Internationally renowned security guru, Bruce Schneier, will be encouraging technologists at linux.conf.au to take a lesson from Luke Skywalker, and "feel the force" a little more when it comes to security.
Schneier, who is CTO of BT Counterpane, is one of the three keynote speakers at the 2008 Linux.conf.au. He joins Python release manager, Anthony Baxter and founding member of HP's Linux division, Stormy Peters.
Dahna McConnachie speaks with Schneier about his talk, "Reconceptualising Security" and how technologists need to remember the importance of the human element. He also discusses cyber-war, what Linux has done for security, and the likelihood of another edition of Applied Cryptography.
What do you spend most of your spare time working on these days?
Much of my work these days involves the human motivations around security: the economics of security, the psychology of security, and so on. Again and again I see good technology failing because these aspects of the security system haven't been well thought out, and these social science communities have a lot to teach us in computer security.
(Read some of Bruce's recent thoughts on the psychology of security here)
What will your keynote talk "Reconceptualising Security" be about?
Security is both a feeling and a reality, and they're different. You can feel secure, even if you're not. And you can be secure, even if you don't feel it. Really, there are two different concepts sharing the same word. My talk is about the feeling and reality of security: when they are different, why they diverge, and how they can be made to converge. As technologists we tend to focus on the reality of security and ignore the feeling. I will argue that both are important.
Do you think that technologists sometimes forget about the human element generally when designing, developing, testing, implementing and/or maintaining systems?
Sometimes? I think they forget almost all the time.
One of the messages you preach is that organisations need more than secure algorithms to be secure. Can you synthesise this argument, in terms of what it means, particularly in today's Web 2.0 environment?
Security is fundamentally a people problem. It doesn't matter how many bits your encryption algorithm has if your employees go home and blog about your company's secrets.
Analysing the security stories that make the news is one of your pastimes. Is there a disparity between what gets covered and what matters the most?
I think the media covers security stories more or less at random: they cover stories that aren't important, and they miss ones that are important. Largely, this is because the stories can be complicated and technical, and reporters don't have the expertise to separate what's important from what isn't.