Computer Security Guru Bruce Schneier Will Now Take Your Questions

Bruce Schneier

Bruce Schneier could probably find out just about everything about you without breaking a sweat. He has built a career out of discovering weaknesses in computer systems and has analyzed security flaws in everything from biometrics to post-9/11 airline security. The designer of the popular Blowfish and Twofish encryption algorithms (the latter was a finalist for the Federal Advanced Encryption Standard), he has even earned a namecheck in The Da Vinci Code. Schneier is also the founder and C.T.O. of BT Counterpane, which calls itself “the world’s leading protector of networked information.”

In addition to writing a popular security newsletter and a blog, Schneier has also written a slew of books on the subject, including the seminal Applied Cryptography, Secrets and Lies, and his latest, Beyond Fear: Thinking Sensibly about Security in an Uncertain World.

He has kindly agreed to field your questions. Just keep in mind that even if you ask anonymously, he can probably figure out who you are.

Addendum: You can read the answers to these questions here.

Aneesh Kulkarni

How do you reconcile all the hard work you do in improving encryption algorithms with the fact that most breaches of security are from things like bribing someone with access to the data, and not from actually cracking the encryption? Does this mean that security gurus like you have succeeded with the encryption, or just that you guys are tackling the wrong problem?


I appreciate the opportunity to ask a question. I have two:

1) If we can put a man on the moon, why in the world can't we design a computer that can COLD BOOT nearly instantaneously? I know about hibernation, etc., but when I do have to reboot, I hate the three or four minutes to completion.

2) Assuming we are both still here in 50 years, what do you believe will be the most incredible, fantastic, mind-blowing advance in computers/technology during this time?

Thank you!


Considering the carelessness with which the Government (state and federal) and commercial enterprises treat our confidential information (demonstrated almost daily), is it essentially a waste of effort for us as individuals to worry about securing our data? Thanks,


With regard to identity theft, do you see any alternatives to data being king?

Right now, if I know enough about you, I can basically become you in the eyes of many companies, especially those that deal with people only over the internet or mail. Do you see any alternative systems which will mean that just knowing enough about someone is not enough to pretend to be them?

In a previous time, in-person contact was effective: I can figure out if you're the same person I talked to last time we supposedly met. What's the next identity verification system?


How do you remember all of your passwords?



Thanks for taking questions! I'd be curious as to your opinion of the risks of some of the new (upcoming) on-line storage services such as Google's Gdrive or Microsoft's Live Drive. Most home computer users don't adequately safeguard or backup their storage, and these services would seem to offer a better-maintained means of storing files; but what do users risk by lodging that much important information with organizations like Google or Microsoft?


Do you think in the future everything will go from being hard-wired to being wireless? If so, with cell phones, radios, satellites, radar, etc. using all the airwaves (or spectrum), do you think there is a potential for, well, messing everything up? I mean, I don't think the idea of running "everything" wirelessly sounds very safe. And not just from an information security standpoint. What about power outages and such? What do you think?

Thank you for your time.

Vic Winkler

Bruce, there has been some work to date on the cost-benefit economics of security. In your estimation, is this a sound approach to motivate better security (I think so), and do you think it is doomed to begin with because society has lost its collective mind and disproportionately values other things before it values the benefits of security (I think so)? If so, then do you think it's time for us to take up digital pitchforks and shine some light into the economic gatekeepers' personal lives?


Two questions:

1) Is there an equilibrium point at which the cost (either financial or time) of hacking a password becomes more expensive than the value of the data? If so, what is it?

2) With over a billion people using computers today and the millions that join every year, what is the real threat to the average person?

I cannot imagine my data is worth much to someone unless of course I am dumb enough to store sensitive data like SSN, CC Numbers, Bank Account Numbers, Company secrets, etc. on my computer, which I know people do.


What is the future of electronic voting?


I also thank you for the opportunity:

1) Do you think Google will be able to eliminate the presence of phony malware sites on its search pages? And what can I do to ensure I'm not burned by the same?

2) I recently had an experience on eBay whereby a hacker copy/pasted an exact copy of my selling page with the intention of routing payments to themselves. Afterward, people informed me that such mischief is not that uncommon. How can I ensure that doesn't happen again?

Thank you,



All ethics aside, do you think you could make more money obtaining sensitive information about high net worth individuals and using blackmail/extortion to get money from them, instead of writing books, founding companies, etc.?


Mr. Schneier:

Nearly every security model these days seems to boil down to the fact that there must be some entity in which you place your trust. I have to trust Google to keep my personal data and passwords secure every time I check my mail, even as they're sharing it across their Google Reader, Google Maps, and Google Notebook applications. I have to trust Thawte when they vouch for Google's SSL certificate. Even in physical security models, you usually have to trust someone (e.g. the security guard at the front desk, or the police).
There are always decentralized software solutions (like PGP or Tor), but strangely enough, they haven't replaced the old paradigm. In your opinion, is there a business/economic reason for this, or do you see this paradigm eventually becoming a thing of the past?


Mr Schneier,

What do you think about the government or a pseudo-governmental agency being a national or global repository for public keys? It seems that this agency could issue the keys in dongles that would serve to sign any privileged communications. If this were done, would the government insist on a back-door?

Al Donato

Mr. Schneier,
Could you please elaborate on what you think needs to be done to thwart all of the potential internet-based attacks that tend to be brewing all of the time, and why it is that no one company or Government agency has yet come up with a design?

I've met you a few times at different conventions and I enjoy your speeches. Thank you...AL

Brian Utterback

You have repeatedly maintained that most of the investments that the government has made towards counter-terrorism are largely "security theater", and that the real way to combat terrorism is to invest in intelligence. However, Tim Weiner's book, "Legacy of Ashes", shows that the U.S. government at least is particularly inept at gathering and processing intelligence. Doesn't that leave us no hope at all?


I travel a lot and have a continually growing frustration with airport security. TSA studies have shown indirectly that nobody is trying to blow us up (they found that they were able to sneak in the vast majority of bomb components that they tried to sneak in - so, logically, terrorists could have done the same). But what can we, the little people, do to help ease these frustrations (besides taking a deep breath and strapping on our standard-issue orange jumpsuits, I mean)?

Doug B

What kinds of incentives can organizations put into place to (1) decrease the effectiveness of social engineering and (2) persuade individuals to take an appropriate level of concern with respect to organizational security? Are you aware of any particularly creative solutions to these problems?

Since this is an economics blog, "incentives" should be viewed broadly.

Alexi de Sadesky

I am someone who knows little to nothing about computers. So, what would be your advice to someone like me on how to get educated about computers and the internet? A book recommendation or two would be greatly appreciated.


How worried are you about terrorists or other criminals hacking into the computer systems of dams, power plants, air traffic control, etc.?