Schneier on Security: Essays Tagged Communications of the ACM

Essays Tagged “Communications of the ACM”

Page 1 of 2

Psychology of Security

  • Bruce Schneier
  • Communications of the ACM
  • May 2007

The security literature is filled with risk pathologies, heuristics that we use to help us evaluate risks. I've collected them from many different sources.

Risks of Risks

  Exaggerated Risks                       Downplayed Risks
  --------------------------------------  --------------------------------------
  Spectacular                             Pedestrian
  Rare                                    Common
  Personified                             Anonymous
  Beyond one’s control                    More under control
  Externally imposed                      Taken willingly
  Talked about                            Not discussed
  Intentional or man-made                 Natural
  Immediate                               Long-term or diffuse
  Sudden                                  Evolving slowly over time
  Affecting them personally               Affecting others
  New and unfamiliar                      Familiar
  Uncertain                               Well understood
  Directed against their children         Directed toward themselves
  Morally offensive                       Morally desirable
  Entirely without redeeming features     Associated with some ancillary benefit
  Not like their current situation        Like their current situation

When you look over the list of exaggerated and downplayed risks in the table here, the most remarkable thing is how reasonable so many of them seem. This makes sense for two reasons.

Risks of Third-Party Data

  • Bruce Schneier
  • Communications of the ACM
  • May 2005

Reports are coming in torrents. Criminals are known to have downloaded personal credit information of over 145,000 Americans from ChoicePoint's network. Hackers took over one of Lexis Nexis' databases, gaining access to personal files of 32,000 people. Bank of America Corp. lost computer data tapes that contained personal information on 1.2 million federal employees, including members of the U.S.

Two-Factor Authentication: Too Little, Too Late

  • Bruce Schneier
  • Communications of the ACM
  • April 2005

Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions.

The Non-Security of Secrecy

  • Bruce Schneier
  • Communications of the ACM
  • October 2004

Considerable confusion exists between the different concepts of secrecy and security, which often causes bad security and surprising political arguments. Secrecy usually contributes only to a false sense of security.

In June 2004, the U.S. Department of Homeland Security urged regulators to keep network outage information secret.

Insider Risks in Elections

  • Paul Kocher and Bruce Schneier
  • Communications of the ACM
  • July 2004

Many discussions of voting systems and their relative integrity have been primarily technical, focusing on the difficulty of attacks and defenses. This is only half of the equation: it's not enough to know how much it might cost to rig an election by attacking voting systems; we also need to know how much it would be worth to do so. Our illustrative example uses the most recent available U.S. data, but is otherwise not intended to be specific to any particular political party.

Voting and Technology: Who Gets to Count Your Vote?

Paperless voting machines threaten the integrity of democratic process by what they don't do.

  • David L. Dill, Bruce Schneier, and Barbara Simons
  • Communications of the ACM
  • August 2003

Voting problems associated with the 2000 U.S. Presidential election have spurred calls for more accurate voting systems. Unfortunately, many of the new computerized voting systems purchased today have major security and reliability problems.

The ideal voting technology would have five attributes: anonymity, scalability, speed, audit, and accuracy (direct mapping from intent to counted vote).

Cyber Underwriters Lab?

  • Bruce Schneier
  • Communications of the ACM
  • April 2001

Underwriters Laboratories (UL) is an independent testing organization created in 1893, when William Henry Merrill was called in to find out why the Palace of Electricity at the Columbian Exposition in Chicago kept catching on fire (which is not the best way to tout the wonders of electricity). After making the exhibit safe, he realized he had a business model on his hands. Eventually, if your electrical equipment wasn't UL certified, you couldn't get insurance.

Today, UL rates all kinds of equipment, not just electrical.

Insurance and the Computer Industry

  • Bruce Schneier
  • Communications of the ACM
  • March 2001

In the future, the computer security industry will be run by the insurance industry. I don't mean insurance companies will start selling firewalls, but rather the kind of firewall you use--along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use--will be strongly influenced by the constraints of insurance.

Consider security and safety in the real world. Businesses don't install alarms in their warehouses because it makes them safer; they do it because they get a break in their insurance rates.

Risks of PKI: Electronic Commerce

  • Carl Ellison and Bruce Schneier
  • Communications of the ACM
  • February 2000

Open any popular article on public-key infrastructure (PKI) and you're likely to read that a PKI is desperately needed for E-commerce to flourish. Don't believe it. E-commerce is flourishing, PKI or no PKI. Web sites are happy to take your order if you don't have a certificate and even if you don't use a secure connection.

Risks of PKI: Secure E-Mail

  • Carl Ellison and Bruce Schneier
  • Communications of the ACM
  • January 2000

Public-key infrastructure (PKI), usually meaning digital certificates from a commercial or corporate certificate authority (CA), is touted as the current cure-all for security problems.

Certificates provide an attractive business model. They cost almost nothing to manufacture, and you can dream of selling one a year to everyone on the Internet. Given that much potential income for CAs, we now see many commercial CAs, producing literature, press briefings and lobbying.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.