> Schneier is a so-called expert who has testified in front of congress
Schneier has been around for a long time, knows the industry well and has made significant contributions. Not everyone gets things right all the time, including Schneier.
Credibility-wise he:
- has a master's degree in computer science
- was awarded an honorary Ph.D from the University of Westminster in London
- is chief technology officer of BT Managed Security Solutions
15 publications, 6 notable books -
- Applied Cryptography
- Cryptography Engineering
- Secrets and Lies: Digital Security in a Networked World
- Beyond Fear: Thinking Sensibly About Security in an Uncertain World
- Liars and Outliers: Enabling the Trust that Society Needs to Thrive
- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
I don't want to throw more shade at Schneier than needs to be thrown, but I want to point out that you've pointed out basically two† real credentials:
* He has a master's degree.
* He wrote a bunch of popular books, and reaped a lot of fame from them.
I work, part-time, in the cryptography space his best-known books cover. His most popular book, Applied Cryptography, is not well regarded in the field. Opinions differ on Cryptography Engineering --- I like it a lot --- but he's a coauthor on that book, alongside a practicing cryptographer of significant renown. The rest of those books are non-technical.
I've worked in security since the mid-1990s, and Schneier has been a presence in the industry that whole time. And his Mirai attribution is far from the dumbest thing he's had to say.
I want to be careful because I'm sure Schneier is very good at what he's good at. My concern is that in addition to that --- without intending to be --- he's also insidiously "famous for being famous", and that his takes on things like DDoS attribution are thus taken more seriously than they should be. There are HN commenters that I think have more reliable takes on what's happening in the computer underground than Schneier.
He should write HN comments rather than pieces that get syndicated into magazines. He'd be an excellent HN commenter. :)
† (You might add that he's a co-author of some well-known cipher and hash designs, and IIRC the sole author of Blowfish, his best-known design. [Don't use Blowfish.])
Schneier decided to leave the academic/technical side and become a pundit.
That's nothing to be ashamed of, I'm sure he didn't just do it for the fame, but because he wanted to make things better. I still think he's a better cryptographer than writer, but he really seems to enjoy writing.
But it feels uncomfortable when people misunderstand his role.
(And he lost some of my good-will and admiration when he ridiculed Randall Munroe's comic and didn't have it in him to post a correction for what was basically him not reading the comic, but projecting something he already had in mind. That happens to everyone, it's a bit embarrassing and not really bad, but sticking to it when he knows full well that the masses trust him is inexcusable.)
Thanks for the perspective. How would you classify him if ranked against the other usual high-profile "security personalities"? Often an individual's ability for self-promotion can place a shadow over their true ability, making it difficult to discern their true qualities when one is not a subject matter expert on the topic at hand.
On the book front, I would be keen to gain your perspective on the following crypto book that was recently published -
Serious Crypto is strong, and JP Aumasson is the real deal. I might still want both Cryptography Engineering and Serious Crypto; Serious Crypto is far more detailed and up-to-date, but Cryptography Engineering has valuable perspective on a lot of nuts-and-bolts stuff.
Why? If this is just based on it being a massive attack, then there's no basis to automatically blame China/Russia. Have you not noticed this trend? Every time there's a big attack or new strain of malware, it's always China/Russia/North Korea, and that finger pointing is before any concrete evidence?
Honestly, it's xenophobic and will cloud judgement as you'll be looking for evidence that it is China/Russia/North Korea rather than looking for facts.
Even if there's a good chance it is them, should we not believe in innocent until proven guilty?
This is not as much about xenophobia (as xenophobic as USA is) but about not having an egg on your face.
Companies seem to love to throw "state sponsored" around because it sounds better to imply that you were so secure that only North Korea, Russia or China had a chance, and at that level of attack (by such a state that openly challenges the USA so often) it's not your fault you got breached, because it's implied everyone would be. Equifax ran outdated Apache Struts for a few days after a patch and information about the vulnerability were out, and now China is being pointed at with really flimsy (IMO) evidence[0].
On the other hand no one probably wants to defend China, North Korea and Russia and it sounds much cooler to be fighting against their state hackers than script kiddies and saying that all these "high profile state attacks" were script kiddies is basically shitting on the security industry in a way.
Occam's razor? If the majority of large, coordinated attacks and malware come from those countries it seems reasonable to suspect them initially, doesn't it? He said they were "guesses". He straight up told you he was speculating. That's not xenophobic, that's statistical probability.
> Even if there's a good chance it is them, should we not believe in innocent until proven guilty?
Yes, but if no speculation is allowed until after a conviction then how would anyone ever be investigated? We would never be able to accuse anyone of anything!
> Occam's razor? If the majority of large, coordinated attacks and malware come from those countries it seems reasonable to suspect them initially, doesn't it?
Not really; just because attacks come from a certain country domain does not mean that said country's government is sponsoring said attacks.
Even the CIA/NSA use hijacked foreign servers for their operations, that's why attribution of this stuff is so difficult.
I'd also be interested in how you define "large and coordinated attacks" because if you track by something like Norse Attack Map [0] then your Occam's Razor would suddenly point at the US, at least right now.
> Yes, but if no speculation is allowed until after a conviction then how would anyone ever be investigated? We would never be able to accuse anyone of anything!
There's a difference between "speculation" and flat out misrepresenting the probabilities. At this point, it should be pretty clear, especially to any expert in the field, that the Internet is a massive force multiplier and the regular rules of "You need big influence to have big impact" have pretty much never applied to it.
People need to account for that in their attempts at attribution instead of going the lazy route of blaming "The axis of evil" for it, which this lazy China/Russia/NK attribution basically boils down to.
He doesn't look silly because he guessed at a state-level attribution --- state-level attacks certainly happen. He looks silly because the attacks he chose to attribute to state actors were in fact being conducted by a small number of teenaged Minecraft players.
While I agree with your basic premise (everybody gets things wrong sometimes), I still felt this was needless dramatization by Schneier when I read it back then.
Somebody with his experience should know better than to throw guesswork attribution haphazardly around like that (at least not without a very big disclaimer), especially in a climate that was, and still is, pretty hawkish on "cyberwar turning hot".
Because it's exactly his experience and prestige which gives the uninformed the impression that his "Russia/China" attribution was based on something solid, and not just mere guesswork without any basis on evidence at all.
Reference: https://en.wikipedia.org/wiki/Bruce_Schneier