
No, the ultra paranoid would buy two computers...

The ultra-ultra paranoid might use their popular and widely read blog - a blog which is almost certainly read by more than one or two people at the NSA - to post an enormous boat-load of misdirection that is nevertheless also helpful advice for people who are actually stuck attempting to secure Windows computers. Advice that happens to highlight what a nigh-impossible task that really is. (TEN rules? Good luck.)

I can't think of any reason for someone in Schneier's position to publicize his actual security arrangements at this time.

Then again, maybe he feels he has a duty, as a security expert, to use and thereby remain familiar with the most popular systems around.



>Then again, maybe he feels he has a duty, as a security expert, to use and thereby remain familiar with the most popular systems around.

I think this is the case for security experts like Schneier and Krebs. Most of the threats they're interested in affect Windows. Most of their readers run Windows. They would be a less useful resource if their first recommendation was always "ditch Windows" even if that's accurate.


Maybe he needs to use Windows, but whether or not his single air-gapped computer runs Windows isn't going to determine whether he's going to be running Windows in general.

I don't know how maintaining a full off-Internet computer isn't much more extreme than switching OSes. If he is recommended an off-Internet machine, it seems clear he'd want to recommend the hard steps as well as the easy steps.

I mean, he says he's running OpenOffice, so Linux should be able to work great for him.


> I can't think of any reason for someone in Schneier's position to publicize his actual security arrangements at this time.

Why not? He's the last person I'd expect to rely on security through obscurity.


When the attack vector is literally relying on information disparities (previously unknown exploits), "obscurity" does provide a fair amount of security. If everyone thinks you're running Linux+OpenOffice and spends time looking for exploits there, but you're really running BeOS+Pe, that gives you a significant upper hand.


One of the few constants in security: "Security through obscurity is no security at all."


I'm surprised how often that's repeated given that it's not true at all. Obscurity is a totally legitimate security technique. Maybe not the strongest one, and hopefully not your only defense, but it's clearly got some value.


In this particular case, Schneier can honestly, with 100% accuracy assume that he is being monitored. This is not paranoia - he has publicly stated that he has some of the Snowden documents. And as we've seen in this saga, the people in power are doing anything and everything they can to get to them. (Miranda case, Guardian UK hard drive destruction, ...)

Under constant and potentially aggressive surveillance, there is not much room for obscurity.

As to his using Windows - well, there may be good reason for that. Schneier has been using Windows for a very long time, and with his level of sophistication, I expect him to be rather good at digging in to the system and identifying potentially unwanted behaviour. This should make NSA less likely to deploy some of their highest-value tools, because it is probable that the tools used would be exposed.

Assuming he is less well versed in maintaining and excavating a Linux installation, it would be more likely for the machine to get silently infected by a zero-day, high-octane exploit.

After all: prevention is desirable, detection is crucial. (How else could you contain the damage once it happens?)


The fundamental misunderstanding that has developed is that there are "systems which are secure", and "systems which are not secure". This is false. Security can be thought of as "how long it will take for Attacker A to compromise this system". All systems can be compromised eventually.

Thus clearly security through obscurity is a valid tactic to increase security. You just have to regularly alter your structure based on how quickly your attackers work- but this is no different from any other form of security. All forms of security have a time limit...


Well I use it as the counterargument to "open source software is full of holes because bad guys can read the source". Because everyone knows that Microsoft doesn't publish their source code and has never been exploited ever.

My point was simply that obfuscation will barely even slow down a determined attacker, ESPECIALLY one with the resources of a nation state (such as the US). It won't even register as a speed bump to anything other than a script kiddie or a worm designed for the majority case.

I'm really kind of shocked that my previous comment was voted -1, when the numbers blatantly agree with me on closed source vendors getting the living snot hacked out of them, even if their source is "obscured" due to not being available.


I literally gave you one example where that helped. Stuxnet and others are further evidence.

Simplified scenario: Your target will open a single file from you. How do you exploit them?


Very good point.

I'm inclined to believe Schneier's real security arrangements are obscured for now.


That's false. If you're talking exclusively about startups it may be true but that's only because maintaining obscurity isn't an option.


That's why no real systems use obscure strings of characters as authentication tokens.

Right?


You are misinterpreting 'obscurity' to as much of a degree as the grandparent post, though in a different way. The 'obscurity' that the adage speaks of is meant to relate to the system you're using. ROT13 is security through obscurity: as soon as your adversary knows you're using it, your system is broken. RSA is not security through obscurity: you can advertise that you use it (indeed, that's fundamentally a part of public key crypto), and still be safe.
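An added illustration of the distinction drawn in the comment above (and of the "how long until Attacker A gets in" framing a few comments earlier), not code from any commenter: a scheme whose only secret is the algorithm (ROT13, or any Caesar shift) falls to 26 guesses once the algorithm is known, whereas a keyed scheme can be published and still leave the attacker facing the full key space. The keyed cipher here is a toy built from SHA-256 in counter mode so the demo runs on the standard library alone; it, the word list and the guess rates are my own constructions for the demo, not a recommended cipher or measured figures.

```python
"""Kerckhoffs' principle in code: secret algorithm vs. secret key.

Added example for this thread. The keyed cipher is a toy (SHA-256 in
counter mode) assumed only so the demo needs nothing beyond the stdlib.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase

# Constructed mini-dictionary used to recognise English plaintext.
COMMON_WORDS = {"the", "and", "meet", "at", "noon", "attack", "secure", "key"}


def caesar(text: str, shift: int) -> str:
    """Shift each lowercase letter by `shift` positions; ROT13 is shift=13."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def score_english(text: str) -> int:
    """Count words that appear in the constructed dictionary."""
    return sum(1 for w in text.split() if w.strip(".,") in COMMON_WORDS)


def break_caesar(ciphertext: str) -> tuple:
    """Algorithm known, no key needed: try all 26 shifts, keep the best."""
    best = max(range(26), key=lambda s: score_english(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: concatenated SHA-256(key || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def keyed_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR the message with the keystream; the algorithm is public."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


keyed_decrypt = keyed_encrypt  # XOR with the same keystream undoes it


def seconds_to_exhaust(key_space: int, guesses_per_second: float) -> float:
    """Time to try every key at a given (assumed) guess rate."""
    return key_space / guesses_per_second


def demo() -> dict:
    """Run both schemes against the same message and report the outcome."""
    message = "attack at noon"
    rot13_ct = caesar(message, 13)
    shift, recovered = break_caesar(rot13_ct)          # no key required

    key = b"k" * 32                                    # 256-bit toy key
    keyed_ct = keyed_encrypt(message.encode(), key)
    wrong_key_pt = keyed_decrypt(keyed_ct, b"j" * 32)  # algorithm known, key not
    return {
        "rot13_ciphertext": rot13_ct,
        "rot13_recovered": recovered,
        "rot13_shift_found": shift,
        "keyed_roundtrip_ok": keyed_decrypt(keyed_ct, key) == message.encode(),
        "wrong_key_recovers": wrong_key_pt == message.encode(),
        "caesar_seconds": seconds_to_exhaust(26, 1e6),          # assumed rate
        "keyed_seconds": seconds_to_exhaust(2 ** 256, 1e12),    # assumed rate
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both attackers in `demo()` are given the full algorithm; only the second is denied a key, and that alone is what moves the "time to compromise" from microseconds to a number with more than sixty digits.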


> still be safe

Less safe than you were earlier. I think the whole point is that security is not a binary variable but a matter of degree.


"I can't think of any reason for someone in Schneier's position to publicize his actual security arrangements at this time."

Schneier is more and more about promoting Schneier. I can't imagine a reason why someone who is so concerned about security would provide details on exactly what they do security-wise (that would be accurate, at least), because the more information you have about someone's practices, the easier it is to defeat those practices.

Not to mention the mere fact that he is so much a public figure now makes him much more likely a target which could negate many of the things he is trying to do.


He's not concerned primarily with his own security. His entire career has been about promoting good security practices.


Has he actually said that he isn't primarily concerned with his own security and he is willing to risk his security for the benefit of others?


Come on, he is doing one of the best jobs in the world educating him about security. No, he probably won't risk his security for the benefit of others, but he is a positive force. So please stop holding him to absurd standards.


He is educating himself about security? This may actually be a tautology. :)

By the way, how many of you guys have read his books? Having actually read Applied Cryptography, I felt his contribution to this field was very little.


Well, that was obviously a typo. There is generation of new knowledge and dissemination of old knowledge. I am not qualified to comment on the first; however, his contribution to the second is substantial.


How exactly is it substantial? I felt he mostly says things along the lines of, "oh, here is the 3-DES algorithm." But there is no commentary after it. Questions like why 3-DES is structured so, or what these fields are, are not explained at all. To me, it says that he doesn't really know how 3-DES works at all. Or, another case I remember is the simple password protection scheme in ZIP. He says that the three keys are initialized with these three values (which can be found in the PKZIP app readme). Then he goes on to claim that it is not secure and that cryptographers can break it easily. But how one would start to do it is not explained at all. Why even mention what these three keys are initialized with? It was a disappointing book.

I felt he did not even disseminate old knowledge because he does not know/comprehend old knowledge. He just disseminated old predicates.
