Bruce Schneier is founder and chief technology officer of Mountain View, Calif.-based MSSP Counterpane Internet Security Inc. and author of Applied Cryptography, Secrets and Lies and Beyond Fear. He also publishes Crypto-Gram, a free monthly newsletter, and writes op-ed pieces for various publications. Schneier spoke to SearchSecurity.com about the latest threats, Microsoft's ongoing security struggles and other topics in a two-part...
interview that took place by e-mail and phone last week. In this installment, he talks about the safety of open source vs. closed source, the future of security management and spread of blogs.
Are open source products more secure than closed source?
Schneier: It's more complicated than that. To analyze the security of a software product you need to have software security experts analyze the code. You can do that in the closed-source model by hiring them, or you can do that in the open-source model by making the code public and hoping that they do so for free. Both work, but obviously the latter is cheaper. It's also not guaranteed. There's lots of open-source software out there that no one has analyzed and is no more secure than all the closed-source products that no one has analyzed. But then there are things like Linux, Apache or OpenBSD that get a lot of analysis. When open-source code is properly analyzed, there's nothing better. But just putting the code out in public is no guarantee.
|Bruce Schneier, CTO, Counterpane Security Technologies|
A recent Yankee Group report said enterprises will outsource 90% of their security management by 2010; that more businesses have made security a priority to meet growing threats and comply with laws like HIPAA and Sarbanes-Oxley. Do you agree?
Schneier: I think that network security will largely be outsourced by 2010 regardless of compliance issues. It's infrastructure, and infrastructure is always outsourced … eventually. I say eventually because it often takes years for companies to come to terms with it. But Internet security is no different than tax preparation, legal services, food services, cleaning services or phone service. It will be outsourced. I do believe that the various compliance issues, like the laws you mention, are causing companies to increase their security budgets. It's the same economic driver that I talked about in your question about Microsoft. By increasing the penalties to companies if they don't have adequate security, the laws induce companies to spend more on security. That's good for everyone.
How is Crypto-Gram doing?
Schneier: Crypto-Gram currently has about 100,000 readers; 75,000 get it in e-mail every month and another 25,000 read it on the Web. When I started it in 1998, I had no idea it would get this big. I actually thought about charging for it, which would have been a colossal mistake. I think the key to Crypto-Gram's success is that it's both interesting and honest. Security is an amazingly rich topic, and there are always things in the news to talk about. Last month I talked about airline security, the Olympics and cellphones. This month I'm going to talk about academic freedom, the security of elections, and RFID chips in passports.
Some people compare Crypto-Gram to a blog. Is that a reasonable comparison?
Schneier: It's reasonable in the sense that it's one person writing on topics that interests him. But the form-factor is different. Blogs are Web-based journals, updated regularly. Crypto-Gram is a monthly e-mail newsletter. Sometimes I wish I had the immediacy of a blog, but I like the discipline of a regular publishing schedule. And I think I have more readers because I push the content to my readers' e-mail boxes.
Do you think blogs have become more useful than traditional media as a way to get the latest security news to IT managers?
Schneier: Blogs are faster, but they're unfiltered. They're definitely the fastest way to get the latest news -- on security or any other topic -- as long as you're not too concerned about accuracy. Traditional news sources are slower, but there's higher quality. So they're both useful, as long as you understand their relative strengths and weaknesses.