Wednesday, July 01, 2009

about face on bruce schneier

well, it was nice to see something as fundamental as the issue of password masking questioned (usability expert jakob nielsen's original article, bruce schneier's reaction), and then answered (rik ferguson's response, graham cluley's response). i wonder if that indicates we're collectively ready (some of us have been individually ready for a while) to question something equally fundamental, like the concept of 'security experts'.

i say this because, as was alluded to by rik ferguson, bruce schneier seemed to be pulling 'blatantly evident factoids' out of his ass (as 'self-appointed authorities' tend to do).

empirical evidence of the decline of shoulder surfing, even if it exists, wouldn't be able to support the implied assertion that it would stay in decline if password masking went away. in fact, the opposite seems much more likely. while it's true that a determined shoulder surfer would be able to figure out your password from your keystrokes, without the password mask even the most casual shoulder surfer would easily be successful. remove the control that makes something rare and it won't be rare anymore.

but i digress. this post isn't about password masking, it's about 'security experts' - and i find myself in a bit of a conundrum because, while i would normally be decrying schneier's posting of material obviously outside his field of expertise, as someone who not only doesn't lay claim to the title of expert but actively rejects it, would i not be practicing hypocrisy?

to answer my own question: yes, yes i would. stop that.

the problem isn't (or shouldn't be) that schneier (or anyone else for that matter) posts on topics outside their field of expertise. he should be afforded the freedom to post uninformed opinion just like everybody else. in that regard the problem isn't really bruce schneier at all (even if he is a FUD spreading self-described media whore), the problem, dear reader, is you - for not recognizing how narrow a scope expertise has, where schneier's is, and consequently when to hold his statements up to greater/lesser scrutiny (note: if you have figured out that cryptography is his area of expertise and that you should question everything else then i'm not actually talking to you but everyone else).

and yes, i am aware of the implication that you should then question everything i say - that is actually precisely what i want. one of the benefits of not being an expert that i'd like to enjoy is people not blindly accepting everything i say and actually challenging me when something i say doesn't fit with something they know. i actually like arguing, i find it to have useful properties in the gaining of knowledge, and i think it's a shame that so many seem to value the finding of consensus over the finding of correctness (never mind the tendency to use authoritative quotes as a replacement for critical thinking). oh well, at least nick fitzgerald and vesselin bontchev were still willing to expound at length on the topic of malware last i checked (though it has been a while).


LonerVamp said...

Yeah, Bruce may be an expert, but that doesn't mean everything he says must be gospel...or that he must only speak when he's sure he's right. Sometimes it is the discussion just being brought up that is the most valuable.

I don't think I blogged about it, but this is one of the few times I've quickly disagreed with Bruce. I must have posted on pauldotcom and a few other blogs enough that I didn't want to write more on my blog. :)

Bruce should be able to make such wrongful discussions sometimes, but what sucks is when every media outlet picks up on it and I start seeing things like, "Security experts question password masking." And then I have to dive into the conversation with my boss/colleagues. Doh.

I just hope other non-experts don't pick up on it and we start to see a rash of, say, web apps that cite it as a reason to no longer mask passwords on their logins. I can totally see Twitter trying that just because Bruce brought it up. :\

kurt wismer said...

yup, bruce is a person and all people can be wrong - it's just bruce has a lot of influence even outside his field of expertise (where he's more likely to be wrong).

i'm sure at least some non-experts will pick up on this and we'll have to battle against yet another misconception. that's what it all comes down to. this sort of thing creates powerful misconceptions.