Internationally renowned security guru, privacy specialist and author, Bruce Schneier, stops by BarCode to discuss the FireEye Hack, Covid-19 Vaccine Cold Chain Attacks, CISA, and Net Neutrality.
SYMLINKS
Schneier on Security
EFF
Section 230
WE HAVE ROOT
The Aspen Cybersecurity Institute
DuckDuckGO
You.com
Inrupt
Back Bar (Cambridge Mass)
Triple Crown (Whiskey sour with grapefruit liquor)
PDT (NYC)
Jub-Jub at Callooh Callay – London, UK
Volstead’s Emporium (Minneapolis, Minn)
DRINK INSTRUCTION
THE BLITZEN
1 oz Cinnamon Whiskey
1 oz Rum Chata
1 oz Kaluha
Combine components, shake, and pour over ice. Optionally rim the glass with cinnamon cereal.
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
Chris Glanden 01:54
I’m here with Bruce Schneier, an internationally renowned security technologist and security guru. He’s the author of over one dozen books, including his latest, We Have Root, as well as hundreds of articles, essays, and academic papers. His influential newsletter cryptogram and his blog, Schneier on security are read by over 250,000 people. He’s testified before Congress, is a frequent guest on TV and radio, has served on several government committees, and is regularly quoted in the press. Bruce, thank you, and welcome to the barcode podcast.
Bruce Schneier 02:28
Nice to be here, I guess virtually, since we can’t actually be anywhere.
Chris Glanden 02:32
Exactly. So, you’re a veteran in the cybersecurity field, and you continue to inspire others by being extremely active online, and other knowledge sharing platforms. I’m curious to know how you personally continue to learn and what methodology you use to remain at your level of prestige.
Bruce Schneier 02:51
I mean, level of prestige aside but learning is reading. I mean, a lot of people doing great work and it’s just reading everything you can find. I’ve read a lot of other people’s blogs and new sites and articles and papers and books. People are sending me stuff a lot, the benefit of writing my blog is that there’s a lot of readers who send me stuff that might interest me. So, stuff comes to me, but you keep up by reading, because you don’t know everything. And a lot of other people know things and you want to know what they know.
Chris Glanden 03:22
Definitely, it’s hard to learn also, and especially during the COVID era, where it’s been much more difficult to get out and interact with peers. So, with that, I’m curious to know how the pandemic has affected you personally and how you’ve had to adjust your typical workflow.
Bruce Schneier 03:37
I mean, professionally is kind of obvious. We’re not flying everywhere, I used to travel a lot and in the before I traveled all the time and right, it’s either teaching, or speaking or consulting, my average speed was 32 miles an hour, over the year, and it dropped to less than one, it dropped the driving speed, I guess less because I’m sleeping too. So, it really did affect the way I work really affect the way I live my life because I spent a lot of time on airplanes. And that was the big thing. Secondarily, it’s, you know, it’s hard to concentrate, it’s harder to get things done, it’s harder to focus. So, I’m writing less. I mean I’m trying to write a book and it’s not going that great not because it’s a bad topic, because it’s hard to sit down for a few hours and really work because there’s a lot of things that are distracting and the world is distracting. Whether that’s COVID, or racial justice or the election. 2020 is really been a dumpster fire. So, looking forward to 2021 those are the major differences. Not traveling and sort of not being as focused. Other than that, I’m lucky. I don’t have to go to an office. I don’t have to put myself in danger. I can be home and then the effects are all the personal things, right? Not seeing friends not doing things, the stuff we all have to have to deal with. I mean, but the hope is by summer, we might have some semblance of normalcy. Now, I might be willing to get on a plane again, by spring, if there’s a sort of enough take on the vaccine. We’ll see how it goes.
Chris Glanden 05:30
Crazy times.
Alex Srebroski 05:32
The new normal, right.
Bruce Schneier 05:34
Right, it’s 2020. Right? And we’re just living through the head. It’s sort of bizarre thinking about this sort of break in your life and in the way we work and the way we play and what we do everything. But yeah, 2020 is going to be a year for history books.
Chris Glanden 05:55
Definitely. FireEye just got hacked. I didn’t see that coming.
Bruce Schneier 05:57
FireEye just got hacked and that was interesting. This is Mandiant that got hacked. So, this is the intelligence arm, and they had their attack tools popped, or at least their mirrors have. It’s hard to tell exactly but it was stuff that was offensive in nature. That where they published the signatures where they said to the antivirus companies here, we are going to depreciate all these for our use and you need to have them on your list of things that you block if you see anybody using them. We don’t know who did it. It seems like it was the Russians and hard to tell if they were after Mandiant or after Mandiant’s customers still a bunch we don’t know. But that it was interesting to see and there’s a lot of detail there. I think we’ll learn that Kevin Mandy is, I think really good about being public about this. So, I don’t think he’s going to hide stuff, he or may already pull the band aid off and said, we were hacked, this is a big deal and everything else is going to be positive. So, I think we’ll get more details that we don’t know.
Alex Srebroski 07:03
Absolutely. I think that transparency is really important to that event.
Bruce Schneier 07:08
Oh, yeah. The trust is what that company has. We just don’t want that coming out that way where you didn’t say it.
Alex Srebroski 07:16
Yeah. being leaked through the press or some other method of dissemination? Yep. Absolutely. You actually got a little blurry on your camera.
Bruce Schneier 07:26
I don’t know what it is. Sometimes you go in and out of focus. Yeah, we’re all living on zoom these days. So, we just forgot to make it work. Tell me again, because actually don’t have my self view up. Because it’s like really creepy to watch yourself all day. That’s my sort of number one, zoom meeting, advice, turn yourself off because it is stressful looking at yourself.
Alex Srebroski 07:49
I do the same thing
Bruce Schneier 07:51
You have a way more natural meeting if you don’t. second piece of advice I’ll give everybody for zoom is that now you can move people around and if you know that, but if you have like 10 people up on zoom, like moving icons on your iPhone, you can pick a tile up and move it in places.
Chris Glanden 08:07
That’s very helpful. Yeah.
Bruce Schneier 08:08
Right, and then encryptions better. Zooms done a lot. You know, in the beginning of the pandemic, I was beating him up pretty regularly on my blog for having lousy security. And in a lot of ways, it’s not unexpected, it makes no sense to have a secure product that nobody uses You’re better off having insecure private people use. So, if you’re a new company, you tend to skimp on that and you get more security, more reliability, more of those things as you become more popular. They got pushed into popularity So, fast, that they really had a scramble to catch up with their security and reliability and usability to all those things. I think they’ve done a really good job. I’ve been impressed with them and to me, they are the most reliable, versatile, useful platform out there. Although I will give a shout out to Gather, it’s a way to do a virtual party, you have a little icon you move around a virtual room, when you’re physically near a weight when you’re when your avatars near someone else’s avatar, a video pops up. So, it feels like a party. We’re trying to mirror as much as we can have the real-world life online and it’s sort of amazing that we’re doing things we never would have imagined we would be doing a year ago. Tele-Medicine or Tele-psychology, Tele-teaching, Tele-this, Tele-that. And security and reliability and all those things are catching up.
Chris Glanden 09:32
Have you done any of the virtual conferences yet?
Bruce Schneier 09:33
I have. I’ve run virtual conferences, right. You know, conferences have to happen. We’re doing research we want to promulgate it. So, and again, it’s a matter of trying to mirror not just the talks, I mean, that’s pretty easy, but the hallway conversations, So, I ran a conference where when it was the break time, we would put people into random breakout rooms in zoom five people. To mirror, you’re at a table, you just talking to some colleagues and you see what’s going on. So you really want to try to mirror all those things.
Chris Glanden 10:10
Definitely. So, Bruce, I’m sure you saw the IBM X-Force report on cyber attackers targeting the COVID-19 cold chain, which is vital in delivering the vaccine and properly storing it at safe temperatures. What is your view on this? And then also, what other attack vectors do you see going forward within the COVID-19 cold chain specifically?
Bruce Schneier 10:34
You know, I’m not sure about that cold chain attack and what that meant, I mean, certainly we are seeing nation states go after the research. Now, I’m actually not sure that’s valuable. I mean, what good is it that if I have a labs research I kind of need…. it’s probably keys for me to buy it from them than to reproduce it. But countries are going after it. I don’t know about the cold chain in particular, that was weird to me and I couldn’t tell if that was part of a bigger operation. Again, we don’t know what’s going on. I do see it as an intelligence target. I was on a zoom with someone who works for a major health care company as the CISO. And she was talking about the attack she’s seen against COVID related research just pretty much constantly. So, countries are trying to get an upper hand here and this is stuff that is very much above our pay grade and this is nation state stuff. This isn’t cybercrime, this isn’t ransomware, this isn’t a virus, this is some government going after your stuff and it’s really hard to defend against that because they just have a bigger budget than you do. But yes, that’s does, it is a thing, and it’s probably going to be a thing moving forward is probably not going to go away. Because this research is valuable.
Chris Glanden 11:58
And that security should really fit into the security framework. There’s no vaccine security, evolving. I think that all needs to be in place already.
Bruce Schneier 12:10
Yeah, the biosecurity is going to be interesting to watch. A lot of it is reliability the right the reason we spend So, much time testing and verifying before we approve a vaccine is the cost of getting it wrong is enormous. Right? Not only do people have a full sense of security, the virus itself might be harmful and the loss of public confidence when the next vaccine shows up, is very expensive. We’re in a country where you’re probably going to have a third of the people who don’t want the vaccine. That’s going to add that’s kind of insane. I’m reading an article just last week. I guess in the 1960s, I forget the year, Elvis Presley got the first polio vaccine on television. So, where are those spokespeople for today’s generations who are going to go on, I guess, YouTube now and get the vaccine in public?
Alex Srebroski 13:17
You’re absolutely right and I think previous presidents right have announced that they would take the vaccine first. So, Obama, Bush and Clinton came out saying, you know, they would be the public spokesperson to take it.
Bruce Schneier 13:29
And that’s good. So, we got people in both parties, but I kind of want Taylor Swift to do it. I want Ted Nugent to do it. I want icons for pretty much every political group to do it. I want the Pope to do it.
Alex Srebroski 13:46
Absolutely.
Bruce Schneier 13:47
I mean, the more the more people, the more people that people trust, do it, the more trustworthy it’ll be and this is very much a public hygiene issue. I am safer if you take the vaccine. You are safer if I take the vaccine. So, that’s what we want.
Alex Srebroski 14:07
Absolutely. I agree with that completely. The more public facing they make that the easier it’ll be for everyone else to follow so.
Chris Glanden 14:13
So, continuing down the political path I’m interested in your thoughts regarding cybersecurity efforts within the upcoming Biden administration. Do you think cyber threat detection will become a top priority?
Bruce Schneier 14:27
Yeah, So, it’s hard to know. Cybersecurity is a priority. I mean these are the 1000 priorities right now. I mean, we got a sort of like, fix everything. So, I don’t know where this will land. I’m part of a group that the Aspen Institute runs, called the Aspen cybersecurity group. And we meet a few times a year and it’s really good group of government, industry, academic weirdos like me, who come together on cybersecurity issues. And we just published a report, a 70-page Report, which is basically it’s called a National Cybersecurity agenda for resilient digital infrastructure. Basically, these are the things we want the new administration to do now. There’s a lot of things we could do. Here’s the things that are really important right now. So, I’ll give you our list when there’s a lot of details of it. It’s a big report, education, workforce development, right? Feel that cybersecurity skills gap, public core resilience, right? We need our basic infrastructure, internet infrastructure to be more resilient. Supply Chain security. I mean, whether it’s Huawei or Tic Toc or Kaspersky, how do we secure or keep imported Internet of Things crap? How do we make sure that stuff is secure? on measuring cybersecurity, we have a huge problem and not even able to measure what we got. And then operational collaboration, how do we get a collaboration between industry and government, governments and government, industry and industry, academia and everybody else? You know, a lot of silos, and how do we get those all cooperating? Those are the five areas we came up with? I there’s probably 15 more we can go into. But we said these are the top things that you and we wrote it not knowing who would win the election that you do administration need to deal with. So, that’s my list right now. How optimistic am I? ehh Maybe we will see,
Chris Glanden 16:30
I hear they’re looking for someone to run CISA.
Bruce Schneier 16:32
[crosstalk] for someone to run CISA. I don’t like being in charge. Actually. I don’t like authority in general. I’m just bad at authority. I don’t want to I’m not just like being someone above me. I don’t like having authority. I just don’t like being a free agent. It’s more fun. Plus, who wants to live in DC?
Chris Glanden 16:53
Alex is close.
Alex Srebroski 16:55
Yep, I’m actually out of Maryland.
Bruce Schneier 16:57
I used to live in DC.
Alex Srebroski 17:00
Question to that since we went down the CISA route. So, how do you feel about CISO kind of taking the role and Chris Krebs specifically for the misinformation, you know, campaign that I guess, if you want to call it that, but he took upon himself to inform the public on.
Bruce Schneier 17:16
Someone had to do it, I mean, really, we really don’t have a real clean civilian cybersecurity organization, like some other countries do. CISA seems to be moving into that role. That’s not a bad place. You know, I would prefer it under NIST then DHS. Maybe DHS is under NIST, I don’t even know how those things work anymore. Now, I want a more civilian, but maybe he did a good job. CISA turning into a good organization, that kind of out of nowhere. So, it’s got to be somewhere. So, it’s a good a place as any, you don’t want the NSA doing it, you know, what Cyber Command doing it? So, So that’s better.
Alex Srebroski 17:56
Right. And I guess to that point, my follow up question would be where do you think, you know, that misinformation falls in on the list of priorities? You know, should something be established right to battle that.
Bruce Schneier 18:07
You know, the question to ask is what should that thing be? As you start digging into this topic, and that people do a lot more work than I do on misinformation. It is extremely hard, when you just can’t publish the truth and say, Well, we’ve solved misinformation. Because those who believe what you publish, you didn’t need to help them and those who you need to help didn’t believe what you published. So, there’s very deep things about trust and how information spreads. And I think a lot of is going to come down to regulating the tech monopolies. You know, the whether we should like burn democracy down in the interest of short-term corporate profits, kind of seems like an obvious No. But there’s really no mechanism in turn that no into action because in our society, near term, corporate profits are the thing that runs everything. Even things that have no business being run by near term corporate profits. So, it’s gonna take a lot of work and it’s hard to figure out how to get from here to there. And it’s not something I studied the level of detail that others do. So, I hesitate to jump in and say, Well, here’s how to fix it.
Chris Glanden 19:19
So, I do want to hit on the decentralization of the Internet, and you know, your thoughts on if it will ever happen and if you believe it will, you know, what hurdles Do we need to overcome that exist today to get to that point?
Bruce Schneier 19:32
Well, I mean, ever is a long time, So, I think it will happen because it’s the only way to move forward. The generative nature of the internet is vital and something that we will benefit from and again, having a captured for neutron corporate profits of some companies that happen to be the monopolies right now, it kind of makes no sense. I mean, there is right now jockeying going on in the FCC, and the republicans trying to push somebody through and I don’t know that he has what they did or not or they’re going to or have done to really block a democratic majority, which would enshrine net neutrality? We’re not sure why this really seems. I don’t know. I mean, I think if you’re a free market, you really want net neutrality.
So, I can’t quite get the politics, it might just be here, we gave you a lot of money to your campaigns do what we want. But you know, too much American politics runs on. So, it’s going to take some movement in the political sphere and then it’s just a matter of doing it. So, it’s political will not technical will and I’m come really out of my sea, when I’m predicting what’s going to happen there. We don’t know what a Biden Administration is going to look like.
Chris Glanden 20:42
True.
Bruce Schneier 20:42
He is certainly a pretty conservative Democrat. Very middle of the road but that’s what was needed to get elected and that’s why we have one. So, I don’t know, we have to see.
Chris Glanden 20:56
So, a lot of these technologies that are pushing towards that, how do you trust those companies? And along the lines of more, I guess, anonymization and privacy. So, you have Duck-Duck go for one, you have You.com which I just read about the other day.
Bruce Schneier 21:13
That’s right, they are just getting funding and they’re going to be a Google competitor. I mean, that’s I don’t know who invested in how to compete against Google but that’s a risky bet.
Chris Glanden 21:20
Yeah, Ex-Salesforce leadership.
Bruce Schneier 21:24
So a good pedigree, but still a risky bet. I mean, you ask, I think, extremely subtle question. And people asked that question a lot, without realizing how subtle is how do you trust? And how do you trust anything? Right? How do you trust, I don’t know that…? Again, these are all analogies from the before. The taxi you drive in, the plane you fly in, the food you eat in a restaurant, let alone your ISP, the people will make your computer, your software, your hardware, your cloud provider, your cloud storage, your search engine and the answer in all those cases, your kind of just do because you hear good things. It’s never the case that you go to the airplane and say, before I get on, I’m going to look at the engine.
I’m going to check the maintenance log, show me the training certificates to the pilot and you never do that and it’s worth thinking about why and it’s because a couple of things, you kind of know, in your mind that the airline you’re flying and an airline in general, never crash. pretty much never. So, you kind of trust in my cases, delta, I live in Minneapolis, delta has a monopoly, right? I trust Delta Airlines; I trust the government regulations. The FAA on aircraft maintenance, aircraft design, even with the 737-max problem. I still trust it. I trust their rules on, you know, pilot rest and pilot training without even really knowing what they are? And that is a very soft, social, non-technical, non-deterministic system of trust. And that’s pretty much how they all work. All right, how do you pick a VPN? Yeah, you kind of pick it at random? And how do you pick a search engine? How do you pick a cloud provider, an ISP, all those things? You know, you know what your friends do you know, what you read. You kind of make a guess. How do you pick a doctor? How do you pick an attorney and had a tax accountant?
So, again, and again and again. And I think that’s really interesting. I think that’s worth more study than that I’m able to give it I did write a book on trust, serve and security is maybe it’s about six years old. Now, the great name of liars and outliers and this is really about the sociology of trust, and how security systems fall into the mix. So, I try to explore some of these questions. And they get more subtle and weird, the more you go, I mean, talking about how you trust results, the selection. Hey, I could we could publish data, we can do audits, will it convince people who don’t trust results the election, probably not. What will convince them hard to tell? But it’s not a battle of the facts. It’s a battle of narratives of ideas of sides. How do I get someone to trust a vaccine? It might be Elvis takes it on national TV, people will trust it. But you know, that’s theater and that’s that show,that is just a demonstration stunt. Probably more valuable for trust than publishing any medical papers in any journals.
Alex Srebroski 24:53
I absolutely agree. Inherent trust is very interesting topic. So, I agree with you on many levels, from the trust side of things, it is an extremely subtle question and especially in regard to the election. How do you convince anyone of anything at this point?
Bruce Schneier 25:12
Especially now that you can find a new source that supports your narrative or even a new source or you know, a Reddit group, a Facebook group, you will you can find whatever weird thing you believe something’s right, the flat earthers have found each other and it makes them like more convinced, not less and they’ve got little scientific experiments that prove the earth is flat. I mean, they’ve got math they’ve got calculus, they’ve got evidence and if I can’t convince flat earthers I mean, I have no hope with people think the vaccines bad.
Alex Srebroski 25:51
This is a very interesting way to broach the subject with flat earth being the comparison. I do think that it is an extreme but no, to your point, they’ve all found each other. They all have a sounding board, they all have a group of people that agree with their views, and how do you convince then the tribe of anything?
Bruce Schneier 26:11
That’s right. I mean, if you’re a millionaire, if you’re one in a million, there’s like a group of 107 people just like you, and you’re gone find them.
Alex Srebroski 26:17
And I think, the Internet has proliferated that. I mean, that is allowed those views to, you know, disseminate throughout society. So, is it a good thing? Is that a bad thing? I’m honestly indifferent to it most times. I subscribe to the opinion that maybe not everyone should be as vocal as they are but that is the world, we live in. Right?
Bruce Schneier 26:43
And this is a world we choose to live in. We have decided that the value of free speech is greater than the problems of full speech and we do that for a real good reason. I mean, it’s easy to say, that speaker is bad and shouldn’t be allowed to speak because they’re speaking nonsense but then you have to step back and say, who gets to make that decision and what if it’s someone you don’t like making that decision? And once you have decided there are tears of speech, and some are more valuable, more socially acceptable, more something, more true. Now, you have to step back and say, well, who’s making that determination and why do we trust them to do it?
Alex Srebroski 27:29
Who is the arbiter of truth?
Bruce Schneier 27:30
Who’s the arbiter and the benefit of free speech is, there’s no arbiter. Now, that’s tied up very much in power because we might have free speech, but myself, as someone with a blog that a quarter million people read or you with a podcast, that wherever your audience watches, we have more power of speech than someone else who doesn’t have those platforms and because we’re a bunch of white guys, we actually have more power of speech than others and we have to recognize that. So, free speech doesn’t necessarily mean everybody’s ideas get exposed equally. So, how do we elevate voices that have traditionally been marginalized? And make sure that they can enjoy the benefits of free speech and not just us.
Alex Srebroski 28:23
Yeah, I hate to sum this up in basic terms, but social responsibility comes along with the platform.
Bruce Schneier 28:30
It often doesn’t, but it should come along with it.
Alex Srebroski 28:35
Agreed. Agreed.
Chris Glanden 28:37
So in terms of net neutrality, what do you see needs to happen in order for us to achieve it?
Bruce Schneier 28:43
You have two choices if you’re in the internet. You could either be a carrier, in which case, you have to be agnostic to what you carry. If you are zoom, you cannot edit what people are saying. If you are Email, if you are Instagram. Pull out Instagram for a second. If you are a carrier, you need to be neutral. If you are a publisher, curate all you want, but you are now responsible for what you publish. Problem is companies like Facebook want it both ways. They want no responsibility for what we say yet they want to curate. So, I think net neutrality is vital. We need carriers of all types in the internet infrastructure. We also need publishers and I want companies to be forced to choose. So, Instagram, are you a carrier, which case you give people an account, they post their photos, they post their text and you don’t do any editing and you are not liable for anything anybody posts. Or you curate and if you curate, you have some liability what people post. Pick one. AT&T does not advertise on my phone line. They do no curation. If AT&T wanted to advertise my phone line, it’s a different sort of animal, and that different rules should apply. That’s my basic belief.
Alex Srebroski 30:26
Yeah, I was going to say I’m curious in in context, right. And I know this may broach into EFF topics, but section 230 is pretty hot right now. Trump wants it repealed completely. So, that, you know, tech companies have to be held responsible for the censorship that they’re getting like Twitter right now, right for some of the election fraud censorship that they’re doing on Twitter. So, I’m curious what your stance on 230 is and if you believe it should be there, or shouldn’t?
Bruce Schneier 30:54
So I think it’s really important because it establishes this neutrality. I mean, section 230 means if you write a comment on my blog, I’m not liable for it because I’m essentially a carrier there. I post everything. That is vital. I couldn’t have a blog comments section without that. In some ways, Facebook couldn’t exist without that. I think it has been pushed to extremes. So, Tinder uses section 230, to not have to take down a profile that was maliciously put up by the ex-boyfriend of some guy. That seems a stretch. So, I think section 230 has been stretched out of its original intent. But its original intent is vital for the internet to work as it does today. It otherwise everyone has to be like you like this podcast, where you record it and if I say something crazy, you edit it out because you don’t want to be liable for what I say and you are because it’s your podcast. That’s really different from the comments section. Right, sort of under the episode. So, I think we need a conversation about 230 get it back to its original roots. But I think repealing it would be a frickin disaster for So, many things on, it would break the internet that we know.
Alex Srebroski 32:22
Absolutely, I’m going to switch gears here and actually ask you about Inrupt. So, you know, Chris, and I have been talking over the past few days again, about decentralization, kind of what people are calling, if you will, buzzworthy web 3.0. The decentralization of internet and kind of the proliferation of big tech companies, Google, Amazon, Facebook, kind of owning everything at this point. This is my opinion, the idea of the internet was originally to be decentralized and everything just kind of moved this way as it went to a service model, right?
Bruce Schneier 32:59
I think things naturally centralize and we just have to constantly fight it and it’s not just they wouldn’t the service model, it’s not just the cloud. I think we have centralization before that we just have a way to centralization. So, I’m involved Inrupt. What Inrupt is, is a commercialization of Solid. Solid is a open web standard, brainchild of Tim Berners Lee, right, who invented the web, and it’s a way to put data back under the control of us. The basic idea is that you, I, everybody, has a pod, has a place for our data and our data goes there and the stuff we have writes data to our pod and reads data from it, right? So, imagine, right now, if I have a Fitbit, the data is written into Fitbit servers, and I have access to it. Well, this flips that model, the data is written into my pod, and Fitbit has access to it. Now there are a bunch of benefits to this. One is I have control, right, I can now decide, I dropped my Fitbit and I use something else. Or I you know, have an insurance plan, I get a discount or they get a Fitbit data, I decided to give them access to it.
So, it puts me in control. Often companies don’t need my data. So, like Marriott Hotels, in the before I was a Marriott customer and they have all my data on their servers. They don’t actually want it. It’s a liability for them. They just want access to it when they need it. I think they’d be perfectly happy. The data was in my pod, and they were guaranteed access. So, it is less risky for them. It is better for me. And then it allows all of these third-party data aggregation apps. If I wanted to have a public program that looked at my Fitbit data, I don’t know and married it with my Marriott hotel data, and the data from my refrigerator and my medical data and figured out, you know, health plans for me when I was traveling, I just made that up.
Because all the data is in my pod, I can do that. So, suddenly your data is generative. And the Internet of Things is going to produce enormous amount of data about you about you, about your world, about your environment and if that data is in a place that you could control, you have a lot more power. That’s really, we’re trying now, as I’m saying this, you can imagine like this is a security nightmare and that’s really my job to deal with that part. That’s the really the, the idea that we had, instead of this data being centralized at Google, at all these site, Marriott Hotels, at Fitbit, you will have access to your data. So, it shuffles it right instead of being vertical, it’s horizontal. So, all my data is here.
Now, right, you’ll your pod will have to be somewhere. My guess is there’ll be like email addresses and you could run your own email server you want, you probably don’t, you probably have your email hosted at Google or Apple or somebody else. And they’ll probably host your pod as well. But like email addresses, it’ll be portable. If you don’t like what’s being done to your pod, you can move it. And there’ll be ways you can encrypt it So, that maybe the company who’s storing it does that access to the data. Or you might want them to write in some cases, I might want Apple to have access to some of this data, because they do a lot of cool things. By aggregating it, they just like, I might give Google access to my email, because they run anti-spam. So, they need they need the unencrypted email to do that, I can encrypt my email, I can encrypt my Gmail if I want but then I don’t get a lot of the benefits of Google’s processing of it but it changes the locus of control from the big companies, To us.
Alex Srebroski 37:13
You own your own data again.
Bruce Schneier 37:14
You own your own data and you can imagine that we’re on a zoom call, let me record it, and I put it in my pod and I give you access to it, right, you’ve been on the call, too. So, I’m giving you access or maybe we have a fight in a year, and I turn off your axles, I don’t like you anymore. I mean, I have this control. And I can audit who accesses my data not really what they’re doing with it but how often they’re going after it. So, I might give my insurance company access to my medical data. I mean, that might be a requirement but now I will be able to see if I want to, what they’re looking at.
Chris Glanden 37:48
Is that all a cloud service offered by Inrupt?
Bruce Schneier 37:51
So here it depends and again think of it like email. You could run your own email server and store your email in your home on your computer. The pods will be the same way. Most people it will store the short in the cloud, your pod will come with your iPhone, So, Apple will have it or Google will have it. You can imagine being stored locally, there’s local storage that comes with your home router. There’s a pod in your home router and it’s got half a terabyte of storage because that’s So, cheap and So, there your pod is and maybe you back it up into the cloud somewhere encrypted, maybe Dropbox or something. So, I’m making this up, it is a very flexible standard and then we get to decide how it’s implemented. This is Tim Berners-Lee; he’s a surprising visionary and he’s really thinking very generally and then implementation could be in many different ways. So, I think it’s mostly going to be in the cloud, because all of our everything is in the cloud these days. But you could if you want short locally, if that pendulum shifts back, and my guess is your home router is a good place for something like that.
Alex Srebroski 38:55
Agreed, especially from a usability standpoint, I think that would make the most sense.
Bruce Schneier 38:59
It’s there, it’s going to work automatically, all the devices in your home. So, your refrigerator, your thermostat your exercise machine, your all your Internet of Things nonsensical writing to that pod. You’ll keep your photos there, it could be internally facing and externally facing because it’s at the boundary of your network. So, I take photos for Christmas, pretend it is a year when people are over. So, it’s a different year than this year and I would put them in my pod and I’d give access to my whole family.
Alex Srebroski 39:32
Right? So, I guess I have to kind of follow up questions for the Inrupt stuff. One would be how are you going to get the companies to sign on to use the pod infrastructure?
Bruce Schneier 39:44
This is why I joined the company because normally that’s a great question because nobody is going to sign us up like this, because why would you, but you don’t have to sign on to the vision to use the data structure and the data structure itself is valuable. So, we have pilots, with some big names, and I, I know the names, but I forget which names are public, So, I’m afraid to say any of them but they are using what they’re saying is, well, we’re going to use this pod, but we’re going to keep the pod, we’re not giving the customers the pod, we’re going to keep it, that’s fine. It starts the process, they using the data structure, the pods are movable, the pods can be virtual, they can be combined, it all works, it all works seamlessly for the user. But that gets the data structure seeded. And once the data structure is seeded, you’ll have I think, smaller companies signing on, because it’s benefit.
A big company like Facebook, like will be the last to use pods. Google will be the last use pods, but that Google competitor, more likely to So, so you’re going to have these single uses by the single entity pods first, then opened up to some smaller users, and then opened up to bigger ones, that’s probably the way its’s going to flow and it’s that kind of usage flow that makes this possible. The data structure is really flexible and really valuable. Even if you don’t give a user a pod where he puts everything.
Alex Srebroski 41:24
I really, really enjoyed that answer because I wasn’t sure from the adoption standpoint how it was going to happen.
Bruce Schneier 41:30
And that’s always the hard part. I mean, this is something that works best when everyone’s using it. So, how do I have a chicken and egg problem?
Alex Srebroski 41:36
Exactly. So, that kind of leads into my next question. Chris and I have talked about this a couple times. He told me that you weren’t exactly a fan of blockchain for decentralizing applications across the board. And one of the ones that I’ve used was called BlockStack. You know, there’s different efforts out there. From a decentralization standpoint. can you talk to about how Inrupt is different from blockchain and what maybe the advantages or disadvantages are?
Bruce Schneier 42:06
Interrupt has nothing to do with blockchain. Blockchain is a particular technology, which I will say is absolutely no use at all ever for anything. I guess it both data structures but the data structure isn’t the blockchain. The data structure is a Merkel tree and if you need a Merkel tree use a Merkel tree. I think a blockchain. I guess blockchains used Merkle trees but Merkle trees are, are separate. I’ve written about that. Just type “Bruce Schneier blockchain” into Google or I guess the new search engine which will leave Google’s competitor and you’ll see I wrote an essay in Wired a couple of years ago, which goes through the and it goes back to trust back to original topics, this notion that blockchain is trustless is complete and total nonsense and understanding how trust flows, you quickly realize that whenever you see a blockchain application, the blockchain part actually doesn’t provide any value. It’s just the application. So, and this isn’t a fringe view it’d be pretty much everybody in computer security says this about blockchain. It’s dumb and it’s just a bunch of small libertarian crypto bros that kind of like it because it’s kind of stick it to the man stuff, but I think the fans going to go away soon.
Chris Glanden 43:19
Do you think with cryptocurrency that it was more of the application taking advantage of blockchain versus blockchain emerging as a technology stack?
Bruce Schneier 43:29
No, I mean, people like Bitcoin because it’s not backed by- it’s very political. And that’s the only reason and why do people trust Bitcoin? Not because of the math, because their friends trust Bitcoin. Now, why they trust a wallet all the wallets get hacked, why trust exchange exchanges get hacked, because of what they read a friend’s and the system it’s not. It’s not trusting the technology. So, I think Bitcoin and blockchain in general, is part of this sort of anti-government movement, this idea that we don’t need governments. But of course, it’s nonsense. We all need governments just you might not like it, but you do and the fact that all the block chains are failing because of governance problems shows you that you need government and governance and I think whenever you see a blockchain application, it is never been the case that someone says, “Oh, I have this problem. Oh, wait, blockchain can solve it.” They go the other way. They say I have this blockchain. What can I do with it? And that’s why you see things like blockchain voting which is like the dumbest of dumb ideas.
Chris Glanden 44:36
So, Bruce, I can do the standard endorsements here. You got your blog, you’re active on Twitter, although any other projects?..
Bruce Schneier 44:44
So, I am not active on Twitter. I have my blog, and I have a bot that tweets my blog posts. I have a blog and have a Facebook page that post links to my blog. I’m not on any social media. So, put it like this. I don’t even have access to these accounts. So, I am extremely old school. I have a blog Schneier on security schneier.com. I have an email address and that’s how I interact with the world. So, I’m not on any social media, which makes me a freak, but highly productive.
Chris Glanden 45:20
Yeah, I’d like to get to that point. It’s tough, though.
Bruce Schneier 45:24
It is tough and I think not being on Facebook affects your social life, actually, when we had social lives, it affected your social life but it’s a huge time sink and I’m just not willing to do it but again, that makes me a freak. I get that.
Chris Glanden 45:37
All right. So, I just overheard that it’s last call at the bar. So, I have one last question for you before you leave. If you opened a cybersecurity themed bar, what would the name be? And what was your signature drink be called?
Bruce Schneier 45:50
So, I don’t know if you know but I actually spend a lot of time in craft cocktails.
Chris Glanden 45:55
I did not know that.
Bruce Schneier 45:56
So, I ran a conference in Cambridge a few years ago and I don’t know if you know Back Bar. It’s a really good bar in Cambridge. They had a sister bar called aim Street, deli, maybe. Anyway, they ended upstairs. colleague friend of mine ran it and he did a whole bunch of crypto themed drinks for my conference. I don’t remember the names of them. Right now, my favorite drink is a Chinnor Negroni. So, Negroni sub Chinnor for the Campari. It’s a really good drink. So, I will suggest that in a sour right now, I have my favorite something called a Triple Crown. I forget who invented it but it’s basically a whiskey sour with grapefruit liqueur. Phenomenally good drink. So look that up, it’s as serious as the recipe. I tend not to like cutesy drink names. I will not order drinks if the name is too dumb, which is probably kind of dumb of me. But I don’t like dumb cutesy drink names and I don’t know about that. So, I think a lot about my drink list. Now I have cocktail parties at home back when you used to be able to have parties at home where I come up with a cocktail menu 10 or 12 drinks and mix drinks all night for my friends. So, I like making menus. I don’t really think about naming stuff. I’m good at naming books. I don’t name named drinks, but I do pay a lot of attention.
Alex Srebroski 47:29
To the names especially. What about the cybersecurity theme bar, could you name that?
Bruce Schneier 47:34
I have no idea. I mean, the coolest bar with a security theme I can think of one is of course, PDT in New York, which you’d enter through a phone booth at a hotdog stand in the East Village and that is literally how you got into the bar. You’d go into the phone booth, close the door, pick up the receiver, say who you are and then the dead the secret door. On the other side, you have the phone booth open and you’d go into the bar. Then there was a bar in London, one of my favorite bars in London. A secret bar upstairs from another bar and if you were there enough, they gave you a key to it and here I am like living in Minneapolis, and I get a key to the secret bar and the upstairs of another bar in London. That was kind of neat and the bar upstairs are called JubJub room forgetting the name of the downstairs bar. I’ve been to London recently. It’s a fun question and if you gave me 24 hours’ notice I would have had an answer for you but cold I’m not able to do it.
Alex Srebroski 48:33
Fair enough. That’s the news we’re looking for. Though is the secret bars and how to get into them.
Bruce Schneier 48:39
We in Minneapolis. Had one in the before open So, open when we all get back into bars called Volstead Emporium and it was like a round back and this seedy alley and steel door downstairs this rickety staircase. Then open door there is beautiful old bar inside. They had a secret room I used to have birthday parties in there.
Chris Glanden 49:00
Yeah, we’re actually in a speakeasy right now.
Bruce Schneier 49:03
I am noticing your bar back there and I’m going to try. I’ve been looking to see what’s written on the chalkboard and what the bottles are. I see a nice Amara collection behind your ear.
Chris Glanden 49:14
Well, yeah, I think Bruce, we’re going to have something that drinks you mentioned on the chalkboard, those sound awesome.
Bruce Schneier 49:19
All right, do send me an email. I’ll send you recipes.
Chris Glanden 49:22
We’ll do Bruce, I appreciate your time. Thanks for joining us.
Alex Srebroski 49:24
Thanks So, much.
Bruce Schneier 49:25
Thanks for having me. It’s fun.