Security is Fake?

Bert Martinez: Welcome, I’m glad you’re here. This is going to be a very eye-opening interview with my guest today, Bruce Schneier. Bruce Schneier is a security technologist and author and teaches at the Harvard Kennedy School. Bruce, welcome to the show.

Bruce Schneier: Thanks for having me.

Bert Martinez: Hey. I’m excited to have you here. First of all, a quick shout out: your latest book, A Hacker’s Mind: How the Rich and Powerful Bend Society’s Rules, and How to Bend Them Back. So far, I love this book. I’m about halfway through, and I can’t wait to dive in a little bit deeper, but first, I wanted to ask you this. Is the TSA a huge waste of money or what?

Bruce Schneier: You know, it’s not actually. And it’s really interesting that in some ways, what they’re doing doesn’t make sense, and in some ways what they’re doing makes a lot of sense. So let’s sort of do them both. You know, on the one hand, if we secure the airports, the terrorists will bomb shopping malls instead. Like, we haven’t wasted our time. Right?

We were forcing them to change their tactics and target so much. Right? On the other hand, airplanes kinda have a special place in terrorism for a bunch of reasons. One is that a small bomb kills everybody. Right? You blow up a shopping mall and some people die. Some people are injured. Some people are bruised. Some people get away.

You put the same bomb on an airplane. It crashes, and everybody dies. Right? So that failure mode makes it a more attractive target. Airlines are traditional terrorist targets for whatever historical reasons, so there are things terrorists gravitate to, and they’re often national symbols. 

Air France, British Air, Singapore Air, American Airlines. I mean, they say the name of the country. Which makes them also a good, sort of, terrorist target for that value. So all that being said, we actually need to secure airplanes more than shopping malls or trains or restaurants or any of the other dozens of things that you could consider bombing if you were a terrorist. Now the question is, how do you go about doing it? And then we can get into the noise.

I think some things the TSA does are good. Some are less good. But, you know, that is in the noise. I definitely want a government agency doing this and not the airlines. Right? Airlines have too much conflict of interest here. You know, I want airlines in airplane security, they did a much worse job than when TSA does it. So I do want a government bureaucracy in charge of this, and I want it to be sensible.

I mean, you know, if a TSA agent finds a gun in your luggage, they’re gonna call the FBI and at best, your day is ruined. Right. If they find a bottle of liquid in your luggage, they throw it away and let you through. Right? So is that liquid dangerous or not? With a gun, even if they have, I’m gonna make this up, 70% chance of catching it. They’re really lousy at it. It’s risky for me to try because they’ll probably catch me, and it spoils the plot. If my plot involves liquids, man, I just keep trying. If I try a thousand times and I get it once, I’m golden. Right. Right. So there’s a lot in the details I don’t like about the TSA, but in general, they are security that we need in the 21st century.

Bert Martinez: Alright. So one of the things I heard is this term security theater. And where did that term come from?

Bruce Schneier: I invented that term. I know. It’s like it’s my contribution to pop culture.

Bert Martinez: I love it. And what’s so interesting to me is, first of all, I never thought about it, but when I traveled outside of the United States, the theater was ramped up. Meaning, you will see people walking around with total tactical gear on while they’re carrying their rifles; they look like they could hurt you immediately, as opposed to TSA, and no offense to the good people at TSA, most of these guys look so unfit that they could not chase you down if they had to.

Bruce Schneier: But that’s not their job. No. It’s not. They are not law enforcement officers and not police officers. Their job is to screen people and bags. If you run through airport security at a full tilt, they’re not gonna chase you. They’re gonna shut down the airport.

And that’s what’s gonna happen. Now when you go through the airports of Europe and you see the soldiers with rifles, with pistols, with machine guns, That’s because there have been commando style raids on airports in past decades. Those people are serious.

You go through airport security in Israel. It’s way different than the United States because they are super serious.

And they tell you to bring your luggage the night before. That’ll let us screen it in peace and not waste your time. You know? But the Tel Aviv airport is as busy as New York. Right? You know, they’re at a different scale than the United States, so they can do things differently. But, yeah, I mean, a TSA agent is not going to apprehend a terrorist. That’s not their job.

Bert Martinez: Gotcha. Alright. So I did some research. Could not find the answer. Maybe you know the answer. However, I think this is on your website as well. In fact, it is on your website that I think back in 2015, 2016 or maybe 2019, the TSA had a failure rate of 95% if they were missing real targets. I mean, they were these fake handguns and whatever, but they were failing 95% of the time.

Bruce Schneier: It wasn’t that bad. I don’t remember the numbers, but it wasn’t 19 out of 20 weapons went through. Right? I mean, that does, like, make no sense. Their failure rate is really totally high. But remember what I said? Even a 20% failure rate, which is miserable. Kinda means you can’t have a plot that involves a gun. You’re likely not to get through. You’re not gonna try it. Right? So depending on the ramifications, the repercussions if you get caught. I mean, this is the way, I don’t know, customs works. 

They don’t search your luggage very often, but if they do and find something, it’s gonna be really unpleasant so you don’t try it. This is the way the IRS is supposed to work. Right? You know, we don’t audit everybody, but if we audit you and find something, we make your life really unpleasant. They don’t do that, so it’s so it’s actually not very good enforcement, but that’s the point of random selective enforcement. That you make the penalties so high that it’s not worth trying.

Alright. So, you know, I’m okay with a, you know, a moderately high failure rate for guns. Yeah. It’s the liquids that make no sense.

Bert Martinez: Right. The liquids, but in some of the other stuff that they do, it’s the inconsistency. Right? Because one of the things that really kind of floored me was there is a company called Clear, and they have the ability, and I’m sure you’re familiar with this company, at the security point as you’re going through, there are salespeople there who will, you know, hey, if you wanna avoid this big long line, come over here to Clear, whatever it is, 200 bucks a year, they can fingerprint scan you right there, verify your identity, and give you a membership, and now you’re, in some cases, ahead of TSA PreCheck. And I’m thinking, if a third party can do this, why can’t our government do this? Why can’t the TSA or Homeland Security just set this up?

Bruce Schneier: Yeah. The government could. They choose not to. Remember, we live in a country where the government is underfunded. Where, you know, actually, both Republicans and Democrats tend to want corporate America to do the thing in government, not, which I think is wrong. I mean, I think you’re right. Government should do that.

My main complaint with CLEAR, with PreCheck, although I have all of those things. I love them because I get through the airport security faster, because it makes two lines: the lines for those who have and the lines for those who have nots. And now if nobody who’s in power, if no congress person ever has to wait in a long security line and take off their shoes and pull their laptops, all the things that pre check and clear people don’t do, it’ll never get better because they never experience the indignation. 

So I really want that it’ll be one line, even though I personally benefit, right, from all of those skip the line if you’re a frequent flyer, if you pay money, all of those things because I fly a lot. Right. But I don’t think it’s good for society. Sort of in the same way you don’t want everybody at the amusement park to have to wait in the long line. Now Disney now has, you know, you pay more money. You can cut the line. I don’t like that. Like, that’s not fair, but I want everybody to be in the same boat.

Bert Martinez: And I agree with you. And, again, just to be transparent, I’m just like you. I pay for my PreCheck. And, I think PreCheck now has stepped up their game a little bit. I believe they’re available at some airports, I believe they’re available at the LAX Airport, and they’re starting to be available at some retail outlets. I can’t remember which. But, yeah,

Bruce Schneier: You mean clear, not pre check?

Bert Martinez: No. No. TSA pre check.

Bruce Schneier: Oh, I see. Just to sign up. Almost all airports. You could sign up at pretty much any airport.

Bert Martinez: Yeah. So they’re stepping up their game a little bit. And then to the other side, yes. You’re right. They are underfunded, but because we’re talking politics, you know, somebody up the food chain said, hey. Yep. We’re gonna let Pre-check do this thing, and I’m sure that our government gets a fee for that. 

And I don’t have a problem with that, but it is a little annoying. It is a little annoying. The idea that TSA, excuse me, is, like you said, they’re not really so much to, what do you call it? Stops. I guess they are. They’re gonna stop somebody. They’re gonna screen the bags. They’re gonna call security or FBI or whoever they’re gonna call. But I think that before I got ahold of your materials, I thought TSA was completely different.

Now I understand that TSA is just, you know, it’s a little bit more show than I thought it was. And I just find that concept so interesting, but it works. I mean, it’s no different than when your parents set that boundary. Right? And sometimes they let you push that boundary and sometimes they don’t.

Bruce Schneier: You know, the TSA is supposed to be less arbitrary than our parents were, but, indeed.

Bert Martinez: Yeah. Alright. So let me ask you this. How did you get started in this field?

Bruce Schneier: So which field is this field? I have a complicated history. Which origin story do you want?

Bert Martinez: Well, I guess, the origin story, how did you get into the security field, specifically, because, you know, as I introduced you, you’re a security technologist.

Bruce Schneier: Right. I’m super general. And I think that’s the key. My life has been a series of generalizations. I started out writing about cryptography, the mathematics of security, my book in 1993, and then I write about security of computers and then networks and then general security technology, then I start writing about the psychology of security, the economics of security, the sociology of security, I have a book on trust, then I’m writing more about the political science of security. My book Data and Goliath, about surveillance and eavesdropping; Click Here to Kill Everybody, which is about internet of things and safety. Now my latest book is about hacking in general, hacking broader social systems. So that’d be the book you’re reading. So it is sort of me becoming more and more general, trying to figure out context. That is always the way I think. And along the way, I’ve, you know, I’ve had companies. I now, you know, teach at the Harvard Kennedy School where I’m teaching really public policy students about internet security and cybersecurity. And, you know, I guess that’s my origin. Origin is mathematics, which is pretty scary and boring.

Bert Martinez: You know, and it’s so funny too. I think that one of the issues that we have as humans is, and this happened to me this morning, and I just thought it was just a perfect timing thing, where one of the websites that I use, I forgot my password. The password that I was, you know, 100% sure was the password was not the password. It’s okay. No big deal. I’ll hit the reset button. I think it denied my different passwords that I used four different times. It kept saying your password’s too weak. Try again.

Too weak. Try again. And they want you to have a suggested password. Now my passwords are typically 12 to 15 characters long, but I can’t remember how many characters this was, but it was a huge amount of characters, multiple symbols, something I’m not gonna remember.

But what was interesting to me was my own laziness, you know, back to what you said about Boredom. Here we are. Security is an important thing. We take it for granted. Here me and here I was. I was getting frustrated because here’s this application saying, hey. We want your security. We want you to take your security seriously, and we want you to upgrade your password. I’m like, no. I wanna use the passwords I’ve used before that I have memorized. I think they work pretty good, but I think part of the flaw in security is that we, after a while, take it for granted. We don’t want to change our password every few months like we’re supposed to. We don’t want to do all the things to keep ourselves secure. We kinda lull ourselves into a false sense of security.

Bruce Schneier: So that’s true. Well, let me give you a couple of bits of practical advice in this whole thing. Number one: use a password manager. Stop remembering your passwords. Get a password manager. Remember one password. Put them all in there. Any password you can remember isn’t any good, period. Right? So you remember one really secure password. There are tricks for that, but then, you know, 16 random characters. Just put it in your password manager. Never remember it again. So that’s advice 1.

Advice number two: we don’t need to change our passwords every three months. That is old advice. That is bad advice. Some sites still make you do it. They are wrong.

So don’t change your password unless you feel it has been compromised and then change it immediately. So those are 2 pieces of practical advice. 

In general, I think you’re right. I really dislike password generation rules because they seem arbitrary and they’re inconsistent. This one wants a number, this one says it’s a special character. This one says the number can’t be in the beginning. This one says it can’t be at the end. Right?

You know, I can create secure passwords. Sometimes they get blocked because they don’t fit wherever the hell their rules are, then I’m stuck with a password that is not in my system, and it doesn’t actually and things go all bad. So I agree with you on the rules. I also agree with you on, security fades in the background, but good security does. 

The security that’s best is the security you don’t notice and lets you go back to your business, do what you want, and magically keeps you safe. Now that’s really hard. Right? If you were the president, the secret service would do that for you. They’d be, like, invisible in the background, making sure everybody around you is safe, and you can just blithely walk around, not even knowing because you got thirty people who are keeping you safe. But we don’t have that.

Right? So security is annoying. Right? Security means when I come to my house, I gotta pull a key out of my pocket, stick it in a lock and turn. You know, why do I have to do that? That’s annoying. Why can’t it just work? Well, it can’t. Right. And whether it’s passwords, or biometrics or physical keys or credit card swipes and smart cards. These are all things that, in a sense, get in the way and provide security. But, yeah, I mean, usability says we should make them fade into the background. But sometimes I don’t want them to. I want you to know when you’re dealing with an honest merchant or a fraudulent one. I want you to know when someone breaks the window of your house. We sometimes want security to be visible and audible.

Bert Martinez: Yes. It’s true. I mean, look, there’ve been crimes, abductions, murders that would not have been caught, but for the fact that we have this proliferation of cameras everywhere now.

Bruce Schneier: Yeah. Even less than you think. My cameras are not as effective as the camera people want you to believe in crime solving. 

I mean, they’re a very good tool for social control, which is why you see them in, you know, China, in Hungary, and Turkey, right, countries that really want social control. In the US, you see them for law enforcement, and they are less effective than I mean, they sound effective. Right? There’s a camera. Of course, I was gonna commit a crime. Turns out, that doesn’t work that way. Right? 

And if you’d see, I mean, I don’t know when you’re gonna air this, but, like, the other day, there was a big smash and grab crime in San Francisco. And there’s a video of it. Right? You can watch these people, you know, going through the store, grabbing, I assume, $10,000 handbags. And leaving the store with them. Is that camera gonna convict anybody? I doubt it.

Bert Martinez: Right. However, if you look at January 6, cameras helped.

Bruce Schneier: Cameras would really help oddly enough with cell phones. Sure. Not the cameras, but everybody carried a cell phone. The police got a warrant for all of that data of who is around the Capitol, is around the White House, you know, who’s on the White House lawn, who is, like, at the Capitol, who is inside, you know, people carrying cell phones in their own names, will they identify people that way? So cameras were useful. Cell phone data was more valuable.

Bert Martinez: And, again, people posted it online. Here I go. 

Bruce Schneier: Right, and people who are even hiding it. That’ll, you know, also that.

Bert Martinez: Alright. So let’s talk about your latest book, A Hacker’s Mind: How the Rich and Powerful Bend Society’s Rules, and How to Bend Them Back. You know, that title caught me a little bit because I do like to bend society’s rules a little bit.

Bruce Schneier: Oh, I do too. I mean, all the fun people do. Let’s sort of lay that out there.

Bert Martinez: So hold up your book. Let’s take a look at it because I got the digital audio. What was the catalyst behind writing this book?

Bruce Schneier: You know, again, this is me being a generalist, and I’m looking at the term hacking, right, which is getting the computer to do what you want, breaking into computer systems, finding vulnerabilities and software. And I’m extending that metaphor to social systems, to political systems, to economic systems, to all sorts of systems. 

So a good example is the tax code. Right? It’s not computer code, but it’s code. It’s a series of algorithms as inputs and outputs. And those algorithms have bugs. They have mistakes, and there are vulnerabilities. We call them tax loopholes. 

And there are exploits based on those vulnerabilities. We call them tax avoidance strategies, and there are black hat hackers. We call them accountants. We call them attorneys. Whose job it is to find and exploit those vulnerabilities. And the parallel is really very tight. Right? A hack is something the system permits but is unintended and undesired by the system designers. Remember, tax loopholes are not illegal. They’re legal. Right?

There are things that the designers of the code, the law forgot, or didn’t notice or situations changed just like software. Right? And there are ways that people can exploit them and there are hacks and all sorts of systems. 

And the most fun part of the book is writing about different systems. I write about hacks in sports, in casino games, in religious laws, in economic systems, and regulations of all kinds, in politics. Right? The filibuster is a hack invented in ancient Rome. I think Cato the Elder was his name, and he looks at the rules and says basically, all business has to be concluded by sundown. That’s the rules. He looks around and says, you know, if I never stop talking, I will get to sundown and nothing will happen. I win. And he realized that.

Now the person who wrote the rule, all business Tucked by Sundown just wanted to go home for dinner. Right. Right. Right. He did not expect the rule to be abused in that way. And there are rules in sports, mileage runs in frequent flyer programs, all sorts of examples that the rule allows but it’s a trick. It’s something that nobody expected. And maybe it’s good, and maybe it’s bad.

Bert Martinez: Right. Well, one of my favorite things that you point out in the book and this is true. I have 5 children that are great hackers. And they’ll figure out a way to hack communication. You mentioned, Disney’s penguin thing that they eventually shut down because It got hacked. I mean, there was, predators interacting with kids, and then I think you mentioned another time where kids were, then there are certain things that they could not put in. I don’t know if it was the same Penguin program, but there are certain communications that weren’t allowed, and they figured out a way around it by using pictures or whatever, but I love the fact that, yeah, some of the best hackers in the world are kids.

Bruce Schneier: Yeah. And that’s because they don’t really fully understand the rules. Right? I mean, they don’t know the box because they just don’t have any of the same things that you and I do as adults. 

My favorite examples that I collect are the ways kids hacked Zoom during the pandemic. So I have a story. I don’t. Don’t know if I made it to the book, but there’s one kid who would change his screen name to connecting dot dot dot and turn his camera off. No. That’s brilliant. It’s someone else. And what she would do is she would log in with a bad password. I don’t know if this was Zoom or another system. She would log in with the wrong password enough times. The system would lock her out. Then she would call her mom and say, I can’t get in. The system locked me out. And it took the mom like a week to figure out that the kid was doing this on purpose. Right. So, yes, the pandemic brought out the hacker in a lot of kids.

Yeah. Right. But you wanna give this kid a job. Right? And so this is a tension. Right? How do we nurture that spirit without turning them criminal? Right? How do we nurture that hacking spirit in a way that isn’t I break the rules, but I’m creative about the rules. Right? There’s a benefit here, but there’s also a dark side. And I try to explore that. Right? Max walks this line between something you shouldn’t do and something you should do. If we want that kid to thrive, but not to become a career criminal, that would be too much.

Bert Martinez: Speaking of Zoom, again, on your website, there’s an article out there about how Zoom can spy on your calls, use your conversations to train AI, but they’re saying they’re not gonna do that. What’s your take on this? Do you believe them at all?

Bruce Schneier: Yeah. So this is, I think this is a problem right now with society that we rely on the benevolence of for-profit corporations who are not benevolent. So the story is a couple weeks old that Zoom changed their terms of service, and didn’t tell anybody. They just did it because, as companies do, and the terms of service say that, like, we can use your conversations. You can use your data to train an AI. Right? So this conversation happening on a Zoom, Zoom can, according to their service, use it to train their AI to do whatever they want. Someone saw that. It made the press. People freaked. Like, what the hell? And Zoom said, no. No. No. Sorry. Sorry. We didn’t mean that. We promise. We will never do that. Now maybe they’re being honest. Today, they probably are. They’re probably not doing it. It could change at any time, but the real question is, why do we rely on Zoom’s benevolence here?

Hey. Why aren’t there rules? Why isn’t there a law? Why isn’t there some regulation about whether or not Zoom is allowed to train its AIs on our conversations? I had a conversation with someone from Amazon about a month ago, who said that Amazon has an enormous database of transcribed customer service conversations. That it’s used to train AI and customer service. I wait. I’m sure the rules say they’re allowed to do that. But is that okay? Like, do we expect that? Do we want that? So what’s missing here in a lot of areas of tech are some government rules of the road. Right? Because corporations will do whatever they can to maximize their profits. That’s their job. Sure. If we wanna put them in a constrained box, we need to actually do that and government society is sort of how we do that because the market will never do that.

Bert Martinez: And to your point, I think we have a lot of historical data that big corporations do 2 things. They connect with politicians because it’s smart for them to do so. And they will break, bend, bruise, batter the laws until you get caught.

Bruce Schneier: That’s it. And this is what I call hacking. Uber is hacking the laws for common carriage that allows them to basically replace taxis without all the taxi regulations, or Airbnb doing the same thing. And, yes, they do. There is this pipeline that takes profits and converts them into lobbying dollars to create policy for more profits.

And that pipeline has been I don’t know if perfected is the right word yet. But has been optimized to the degree that we have not seen before. And this is the reason that tech monopolies are much more dangerous now than monopolies were in the past. Absolutely. To turn profits into policy into profits. The policy to profits.

Bert Martinez: Absolutely. Alright. So you mentioned AI. I see AI definitely, you know, creeping into security. I can see that’s, you know, because everybody’s, oh, let’s AI this. Let’s AI that. And what’s your thought on AI and security?

Bruce Schneier: So I think it’s gonna be interesting. I mean, security is always an arms race, attacker versus defender. And the real question that you wanted to ask is will AI benefit the attacker or defender more? Like, how will it affect the arms race? The real answer is we don’t know, that this stuff tends to be emergent and what we’re gonna find out.

My guess is that in the near term, AI helps the defense more, because already you’re being attacked at computer speeds, defending at computer speeds is an enormous advantage. But that’s near term. We will see what happens long term. Certainly, it will change everything. I think AI is gonna change a lot of things. But you don’t wanna know this, but I was interviewed about a month ago, 2 months ago, and the interviewer asked ChatGPT some interview questions for me, and they were like the best questions I’ve ever got.

So as a podcast interviewer, I’m gonna tell you your days are numbered because those large language models are coming up fast, and they’re coming up with great questions. Like, one of the questions was if you were an action figure, what would your accessories be, and what would your catchphrase be? I mean, I’ve never gotten that question before. I had to think about it. It is rare that I get questions I have to stop and say, woah. That’s a question.

Bert Martinez: It is. It is. You know, and one of the things in your book, again, A Hacker’s Mind, you point out Peter Thiel, how he bought a bunch of PayPal stock, put it in his Roth IRA. Now that Roth IRA is worth a couple $2 billion or $3 billion. I remember, I think it was Elizabeth Warren who was saying it’s just another rich person trying to, you know, trying to get away with not paying taxes. First of all, we all wanna do that. I mean, if you and I could go buy $5 thousand worth of stock, and then 20 years from now, have it be worth a billion dollars, sign me up.

Bruce Schneier: Right. But you wouldn’t be you. I mean, this is the thing. Right? Peter Thiel was already a billionaire when he did that. Right? So these hacks benefit the rich more. So if you and I found a tax loophole, it’s legit. We find a loophole. We’re gonna want to make a few thousand dollars. We’re not that wealthy. We can’t do what Peter Thiel did. 

And probably if we get hold of the tax court, we’re gonna lose. Because how much an attorney are we gonna afford? You’re already a billionaire. You find a tax loophole. You can, A, make a billion dollars and, B, you can afford the level of attorneys to make sure that thing stays legal. So it’s not really the same. And what he did, it’s that he bought shares of a company he founded using money that was already in his Roth. Right? Now a Roth IRA is an IRA designed to help middle class taxpayers save some money for retirement. That’s its purpose. That’s the way it was written. But because he founded a company that became immensely successful, he was able to use that Roth IRA as a shield to protect, like, four and a half billion dollars from tax.

Which is a bit nutty. It is not what was intended. Now it is legal. It is not illegal. That’s the key of a hack, but it’s an exploitation of the system and I’d like a system that is flexible enough to say, hey, Peter. You know, that’s not the way it’s supposed to work. Give us our tax.

Bert Martinez: Alright. I will have to disagree with them. And you’re right. In the sense that, yes, I cannot. I don’t have a billion dollars if I’m not a billionaire, so I don’t have a billion dollars. I can’t do the stuff that Peter Thiel can do. But I don’t know. I thought it was brilliant, but it was a good use. And I think one of the chances.

Because one of the issues I have with the Roth IRA is that as an average person, not a millionaire or a billionaire is that we’re only allowed to put so much money into that account. I think that, depending on your age, it’s 6 to 500 bucks a year up to 700 500 dollars a year depending on your age.

Bruce Schneier: That little, but honestly, this is totally not a financial advice show. All you listeners, like, no, Google this. Don’t listen to us.

Bert Martinez: Yes. That’s a good point. But either way, I thought it was a brilliant hack. And to your point, that is the whole point of a good hack as you go, wow. That was cool. That was brilliant. I’m gonna see if I can do some of that.

Bruce Schneier: I mean, you know, less than the 9/11 terrorists. That was a hack. Yeah. Using an airplane as a missile, I hadn’t, I never thought of that. I mean, it was horrific, but it was totally a hack of the system. Right? The entire airplane security before 9/11 was based on 1970s terrorism. I’m gonna hijack a plane and fly it to Cuba. Right. Not based on what happened on September 11th.

They changed the nature of airplane terrorism. Right. What they did was clever. You don’t have it doesn’t have to be good to be clever. Right? It could be horrific and clever at the same time.

Bert Martinez: Absolutely. You cannot in any way disagree with that. It was clever. They thought, you know, thought out. I think they planned a year or 18 months in advance. They were methodical. They took their time. It was very clever. Very clever.

Bruce Schneier: Although you think they would have been caught, I mean, if you go to a flying school, I want to learn how to fly a big plane, but I don’t wanna learn how to land. You’d think that would be a red flag? Turns out it wasn’t.

Bert Martinez: It’s amazing. Alright. So, I guess, my takeaway, and I want your feedback on this. I’m like halfway through your book, I’ve looked at some of your articles on your website. And security is completely temporary. It’s there to give us a false sense of security. Matter of fact, I think in your TED Talk, you talk about that security is a component of 2 things. It’s real and it makes us feel a certain way and part of it is real. Right? Something like that.

Bruce Schneier: Yeah. I mean, but it is real. I mean, there’s some security. I mean, I have a lock on my front door, and it works. I mean, it’s not just there for show. I mean, yes, someone could smash your window. So I’m living in a society where the rule of law keeps most people honest, but, you know, security does have reality. There are feelings. There is a security theater. But some of it’s real. You know, the TSA does some good stuff. Some stuff is theater, some stuff is real, and there’s always both. It’s never just one. And security kinda keeps the world functioning.

Bert Martinez: Sure. No. I mean, look. You need it. Yeah. You absolutely have to rely on a certain level of security work. You and I are driving on opposite lanes on the street. I’m counting on you staying in your lane. You’re counting on me staying in my lane. And that works. Every now and then, we see people that forget about that rule. So awful things. But ultimately, I think that my 2 takeaways have been: we, as a society, have our own personal responsibility. We gotta take our own security a little bit more seriously. And then second, you know, the minute you think, hey, I’m safe, I’m not hackable, that’s when you get hacked.

I mean, because there isn’t one large corporation that I’m aware of that hasn’t been hacked. You know, you banks who you think have these great securities. They have a whole department. They have cyber security experts. They do the whole red teaming thing. Hacked.

Bruce Schneier: I mean, at the end, the banks get hacked, but our money is largely safe. We do what we are worried about? Not worried about hacking. We’re about bank runs. We’re worried about, you know, what happens to Silicon Valley Bank. It was belly up. Like, that’s our risk. Our risk is not the hackers. Our risk is, like, the greedy and regulated bankers.

Bert Martinez: Absolutely. Absolutely. Bruce, thank you so much for stopping by. I love the book. And real quick, we’ll shout it out one more time. It is A Hacker’s Mind: How the Rich and Powerful Bend Society’s Rules, and How to Bend Them Back. It’s a great book. I want everybody to check it out. It’s available on Amazon or wherever you get your favorite books.





