Episode: 1581
Title: HPR1581: Sensible Security: The Schneier Model
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr1581/hpr1581.mp3
Transcribed: 2025-10-18 05:16:38

---

This episode of HBR is brought to you by AnanasThost.com.
Get 15% discount on all shared hosting with the offer code HBR15.
That's HBR15.
Better web hosting that's honest and fair at AnanasThost.com.
Hello, this is Ahuka, welcoming you to Hacker Public Radio and
another exciting episode in our security and privacy series and in this one what I want
to do is I want to give you a way of thinking sensibly about security and to do this I'm
going to be pulling on some stuff done by real smart security people in particular for
this one Bruce Schneier.
If you cast your mind back to 2001 there was a certain incident on September 11th that led
many people to go oh my god we are doomed we must increase security do whatever it takes
and the NSA was happy to oblige and on 7705 July 7th of 2005
an attack in London added to the frenzy.
I think it is fair to say that the security agencies felt they were given a mandate to
do anything as long as it stops the attacks and thus was the overwhelming attack on privacy
moved to a whole level higher. Now to be clear security agencies are always pushing the limits
it is in their DNA and politicians have learned that you never lose votes by insisting
on stronger security and appearing tough but the reality is that security is never 100%
and the higher the level of security the greater the costs in terms of our privacy and liberty
and it is also the case that total insistence on liberty and privacy would cause your security
to go down as well so you should not adopt any simple-minded approach to this problem
in general as you add layers of security each added layer gives you less benefit some simple
security steps can give you a lot but as you add more and more the added benefit drops and this
is an example of what we call the law of diminishing returns by the same token each added measure
extracts an ever-increasing cost in terms of the loss of liberty and privacy
and conceptually you could draw a couple of curves one rising for the costs the other falling
for the benefits look for where the curves cross to determine the optimum level of security that
balances the costs and benefits in practice it's not that simple measuring these costs and benefits
tricky and there is no simple equation for either curve nonetheless a balance of some kind does need
to be struck and I want to be clear that my position is I don't think we should get rid of all
government security services I don't think that spying is one of those things that no one should
ever do for any reason and I think they very often do valuable things in some cases I'd like
to see them do more you know when we take a look at cyber security and how do we secure computer
systems I think it's a very valuable role for government experts in helping to make this happen
so I'm not I'm not an anarchist about all of this but my my position is you have to strike a
balance and as a member of the public I think I need to have my voice heard about this so
in the wake of the 9-11 attacks Bruce Schneier published a book called Beyond Fear
Thinking sensibly about security in an uncertain world came out in 2003
in this book he shows that hysteria is not a good approach to security and that you need to ask
yourself some questions to see what the cost versus benefit calculation looks like for you
I'm going to draw on his model to talk about security as we are discussing it in this series
now you've probably all heard the old joke about what constitutes a secure computer and the answer
is is that it has to be locked in a vault with no network connection and no power connection
and even then you need to worry about who can access the vault now it's a joke in the sense that
no one would ever do this we use computers in the internet because of the benefits they give us
and having a computer in a vault with no network connection and no power connection is just
a waste of money we accept a certain degree of risk because that's the only way to get the
benefits we want so how does Schneier approach this he suggests a five step process for any security
measure you are contemplating you need to have a clear eyed rational look at the costs and benefits
and Bruce's five step process looks to accomplish this this is a series of questions you need to
ask in order to figure out if this particular measure makes any sense it's a question number one
what assets are you trying to protect this is what defines the initial problem any proposed
counter measure needs to specifically protect these assets need to understand why these assets are
valuable how they work and what are attackers going after and why so if your problem is that
someone has been stealing the email out of your mailbox and your security measures to lock the
back door hmm kind of a mismatch there locking the bad back door may or may not be a good thing to do
in many cases it's probably a good thing to do but it's not going to stop anyone from stealing your
mail all right so what are the risks against these assets to do this you need to analyze who threatens
the assets what are their goals how might they try to attack your assets to achieve these goals
you need to be on the lookout for how changes in technology might affect this analysis
right the risks are going to be a changing thing as the technology changes for instance we've
talked a lot about encryption in this series that's what we started off with
and we talked about creating keys and one of the things we said was the expectation by NIST
was that 2048 bit PGP would stand up to attack until the year 2030 now they come up with that by
making estimates of how quickly computing power is increasing you know looking at Moore's law
and things like that if there's a breakthrough in quantum computing that's going to change everything
now if there's a breakthrough in quantum computing our standard ways of encryption almost
immediately become like tissue on the other hand what I haven't heard too many people say yet
is if we have a breakthrough in quantum computing maybe there is a new way of doing encryption
you know it is kind of an arms race here but you need to keep up with what's going on in technology
question three how well does the security solution mitigate the risk now mitigate is a useful term
here as opposed to totally eliminate because very rarely do you totally eliminate a risk
very often is just a matter of making it not worth anyone's while you know I remember a joke
about two campers who are out in the woods and all of a sudden they realized that there's a bear
who is prowling around their campsite and one of the guys says all right I've got to get my track
shoes the other guy says well track shoes aren't going to help you cannot run a bear and the first guy
says don't have to I just have to outrun you you know mitigation is very often a case of
making it just you know giving yourself a little edge you know a good example of mitigation
is locking your front door most of us do that at least in the United States maybe where you are it's
different I always lock my front door when I leave in the morning could someone still break into my
house yeah they could it's a little harder if the door is locked so to me that is a reasonable
amount of safety you know if they have to break down the door that you know might get noticed by
the neighbors someone might call the police and generally the feeling is if you just make it a
process where they they move on to some other place that's easier to deal with then you've achieved
your goal so understand your counter measure all right how will it protect the asset when it works
properly but you know you also need to take an account what happens when it fails because no
security measure is a hundred percent foolproof and everyone will fail at some point in some
circumstances a fragile system fails badly a resilient system handles failure well
that think about that a fragile system fails badly a resilient system handles failure well
one of the things about nine eleven that I have not heard enough people talk about
is that the experts didn't do a damn thing that was useful it was individual people
all right individual people are resilient security systems tend to be very fragile
now a security measure could be slightly less effective under ideal conditions but handle
failure much better and that might make it the optimum choice so that's one of the things you
need to think about another one is a measure that guards against one risk may increase vulnerability
somewhere else and then you got to watch out for the whole false positive versus false negative
trade-off it is a truism that any set of measures designed to reduce the number of false negatives
will increase the number of false positives and vice versa reduce the false positives the false
negatives will go up now false positive is when you think you've discovered an attack and you
didn't really a false negative is where you think everything's fine and yet you really are under
attack you know both of those are problems question four what other risks does the security solution
cause security countermeasures always interact with each other and the rule is that all security
countermeasures cause additional security risks question five what trade-offs does the security
solution require every security countermeasure affects everything else in the system it affects
the functionality of the assets being protected it affects all related work connected systems
and they all have a cost frequently but not always financial but also in terms of usability
convenience and freedom so these are the five steps that you want to go through to evaluate
and you don't just do this once you need to re-evaluate as the systems evolve as the technology changes
there's a saying security is a process and that's really what we're talking about
now i'm going to take a look at a very common one and in fact it's going to set me up
because i want to talk about this some more going forward and that's passwords and we take a
look at that in this context so i have a cartoon on the wall of my cubicle at work that shows an alert
box says password must contain an uppercase letter a punctuation mark a three digit prime number
and a Sanskrit hieroglyph i think the only thing that left out was a squirrel noise
now we've all encountered this it does get frustrating this is a humorous take on something that
is an accepted best practice i recall the story about a fellow who worked at a company that
insisted he regularly changed his password and would also remember the eight previous passwords
and not let him use any of them again but he liked the one he had so he spent a few minutes
changing his password nine times in a row the last time being back to his favored password
now was he a threat to security or was the corporate policy misguided let's try Bruce's model and see
where we get what assets is the company trying to protect now i think this has several possible
answers the company may want to prevent unauthorized access to corporate data on its network
or the company wants to prevent unauthorized use of its resources possibly with legal implications
and the company may be concerned to prevent damage to its network all of these are good
reasons to try and control who has access to this asset and to protect it but knowing which of
these is being targeted may matter when we get to trade-offs and effectiveness of the proposed
countermeasures for now let's assume the primary interest is in preventing unauthorized access
to the data such as credit card numbers on an e-commerce site question two what are the risks
against these assets well if we're talking about credit card numbers the risk is that criminals
could get their hands on these numbers from the company standpoint though the risk is what
can happen to them if this occurs will this cause them to assume financial penalties will the CEO
be hauled in front of legislative committees will their insurance premiums rise as a result
this is the sort of thing companies really care about and when you understand this you begin to
see why companies all adopt the same policies when people talk about best practices
you should not assume that anyone has actually determined in a rational manner what the best
practices should be it only means that they are protected in some sense when things go wrong
after all they followed the industry best practices the biggest failure of security
is when companies or organizations just apply a standard instead of rules instead of creating
a process of security I see this criticized constantly in my daily newsletter from the sans
institute question three how well does the security solution mitigate the risks
this becomes a question of whether forcing people to change their passwords frequently is a
significantly effective measure in preventing unauthorized access to computer networks and here's
where things really start to break down it is very difficult to come up with many examples of
cases where a password in use for a long time leads to unauthorized access that's simply not how
these things work we know that the majority of these cases derive from one of two problems
social engineering to get people to give up their password and malware that people manage to
get on their computer one way or another now how does that work constantly let's take social
engineering for number one we're always hearing stories about how some security company and I
have a friend who does this kind of testing for his customers he's a security professional
and you know the first thing they do when they're evaluating the security is they start calling
people up and something oh hi I'm from the IT department I just am trying to verify something
could you give me your password and about half the time people well this has been done over and
over again all you have to do is you know plausibly look like you're the sort of person they ought to
give this stuff to now does changing your passwords frequently stop that attack no
that do a damn thing now the other one is people managing to get malware okay RSA which is a security
company they lost the keys to the kingdom they lost the keys to the RSA security tokens
from malware because a secretary clicked a link in an email there there was a attack levied
against Iranian facilities and the median for that was and it's pretty clear now is some
combination of the US government and the Israeli government that worked on all of this
and the way they got it on there was by dropping usb keys on the ground in the vicinity of the
facility figuring will someone will pick it up and say oh look usb key lucky me plug it into
their computer and then the software we get in there there's lots of ways to do this okay
making people change their passwords won't guard against any of these things and and this is
really the thing you've got a policy that everyone complies with because it is a best practice
and when you look at it it does not guard against the risks that are out there
now can you make an argument that forcing people to frequently change passwords might in rare
cases actually do some good maybe but there's no way to say that this is in general an effective
countermeasure against unauthorized access it simply isn't question four what other risks
does the security solution cause there are several possible risks that come out of this
first since all security measures require a variety of resources and remember people's time and
attention is one of those resources emphasizing one security measure may take resources away from
more effective measures that don't get sufficient attention but there are also risks from how people
act in response to this policy in the ideal world of the security department each person with
access would choose a long complicated password each time chosen for a maximum entropy and then
memorized but never written down yeah that'll happen sadly for the security department they
have to deal with actual human beings who do not do any of these things most people at the very
least consider this an annoyance some may actively subvert the system like the fellow in our story
who changed his password nine times in a row to get back to the one he liked but even without
this type of subversion we know what people will do if you let them they will choose something
that is easy to remember is their first attempt and that means they will most likely choose a
password that can easily be cracked in a dictionary attack if you instead insist that each password
contain letters numbers upper and lower case a Sanskrit higher or a glyph and two squirrel noises
they will write it down probably on a yellow sticky note attached to their monitor
if the person question is a top executive of course it gets even worse because they don't put
up with the BS that the ordinary worker bees have to tolerate question five what trade-offs does
the security solution require well this policy causes a major impact on usability and convenience
and all of this for a policy that we saw above actually accomplishes very little in the majority
of organizations the IT department is viewed with a certain amount of hostility and this is part
of it in addition anyone in an IT help desk can tell you that they get a lot of calls from people
who cannot log in because they forgot their password which is a natural consequence of forcing
people to keep changing it so bottom line what does all this mean in the final analysis
I think it means you need to carefully consider which measures are actually worth taking
and this is at least impart a cost versus benefit analysis for instance as I have
initially written this the heartbleed vulnerability was in the news and I got to hear
Bruce Schneyer discuss how people should react and he did not say oh my god change all your
passwords right now he said you should assess the case if it is your password to log into your bank
probably something you want to change but if it was some social network you access once every two
weeks he said and don't bother and that seems reasonable and as another example although I have
discussed how to encrypt emails and digitally sign them that does not mean I open up GPG every
time I send an email it is something of a pain in the posterior to do and I use it judiciously
I don't see the point in digitally signing every email when a lot of it is just stupid stuff anyway
so I'm going to give three final rules from Bruce Schneyer
all of this is in his book Beyond Fear by the way and he goes into this in much more depth
rule number one risk demystification you need to take the time to understand what the actual
risk is and understand just how effective any proposed security countermeasure would be
there will always be a trade-off if the risk is low and the countermeasure is not particularly
effective why are you doing this saying we must do everything on our power to prevent
a risk that is unlikely and where the countermeasures are not likely to work is how you get to
what Snowden revealed rule number two secrecy demystification secrecy is the enemy of security
to get that secrecy is the enemy of security if you're looking for security
making things secret doesn't get you there security can only happen when problems are discussed not
when discussions are forbidden secrecy will always break down at some point see above Snowden
this is the failure mode of security by obscurity most often secrecy is used to cover up incompetence
or malfeasance rule number three agenda demystification people have agendas and
often use security as an excuse for something that is not primarily a security measure
and emotions can lead people to make irrational trade-offs
so with that this is a hookah signing off and as always reminding you to support free software bye bye
so like all our shows was contributed by an hbr listener like yourself if you ever thought of
recording a podcast and click on our contributing to find out how easy it really is
hecka public radio was founded by the digital dog pound and the infonomicon computer club
and it's part of the binary revolution at binrev.com if you have comments on today's show
please email the host directly leave a comment on the website or record a follow-up episode yourself
unless otherwise stated today's show is released on the creative comments attribution share
free www.fieldrie.org license