustinT wrote:

As an academic researcher in cryptography, I pay attention to what you might call the "nitty gritty" areas of cryptanalysis, that the layman wouldn't be aware of; the layman is, ironically enough, sometimes the individual responsible for incorporating some type of cryptographic layer within their framework. When doing a superficial analysis of the specifications, the first thing I look for, habitually, is a MAC. When arriving at some sensible, conservative threat model, more often than not, an integrity failure is just as detrimental than a confidentiality failure; it's also the case, many times, that a loss of the former is even greater than the latter.

There is ample justification for the preservation of integrity through a message authentication code. I have no doubt there. My question entails correlations between notions of security, and compositions for authentication and encryption. Today, it seems plausible that for a modern implementation, we would like to have something that is IND-CCA2 secure and achieves INT-PTXT. For example, I like the rationale behind authenticating first, then encrypting last. However, given the results of Bellare and Namprempre, although this composition allows us to achieve INT-PTXT, it's only IND-CPA secure. On the other hand, there have been instances when this composition was sufficient for a particular threat model I was addressing.

I prefer relying on as few assumptions as possible, and being as conservative as possible, so my question is, "When addressing authentication, should we apply a composition that satisfies the threat model for a particular application, even if it does not particularly satisfy IND-CCA2 security ("MAC-then-Encrypt"), or should we only consider compositions that satisfy IND-CCA2, and achieve at least INT-PTXT?"

The latter seems a bit more comfortable, and here's my rationale. While the proofs associated with these notions aren't surefire guarantees of security, they are, however, useful for reducing the amount of assumptions we have to make, and I am more confident in reducing assumptions, as opposed to applying a composition that isn't IND-CCA2 secure, and assuming that my threat model considers every threat that is applicable to the scenario, and favorable to the adversary. I certainly see the rationale behind your advocation of authenticating first, as noted in your book with Niels Ferguson. However, would it be simpler, and more responsible, to encrypt first, by say, applying a SUF-CMA MAC to an IND-CPA secure encryption construction's ciphertext, which would satisfy IND-CCA2 (and NM-CCA2) and INT-CTXT (and INT-PTXT)?

I've seen both secure and insecure instances of both AtE and EtA, and there are certainly many details and subtleties to get right for either, but I'm curious as to where you stand on the importance of order, and these notions of security. I believe it to be a vital goal to strive for simplicity and the reduction of assumptions, which is my main concern. There's certainly no wrong in wanting to get the MAC part right, and those two goals seem to be key proponents in doing so!

Author: dataLocation: India PostPosted: Sun Nov 20, 2005 1:56 pm    Post subject:
    ----
To Dr.Schneier:

What is your advice to young budding cryptologist's?

Author: B-ConLocation: int main() PostPosted: Mon Nov 21, 2005 12:34 am    Post subject:
    ----
datah wrote:
To Dr.Schneier:

What is your advice to young budding cryptologist's?


I got to ask him that question in person once, and he pointed me to this article of his, as well as this other one.

Author: dataLocation: India PostPosted: Mon Nov 21, 2005 6:39 pm    Post subject:
    ----
Thankyou!

Author: alt.don PostPosted: Wed Nov 23, 2005 3:39 pm    Post subject:
    ----
Hi guys,

I will be collating the questions and sending them to Mr. Schneier. Once I am done I will be getting rid of this thread. I'm looking forward to his answers! Lastly, thanks to those of you who took the time to enter some questions.

Author: patbatemanLocation: philadelphia PostPosted: Thu Dec 29, 2005 5:14 pm    Post subject:
    ----
Any word on when this is going to be posted? Im kinda anxious to read it.

Author: alt.don PostPosted: Thu Dec 29, 2005 5:36 pm    Post subject:
    ----
Hello,

I will be posting this interview on 15 Jan '06.

Author: patbatemanLocation: philadelphia PostPosted: Thu Dec 29, 2005 6:52 pm    Post subject:
    ----
Is there a interview schedule im just not aware of? I noticed there was one that was posted last week or so. One per month im guessing is what you aim for ? Also, thanks for the quick response

Author: alt.don PostPosted: Thu Dec 29, 2005 8:06 pm    Post subject:
    ----
Hello,

I generally post one every month on the 15th barring my being kidnapped by aliens and being gang-probed or somesuch. Don't laugh! It could happen to you to! Laughing In essence on the 15th of every month is when I post one.

cheers

Author: Secure Lockdown PostPosted: Fri Dec 30, 2005 3:58 am    Post subject:
    ----
alt.don wrote:
Hello,

I generally post one every month on the 15th barring my being kidnapped by aliens and being gang-probed or somesuch. Don't laugh! It could happen to you to! Laughing In essence on the 15th of every month is when I post one.

cheers


we will send blackberry msg to alien mothership to re-schedule kidnapping for 16th.

Author: StIlTzLocation: Minnesota PostPosted: Fri Jan 13, 2006 5:55 am    Post subject:
    ----
Secure Lockdown wrote:

we will send blackberry msg to alien mothership to re-schedule kidnapping for 16th.


Whats the motherships PIN? All joking aside I am really interested in this interview as I am doing a capstone project on cryptography/cryptanalysis for part of my undergrad right now. One of my professors is a co-chair of a conference being held here in Minneapolis coming up and Bruce Schneier is one of the speakers. I plan on attending for the day, could be interesting as well.

/me Can't wait for another good interview by alt.don

-=StIlTz=-
_________________

Author: alt.don PostPosted: Fri Jan 13, 2006 4:49 pm    Post subject:
    ----
Hello Stiltz,

The interview goes up on the 15th or in two days as it were. It was not one of the best interviews we have had imho. You guys can be the judge of that though. Stiltz, don't forget that you need to go down to only one link in your sig block dude.

Cheers,

Don

Author: RFmax PostPosted: Fri Jan 13, 2006 5:09 pm    Post subject:
    ----
Stilz, thank for the heads upon the conference. I never would have known about it. Maybe see you there.

Author: StIlTzLocation: Minnesota PostPosted: Fri Jan 13, 2006 5:49 pm    Post subject:
    ----
RFmax wrote:
Stilz, thank for the heads upon the conference. I never would have known about it. Maybe see you there.


It should be an interesting conference. The other keynote is Lt.Colonel Curt Carver who is the associate dean, US Military Academy. My fellow classmates are predicting that the two butt heads hard during the conference at some point.

If you go let me know. I plan on going pending time off of work.

alt.don I know you wouldn't let us down in an interview, perhaps it was our questions that were posed...

-=StIlTz=-

Author: RFmax PostPosted: Fri Jan 13, 2006 6:07 pm    Post subject:
    ----
I was just thinking that myself. Sorry I got your nick wrong by the way. I am a huge fan of Mr. Schneier and agree with most of his assesments. So to see him in person will be a treat. Especially if I can get work to spring for the conference fee.

Author: alt.don PostPosted: Fri Jan 13, 2006 6:16 pm    Post subject:
    ----
Hi Stiltz,

I actually went with the questions that were posed by you guys and sent them to Bruce. Normally I just do them up myself, but felt it important that you guys have the ability to give input. The interview will be up on the site this Sunday 15 Jan '06.

Cheers,

Don

Author: malv PostPosted: Mon Feb 13, 2006 1:08 pm    Post subject:
    ----
Q. for Mr. Schneier:

The upcoming IEEE standard for Tweakable Narrow Block Encryption to my knowledge only deals with LRW-AES.

Recently, LRW seems to be applied by some accross the board for all ciphers instead of CBC. Can any comments be made as to the desirability of LRW for ciphers other than AES?

Should LRW-AES be considered as the 'best' at present time with regard to attacks?

Thank you
malv

Author: sn3fruLocation: Europe, EU PostPosted: Tue Feb 14, 2006 12:03 am    Post subject:
    ----
malv wrote:
Q. for Mr. Schneier:

The upcoming IEEE standard for Tweakable Narrow Block Encryption to my knowledge only deals with LRW-AES.

Recently, LRW seems to be applied by some accross the board for all ciphers instead of CBC. Can any comments be made as to the desirability of LRW for ciphers other than AES?

Should LRW-AES be considered as the 'best' at present time with regard to attacks?

Thank you
malv


LRW mode (as any other decent mode of operation) just needs a secure block cipher. It does not matter which cipher it is, as long as the cipher is secure (the proof is very simple). However, regardless of mode of operation, AES-256 is arguably the most reasonable choice today.

Author: alt.don PostPosted: Tue Feb 14, 2006 1:28 am    Post subject:
    ----
Gentlemen,

The review was already posted. Check out the interview here.



Networking/Security Forums -> Cryptographic Theory and Cryptanalysis - Internal and Transmission Security


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group