Schneier on Security and Privacy

An excellent post from Bruce Schneier today is worth a mention:

Security and privacy are not opposite ends of a seesaw; you don’t have to accept less of one to get more of the other. Think of a door lock, a burglar alarm and a tall fence. Think of guns, anti-counterfeiting measures on currency and that dumb liquid ban at airports. Security affects privacy only when it’s based on identity, and there are limitations to that sort of approach.

Really good stuff…


Mr. Einstein

I have been reading a very cool book by Scott Berkun called The Myths of Innovation.  First of all, if you are at all curious about how innovations occur, find $33 (or, a mere $20 if you are shopping in the US… don’t get me started on book prices…) and buy this gem. 

In a chapter discussing problems and solutions, he quotes Albert Einstein:

If I had 20 days to solve a problem, I would take 19 days to define it.

The book, and Mr. Einstein, raise an interesting question: do we really know the security and privacy problems we are trying to solve before we rush off to find solutions to them?  It seems that many developers of IT security and privacy solutions are guilty of not knowing what the real problems were prior to developing their ‘solutions’.

In the early 1990s I was roped into teaching a continuing ed course on security and viruses, cleverly titled “Security and Viruses”.  I cobbled together some notes and read up on IT security for the first time.  For the hands-on lab, I managed to capture an Empire virus and grabbed a virus killer program off of a BBS.  We infected the lab computers and set to work cleaning them of this nasty thing.  Much fun was had…

The point to this retro security tale is that the makers of the virus killer framed the problem as ‘find and destroy the Empire virus’.  This was so early in the PC virus wars that they didn’t step back and analyze the problem in its entirety, namely, the real problem was related to preventing the infection and, of course, training users to be more careful with their diskettes. 

Are we still guilty of this today?  Do we focus on authentication when we should really be paranoid about identity proofing?  (Does it matter how well we authenticate a person if we didn’t identify them properly in the first place?) 

Do we invest in technology to protect employee and customer privacy when those people will happily cough up the information on their own with the slightest incentive?  (Why protect a govenment vital statistics database when the same information is shared on Facebook by millions every day?)

I see a lot of after-the-fact Empire virus killing going on.  We are still trying to solve the wrong problems.