Sunday, April 22, 2007

A Day Listening to Bruce Schneier

Yesterday I was lucky enough to view a talk by Bruce Schneier titled, "Open Source-style Security in the Physical World". Bruce was accompanied by Christine Peterson, Vice President and Co-founder of Foresight Nanotech Institute. The talk was very educational and focused on how we as geeks can apply some of the philosophies of open source software to a security model dealing with the physical world and the threats contained therein.

Bruce had some very interesting things to say in response to thoughts from the audience on how to develop these ideas. Mostly he argued that any security model, if it is to be implemented by companies, governments and individuals, must have a low-cost false-positive verification system. He brought up the TIPS program that was proposed by the US government (mentioned here) and how it would generate too many false positives and waste time on verifying the suspicions brought forth. This is a very valid point, and really is true in regards to the American way of dealing with things. What I mean to say is that Americans are very quick to respond and in the end they don't like to waste time on laborious duties or long-winded processes.

Bruce brought up a great example of a cost-effective system that Visa (and maybe Mastercard) use to verify legitimate transactions on their customers' credit cards. Basically, they monitor patterns in spending and transactions to find card theft. For instance, if my card suddenly showed up in Canada and someone was buying $30,000 in diamonds, Visa may hold the transaction from completing and call me to verify that I want to purchase these. It's a great system that, as Bruce mentioned, is actually a great marketing device for these companies. People want to be alerted to their credit card being stolen, and there is a certain warm-fuzzy feeling one receives if their credit card company calls up to make sure everything is okay.

The talk lasted an hour, and while there wasn't one valid suggestion by the audience on how to translate open source philosophies, I thought the conversation was a great step forward.

At one point I raised my hand to offer a comment (time ran out before I could share) that I hope to write about a bit further but felt I should spew its basic concepts here and work to provide a detailed description of what I mean later on.

It is my feeling that in order to really replicate the community interaction of open source and to translate that into a security model that can be used by the people, governments and corporations, we need to begin compiling philosophies and methods into tools to teach the next generation. Education is really the only way to secure change in the future. Getting children and young adults thinking in open ways regarding software and their futures will really help to develop methods of security that are effective. Like I said, I'd really like to write a bit more on this. I think it could develop into something valuable.
