Schneier on Security: Essays Tagged Information Security


Essays Tagged “Information Security”

Page 1 of 4

Schneier-Ranum Face-Off on Whitelisting and Blacklisting

  • Bruce Schneier
  • Information Security
  • January 2011

This essay appeared as the second half of a point/counterpoint with Marcus Ranum.

The whitelist/blacklist debate is far older than computers, and it's instructive to recall what works where. Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock. We do it this way not because it's easier -- although it is generally much easier to make a list of people who should be allowed through your office door than a list of people who shouldn't -- but because it's a security system that can be implemented automatically, without people.

To find blacklists in the real world, you have to start looking at environments where almost everyone is allowed.


The Dangers of a Software Monoculture

  • Bruce Schneier
  • Information Security
  • November 2010

This essay appeared as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.

In 2003, a group of security experts -- myself included -- published a paper saying that 1) software monocultures are dangerous and 2) Microsoft, being the largest creator of monocultures out there, is the most dangerous. Marcus Ranum responded with an essay that basically said we were full of it. Now, eight years later, Marcus and I thought it would be interesting to revisit the debate.


Should Enterprises Give In to IT Consumerization at the Expense of Security?

  • Bruce Schneier
  • Information Security
  • September 2010

This essay appeared as the second half of a point/counterpoint with Marcus Ranum.

If you're a typical wired American, you've got a bunch of tech tools you like and a bunch more you covet. You have a cell phone that can easily text. You've got a laptop configured just the way you want it. Maybe you have a Kindle for reading, or an iPad. And when the next new thing comes along, some of you will line up on the first day it's available.


Weighing the Risk of Hiring Hackers

  • Bruce Schneier
  • Information Security
  • June 2010

This essay previously appeared in Information Security as the first half of a point-counterpoint with Marcus Ranum. Marcus's half is here.

Any essay on hiring hackers quickly gets bogged down in definitions. What is a hacker, and how is he different from a cracker? I have my own definitions, but I'd rather define the issue more specifically: Would you hire someone convicted of a computer crime to fill a position of trust in your computer network?


Should the Government Stop Outsourcing Code Development?

  • Bruce Schneier
  • Information Security
  • March 2010

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

Information technology is increasingly everywhere, and it's the same technologies everywhere. The same operating systems are used in corporate and government computers. The same software controls critical infrastructure and home shopping.


Is Antivirus Dead?

  • Bruce Schneier
  • Information Security
  • November 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

Security is never black and white. If someone asks, "for best security, should I do A or B?" the answer almost invariably is both. But security is always a trade-off.


Is Perfect Access Control Possible?

  • Bruce Schneier
  • Information Security
  • September 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

Access control is difficult in an organizational setting. On one hand, every employee needs enough access to do his job. On the other hand, every time you give an employee more access, there's more risk: he could abuse that access, or lose information he has access to, or be socially engineered into giving that access to a malfeasant.


Should We Have an Expectation of Online Privacy?

  • Bruce Schneier
  • Information Security
  • May 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

If your data is online, it is not private. Oh, maybe it seems private. Certainly, only you have access to your e-mail.


Social Networking Risks

  • Bruce Schneier
  • Information Security
  • February 2009

This essay appeared as the first half of a point-counterpoint with Marcus Ranum.

Are employees blogging corporate secrets? It's not an unreasonable fear, actually. People have always talked about work to their friends. It's human nature for people to talk about what's going on in their lives, and work is a lot of most people's lives.


State Data Breach Notification Laws: Have They Helped?

  • Bruce Schneier
  • Information Security
  • January 2009

This essay appeared as the second half of a point/counterpoint with Marcus Ranum. Marcus's half is here.

There are three reasons for breach notification laws. One, it's common politeness that when you lose something of someone else's, you tell him. The prevailing corporate attitude before the law -- "They won't notice, and if they do notice they won't know it's us, so we are better off keeping quiet about the whole thing" -- is just wrong.
