by linkregister 3567 days ago
Although Schneier is probably correct in this instance, one of the most exasperating features of his computer security writing is an utter lack of citations or evidence to back up his claims. (His writing about cryptography should require no citations because he is an actual crypto expert.)

After the significant inaccuracies and frequent unsubstantiated speculation in Schneier on Security, I don't think credible security researchers can take his analysis at face value. Additionally, the halo effect of his actual expertise, cryptography, convinces people who aren't security experts that his opinions and speculations are correct. Worse, he rarely frames his speculation as such; he states conjecture as fact. This is counterproductive and leads to confusion among journalists and eventually the general public.

To the imminent downvoters, I'm not offended; I expect it with an unpopular opinion. I'd prefer you engage with a reply in addition to the downvote so we can have a discourse. I think it's important that I add my dissent to the conversation.

Sometimes it feels as if computer engineers have a unique inability to deal with ambiguous information.

Yes, I agree the article is vague, and I'd like to learn more. But this is typical for this kind of backchannel intel. From some sources, through some channels, for some kinds of info - this is all you get. This is business as usual.

Take it in for what it's worth. It's a signal from a sea of noise, nothing more. Maybe it's actionable, but perhaps it's not. Just learn to deal with ambiguity; the world at large is quite different from the rigid boolean-logic computer systems you're interacting with on a daily basis.

> Just learn to deal with ambiguity; the world at large is quite different from the rigid boolean-logic computer systems you're interacting with on a daily basis.

You're shitting me, right?

Computer engineers are the last people who think in rigid, boolean-logic ways. It's the general population that does that. If you do any serious thinking in any STEM field, you quickly learn that the world is probabilistic in nature, and ambiguity is what you eat for breakfast. What the technical fields do to manage it is learn to quantify the exact nature of ambiguity. When you do that, by means of probability theory, you learn that ambiguity doesn't mean "anything goes"; there are rules it follows.

Like, backchannel intel may be vague, and this also implies it's likely to not be true (unless you can pull out additional evidence in its favour, like e.g. good track record of the person delivering this backchannel intel; that point is discussed in parallel threads). In a sea of noise, the "signal" you see is most likely a coincidence. Not comprehending this (aka. "seeing patterns everywhere") is one of the biggest sources of irrationality in people.

Well, as far as ambiguity goes, a CS or CE's job is to fit that round peg into our square hole, with mathematics and neural networking as our hammers.

Taken out of context, your statement is true. In context, your relativist position isn't applicable. In this case, this is a renowned cryptologist making some assertions. My complaint was that this article is good, but given the author's track record, I want more evidence. I don't think that's unreasonable.

> the world at large is quite different from the rigid boolean-logic computer systems you're interacting with on a daily basis.

This rhetoric is patronizing and doesn't contribute to the conversation.

> Sometimes it feels as if computer engineers have a unique inability to deal with ambiguous information.

This is a limitation of computers, not the engineers. The engineers are happy to deal with ambiguous information as long as you don't mind ambiguous results.

> Take it in for what it's worth. It's a signal from a sea of noise, nothing more.

His post is the very definition of "taking it for what it's worth".

Schneier cited the Verisign DDoS trends report and provided a link to it.

He also cites anonymous sources. These sources agreed with each other and with the public report from Verisign. He explained why he was keeping those sources anonymous.

That is just good journalism.

I agree with everything you said.

My comment was juxtaposing it with the accuracy of Schneier's blog and his public statements on computer security.

I don't think he can give citations or evidence. He gets told some stuff in confidence. He can violate the confidence, and not be told stuff in the future. Or he can say nothing. Or he can tell us as much as he feels he can, even though that's annoyingly vague and unspecific. As far as I can see, those are his only options.

On this topic, he chose the third option, because he felt that people needed to know, even though he couldn't give specifics. It sounds like you wanted him to pick the first option. If he did, though, it would be the last time he would be able to do so, because his information would dry up.

That's the pragmatic argument. There are also some of us who feel, when you tell someone that you aren't going to blab what they told you in confidence, that you should keep your word...

I think you are mischaracterizing my statement. At no point did I suggest he should violate journalistic integrity by belying his sources' confidence.

I do say that it's inappropriate to expect implicit trust after all his previous integrity failures (conjecture as fact, etc). I want to believe this article. I do believe it. But I also can't rely on it, as his track record shows that given the topic of computer security, he will even present unfounded speculation to Congress as fact if given the opportunity.

Can you please do as you say, and provide specific citations and examples of his conjectures framed as fact?

Schneier is undoubtedly a world-class expert in cryptanalysis and cryptography, but he has decided to leave that field and become a tech journalist and pundit.

That's a pity, but I guess it makes sense for him if he wants to exert influence.

Unfortunately too many laypeople take everything he's writing as gospel. Remember when he clearly misunderstood the "xkcd scheme", was called out by pretty much everyone and couldn't even admit that and post a correction? You can be sure that lots and lots of people will dismiss everything looking like it (Diceware!), simply because Schneier erroneously piled heaps of ridicule on it.

His writing about cryptography certainly should include citations.

It might sound blasphemous but I (as a non-expert in crypto) would be satisfied if either you or Bruce didn't cite their writing about crypto.

Yes, appeal to authority and all that, but I don't have time to fully learn a field to find out if a cryptographer is mistaken.

Also, the point I was making is that if he wants to leave work uncited, it should at least be the work he has actual credibility in.

Citations aren't simply about "is this valid?", but about enabling others to audit the basis of the claims -- was the author saying it based on their more nebulous "general expertise" (speaking ex cathedra), or were they relying on the credibility of other sources? If the latter, that makes it easier to fix when the same error was propagating through several sources to the point that it became common knowledge.

(Interestingly enough, that sounds like a point Schneier would make :-p )

In fact, there's a general problem in belief updating (Bayesian or otherwise) where you may over-credit others' opinions by treating them as independent when they were both actually relaying the same data point. You can only detect this error if you can inspect the source of those opinions.

Ngah. No. You should definitely want references from me, too!

On second thought, I do want references. I thoroughly enjoy watching you and other cryptographers arguing on HN. Especially when the topic of DNSSEC comes up.

That works for you, but on the subject of security, tptacek is on a different level than most of the rest of us. It's perfectly valid for him to say that he wants to see Schneier's references, and for you to say that you will take it on trust from either of them.

> Also, the point I was making is that if he wants to leave work uncited, it should at least be the work he has actual credibility in.

A totally valid point. Way too often, people smuggle credibility from an area where they have expertise (and therefore deserve the credibility) to areas where they don't. In this case, though, the real credibility is Schneier's honesty, not his expertise, since he's passing on (obscured) reports from others.

My point is that his honesty is actually non-existent, as it has been tainted by his provably incorrect speculation from 2013-2016.

I think it's absolutely valid for tptacek to demand citations from Schneier!

> My point is that his honesty is actually not existent, as it has been tainted by his provably incorrect speculation from 2013-2016.

What are you referring to here?

And, taking your statement at face value: If he speculated, and was clear that he was speculating, and was wrong, that doesn't destroy his honesty - merely his reputation as a speculator.

Indeed in my original comment I assert that he speculates without appropriately labeling it as such. Hence, why my viewpoint is controversial on HN. Most HNers believe Mr. Schneier is an authority on computer security. I believe he takes his genuine expertise in cryptography and mistakes it for understanding of computer security that he doesn't actually possess.

His shortcomings are especially apparent when applied to APT, memory corruption, and computer network intrusion/defense.

> To the imminent downvoters, I'm not offended; I expect it with an unpopular opinion

This is the modern way to ask for upvotes.

Ask for upvotes straight out? The community saw it one too many times and doesn't anymore.

Mention you expect downvotes and that it's an unpopular opinion? People agreeing with you, which there almost always are anyway, will show you support while making potential downvoters think twice.

I was going to upvote, but never mind.

e.g.

> someone has been probing the defenses of the companies that run critical pieces of the Internet.

...

> China and Russia would be my first guesses.

My $0.02, as a latecomer to this tech industry (really only been in it for 6-8 years):

I don't understand the reverence around Schneier. I first saw him give a talk in 2009, and it was an 'insert town name here' speech about stuff that was blazingly obvious to people who should already know (topic: social engineering and passwords). Yet people were fawning over the talk. It really struck me as a guy who was once great, but is now resting on his laurels - that halo effect you mention.

I get exactly the same feeling from this article. There is nothing in it that we don't already know. What, there are state actors in Russia and China that are effectively at cyberwar with us? Quelle surprise! DDoS attacks are getting more sophisticated? Quelle surprise again! He takes one issue in tech that actually has filtered through to the general public, and makes it sound like he has the inside story. DDoS attacks pick up where they left off last time? Must be the work of an evil genius - no mere mortal could think of that!

I also get that the article is for a general audience, but in that case, the "oo, I can't share details!" bit is just populism. In short, I find his writing on tech to be lots of fluff and little meat.

Perhaps I'd have a different opinion if I grew up with him in his glory days, or if I was more interested in crypto and read his more technical papers, but while I've been on HN, I've never been enlightened by a linked article of his. This is all, of course, personal perception, and he may be a downright top bloke to someone more in the know.

He wrote a book in the 90's that defined crypto for a lot of people. It was the first time that I know of that this info was all collected, curated and available to the "average reasonably technical developer", without reading a ton of academic papers.

In retrospect we've learned a lot since then and no one (including the author) would recommend developers read that book first or even at all. Now we've come to the understanding that folks are much better served by opinionated cryptosystem design ("no sharp edges") and texts like "Cryptography Engineering" that have a better focus on failure modes.

Anyway, he's not the be all, end all expert but he has been thinking about this stuff for a long time and often has perspectives that are worth thinking about. Some of them, like his views on airline security, etc., are now so mainstream that you wouldn't realise he was a big part of why they are now widely held.

But mainly it's that he has a lot of pretty high level gov and industry connections, so I would at least entertain his conjecture here.

Also ISTR he had a column in DDJ; I first encountered him via an article there.