Computer Security Guru Bruce Schneier Will Now Take Your Questions

Bruce Schneier

Bruce Schneier could probably find out just about everything about you without breaking a sweat. He has built a career out of discovering weaknesses in computer systems and has analyzed security flaws in everything from biometrics to post-9/11 airline security. The designer of the popular Blowfish and Twofish encryption algorithms (the latter was a finalist for the Federal Advanced Encryption Standard), he has even earned a namecheck in The Da Vinci Code. Schneier is also the founder and C.T.O. of BT Counterpane, which calls itself “the world’s leading protector of networked information.”

In addition to writing a popular security newsletter and a blog, Schneier has also written a slew of books on the subject, including the seminal Applied Cryptography, Secrets and Lies, and his latest, Beyond Fear: Thinking Sensibly about Security in an Uncertain World.

He has kindly agreed to field your questions. Just keep in mind that even if you ask anonymously, he can probably figure out who you are.

Addendum: You can read the answers to these questions here.


Can two-factor authentication really work on a website?

Biometrics isn't feasible because most people don't have the hardware. One-time password tokens are a hassle, and they don't really scale well -- it might be OK to have one, but not very practical to have 10. Image identification and PC fingerprinting technology that some banks are using is pretty easy to defeat with an evil proxy (i.e. any phishing website).

I think we're just kind of stuck with good old usernames and passwords. Then we just try to educate people on how not to get phished and how to pick good passwords.
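The "evil proxy" point above is worth seeing concretely. The following toy model is an added example, not code from the page, from the commenter or from any bank: a phishing page sits between Alice and her bank and relays every step live, so the SiteKey-style image, the one-time code and the PC fingerprint all check out at the real site and the attacker ends up holding the session. For contrast (this goes beyond the text) the last part models a challenge/response where the browser signs the origin it is actually connected to, which a relaying proxy cannot fix. All names, origins, secrets and the fingerprint string are constructed for the illustration.

```python
"""Toy 'evil proxy' (live-relaying phishing site) against a web login.

Constructed example: users, secrets, origins and fingerprints are made up.
"""
import hashlib
import hmac
import secrets

BANK_ORIGIN = "https://bank.example"        # assumed origin of the real site
PHISH_ORIGIN = "https://bank-example.com"   # assumed look-alike run by the attacker


def totp(key: bytes, t: float, step: int = 30) -> str:
    """Time-based one-time code: HMAC over the 30-second window, 6 digits."""
    counter = int(t // step).to_bytes(8, "big")
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"


class Bank:
    """The real site. The fingerprint is what the bank derives from request headers."""

    def __init__(self):
        self.users = {"alice": {"pw": "hunter2", "otp_key": b"alice-token-seed",
                                "image": "golden retriever",
                                "fp": "UA=Firefox/2;TZ=-6"}}
        self.sessions = set()
        self.pending = {}  # challenge -> user (origin-bound variant only)

    def sitekey_image(self, user):
        return self.users[user]["image"]           # shown after the username is typed

    def login(self, user, pw, otp, fp, t):
        u = self.users.get(user)
        if not u or pw != u["pw"] or fp != u["fp"] or otp != totp(u["otp_key"], t):
            return None
        tok = secrets.token_hex(8)
        self.sessions.add(tok)
        return tok

    def challenge(self, user):
        c = secrets.token_hex(8)
        self.pending[c] = user
        return c

    def login_bound(self, c, origin, sig):
        """Accept only a signature over (challenge, our origin)."""
        user = self.pending.pop(c, None)
        if user is None or origin != BANK_ORIGIN:
            return None
        expect = hmac.new(self.users[user]["otp_key"], f"{c}|{origin}".encode(),
                          hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expect):
            return None
        tok = secrets.token_hex(8)
        self.sessions.add(tok)
        return tok


class Victim:
    """Alice's browser plus her token; it holds the same secrets as the bank record."""

    def __init__(self, record):
        self.rec = record

    def credentials(self, shown_image, t):
        if shown_image != self.rec["image"]:
            return None                            # image mismatch: Alice stops
        return self.rec["pw"], totp(self.rec["otp_key"], t), self.rec["fp"]

    def sign_challenge(self, c, origin_in_address_bar):
        # The browser, not Alice, supplies the origin it is really talking to.
        return hmac.new(self.rec["otp_key"], f"{c}|{origin_in_address_bar}".encode(),
                        hashlib.sha256).hexdigest()


def evil_proxy_password_login(bank, victim, t):
    """Phishing page relays each step to the real bank within the OTP window."""
    image = bank.sitekey_image("alice")            # proxy fetches the real image
    pw, otp, fp = victim.credentials(image, t)     # Alice sees "her" image and types
    return bank.login("alice", pw, otp, fp, t)     # attacker now holds the session


def evil_proxy_bound_login(bank, victim, claimed_origin):
    """Proxy relays an origin-bound response; it may tell the truth or lie about origin."""
    c = bank.challenge("alice")
    sig = victim.sign_challenge(c, PHISH_ORIGIN)   # browser signs what it really sees
    return bank.login_bound(c, claimed_origin, sig)


def honest_bound_login(bank, victim):
    c = bank.challenge("alice")
    return bank.login_bound(c, BANK_ORIGIN, victim.sign_challenge(c, BANK_ORIGIN))
```

Run with a fixed timestamp so both sides compute the same one-time code; the relay succeeds because every factor is something Alice hands over, and the bank cannot tell who typed it in. The origin-bound variant fails in both directions: forwarding the true phishing origin trips the origin check, forging the bank's origin breaks the signature.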


How much fun/mischief could you have if you were to be 'evil' for a day?

In that vein, what is the most devilish idea you have thought about?


Would you please comment on the difference between anonymity and privacy, and which one you think is more important for civil society?

I'm primarily thinking of security-camera paranoia (wherein we complain that a camera will record when we walk by someone's house, as if nosy neighbors hadn't been in existence for thousands of years), but I'd be happy to hear a summary of your thoughts on the broader topic as well.


I've always thought that if you could vote through the internet, more people would do so, but I've never thought it feasible, as cheating would be rampant. Do you think it will ever be feasible to vote on public officials via the internet? Why or why not?


Hacker movies have become quite popular recently. Do any of them have any basis in reality, or are the hacking techniques fabricated by Hollywood?


What would you consider to be the top five security vulnerabilities commonly overlooked by programmers? What book would you recommend that explains how to avoid these pitfalls?


Can security companies really supply secure software for a stupid user? Or do we just have to accept events such as those government computer disks going missing in the UK, which contained personal details of 25 million people (and supposedly have an underworld value of $3bn)?


- So seriously, do you shop on, or anywhere else online for that matter?

- Wouldn't the world be simpler if we went back to 'magic ink'? How awesome was that stuff!

- Should I visit Minneapolis anytime soon, what is one restaurant that I would be remiss to pass up?

- What was the one defining moment in your life when you knew you wanted to dedicate your life to computer security and cryptography?


- What's the worst security you've seen for a major financial firm? I use ING, and their site forces you to use a 4-digit PIN. You can't use a nice long password with lots of strange characters, just a 4-digit numeric string. They do some of the silly fake two-factor authentication too, but it's pretty meaninglessly implemented and does nothing to improve actual security (IMO).

- I read that AES and Twofish have protection against timing analysis. How does that work?



How do you remember all of your passwords?


This one is easy. From Bruce Schneier Facts:

"Most people use passwords. Some people use passphrases. Bruce Schneier uses an epic passpoem, detailing the life and works of seven mythical Norse heroes."

So Bruce how does it feel to be an internet meme?

Ian Edwards

Is it true that there is a giant database of every site we have ever visited, and that with the right warrant a government agency could know exactly where we've been? OK, forget about the need for a warrant, silly thought. But what are our real footprints on the web, and would it be possible for, say, an employer to someday find out every site you visited in college? Is there a way to hide your presence on sites that you believe to be harmless but which others may hold against you?


Is there any benefit to password-protecting your home Wi-Fi network? I have IT friends who say the only real benefit is that multiple users can slow down the connection, but they state that there is no security reason. Is this correct?


Why do large government agencies and companies continue to put their faith in computer passwords, when we know that the human mind cannot memorize multiple strong passwords? Why is much more effort placed into password security than human security?


Bruce, do you still find that lying about successes in counter-terrorism to protect your pre-determined notions about what are useful CT tools is an appropriate option for security experts commenting on these matters?



What does a truly secure web connection imply for ease of use? What level of tradeoffs must internet consumers accept to have security?

PS: congratulations on drawing a troll (#33).

Rafe Furst

Given an email being sent by a random sender to a random recipient on the internet without encryption, what is the likelihood that
a) one of the mail relay hosts is compromised without the owner's knowing it
b) the mail is being read by a third party by some other means (e.g. phone companies give government agencies access to all their internet traffic)

Relatedly, assuming that encrypting email is not practical for your everyday use, how would you minimize the chances of someone intercepting your emails, other than making sure the sending and receiving accounts are secure?

Aneesh Kulkarni

How do you reconcile all the hard work you do in improving encryption algorithms with the fact that most breaches of security come from things like bribing someone with access to the data, and not from actually cracking the encryption? Does this mean that security gurus like you have succeeded with the encryption, or just that you guys are tackling the wrong problem?


I appreciate the opportunity to ask a question. I have two:

1) If we can put a man on the moon, why in the world can't we design a computer that can COLD BOOT nearly instantaneously? I know about hibernation, etc., but when I do have to reboot, I hate the three or four minutes to completion.

2) Assuming we are both still here in 50 years, what do you believe will be the most incredible, fantastic, mind-blowing advance in computers/technology during this time?

Thank you!


Considering the carelessness with which the government (state and federal) and commercial enterprises treat our confidential information (demonstrated almost daily), is it essentially a waste of effort for us as individuals to worry about securing our data? Thanks,


With regard to identity theft, do you see any alternatives to data being king?

Right now, if I know enough about you, I can basically become you in the eyes of many companies, especially those that deal with people only over the internet or mail. Do you see any alternative systems which will mean that just knowing enough about someone is not enough to pretend to be them?

In a previous time, in-person contact was effective: I can figure out if you're the same person I talked to last time we supposedly met. What's the next identity verification system?